isabelle: doc-src/Intro/getting.tex@216d6ed87399 (annotated)

105 216d6ed87399 Initial revision lcp parents: diff changeset	1	%% $Id$
216d6ed87399 Initial revision lcp parents: diff changeset	2	\part{Getting started with Isabelle}
216d6ed87399 Initial revision lcp parents: diff changeset	3	This Part describes how to perform simple proofs using Isabelle. Although
216d6ed87399 Initial revision lcp parents: diff changeset	4	it frequently refers to concepts from the previous Part, a user can get
216d6ed87399 Initial revision lcp parents: diff changeset	5	started without understanding them in detail.
216d6ed87399 Initial revision lcp parents: diff changeset	6
216d6ed87399 Initial revision lcp parents: diff changeset	7	As of this writing, Isabelle's user interface is \ML. Proofs are conducted
216d6ed87399 Initial revision lcp parents: diff changeset	8	by applying certain \ML{} functions, which update a stored proof state.
216d6ed87399 Initial revision lcp parents: diff changeset	9	Logics are combined and extended by calling \ML{} functions. All syntax
216d6ed87399 Initial revision lcp parents: diff changeset	10	must be expressed using {\sc ascii} characters. Menu-driven graphical
216d6ed87399 Initial revision lcp parents: diff changeset	11	interfaces are under construction, but Isabelle users will always need to
216d6ed87399 Initial revision lcp parents: diff changeset	12	know some \ML, at least to use tacticals.
216d6ed87399 Initial revision lcp parents: diff changeset	13
216d6ed87399 Initial revision lcp parents: diff changeset	14	Object-logics are built upon Pure Isabelle, which implements the meta-logic
216d6ed87399 Initial revision lcp parents: diff changeset	15	and provides certain fundamental data structures: types, terms, signatures,
216d6ed87399 Initial revision lcp parents: diff changeset	16	theorems and theories, tactics and tacticals. These data structures have
216d6ed87399 Initial revision lcp parents: diff changeset	17	the corresponding \ML{} types {\tt typ}, {\tt term}, {\tt Sign.sg}, {\tt thm},
216d6ed87399 Initial revision lcp parents: diff changeset	18	{\tt theory} and {\tt tactic}; tacticals have function types such as {\tt
216d6ed87399 Initial revision lcp parents: diff changeset	19	tactic->tactic}. Isabelle users can operate on these data structures by
216d6ed87399 Initial revision lcp parents: diff changeset	20	writing \ML{} programs.
216d6ed87399 Initial revision lcp parents: diff changeset	21
216d6ed87399 Initial revision lcp parents: diff changeset	22	\section{Forward proof}
216d6ed87399 Initial revision lcp parents: diff changeset	23	\index{Isabelle!getting started}\index{ML}
216d6ed87399 Initial revision lcp parents: diff changeset	24	This section describes the concrete syntax for types, terms and theorems,
216d6ed87399 Initial revision lcp parents: diff changeset	25	and demonstrates forward proof.
216d6ed87399 Initial revision lcp parents: diff changeset	26
216d6ed87399 Initial revision lcp parents: diff changeset	27	\subsection{Lexical matters}
216d6ed87399 Initial revision lcp parents: diff changeset	28	\index{identifiers\|bold}\index{reserved words\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	29	An {\bf identifier} is a string of letters, digits, underscores~(\verb\|_\|)
216d6ed87399 Initial revision lcp parents: diff changeset	30	and single quotes~({\tt'}), beginning with a letter. Single quotes are
216d6ed87399 Initial revision lcp parents: diff changeset	31	regarded as primes; for instance {\tt x'} is read as~$x'$. Identifiers are
216d6ed87399 Initial revision lcp parents: diff changeset	32	separated by white space and special characters. {\bf Reserved words} are
216d6ed87399 Initial revision lcp parents: diff changeset	33	identifiers that appear in Isabelle syntax definitions.
216d6ed87399 Initial revision lcp parents: diff changeset	34
216d6ed87399 Initial revision lcp parents: diff changeset	35	An Isabelle theory can declare symbols composed of special characters, such
216d6ed87399 Initial revision lcp parents: diff changeset	36	as {\tt=}, {\tt==}, {\tt=>} and {\tt==>}. (The latter three are part of
216d6ed87399 Initial revision lcp parents: diff changeset	37	the syntax of the meta-logic.) Such symbols may be run together; thus if
216d6ed87399 Initial revision lcp parents: diff changeset	38	\verb\|}\| and \verb\|{\| are used for set brackets then \verb\|{{a},{a,b}}\| is
216d6ed87399 Initial revision lcp parents: diff changeset	39	valid notation for a set of sets --- but only if \verb\|}}\| and \verb\|{{\|
216d6ed87399 Initial revision lcp parents: diff changeset	40	have not been declared as symbols! The parser resolves any ambiguity by
216d6ed87399 Initial revision lcp parents: diff changeset	41	taking the longest possible symbol that has been declared. Thus the string
216d6ed87399 Initial revision lcp parents: diff changeset	42	{\tt==>} is read as a single symbol. But \hbox{\tt= =>} is read as two
216d6ed87399 Initial revision lcp parents: diff changeset	43	symbols, as is \verb\|}}\|, as discussed above.
216d6ed87399 Initial revision lcp parents: diff changeset	44
216d6ed87399 Initial revision lcp parents: diff changeset	45	Identifiers that are not reserved words may serve as free variables or
216d6ed87399 Initial revision lcp parents: diff changeset	46	constants. A type identifier consists of an identifier prefixed by a
216d6ed87399 Initial revision lcp parents: diff changeset	47	prime, for example {\tt'a} and \hbox{\tt'hello}. An unknown (or type
216d6ed87399 Initial revision lcp parents: diff changeset	48	unknown) consists of a question mark, an identifier (or type identifier),
216d6ed87399 Initial revision lcp parents: diff changeset	49	and a subscript. The subscript, a non-negative integer, allows the
216d6ed87399 Initial revision lcp parents: diff changeset	50	renaming of unknowns prior to unification.
