author | oheimb |
Sat, 15 Feb 1997 17:35:53 +0100 | |
changeset 2632 | 1612b99395d4 |
parent 2631 | 5e5c78ba955e |
child 3089 | 32dad29d4666 |
permissions | -rw-r--r-- |
104 | 1 |
%% $Id$ |
319 | 2 |
\chapter{The Classical Reasoner}\label{chap:classical} |
286 | 3 |
\index{classical reasoner|(} |
308 | 4 |
\newcommand\ainfer[2]{\begin{array}{r@{\,}l}#2\\ \hline#1\end{array}} |
5 |
||
104 | 6 |
Although Isabelle is generic, many users will be working in some extension |
308 | 7 |
of classical first-order logic. Isabelle's set theory~{\tt ZF} is built |
8 |
upon theory~{\tt FOL}, while higher-order logic contains first-order logic |
|
9 |
as a fragment. Theorem-proving in predicate logic is undecidable, but many |
|
10 |
researchers have developed strategies to assist in this task. |
|
104 | 11 |
|
286 | 12 |
Isabelle's classical reasoner is an \ML{} functor that accepts certain |
104 | 13 |
information about a logic and delivers a suite of automatic tactics. Each |
14 |
tactic takes a collection of rules and executes a simple, non-clausal proof |
|
15 |
procedure. They are slow and simplistic compared with resolution theorem |
|
16 |
provers, but they can save considerable time and effort. They can prove |
|
17 |
theorems such as Pelletier's~\cite{pelletier86} problems~40 and~41 in |
|
18 |
seconds: |
|
19 |
\[ (\exists y. \forall x. J(y,x) \bimp \neg J(x,x)) |
|
20 |
\imp \neg (\forall x. \exists y. \forall z. J(z,y) \bimp \neg J(z,x)) \] |
|
21 |
\[ (\forall z. \exists y. \forall x. F(x,y) \bimp F(x,z) \conj \neg F(x,x)) |
|
22 |
\imp \neg (\exists z. \forall x. F(x,z)) |
|
23 |
\] |
|
308 | 24 |
% |
25 |
The tactics are generic. They are not restricted to first-order logic, and |
|
26 |
have been heavily used in the development of Isabelle's set theory. Few |
|
27 |
interactive proof assistants provide this much automation. The tactics can |
|
28 |
be traced, and their components can be called directly; in this manner, |
|
29 |
any proof can be viewed interactively. |
|
104 | 30 |
|
2479 | 31 |
The simplest way to apply the classical reasoner (to subgoal~$i$) is as |
32 |
follows: |
|
33 |
\begin{ttbox} |
|
34 |
by (Fast_tac \(i\)); |
|
35 |
\end{ttbox} |
|
36 |
If the subgoal is a simple formula of the predicate calculus or set theory, |
|
37 |
then it should be proved quickly. However, to use the classical reasoner |
|
38 |
effectively, you need to know how it works. |
|
39 |
||
40 |
We shall first discuss the underlying principles, then present the classical |
|
41 |
reasoner. Finally, we shall see how to instantiate it for new logics. The |
|
42 |
logics {\tt FOL}, {\tt HOL} and {\tt ZF} have it already installed. |
|
104 | 43 |
|
44 |
||
45 |
\section{The sequent calculus} |
|
46 |
\index{sequent calculus} |
|
47 |
Isabelle supports natural deduction, which is easy to use for interactive |
|
48 |
proof. But natural deduction does not easily lend itself to automation, |
|
49 |
and has a bias towards intuitionism. For certain proofs in classical |
|
50 |
logic, it can not be called natural. The {\bf sequent calculus}, a |
|
51 |
generalization of natural deduction, is easier to automate. |
|
52 |
||
53 |
A {\bf sequent} has the form $\Gamma\turn\Delta$, where $\Gamma$ |
|
308 | 54 |
and~$\Delta$ are sets of formulae.% |
55 |
\footnote{For first-order logic, sequents can equivalently be made from |
|
56 |
lists or multisets of formulae.} The sequent |
|
104 | 57 |
\[ P@1,\ldots,P@m\turn Q@1,\ldots,Q@n \] |
58 |
is {\bf valid} if $P@1\conj\ldots\conj P@m$ implies $Q@1\disj\ldots\disj |
|
59 |
Q@n$. Thus $P@1,\ldots,P@m$ represent assumptions, each of which is true, |
|
60 |
while $Q@1,\ldots,Q@n$ represent alternative goals. A sequent is {\bf |
|
61 |
basic} if its left and right sides have a common formula, as in $P,Q\turn |
|
62 |
Q,R$; basic sequents are trivially valid. |
|
63 |
||
64 |
Sequent rules are classified as {\bf right} or {\bf left}, indicating which |
|
65 |
side of the $\turn$~symbol they operate on. Rules that operate on the |
|
66 |
right side are analogous to natural deduction's introduction rules, and |
|
308 | 67 |
left rules are analogous to elimination rules. |
68 |
Recall the natural deduction rules for |
|
69 |
first-order logic, |
|
70 |
\iflabelundefined{fol-fig}{from {\it Introduction to Isabelle}}% |
|
71 |
{Fig.\ts\ref{fol-fig}}. |
|
72 |
The sequent calculus analogue of~$({\imp}I)$ is the rule |
|
104 | 73 |
$$ \ainfer{\Gamma &\turn \Delta, P\imp Q}{P,\Gamma &\turn \Delta,Q} |
74 |