216d6ed87399 Initial revision lcp parents: diff changeset	51
216d6ed87399 Initial revision lcp parents: diff changeset	52	The subscript may appear after the identifier, separated by a dot; this
216d6ed87399 Initial revision lcp parents: diff changeset	53	prevents ambiguity when the identifier ends with a digit. Thus {\tt?z6.0}
216d6ed87399 Initial revision lcp parents: diff changeset	54	has identifier \verb\|"z6"\| and subscript~0, while {\tt?a0.5} has identifier
216d6ed87399 Initial revision lcp parents: diff changeset	55	\verb\|"a0"\| and subscript~5. If the identifier does not end with a digit,
216d6ed87399 Initial revision lcp parents: diff changeset	56	then no dot appears and a subscript of~0 is omitted; for example,
216d6ed87399 Initial revision lcp parents: diff changeset	57	{\tt?hello} has identifier \verb\|"hello"\| and subscript zero, while
216d6ed87399 Initial revision lcp parents: diff changeset	58	{\tt?z6} has identifier \verb\|"z"\| and subscript~6. The same conventions
216d6ed87399 Initial revision lcp parents: diff changeset	59	apply to type unknowns. Note that the question mark is {\bf not} part of the
216d6ed87399 Initial revision lcp parents: diff changeset	60	identifier!
216d6ed87399 Initial revision lcp parents: diff changeset	61
216d6ed87399 Initial revision lcp parents: diff changeset	62
216d6ed87399 Initial revision lcp parents: diff changeset	63	\subsection{Syntax of types and terms}
216d6ed87399 Initial revision lcp parents: diff changeset	64	\index{Isabelle!syntax of}
216d6ed87399 Initial revision lcp parents: diff changeset	65	\index{classes!built-in\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	66	Classes are denoted by identifiers; the built-in class \ttindex{logic}
216d6ed87399 Initial revision lcp parents: diff changeset	67	contains the `logical' types. Sorts are lists of classes enclosed in
216d6ed87399 Initial revision lcp parents: diff changeset	68	braces~\{ and \}; singleton sorts may be abbreviated by dropping the braces.
216d6ed87399 Initial revision lcp parents: diff changeset	69
216d6ed87399 Initial revision lcp parents: diff changeset	70	\index{types!syntax\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	71	Types are written with a syntax like \ML's. The built-in type \ttindex{prop}
216d6ed87399 Initial revision lcp parents: diff changeset	72	is the type of propositions. Type variables can be constrained to particular
216d6ed87399 Initial revision lcp parents: diff changeset	73	classes or sorts, for example {\tt 'a::term} and {\tt ?'b::\{ord,arith\}}.
216d6ed87399 Initial revision lcp parents: diff changeset	74	\[\dquotes
216d6ed87399 Initial revision lcp parents: diff changeset	75	\begin{array}{lll}
216d6ed87399 Initial revision lcp parents: diff changeset	76	\multicolumn{3}{c}{\hbox{ASCII Notation for Types}} \\ \hline
216d6ed87399 Initial revision lcp parents: diff changeset	77	t "::" C & t :: C & \hbox{class constraint} \\
216d6ed87399 Initial revision lcp parents: diff changeset	78	t "::" "\{" C@1 "," \ldots "," C@n "\}" &
216d6ed87399 Initial revision lcp parents: diff changeset	79	t :: \{C@1,\dots,C@n\} & \hbox{sort constraint} \\
216d6ed87399 Initial revision lcp parents: diff changeset	80	\sigma"=>"\tau & \sigma\To\tau & \hbox{function type} \\
216d6ed87399 Initial revision lcp parents: diff changeset	81	"[" \sigma@1 "," \ldots "," \sigma@n "] => " \tau &
216d6ed87399 Initial revision lcp parents: diff changeset	82	[\sigma@1,\ldots,\sigma@n] \To\tau & \hbox{curried function type} \\
216d6ed87399 Initial revision lcp parents: diff changeset	83	"(" \tau@1"," \ldots "," \tau@n ")" tycon &
216d6ed87399 Initial revision lcp parents: diff changeset	84	(\tau@1, \ldots, \tau@n)tycon & \hbox{type construction}
216d6ed87399 Initial revision lcp parents: diff changeset	85	\end{array}
216d6ed87399 Initial revision lcp parents: diff changeset	86	\]
216d6ed87399 Initial revision lcp parents: diff changeset	87	Terms are those of the typed $\lambda$-calculus.
216d6ed87399 Initial revision lcp parents: diff changeset	88	\index{terms!syntax\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	89	\[\dquotes
216d6ed87399 Initial revision lcp parents: diff changeset	90	\begin{array}{lll}
216d6ed87399 Initial revision lcp parents: diff changeset	91	\multicolumn{3}{c}{\hbox{ASCII Notation for Terms}} \\ \hline
216d6ed87399 Initial revision lcp parents: diff changeset	92	t "::" \sigma & t :: \sigma & \hbox{type constraint} \\
216d6ed87399 Initial revision lcp parents: diff changeset	93	"\%" x "." t & \lambda x.t & \hbox{abstraction} \\
216d6ed87399 Initial revision lcp parents: diff changeset	94	"\%" x@1\ldots x@n "." t & \lambda x@1\ldots x@n.t &
216d6ed87399 Initial revision lcp parents: diff changeset	95	\hbox{curried abstraction} \\
216d6ed87399 Initial revision lcp parents: diff changeset	96	t "(" u@1"," \ldots "," u@n ")" &
216d6ed87399 Initial revision lcp parents: diff changeset	97	t (u@1, \ldots, u@n) & \hbox{curried application}
216d6ed87399 Initial revision lcp parents: diff changeset	98	\end{array}
216d6ed87399 Initial revision lcp parents: diff changeset	99	\]
216d6ed87399 Initial revision lcp parents: diff changeset	100	The theorems and rules of an object-logic are represented by theorems in
216d6ed87399 Initial revision lcp parents: diff changeset	101	the meta-logic, which are expressed using meta-formulae. Since the
216d6ed87399 Initial revision lcp parents: diff changeset	102	meta-logic is higher-order, meta-formulae~$\phi$, $\psi$, $\theta$,~\ldots{}
216d6ed87399 Initial revision lcp parents: diff changeset	103	are just terms of type~\ttindex{prop}.
216d6ed87399 Initial revision lcp parents: diff changeset	104	\index{meta-formulae!syntax\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	105	\[\dquotes
216d6ed87399 Initial revision lcp parents: diff changeset	106	\begin{array}{l@{\quad}l@{\quad}l}
216d6ed87399 Initial revision lcp parents: diff changeset	107	\multicolumn{3}{c}{\hbox{ASCII Notation for Meta-Formulae}} \\ \hline
216d6ed87399 Initial revision lcp parents: diff changeset	108	a " == " b & a\equiv b & \hbox{meta-equality} \\
216d6ed87399 Initial revision lcp parents: diff changeset	109	a " =?= " b & a\qeq b & \hbox{flex-flex constraint} \\
216d6ed87399 Initial revision lcp parents: diff changeset	110	\phi " ==> " \psi & \phi\Imp \psi & \hbox{meta-implication} \\
216d6ed87399 Initial revision lcp parents: diff changeset	111	"[\|" \phi@1 ";" \ldots ";" \phi@n "\|] ==> " \psi &
216d6ed87399 Initial revision lcp parents: diff changeset	112	\List{\phi@1;\ldots;\phi@n} \Imp \psi & \hbox{nested implication} \\
216d6ed87399 Initial revision lcp parents: diff changeset	113	"!!" x "." \phi & \Forall x.\phi & \hbox{meta-quantification} \\
216d6ed87399 Initial revision lcp parents: diff changeset	114	"!!" x@1\ldots x@n "." \phi &
216d6ed87399 Initial revision lcp parents: diff changeset	115	\Forall x@1. \ldots \Forall x@n.\phi & \hbox{nested quantification}
216d6ed87399 Initial revision lcp parents: diff changeset	116	\end{array}
216d6ed87399 Initial revision lcp parents: diff changeset	117	\]
216d6ed87399 Initial revision lcp parents: diff changeset	118	Flex-flex constraints are meta-equalities arising from unification; they
216d6ed87399 Initial revision lcp parents: diff changeset	119	require special treatment. See~\S\ref{flexflex}.
216d6ed87399 Initial revision lcp parents: diff changeset	120	\index{flex-flex equations}
216d6ed87399 Initial revision lcp parents: diff changeset	121
216d6ed87399 Initial revision lcp parents: diff changeset	122	Most logics define the implicit coercion $Trueprop$ from object-formulae to
216d6ed87399 Initial revision lcp parents: diff changeset	123	propositions.
216d6ed87399 Initial revision lcp parents: diff changeset	124	\index{Trueprop@{$Trueprop$}}
216d6ed87399 Initial revision lcp parents: diff changeset	125	This could cause an ambiguity: in $P\Imp Q$, do the variables $P$ and $Q$
216d6ed87399 Initial revision lcp parents: diff changeset	126	stand for meta-formulae or object-formulae? If the latter, $P\Imp Q$
216d6ed87399 Initial revision lcp parents: diff changeset	127	really abbreviates $Trueprop(P)\Imp Trueprop(Q)$. To prevent such
216d6ed87399 Initial revision lcp parents: diff changeset	128	ambiguities, Isabelle's syntax does not allow a meta-formula to consist of
216d6ed87399 Initial revision lcp parents: diff changeset	129	a variable. Variables of type~\ttindex{prop} are seldom useful, but you
216d6ed87399 Initial revision lcp parents: diff changeset	130	can make a variable stand for a meta-formula by prefixing it with the
216d6ed87399 Initial revision lcp parents: diff changeset	131	keyword \ttindex{PROP}:
216d6ed87399 Initial revision lcp parents: diff changeset	132	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	133	PROP ?psi ==> PROP ?theta
216d6ed87399 Initial revision lcp parents: diff changeset	134	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	135
216d6ed87399 Initial revision lcp parents: diff changeset	136	Symbols of object-logics also must be rendered into {\sc ascii}, typically
216d6ed87399 Initial revision lcp parents: diff changeset	137	as follows:
216d6ed87399 Initial revision lcp parents: diff changeset	138	\[ \begin{tabular}{l@{\quad}l@{\quad}l}
216d6ed87399 Initial revision lcp parents: diff changeset	139	\tt True & $\top$ & true \\
216d6ed87399 Initial revision lcp parents: diff changeset	140	\tt False & $\bot$ & false \\
216d6ed87399 Initial revision lcp parents: diff changeset	141	\tt $P$ \& $Q$ & $P\conj Q$ & conjunction \\
216d6ed87399 Initial revision lcp parents: diff changeset	142	\tt $P$ \| $Q$ & $P\disj Q$ & disjunction \\
216d6ed87399 Initial revision lcp parents: diff changeset	143	\verb'~' $P$ & $\neg P$ & negation \\
216d6ed87399 Initial revision lcp parents: diff changeset	144	\tt $P$ --> $Q$ & $P\imp Q$ & implication \\
216d6ed87399 Initial revision lcp parents: diff changeset	145	\tt $P$ <-> $Q$ & $P\bimp Q$ & bi-implication \\
216d6ed87399 Initial revision lcp parents: diff changeset	146	\tt ALL $x\,y\,z$ .\ $P$ & $\forall x\,y\,z.P$ & for all \\
216d6ed87399 Initial revision lcp parents: diff changeset	147	\tt EX $x\,y\,z$ .\ $P$ & $\exists x\,y\,z.P$ & there exists
216d6ed87399 Initial revision lcp parents: diff changeset	148	\end{tabular}
216d6ed87399 Initial revision lcp parents: diff changeset	149	\]
216d6ed87399 Initial revision lcp parents: diff changeset	150	To illustrate the notation, consider two axioms for first-order logic:
216d6ed87399 Initial revision lcp parents: diff changeset	151	$$ \List{P; Q} \Imp P\conj Q \eqno(\conj I) $$
216d6ed87399 Initial revision lcp parents: diff changeset	152	$$ \List{\exists x.P(x); \Forall x. P(x)\imp Q} \Imp Q \eqno(\exists E) $$
216d6ed87399 Initial revision lcp parents: diff changeset	153	Using the {\tt [\|\ldots\|]} shorthand, $({\conj}I)$ translates literally into
216d6ed87399 Initial revision lcp parents: diff changeset	154	{\sc ascii} characters as
216d6ed87399 Initial revision lcp parents: diff changeset	155	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	156	[\| ?P; ?Q \|] ==> ?P & ?Q
216d6ed87399 Initial revision lcp parents: diff changeset	157	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	158	The schematic variables let unification instantiate the rule. To
216d6ed87399 Initial revision lcp parents: diff changeset	159	avoid cluttering rules with question marks, Isabelle converts any free
216d6ed87399 Initial revision lcp parents: diff changeset	160	variables in a rule to schematic variables; we normally write $({\conj}I)$ as
216d6ed87399 Initial revision lcp parents: diff changeset	161	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	162	[\| P; Q \|] ==> P & Q
216d6ed87399 Initial revision lcp parents: diff changeset	163	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	164	This variables convention agrees with the treatment of variables in goals.