\eqno({\imp}R) $$ |
|
75 |
This breaks down some implication on the right side of a sequent; $\Gamma$ |
|
76 |
and $\Delta$ stand for the sets of formulae that are unaffected by the |
|
77 |
inference. The analogue of the pair~$({\disj}I1)$ and~$({\disj}I2)$ is the |
|
78 |
single rule |
|
79 |
$$ \ainfer{\Gamma &\turn \Delta, P\disj Q}{\Gamma &\turn \Delta,P,Q} |
|
80 |
\eqno({\disj}R) $$ |
|
81 |
This breaks down some disjunction on the right side, replacing it by both |
|
82 |
disjuncts. Thus, the sequent calculus is a kind of multiple-conclusion logic. |
|
83 |
||
84 |
To illustrate the use of multiple formulae on the right, let us prove |
|
85 |
the classical theorem $(P\imp Q)\disj(Q\imp P)$. Working backwards, we |
|
86 |
reduce this formula to a basic sequent: |
|
87 |
\[ \infer[(\disj)R]{\turn(P\imp Q)\disj(Q\imp P)} |
|
88 |
{\infer[(\imp)R]{\turn(P\imp Q), (Q\imp P)\;} |
|
89 |
{\infer[(\imp)R]{P \turn Q, (Q\imp P)\qquad} |
|
90 |
{P, Q \turn Q, P\qquad\qquad}}} |
|
91 |
\] |
|
92 |
This example is typical of the sequent calculus: start with the desired |
|
93 |
theorem and apply rules backwards in a fairly arbitrary manner. This yields a |
|
94 |
surprisingly effective proof procedure. Quantifiers add few complications, |
|
95 |
since Isabelle handles parameters and schematic variables. See Chapter~10 |
|
96 |
of {\em ML for the Working Programmer}~\cite{paulson91} for further |
|
97 |
discussion. |
|
98 |
||
99 |
||
100 |
\section{Simulating sequents by natural deduction} |
|
308 | 101 |
Isabelle can represent sequents directly, as in the object-logic~{\tt LK}\@. |
104 | 102 |
But natural deduction is easier to work with, and most object-logics employ |
103 |
it. Fortunately, we can simulate the sequent $P@1,\ldots,P@m\turn |
|
104 |
Q@1,\ldots,Q@n$ by the Isabelle formula |
|
105 |
\[ \List{P@1;\ldots;P@m; \neg Q@2;\ldots; \neg Q@n}\Imp Q@1, \] |
|
106 |
where the order of the assumptions and the choice of~$Q@1$ are arbitrary. |
|
107 |
Elim-resolution plays a key role in simulating sequent proofs. |
|
108 |
||
109 |
We can easily handle reasoning on the left. |
|
308 | 110 |
As discussed in |
111 |
\iflabelundefined{destruct}{{\it Introduction to Isabelle}}{\S\ref{destruct}}, |
|
104 | 112 |
elim-resolution with the rules $(\disj E)$, $(\bot E)$ and $(\exists E)$ |
113 |
achieves a similar effect as the corresponding sequent rules. For the |
|
114 |
other connectives, we use sequent-style elimination rules instead of |
|
308 | 115 |
destruction rules such as $({\conj}E1,2)$ and $(\forall E)$. But note that |
116 |
the rule $(\neg L)$ has no effect under our representation of sequents! |
|
104 | 117 |
$$ \ainfer{\neg P,\Gamma &\turn \Delta}{\Gamma &\turn \Delta,P} |
118 |
\eqno({\neg}L) $$ |
|
119 |
What about reasoning on the right? Introduction rules can only affect the |
|
308 | 120 |
formula in the conclusion, namely~$Q@1$. The other right-side formulae are |
319 | 121 |
represented as negated assumptions, $\neg Q@2$, \ldots,~$\neg Q@n$. |
122 |
\index{assumptions!negated} |
|
123 |
In order to operate on one of these, it must first be exchanged with~$Q@1$. |
|
104 | 124 |
Elim-resolution with the {\bf swap} rule has this effect: |
125 |
$$ \List{\neg P; \; \neg R\Imp P} \Imp R \eqno(swap)$$ |
|
126 |
To ensure that swaps occur only when necessary, each introduction rule is |
|
127 |
converted into a swapped form: it is resolved with the second premise |
|
128 |
of~$(swap)$. The swapped form of~$({\conj}I)$, which might be |
|
129 |
called~$({\neg\conj}E)$, is |
|
130 |
\[ \List{\neg(P\conj Q); \; \neg R\Imp P; \; \neg R\Imp Q} \Imp R. \] |
|
131 |
Similarly, the swapped form of~$({\imp}I)$ is |
|
132 |
\[ \List{\neg(P\imp Q); \; \List{\neg R;P}\Imp Q} \Imp R \] |
|
133 |
Swapped introduction rules are applied using elim-resolution, which deletes |
|
134 |
the negated formula. Our representation of sequents also requires the use |
|
135 |
of ordinary introduction rules. If we had no regard for readability, we |
|
136 |
could treat the right side more uniformly by representing sequents as |
|
137 |
\[ \List{P@1;\ldots;P@m; \neg Q@1;\ldots; \neg Q@n}\Imp \bot. \] |
|
138 |
||
139 |
||
140 |
\section{Extra rules for the sequent calculus} |
|
141 |
As mentioned, destruction rules such as $({\conj}E1,2)$ and $(\forall E)$ |
|
142 |
must be replaced by sequent-style elimination rules. In addition, we need |
|
143 |
rules to embody the classical equivalence between $P\imp Q$ and $\neg P\disj |
|
144 |
Q$. The introduction rules~$({\disj}I1,2)$ are replaced by a rule that |
|
145 |
simulates $({\disj}R)$: |
|
146 |
\[ (\neg Q\Imp P) \Imp P\disj Q \] |
|
147 |
The destruction rule $({\imp}E)$ is replaced by |
|
332 | 148 |
\[ \List{P\imp Q;\; \neg P\Imp R;\; Q\Imp R} \Imp R. \] |
104 | 149 |
Quantifier replication also requires special rules. In classical logic, |
308 | 150 |
$\exists x{.}P$ is equivalent to $\neg\forall x{.}\neg P$; the rules |
151 |
$(\exists R)$ and $(\forall L)$ are dual: |
|
104 | 152 |
\[ \ainfer{\Gamma &\turn \Delta, \exists x{.}P} |
153 |
{\Gamma &\turn \Delta, \exists x{.}P, P[t/x]} \; (\exists R) |
|
154 |
\qquad |
|
155 |
\ainfer{\forall x{.}P, \Gamma &\turn \Delta} |
|
156 |
{P[t/x], \forall x{.}P, \Gamma &\turn \Delta} \; (\forall L) |
|
157 |
\] |
|
158 |
Thus both kinds of quantifier may be replicated. Theorems requiring |
|
159 |
multiple uses of a universal formula are easy to invent; consider |
|
308 | 160 |
\[ (\forall x.P(x)\imp P(f(x))) \conj P(a) \imp P(f^n(a)), \] |
161 |
for any~$n>1$. Natural examples of the multiple use of an existential |
|
162 |
formula are rare; a standard one is $\exists x.\forall y. P(x)\imp P(y)$. |
|
104 | 163 |
|
164 |
Forgoing quantifier replication loses completeness, but gains decidability, |
|
165 |
since the search space becomes finite. Many useful theorems can be proved |
|
166 |
without replication, and the search generally delivers its verdict in a |
|
167 |
reasonable time. To adopt this approach, represent the sequent rules |
|
168 |
$(\exists R)$, $(\exists L)$ and $(\forall R)$ by $(\exists I)$, $(\exists |
|
169 |
E)$ and $(\forall I)$, respectively, and put $(\forall E)$ into elimination |
|
170 |
form: |
|
171 |
$$ \List{\forall x{.}P(x); P(t)\Imp Q} \Imp Q \eqno(\forall E@2) $$ |
|
172 |
Elim-resolution with this rule will delete the universal formula after a |
|
173 |
single use. To replicate universal quantifiers, replace the rule by |
|
174 |
$$ \List{\forall x{.}P(x);\; \List{P(t); \forall x{.}P(x)}\Imp Q} \Imp Q. |
|
175 |
\eqno(\forall E@3) $$ |
|
176 |
To replicate existential quantifiers, replace $(\exists I)$ by |
|
332 | 177 |
\[ \List{\neg(\exists x{.}P(x)) \Imp P(t)} \Imp \exists x{.}P(x). \] |
104 | 178 |
All introduction rules mentioned above are also useful in swapped form. |
179 |
||
180 |
Replication makes the search space infinite; we must apply the rules with |
|
286 | 181 |
care. The classical reasoner distinguishes between safe and unsafe |
104 | 182 |
rules, applying the latter only when there is no alternative. Depth-first |
183 |
search may well go down a blind alley; best-first search is better behaved |
|
184 |
in an infinite search space. However, quantifier replication is too |
|
185 |
expensive to prove any but the simplest theorems. |
|
186 |
||
187 |
||
188 |
\section{Classical rule sets} |
|
319 | 189 |
\index{classical sets} |
190 |
Each automatic tactic takes a {\bf classical set} --- a collection of |
|
104 | 191 |
rules, classified as introduction or elimination and as {\bf safe} or {\bf |
192 |
unsafe}. In general, safe rules can be attempted blindly, while unsafe |
|
193 |
rules must be used with care. A safe rule must never reduce a provable |
|
308 | 194 |
goal to an unprovable set of subgoals. |
104 | 195 |
|
308 | 196 |
The rule~$({\disj}I1)$ is unsafe because it reduces $P\disj Q$ to~$P$. Any |
197 |
rule is unsafe whose premises contain new unknowns. The elimination |
|
198 |
rule~$(\forall E@2)$ is unsafe, since it is applied via elim-resolution, |
|
199 |
which discards the assumption $\forall x{.}P(x)$ and replaces it by the |
|
200 |
weaker assumption~$P(\Var{t})$. The rule $({\exists}I)$ is unsafe for |
|
201 |
similar reasons. The rule~$(\forall E@3)$ is unsafe in a different sense: |
|
202 |
since it keeps the assumption $\forall x{.}P(x)$, it is prone to looping. |
|
203 |
In classical first-order logic, all rules are safe except those mentioned |
|
204 |
above. |
|
104 | 205 |
|
206 |
The safe/unsafe distinction is vague, and may be regarded merely as a way |
|
207 |
of giving some rules priority over others. One could argue that |
|
208 |
$({\disj}E)$ is unsafe, because repeated application of it could generate |
|
209 |
exponentially many subgoals. Induction rules are unsafe because inductive |
|
210 |
proofs are difficult to set up automatically. Any inference is unsafe that |
|
211 |
instantiates an unknown in the proof state --- thus \ttindex{match_tac} |
|
212 |
must be used, rather than \ttindex{resolve_tac}. Even proof by assumption |