216d6ed87399 Initial revision lcp parents: diff changeset	165	Free variables in a goal remain fixed throughout the proof. After the
216d6ed87399 Initial revision lcp parents: diff changeset	166	proof is finished, Isabelle converts them to scheme variables in the
216d6ed87399 Initial revision lcp parents: diff changeset	167	resulting theorem. Scheme variables in a goal may be replaced by terms
216d6ed87399 Initial revision lcp parents: diff changeset	168	during the proof, supporting answer extraction, program synthesis, and so
216d6ed87399 Initial revision lcp parents: diff changeset	169	forth.
216d6ed87399 Initial revision lcp parents: diff changeset	170
216d6ed87399 Initial revision lcp parents: diff changeset	171	For a final example, the rule $(\exists E)$ is rendered in {\sc ascii} as
216d6ed87399 Initial revision lcp parents: diff changeset	172	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	173	[\| EX x.P(x); !!x. P(x) ==> Q \|] ==> Q
216d6ed87399 Initial revision lcp parents: diff changeset	174	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	175
216d6ed87399 Initial revision lcp parents: diff changeset	176
216d6ed87399 Initial revision lcp parents: diff changeset	177	\subsection{Basic operations on theorems}
216d6ed87399 Initial revision lcp parents: diff changeset	178	\index{theorems!basic operations on\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	179	\index{LCF}
216d6ed87399 Initial revision lcp parents: diff changeset	180	Meta-level theorems have type \ttindex{thm} and represent the theorems and
216d6ed87399 Initial revision lcp parents: diff changeset	181	inference rules of object-logics. Isabelle's meta-logic is implemented
216d6ed87399 Initial revision lcp parents: diff changeset	182	using the {\sc lcf} approach: each meta-level inference rule is represented by
216d6ed87399 Initial revision lcp parents: diff changeset	183	a function from theorems to theorems. Object-level rules are taken as
216d6ed87399 Initial revision lcp parents: diff changeset	184	axioms.
216d6ed87399 Initial revision lcp parents: diff changeset	185
216d6ed87399 Initial revision lcp parents: diff changeset	186	The main theorem printing commands are {\tt prth}, {\tt prths} and~{\tt
216d6ed87399 Initial revision lcp parents: diff changeset	187	prthq}. Of the other operations on theorems, most useful are {\tt RS}
216d6ed87399 Initial revision lcp parents: diff changeset	188	and {\tt RSN}, which perform resolution.
216d6ed87399 Initial revision lcp parents: diff changeset	189
216d6ed87399 Initial revision lcp parents: diff changeset	190	\index{printing commands\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	191	\begin{description}
216d6ed87399 Initial revision lcp parents: diff changeset	192	\item[\ttindexbold{prth} {\it thm}] pretty-prints {\it thm\/} at the terminal.
216d6ed87399 Initial revision lcp parents: diff changeset	193
216d6ed87399 Initial revision lcp parents: diff changeset	194	\item[\ttindexbold{prths} {\it thms}] pretty-prints {\it thms}, a list of
216d6ed87399 Initial revision lcp parents: diff changeset	195	theorems.
216d6ed87399 Initial revision lcp parents: diff changeset	196
216d6ed87399 Initial revision lcp parents: diff changeset	197	\item[\ttindexbold{prthq} {\it thmq}] pretty-prints {\it thmq}, a sequence of
216d6ed87399 Initial revision lcp parents: diff changeset	198	theorems; this is useful for inspecting the output of a tactic.
216d6ed87399 Initial revision lcp parents: diff changeset	199
216d6ed87399 Initial revision lcp parents: diff changeset	200	\item[\tt$thm1$ RS $thm2$] \indexbold{*RS} resolves the conclusion of $thm1$
216d6ed87399 Initial revision lcp parents: diff changeset	201	with the first premise of~$thm2$.
216d6ed87399 Initial revision lcp parents: diff changeset	202
216d6ed87399 Initial revision lcp parents: diff changeset	203	\item[\tt$thm1$ RSN $(i,thm2)$] \indexbold{*RSN} resolves the conclusion of $thm1$
216d6ed87399 Initial revision lcp parents: diff changeset	204	with the $i$th premise of~$thm2$.
216d6ed87399 Initial revision lcp parents: diff changeset	205
216d6ed87399 Initial revision lcp parents: diff changeset	206	\item[\ttindexbold{standard} $thm$] puts $thm$ into a standard
216d6ed87399 Initial revision lcp parents: diff changeset	207	format. It also renames schematic variables to have subscript zero,
216d6ed87399 Initial revision lcp parents: diff changeset	208	improving readability and reducing subscript growth.
216d6ed87399 Initial revision lcp parents: diff changeset	209	\end{description}
216d6ed87399 Initial revision lcp parents: diff changeset	210	\index{ML}
216d6ed87399 Initial revision lcp parents: diff changeset	211	The rules of a theory are normally bound to \ML\ identifiers. Suppose we
216d6ed87399 Initial revision lcp parents: diff changeset	212	are running an Isabelle session containing natural deduction first-order
216d6ed87399 Initial revision lcp parents: diff changeset	213	logic. Let us try an example given in~\S\ref{joining}. We first print
216d6ed87399 Initial revision lcp parents: diff changeset	214	\ttindex{mp}, which is the rule~$({\imp}E)$, then resolve it with itself.