|
213 |
is unsafe if it instantiates unknowns shared with other subgoals --- thus |
|
214 |
\ttindex{eq_assume_tac} must be used, rather than \ttindex{assume_tac}. |
|
215 |
||
1099 | 216 |
\subsection{Adding rules to classical sets} |
319 | 217 |
Classical rule sets belong to the abstract type \mltydx{claset}, which |
286 | 218 |
supports the following operations (provided the classical reasoner is |
104 | 219 |
installed!): |
220 |
\begin{ttbox} |
|
1099 | 221 |
empty_cs : claset |
222 |
print_cs : claset -> unit |
|
223 |
addSIs : claset * thm list -> claset \hfill{\bf infix 4} |
|
224 |
addSEs : claset * thm list -> claset \hfill{\bf infix 4} |
|
225 |
addSDs : claset * thm list -> claset \hfill{\bf infix 4} |
|
226 |
addIs : claset * thm list -> claset \hfill{\bf infix 4} |
|
227 |
addEs : claset * thm list -> claset \hfill{\bf infix 4} |
|
228 |
addDs : claset * thm list -> claset \hfill{\bf infix 4} |
|
1869 | 229 |
delrules : claset * thm list -> claset \hfill{\bf infix 4} |
104 | 230 |
\end{ttbox} |
1869 | 231 |
The add operations do not check for repetitions. |
308 | 232 |
\begin{ttdescription} |
104 | 233 |
\item[\ttindexbold{empty_cs}] is the empty classical set. |
234 |
||
1099 | 235 |
\item[\ttindexbold{print_cs} $cs$] prints the rules of~$cs$. |
236 |
||
308 | 237 |
\item[$cs$ addSIs $rules$] \indexbold{*addSIs} |
238 |
adds safe introduction~$rules$ to~$cs$. |
|
104 | 239 |
|
308 | 240 |
\item[$cs$ addSEs $rules$] \indexbold{*addSEs} |
241 |
adds safe elimination~$rules$ to~$cs$. |
|
104 | 242 |
|
308 | 243 |
\item[$cs$ addSDs $rules$] \indexbold{*addSDs} |
244 |
adds safe destruction~$rules$ to~$cs$. |
|
104 | 245 |
|
308 | 246 |
\item[$cs$ addIs $rules$] \indexbold{*addIs} |
247 |
adds unsafe introduction~$rules$ to~$cs$. |
|
104 | 248 |
|
308 | 249 |
\item[$cs$ addEs $rules$] \indexbold{*addEs} |
250 |
adds unsafe elimination~$rules$ to~$cs$. |
|
104 | 251 |
|
308 | 252 |
\item[$cs$ addDs $rules$] \indexbold{*addDs} |
253 |
adds unsafe destruction~$rules$ to~$cs$. |
|
1869 | 254 |
|
255 |
\item[$cs$ delrules $rules$] \indexbold{*delrules} |
|
256 |
deletes~$rules$ from~$cs$. |
|
308 | 257 |
\end{ttdescription} |
258 |
||
104 | 259 |
Introduction rules are those that can be applied using ordinary resolution. |
260 |
The classical set automatically generates their swapped forms, which will |
|
261 |
be applied using elim-resolution. Elimination rules are applied using |
|
286 | 262 |
elim-resolution. In a classical set, rules are sorted by the number of new |
263 |
subgoals they will yield; rules that generate the fewest subgoals will be |
|
264 |
tried first (see \S\ref{biresolve_tac}). |
|
104 | 265 |
|
1099 | 266 |
|
267 |
\subsection{Modifying the search step} |
|
104 | 268 |
For a given classical set, the proof strategy is simple. Perform as many |
269 |
safe inferences as possible; or else, apply certain safe rules, allowing |
|
270 |
instantiation of unknowns; or else, apply an unsafe rule. The tactics may |
|
319 | 271 |
also apply {\tt hyp_subst_tac}, if they have been set up to do so (see |
104 | 272 |
below). They may perform a form of Modus Ponens: if there are assumptions |
273 |
$P\imp Q$ and~$P$, then replace $P\imp Q$ by~$Q$. |
|
274 |
||
1099 | 275 |
The classical reasoner allows you to modify this basic proof strategy by |
2632 | 276 |
applying two arbitrary {\bf wrapper tacticals} to it. This affects each step of |
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
277 |
the search. Usually they are the identity tacticals, but they could apply |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
278 |
another tactic before or after the step tactic. The first one, which is |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
279 |
considered to be safe, affects \ttindex{safe_step_tac} and all the tactics that |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
280 |
call it. The the second one, which may be unsafe, affects |
2632 | 281 |
\ttindex{step_tac}, \ttindex{slow_step_tac} and the tactics that call them. |
1099 | 282 |
|
283 |
\begin{ttbox} |
|
2632 | 284 |
addss : claset * simpset -> claset \hfill{\bf infix 4} |
285 |
addSbefore : claset * (int -> tactic) -> claset \hfill{\bf infix 4} |
|
286 |
addSaltern : claset * (int -> tactic) -> claset \hfill{\bf infix 4} |
|
287 |
setSWrapper : claset * ((int -> tactic) -> |
|
288 |
(int -> tactic)) -> claset \hfill{\bf infix 4} |
|
289 |
compSWrapper : claset * ((int -> tactic) -> |
|
290 |