216d6ed87399 Initial revision lcp parents: diff changeset	215	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	216	prth mp;
216d6ed87399 Initial revision lcp parents: diff changeset	217	{\out [\| ?P --> ?Q; ?P \|] ==> ?Q}
216d6ed87399 Initial revision lcp parents: diff changeset	218	{\out val it = "[\| ?P --> ?Q; ?P \|] ==> ?Q" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	219	prth (mp RS mp);
216d6ed87399 Initial revision lcp parents: diff changeset	220	{\out [\| ?P1 --> ?P --> ?Q; ?P1; ?P \|] ==> ?Q}
216d6ed87399 Initial revision lcp parents: diff changeset	221	{\out val it = "[\| ?P1 --> ?P --> ?Q; ?P1; ?P \|] ==> ?Q" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	222	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	223	In the Isabelle documentation, user's input appears in {\tt typewriter
216d6ed87399 Initial revision lcp parents: diff changeset	224	characters}, and output appears in {\sltt slanted typewriter characters}.
216d6ed87399 Initial revision lcp parents: diff changeset	225	\ML's response {\out val }~\ldots{} is compiler-dependent and will
216d6ed87399 Initial revision lcp parents: diff changeset	226	sometimes be suppressed. This session illustrates two formats for the
216d6ed87399 Initial revision lcp parents: diff changeset	227	display of theorems. Isabelle's top-level displays theorems as ML values,
216d6ed87399 Initial revision lcp parents: diff changeset	228	enclosed in quotes.\footnote{This works under both Poly/ML and Standard ML
216d6ed87399 Initial revision lcp parents: diff changeset	229	of New Jersey.} Printing functions like {\tt prth} omit the quotes and
216d6ed87399 Initial revision lcp parents: diff changeset	230	the surrounding {\tt val \ldots :\ thm}.
216d6ed87399 Initial revision lcp parents: diff changeset	231
216d6ed87399 Initial revision lcp parents: diff changeset	232	To contrast {\tt RS} with {\tt RSN}, we resolve
216d6ed87399 Initial revision lcp parents: diff changeset	233	\ttindex{conjunct1}, which stands for~$(\conj E1)$, with~\ttindex{mp}.
216d6ed87399 Initial revision lcp parents: diff changeset	234	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	235	conjunct1 RS mp;
216d6ed87399 Initial revision lcp parents: diff changeset	236	{\out val it = "[\| (?P --> ?Q) & ?Q1; ?P \|] ==> ?Q" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	237	conjunct1 RSN (2,mp);
216d6ed87399 Initial revision lcp parents: diff changeset	238	{\out val it = "[\| ?P --> ?Q; ?P & ?Q1 \|] ==> ?Q" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	239	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	240	These correspond to the following proofs:
216d6ed87399 Initial revision lcp parents: diff changeset	241	\[ \infer[({\imp}E)]{Q}{\infer[({\conj}E1)]{P\imp Q}{(P\imp Q)\conj Q@1} & P}
216d6ed87399 Initial revision lcp parents: diff changeset	242	\qquad
216d6ed87399 Initial revision lcp parents: diff changeset	243	\infer[({\imp}E)]{Q}{P\imp Q & \infer[({\conj}E1)]{P}{P\conj Q@1}}
216d6ed87399 Initial revision lcp parents: diff changeset	244	\]
216d6ed87399 Initial revision lcp parents: diff changeset	245	The printing commands return their argument; the \ML{} identifier~{\tt it}
216d6ed87399 Initial revision lcp parents: diff changeset	246	denotes the value just printed. You may derive a rule by pasting other
216d6ed87399 Initial revision lcp parents: diff changeset	247	rules together. Below, \ttindex{spec} stands for~$(\forall E)$:
216d6ed87399 Initial revision lcp parents: diff changeset	248	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	249	spec;
216d6ed87399 Initial revision lcp parents: diff changeset	250	{\out val it = "ALL x. ?P(x) ==> ?P(?x)" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	251	it RS mp;
216d6ed87399 Initial revision lcp parents: diff changeset	252	{\out val it = "[\| ALL x. ?P3(x) --> ?Q2(x); ?P3(?x1) \|] ==> ?Q2(?x1)" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	253	it RS conjunct1;
216d6ed87399 Initial revision lcp parents: diff changeset	254	{\out val it = "[\| ALL x. ?P4(x) --> ?P6(x) & ?Q5(x); ?P4(?x2) \|] ==> ?P6(?x2)"}
216d6ed87399 Initial revision lcp parents: diff changeset	255	standard it;
216d6ed87399 Initial revision lcp parents: diff changeset	256	{\out val it = "[\| ALL x. ?P(x) --> ?Pa(x) & ?Q(x); ?P(?x) \|] ==> ?Pa(?x)"}
216d6ed87399 Initial revision lcp parents: diff changeset	257	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	258	By resolving $(\forall E)$ with (${\imp}E)$ and (${\conj}E1)$, we have
216d6ed87399 Initial revision lcp parents: diff changeset	259	derived a destruction rule for formulae of the form $\forall x.
216d6ed87399 Initial revision lcp parents: diff changeset	260	P(x)\imp(Q(x)\conj R(x))$. Used with destruct-resolution, such specialized
216d6ed87399 Initial revision lcp parents: diff changeset	261	rules provide a way of referring to particular assumptions.
216d6ed87399 Initial revision lcp parents: diff changeset	262
216d6ed87399 Initial revision lcp parents: diff changeset	263	\subsection{Flex-flex equations} \label{flexflex}
216d6ed87399 Initial revision lcp parents: diff changeset	264	\index{flex-flex equations\|bold}\index{unknowns!of function type}
216d6ed87399 Initial revision lcp parents: diff changeset	265	In higher-order unification, {\bf flex-flex} equations are those where both
216d6ed87399 Initial revision lcp parents: diff changeset	266	sides begin with a function unknown, such as $\Var{f}(0)\qeq\Var{g}(0)$.