(int -> tactic)) -> claset \hfill{\bf infix 4} |
|
291 |
addbefore : claset * (int -> tactic) -> claset \hfill{\bf infix 4} |
|
292 |
addaltern : claset * (int -> tactic) -> claset \hfill{\bf infix 4} |
|
293 |
setWrapper : claset * ((int -> tactic) -> |
|
294 |
(int -> tactic)) -> claset \hfill{\bf infix 4} |
|
295 |
compWrapper : claset * ((int -> tactic) -> |
|
296 |
(int -> tactic)) -> claset \hfill{\bf infix 4} |
|
1099 | 297 |
\end{ttbox} |
298 |
% |
|
299 |
\index{simplification!from classical reasoner} |
|
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
300 |
The wrapper tacticals underly the operator \ttindex{addss}, which combines |
1099 | 301 |
each search step by simplification. Strictly speaking, {\tt addss} is not |
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
302 |
part of the classical reasoner. It should be defined (using {\tt addSaltern (CHANGED o (safe_asm_more_full_simp_tac ss)}) when the simplifier is installed. |
1099 | 303 |
|
304 |
\begin{ttdescription} |
|
305 |
\item[$cs$ addss $ss$] \indexbold{*addss} |
|
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
306 |
adds the simpset~$ss$ to the classical set. The assumptions and goal will be |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
307 |
simplified, in a safe way, after the safe steps of the search. |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
308 |
|
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
309 |
\item[$cs$ addSbefore $tac$] \indexbold{*addSbefore} |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
310 |
changes the safe wrapper tactical to apply the given tactic {\em before} |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
311 |
each safe step of the search. |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
312 |
|
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
313 |
\item[$cs$ addSaltern $tac$] \indexbold{*addSaltern} |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
314 |
changes the safe wrapper tactical to apply the given tactic when a safe step |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
315 |
of the search would fail. |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
316 |
|
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
317 |
\item[$cs$ setSWrapper $tactical$] \indexbold{*setSWrapper} |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
318 |
specifies a new safe wrapper tactical. |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
319 |
|
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
320 |
\item[$cs$ compSWrapper $tactical$] \indexbold{*compSWrapper} |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
321 |
composes the $tactical$ with the existing safe wrapper tactical, |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
322 |
to combine their effects. |
1099 | 323 |
|
324 |
\item[$cs$ addbefore $tac$] \indexbold{*addbefore} |
|
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
325 |
changes the (unsafe) wrapper tactical to apply the given tactic, which should |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
326 |
be safe, {\em before} each step of the search. |
1099 | 327 |
|
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
328 |
\item[$cs$ addaltern $tac$] \indexbold{*addaltern} |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
329 |
changes the (unsafe) wrapper tactical to apply the given tactic |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
330 |
{\em alternatively} after each step of the search. |
1099 | 331 |
|
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
332 |
\item[$cs$ setWrapper $tactical$] \indexbold{*setWrapper} |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
333 |
specifies a new (unsafe) wrapper tactical. |
1099 | 334 |
|
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
335 |
\item[$cs$ compWrapper $tactical$] \indexbold{*compWrapper} |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
336 |
composes the $tactical$ with the existing (unsafe) wrapper tactical, |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
337 |
to combine their effects. |
1099 | 338 |
\end{ttdescription} |
339 |
||
104 | 340 |
|
341 |
\section{The classical tactics} |
|
319 | 342 |
\index{classical reasoner!tactics} |
104 | 343 |
If installed, the classical module provides several tactics (and other |
344 |
operations) for simulating the classical sequent calculus. |
|
345 |
||
332 | 346 |
\subsection{The automatic tactics} |
347 |
\begin{ttbox} |
|
875
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