216d6ed87399 Initial revision lcp parents: diff changeset	267	They admit a trivial unifier, here $\Var{f}\equiv \lambda x.\Var{a}$ and
216d6ed87399 Initial revision lcp parents: diff changeset	268	$\Var{g}\equiv \lambda y.\Var{a}$, where $\Var{a}$ is a new unknown. They
216d6ed87399 Initial revision lcp parents: diff changeset	269	admit many other unifiers, such as $\Var{f} \equiv \lambda x.\Var{g}(0)$
216d6ed87399 Initial revision lcp parents: diff changeset	270	and $\{\Var{f} \equiv \lambda x.x,\, \Var{g} \equiv \lambda x.0\}$. Huet's
216d6ed87399 Initial revision lcp parents: diff changeset	271	procedure does not enumerate the unifiers; instead, it retains flex-flex
216d6ed87399 Initial revision lcp parents: diff changeset	272	equations as constraints on future unifications. Flex-flex constraints
216d6ed87399 Initial revision lcp parents: diff changeset	273	occasionally become attached to a proof state; more frequently, they appear
216d6ed87399 Initial revision lcp parents: diff changeset	274	during use of {\tt RS} and~{\tt RSN}:
216d6ed87399 Initial revision lcp parents: diff changeset	275	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	276	refl;
216d6ed87399 Initial revision lcp parents: diff changeset	277	{\out val it = "?a = ?a" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	278	exI;
216d6ed87399 Initial revision lcp parents: diff changeset	279	{\out val it = "?P(?x) ==> EX x. ?P(x)" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	280	refl RS exI;
216d6ed87399 Initial revision lcp parents: diff changeset	281	{\out val it = "?a3(?x) =?= ?a2(?x) ==> EX x. ?a3(x) = ?a2(x)" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	282	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	283
216d6ed87399 Initial revision lcp parents: diff changeset	284	\noindent
216d6ed87399 Initial revision lcp parents: diff changeset	285	Renaming variables, this is $\exists x.\Var{f}(x)=\Var{g}(x)$ with
216d6ed87399 Initial revision lcp parents: diff changeset	286	the constraint ${\Var{f}(\Var{u})\qeq\Var{g}(\Var{u})}$. Instances
216d6ed87399 Initial revision lcp parents: diff changeset	287	satisfying the constraint include $\exists x.\Var{f}(x)=\Var{f}(x)$ and
216d6ed87399 Initial revision lcp parents: diff changeset	288	$\exists x.x=\Var{u}$. Calling \ttindex{flexflex_rule} removes all
216d6ed87399 Initial revision lcp parents: diff changeset	289	constraints by applying the trivial unifier:\index{*prthq}
216d6ed87399 Initial revision lcp parents: diff changeset	290	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	291	prthq (flexflex_rule it);
216d6ed87399 Initial revision lcp parents: diff changeset	292	{\out EX x. ?a4 = ?a4}
216d6ed87399 Initial revision lcp parents: diff changeset	293	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	294	Isabelle simplifies flex-flex equations to eliminate redundant bound
216d6ed87399 Initial revision lcp parents: diff changeset	295	variables. In $\lambda x\,y.\Var{f}(k(y),x) \qeq \lambda x\,y.\Var{g}(y)$,
216d6ed87399 Initial revision lcp parents: diff changeset	296	there is no bound occurrence of~$x$ on the right side; thus, there will be
216d6ed87399 Initial revision lcp parents: diff changeset	297	none on the left, in a common instance of these terms. Choosing a new
216d6ed87399 Initial revision lcp parents: diff changeset	298	variable~$\Var{h}$, Isabelle assigns $\Var{f}\equiv \lambda u\,v.?h(u)$,
216d6ed87399 Initial revision lcp parents: diff changeset	299	simplifying the left side to $\lambda x\,y.\Var{h}(k(y))$. Dropping $x$
216d6ed87399 Initial revision lcp parents: diff changeset	300	from the equation leaves $\lambda y.\Var{h}(k(y)) \qeq \lambda
216d6ed87399 Initial revision lcp parents: diff changeset	301	y.\Var{g}(y)$. By $\eta$-conversion, this simplifies to the assignment
216d6ed87399 Initial revision lcp parents: diff changeset	302	$\Var{g}\equiv\lambda y.?h(k(y))$.
216d6ed87399 Initial revision lcp parents: diff changeset	303
216d6ed87399 Initial revision lcp parents: diff changeset	304	\begin{warn}
216d6ed87399 Initial revision lcp parents: diff changeset	305	\ttindex{RS} and \ttindex{RSN} fail (by raising exception {\tt THM}) unless
216d6ed87399 Initial revision lcp parents: diff changeset	306	the resolution delivers {\bf exactly one} resolvent. For multiple results,
216d6ed87399 Initial revision lcp parents: diff changeset	307	use \ttindex{RL} and \ttindex{RLN}, which operate on theorem lists. The
216d6ed87399 Initial revision lcp parents: diff changeset	308	following example uses \ttindex{read_instantiate} to create an instance
216d6ed87399 Initial revision lcp parents: diff changeset	309	of \ttindex{refl} containing no schematic variables.
216d6ed87399 Initial revision lcp parents: diff changeset	310	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	311	val reflk = read_instantiate [("a","k")] refl;
216d6ed87399 Initial revision lcp parents: diff changeset	312	{\out val reflk = "k = k" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	313	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	314
216d6ed87399 Initial revision lcp parents: diff changeset	315	\noindent
216d6ed87399 Initial revision lcp parents: diff changeset	316	A flex-flex constraint is no longer possible; resolution does not find a
216d6ed87399 Initial revision lcp parents: diff changeset	317	unique unifier:
216d6ed87399 Initial revision lcp parents: diff changeset	318	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	319	reflk RS exI;
216d6ed87399 Initial revision lcp parents: diff changeset	320	{\out uncaught exception THM}
216d6ed87399 Initial revision lcp parents: diff changeset	321	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	322	Using \ttindex{RL} this time, we discover that there are four unifiers, and
216d6ed87399 Initial revision lcp parents: diff changeset	323	four resolvents:
216d6ed87399 Initial revision lcp parents: diff changeset	324	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	325	[reflk] RL [exI];
216d6ed87399 Initial revision lcp parents: diff changeset	326	{\out val it = ["EX x. x = x", "EX x. k = x",}
216d6ed87399 Initial revision lcp parents: diff changeset	327	{\out "EX x. x = k", "EX x. k = k"] : thm list}
216d6ed87399 Initial revision lcp parents: diff changeset	328	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	329	\end{warn}
216d6ed87399 Initial revision lcp parents: diff changeset	330
216d6ed87399 Initial revision lcp parents: diff changeset	331
216d6ed87399 Initial revision lcp parents: diff changeset	332	\section{Backward proof}
216d6ed87399 Initial revision lcp parents: diff changeset	333	Although {\tt RS} and {\tt RSN} are fine for simple forward reasoning,
216d6ed87399 Initial revision lcp parents: diff changeset	334	large proofs require tactics. Isabelle provides a suite of commands for
216d6ed87399 Initial revision lcp parents: diff changeset	335	conducting a backward proof using tactics.