348 |
fast_tac : claset -> int -> tactic |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
349 |
best_tac : claset -> int -> tactic |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
350 |
slow_tac : claset -> int -> tactic |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
351 |
slow_best_tac : claset -> int -> tactic |
332 | 352 |
\end{ttbox} |
875
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
353 |
These tactics work by applying {\tt step_tac} or {\tt slow_step_tac} |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
354 |
repeatedly. Their effect is restricted (by {\tt SELECT_GOAL}) to one subgoal; |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
355 |
they either solve this subgoal or fail. The {\tt slow_} versions are more |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
356 |
powerful but can be much slower. |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
357 |
|
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
358 |
The best-first tactics are guided by a heuristic function: typically, the |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
359 |
total size of the proof state. This function is supplied in the functor call |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
360 |
that sets up the classical reasoner. |
332 | 361 |
\begin{ttdescription} |
362 |
\item[\ttindexbold{fast_tac} $cs$ $i$] applies {\tt step_tac} using |
|
363 |
depth-first search, to solve subgoal~$i$. |
|
364 |
||
365 |
\item[\ttindexbold{best_tac} $cs$ $i$] applies {\tt step_tac} using |
|
875
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
366 |
best-first search, to solve subgoal~$i$. |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
367 |
|
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
368 |
\item[\ttindexbold{slow_tac} $cs$ $i$] applies {\tt slow_step_tac} using |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
369 |
depth-first search, to solve subgoal~$i$. |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
370 |
|
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
371 |
\item[\ttindexbold{slow_best_tac} $cs$ $i$] applies {\tt slow_step_tac} using |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
372 |
best-first search, to solve subgoal~$i$. |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
373 |
\end{ttdescription} |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
374 |
|
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
375 |
|
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
376 |
\subsection{Depth-limited tactics} |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
377 |
\begin{ttbox} |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
378 |
depth_tac : claset -> int -> int -> tactic |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
379 |
deepen_tac : claset -> int -> int -> tactic |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
380 |
\end{ttbox} |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
381 |
These work by exhaustive search up to a specified depth. Unsafe rules are |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
382 |
modified to preserve the formula they act on, so that it be used repeatedly. |
1099 | 383 |
They can prove more goals than {\tt fast_tac} can but are much |
875
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
384 |
slower, for example if the assumptions have many universal quantifiers. |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
385 |
|
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
386 |
The depth limits the number of unsafe steps. If you can estimate the minimum |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
387 |
number of unsafe steps needed, supply this value as~$m$ to save time. |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
388 |
\begin{ttdescription} |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
389 |
\item[\ttindexbold{depth_tac} $cs$ $m$ $i$] |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
390 |
tries to solve subgoal~$i$ by exhaustive search up to depth~$m$. |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
391 |
|
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
392 |
\item[\ttindexbold{deepen_tac} $cs$ $m$ $i$] |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
393 |
tries to solve subgoal~$i$ by iterative deepening. It calls {\tt depth_tac} |
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
394 |
repeatedly with increasing depths, starting with~$m$. |
332 | 395 |