216d6ed87399 Initial revision lcp parents: diff changeset	336
216d6ed87399 Initial revision lcp parents: diff changeset	337	\subsection{The basic tactics}
216d6ed87399 Initial revision lcp parents: diff changeset	338	\index{tactics!basic\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	339	The tactics {\tt assume_tac}, {\tt
216d6ed87399 Initial revision lcp parents: diff changeset	340	resolve_tac}, {\tt eresolve_tac}, and {\tt dresolve_tac} suffice for most
216d6ed87399 Initial revision lcp parents: diff changeset	341	single-step proofs. Although {\tt eresolve_tac} and {\tt dresolve_tac} are
216d6ed87399 Initial revision lcp parents: diff changeset	342	not strictly necessary, they simplify proofs involving elimination and
216d6ed87399 Initial revision lcp parents: diff changeset	343	destruction rules. All the tactics act on a subgoal designated by a
216d6ed87399 Initial revision lcp parents: diff changeset	344	positive integer~$i$, failing if~$i$ is out of range. The resolution
216d6ed87399 Initial revision lcp parents: diff changeset	345	tactics try their list of theorems in left-to-right order.
216d6ed87399 Initial revision lcp parents: diff changeset	346
216d6ed87399 Initial revision lcp parents: diff changeset	347	\begin{description}
216d6ed87399 Initial revision lcp parents: diff changeset	348	\item[\ttindexbold{assume_tac} {\it i}] is the tactic that attempts to solve
216d6ed87399 Initial revision lcp parents: diff changeset	349	subgoal~$i$ by assumption. Proof by assumption is not a trivial step; it
216d6ed87399 Initial revision lcp parents: diff changeset	350	can falsify other subgoals by instantiating shared variables. There may be
216d6ed87399 Initial revision lcp parents: diff changeset	351	several ways of solving the subgoal by assumption.
216d6ed87399 Initial revision lcp parents: diff changeset	352
216d6ed87399 Initial revision lcp parents: diff changeset	353	\item[\ttindexbold{resolve_tac} {\it thms} {\it i}]
216d6ed87399 Initial revision lcp parents: diff changeset	354	is the basic resolution tactic, used for most proof steps. The $thms$
216d6ed87399 Initial revision lcp parents: diff changeset	355	represent object-rules, which are resolved against subgoal~$i$ of the proof
216d6ed87399 Initial revision lcp parents: diff changeset	356	state. For each rule, resolution forms next states by unifying the
216d6ed87399 Initial revision lcp parents: diff changeset	357	conclusion with the subgoal and inserting instantiated premises in its
216d6ed87399 Initial revision lcp parents: diff changeset	358	place. A rule can admit many higher-order unifiers. The tactic fails if
216d6ed87399 Initial revision lcp parents: diff changeset	359	none of the rules generates next states.
216d6ed87399 Initial revision lcp parents: diff changeset	360
216d6ed87399 Initial revision lcp parents: diff changeset	361	\item[\ttindexbold{eresolve_tac} {\it thms} {\it i}]
216d6ed87399 Initial revision lcp parents: diff changeset	362	performs elim-resolution. Like
216d6ed87399 Initial revision lcp parents: diff changeset	363	\hbox{\tt resolve_tac {\it thms} {\it i}} followed by \hbox{\tt assume_tac
216d6ed87399 Initial revision lcp parents: diff changeset	364	{\it i}}, it applies a rule then solves its first premise by assumption.
216d6ed87399 Initial revision lcp parents: diff changeset	365	But {\tt eresolve_tac} additionally deletes that assumption from any
216d6ed87399 Initial revision lcp parents: diff changeset	366	subgoals arising from the resolution.
216d6ed87399 Initial revision lcp parents: diff changeset	367
216d6ed87399 Initial revision lcp parents: diff changeset	368
216d6ed87399 Initial revision lcp parents: diff changeset	369	\item[\ttindexbold{dresolve_tac} {\it thms} {\it i}]
216d6ed87399 Initial revision lcp parents: diff changeset	370	performs destruct-resolution with the~$thms$, as described
216d6ed87399 Initial revision lcp parents: diff changeset	371	in~\S\ref{destruct}. It is useful for forward reasoning from the
216d6ed87399 Initial revision lcp parents: diff changeset	372	assumptions.
216d6ed87399 Initial revision lcp parents: diff changeset	373	\end{description}
216d6ed87399 Initial revision lcp parents: diff changeset	374
216d6ed87399 Initial revision lcp parents: diff changeset	375	\subsection{Commands for backward proof}
216d6ed87399 Initial revision lcp parents: diff changeset	376	\index{proof!commands for\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	377	Tactics are normally applied using the subgoal module, which maintains a
216d6ed87399 Initial revision lcp parents: diff changeset	378	proof state and manages the proof construction. It allows interactive
216d6ed87399 Initial revision lcp parents: diff changeset	379	backtracking through the proof space, going away to prove lemmas, etc.; of
216d6ed87399 Initial revision lcp parents: diff changeset	380	its many commands, most important are the following:
216d6ed87399 Initial revision lcp parents: diff changeset	381	\begin{description}
216d6ed87399 Initial revision lcp parents: diff changeset	382	\item[\ttindexbold{goal} {\it theory} {\it formula}; ]
216d6ed87399 Initial revision lcp parents: diff changeset	383	begins a new proof, where $theory$ is usually an \ML\ identifier
216d6ed87399 Initial revision lcp parents: diff changeset	384	and the {\it formula\/} is written as an \ML\ string.