\end{ttdescription} |
396 |
||
397 |
||
104 | 398 |
\subsection{Single-step tactics} |
399 |
\begin{ttbox} |
|
400 |
safe_step_tac : claset -> int -> tactic |
|
401 |
safe_tac : claset -> tactic |
|
402 |
inst_step_tac : claset -> int -> tactic |
|
403 |
step_tac : claset -> int -> tactic |
|
404 |
slow_step_tac : claset -> int -> tactic |
|
405 |
\end{ttbox} |
|
406 |
The automatic proof procedures call these tactics. By calling them |
|
407 |
yourself, you can execute these procedures one step at a time. |
|
308 | 408 |
\begin{ttdescription} |
104 | 409 |
\item[\ttindexbold{safe_step_tac} $cs$ $i$] performs a safe step on |
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
410 |
subgoal~$i$. The safe wrapper tactical is applied to a tactic that may include |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
411 |
proof by assumption or Modus Ponens (taking care not to instantiate unknowns), |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
412 |
or {\tt hyp_subst_tac}. |
104 | 413 |
|
414 |
\item[\ttindexbold{safe_tac} $cs$] repeatedly performs safe steps on all |
|
415 |
subgoals. It is deterministic, with at most one outcome. If the automatic |
|
416 |
tactics fail, try using {\tt safe_tac} to open up your formula; then you |
|
417 |
can replicate certain quantifiers explicitly by applying appropriate rules. |
|
418 |
||
419 |
\item[\ttindexbold{inst_step_tac} $cs$ $i$] is like {\tt safe_step_tac}, |
|
420 |
but allows unknowns to be instantiated. |
|
421 |
||
1099 | 422 |
\item[\ttindexbold{step_tac} $cs$ $i$] is the basic step of the proof |
2631
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
423 |
procedure. The (unsafe) wrapper tactical is applied to a tactic that tries |
5e5c78ba955e
description of safe vs. unsafe wrapper and the functions involved
oheimb
parents:
2479
diff
changeset
|
424 |
{\tt safe_tac}, {\tt inst_step_tac}, or applies an unsafe rule from~$cs$. |
104 | 425 |
|
426 |
\item[\ttindexbold{slow_step_tac}] |
|
427 |
resembles {\tt step_tac}, but allows backtracking between using safe |
|
428 |
rules with instantiation ({\tt inst_step_tac}) and using unsafe rules. |
|
875
a0b71a4bbe5e
documented slow_tac, slow_best_tac, depth_tac, deepen_tac
lcp
parents:
332
diff
changeset
|
429 |
The resulting search space is larger. |
308 | 430 |
\end{ttdescription} |
104 | 431 |
|
1869 | 432 |
\subsection{The current claset} |
2479 | 433 |
Some logics (\FOL, {\HOL} and \ZF) support the concept of a current |
434 |
claset\index{claset!current}. This is a default set of classical rules. The |
|
435 |
underlying idea is quite similar to that of a current simpset described in |
|
436 |
\S\ref{sec:simp-for-dummies}; please read that section, including its |
|
437 |
warnings. Just like simpsets, clasets can be associated with theories. The |
|
438 |
tactics |
|
1869 | 439 |
\begin{ttbox} |
440 |
Step_tac : int -> tactic |
|
441 |
Fast_tac : int -> tactic |
|
442 |
Best_tac : int -> tactic |
|
443 |
Deepen_tac : int -> int -> tactic |
|
444 |
\end{ttbox} |
|
445 |
\indexbold{*Step_tac} \indexbold{*Best_tac} \indexbold{*Fast_tac} |
|
446 |
\indexbold{*Deepen_tac} |
|
447 |
make use of the current claset. E.g.~{\tt Fast_tac} is defined as follows: |
|
448 |
\begin{ttbox} |
|
449 |
fun Fast_tac i = fast_tac (!claset) i; |
|
450 |
\end{ttbox} |
|
451 |
where \ttindex{!claset} is the current claset. |
|
452 |
The functions |
|
453 |
\begin{ttbox} |
|
454 |
AddSIs, AddSEs, AddSDs, AddIs, AddEs, AddDs: thm list -> unit |
|
455 |
\end{ttbox} |
|
456 |
\indexbold{*AddSIs} \indexbold{*AddSEs} \indexbold{*AddSDs} |
|
457 |
\indexbold{*AddIs} \indexbold{*AddEs} \indexbold{*AddDs} |
|
458 |
are used to add rules to the current claset. They work exactly like their |
|
459 |
lower case counterparts {\tt addSIs} etc. |
|
460 |
\begin{ttbox} |
|
461 |
Delrules : thm list -> unit |
|
462 |
\end{ttbox} |
|
463 |
deletes rules from the current claset. You do not need to worry via which of |
|
464 |
the above {\tt Add} functions the rule was initially added. |
|
104 | 465 |
|
466 |
\subsection{Other useful tactics} |
|
319 | 467 |
\index{tactics!for contradiction} |
468 |
\index{tactics!for Modus Ponens} |
|
104 | 469 |
\begin{ttbox} |
470 |
contr_tac : int -> tactic |
|
471 |
mp_tac : int -> tactic |
|
472 |
eq_mp_tac : int -> tactic |
|
473 |
swap_res_tac : thm list -> int -> tactic |
|
474 |
\end{ttbox} |
|
475 |
These can be used in the body of a specialized search. |
|
308 | 476 |
\begin{ttdescription} |
319 | 477 |
\item[\ttindexbold{contr_tac} {\it i}]\index{assumptions!contradictory} |
478 |
solves subgoal~$i$ by detecting a contradiction among two assumptions of |
|
479 |
the form $P$ and~$\neg P$, or fail. It may instantiate unknowns. The |
|
480 |
tactic can produce multiple outcomes, enumerating all possible |
|
481 |
contradictions. |
|
104 | 482 |
|
483 |
\item[\ttindexbold{mp_tac} {\it i}] |
|
484 |
is like {\tt contr_tac}, but also attempts to perform Modus Ponens in |
|
485 |
subgoal~$i$. If there are assumptions $P\imp Q$ and~$P$, then it replaces |
|
486 |
$P\imp Q$ by~$Q$. It may instantiate unknowns. It fails if it can do |
|
487 |
nothing. |
|
488 |
||
489 |
\item[\ttindexbold{eq_mp_tac} {\it i}] |
|
490 |
is like {\tt mp_tac} {\it i}, but may not instantiate unknowns --- thus, it |
|
491 |
is safe. |
|
492 |
||
493 |
\item[\ttindexbold{swap_res_tac} {\it thms} {\it i}] refines subgoal~$i$ of |
|
494 |
the proof state using {\it thms}, which should be a list of introduction |
|
319 | 495 |
rules. First, it attempts to solve the goal using {\tt assume_tac} or |
104 | 496 |
{\tt contr_tac}. It then attempts to apply each rule in turn, attempting |
497 |
resolution and also elim-resolution with the swapped form. |
|
308 | 498 |
\end{ttdescription} |
104 | 499 |
|
500 |
\subsection{Creating swapped rules} |
|
501 |
\begin{ttbox} |
|
502 |
swapify : thm list -> thm list |
|
503 |
joinrules : thm list * thm list -> (bool * thm) list |
|
504 |
\end{ttbox} |
|
308 | 505 |
\begin{ttdescription} |
104 | 506 |
\item[\ttindexbold{swapify} {\it thms}] returns a list consisting of the |
507 |
swapped versions of~{\it thms}, regarded as introduction rules. |
|
508 |
||
308 | 509 |
\item[\ttindexbold{joinrules} ({\it intrs}, {\it elims})] |
104 | 510 |
joins introduction rules, their swapped versions, and elimination rules for |
511 |
use with \ttindex{biresolve_tac}. Each rule is paired with~{\tt false} |
|
512 |
(indicating ordinary resolution) or~{\tt true} (indicating |
|
513 |
elim-resolution). |
|
308 | 514 |
\end{ttdescription} |
104 | 515 |
|
516 |
||
286 | 517 |
\section{Setting up the classical reasoner} |
319 | 518 |
\index{classical reasoner!setting up} |
104 | 519 |
Isabelle's classical object-logics, including {\tt FOL} and {\tt HOL}, have |
286 | 520 |
the classical reasoner already set up. When defining a new classical logic, |
521 |
you should set up the reasoner yourself. It consists of the \ML{} functor |
|
104 | 522 |
\ttindex{ClassicalFun}, which takes the argument |
319 | 523 |
signature {\tt CLASSICAL_DATA}: |
104 | 524 |
\begin{ttbox} |
525 |
signature CLASSICAL_DATA = |
|
526 |
sig |
|
527 |
val mp : thm |
|
528 |
val not_elim : thm |
|
529 |
val swap : thm |
|
530 |
val sizef : thm -> int |
|
531 |
val hyp_subst_tacs : (int -> tactic) list |
|
532 |
end; |
|
533 |
\end{ttbox} |
|
534 |
Thus, the functor requires the following items: |
|
308 | 535 |
\begin{ttdescription} |
319 | 536 |
\item[\tdxbold{mp}] should be the Modus Ponens rule |
104 | 537 |
$\List{\Var{P}\imp\Var{Q};\; \Var{P}} \Imp \Var{Q}$. |
538 |
||
319 | 539 |
\item[\tdxbold{not_elim}] should be the contradiction rule |
104 | 540 |
$\List{\neg\Var{P};\; \Var{P}} \Imp \Var{R}$. |
541 |
||
319 | 542 |
\item[\tdxbold{swap}] should be the swap rule |
104 | 543 |
$\List{\neg \Var{P}; \; \neg \Var{R}\Imp \Var{P}} \Imp \Var{R}$. |
544 |
||
545 |
\item[\ttindexbold{sizef}] is the heuristic function used for best-first |
|
546 |
search. It should estimate the size of the remaining subgoals. A good |
|
547 |
heuristic function is \ttindex{size_of_thm}, which measures the size of the |
|
548 |
proof state. Another size function might ignore certain subgoals (say, |
|
549 |
those concerned with type checking). A heuristic function might simply |
|
550 |
count the subgoals. |
|
551 |
||
319 | 552 |
\item[\ttindexbold{hyp_subst_tacs}] is a list of tactics for substitution in |
104 | 553 |
the hypotheses, typically created by \ttindex{HypsubstFun} (see |
554 |
Chapter~\ref{substitution}). This list can, of course, be empty. The |
|
555 |
tactics are assumed to be safe! |
|
308 | 556 |
\end{ttdescription} |
104 | 557 |
The functor is not at all sensitive to the formalization of the |
558 |
object-logic. It does not even examine the rules, but merely applies them |
|
559 |
according to its fixed strategy. The functor resides in {\tt |
|
319 | 560 |
Provers/classical.ML} in the Isabelle distribution directory. |
104 | 561 |
|
319 | 562 |
\index{classical reasoner|)} |