216d6ed87399 Initial revision lcp parents: diff changeset	385
216d6ed87399 Initial revision lcp parents: diff changeset	386	\item[\ttindexbold{by} {\it tactic}; ]
216d6ed87399 Initial revision lcp parents: diff changeset	387	applies the {\it tactic\/} to the current proof
216d6ed87399 Initial revision lcp parents: diff changeset	388	state, raising an exception if the tactic fails.
216d6ed87399 Initial revision lcp parents: diff changeset	389
216d6ed87399 Initial revision lcp parents: diff changeset	390	\item[\ttindexbold{undo}(); ]
216d6ed87399 Initial revision lcp parents: diff changeset	391	reverts to the previous proof state. Undo can be repeated but cannot be
216d6ed87399 Initial revision lcp parents: diff changeset	392	undone. Do not omit the parentheses; typing {\tt undo;} merely causes \ML\
216d6ed87399 Initial revision lcp parents: diff changeset	393	to echo the value of that function.
216d6ed87399 Initial revision lcp parents: diff changeset	394
216d6ed87399 Initial revision lcp parents: diff changeset	395	\item[\ttindexbold{result}()]
216d6ed87399 Initial revision lcp parents: diff changeset	396	returns the theorem just proved, in a standard format. It fails if
216d6ed87399 Initial revision lcp parents: diff changeset	397	unproved subgoals are left or if the main goal does not match the one you
216d6ed87399 Initial revision lcp parents: diff changeset	398	started with.
216d6ed87399 Initial revision lcp parents: diff changeset	399	\end{description}
216d6ed87399 Initial revision lcp parents: diff changeset	400	The commands and tactics given above are cumbersome for interactive use.
216d6ed87399 Initial revision lcp parents: diff changeset	401	Although our examples will use the full commands, you may prefer Isabelle's
216d6ed87399 Initial revision lcp parents: diff changeset	402	shortcuts:
216d6ed87399 Initial revision lcp parents: diff changeset	403	\begin{center} \tt
216d6ed87399 Initial revision lcp parents: diff changeset	404	\indexbold{br} \indexbold{be} \indexbold{bd} \indexbold{ba}
216d6ed87399 Initial revision lcp parents: diff changeset	405	\begin{tabular}{l@{\qquad\rm abbreviates\qquad}l}
216d6ed87399 Initial revision lcp parents: diff changeset	406	ba {\it i}; & by (assume_tac {\it i}); \\
216d6ed87399 Initial revision lcp parents: diff changeset	407
216d6ed87399 Initial revision lcp parents: diff changeset	408	br {\it thm} {\it i}; & by (resolve_tac [{\it thm}] {\it i}); \\
216d6ed87399 Initial revision lcp parents: diff changeset	409
216d6ed87399 Initial revision lcp parents: diff changeset	410	be {\it thm} {\it i}; & by (eresolve_tac [{\it thm}] {\it i}); \\
216d6ed87399 Initial revision lcp parents: diff changeset	411
216d6ed87399 Initial revision lcp parents: diff changeset	412	bd {\it thm} {\it i}; & by (dresolve_tac [{\it thm}] {\it i});
216d6ed87399 Initial revision lcp parents: diff changeset	413	\end{tabular}
216d6ed87399 Initial revision lcp parents: diff changeset	414	\end{center}
216d6ed87399 Initial revision lcp parents: diff changeset	415
216d6ed87399 Initial revision lcp parents: diff changeset	416	\subsection{A trivial example in propositional logic}
216d6ed87399 Initial revision lcp parents: diff changeset	417	\index{examples!propositional}
216d6ed87399 Initial revision lcp parents: diff changeset	418	Directory {\tt FOL} of the Isabelle distribution defines the \ML\
216d6ed87399 Initial revision lcp parents: diff changeset	419	identifier~\ttindex{FOL.thy}, which denotes the theory of first-order
216d6ed87399 Initial revision lcp parents: diff changeset	420	logic. Let us try the example from~\S\ref{prop-proof}, entering the goal
216d6ed87399 Initial revision lcp parents: diff changeset	421	$P\disj P\imp P$ in that theory.\footnote{To run these examples, see the
216d6ed87399 Initial revision lcp parents: diff changeset	422	file {\tt FOL/ex/intro.ML}.}
216d6ed87399 Initial revision lcp parents: diff changeset	423	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	424	goal FOL.thy "P\|P --> P";
216d6ed87399 Initial revision lcp parents: diff changeset	425	{\out Level 0}
216d6ed87399 Initial revision lcp parents: diff changeset	426	{\out P \| P --> P}
216d6ed87399 Initial revision lcp parents: diff changeset	427	{\out 1. P \| P --> P}
216d6ed87399 Initial revision lcp parents: diff changeset	428	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	429	Isabelle responds by printing the initial proof state, which has $P\disj
216d6ed87399 Initial revision lcp parents: diff changeset	430	P\imp P$ as the main goal and the only subgoal. The \bfindex{level} of the
216d6ed87399 Initial revision lcp parents: diff changeset	431	state is the number of {\tt by} commands that have been applied to reach
216d6ed87399 Initial revision lcp parents: diff changeset	432	it. We now use \ttindex{resolve_tac} to apply the rule \ttindex{impI},
216d6ed87399 Initial revision lcp parents: diff changeset	433	or~$({\imp}I)$, to subgoal~1:
216d6ed87399 Initial revision lcp parents: diff changeset	434	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	435	by (resolve_tac [impI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	436	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	437	{\out P \| P --> P}
216d6ed87399 Initial revision lcp parents: diff changeset	438	{\out 1. P \| P ==> P}
216d6ed87399 Initial revision lcp parents: diff changeset	439	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	440	In the new proof state, subgoal~1 is $P$ under the assumption $P\disj P$.
216d6ed87399 Initial revision lcp parents: diff changeset	441	(The meta-implication {\tt==>} indicates assumptions.) We apply
216d6ed87399 Initial revision lcp parents: diff changeset	442	\ttindex{disjE}, or~(${\disj}E)$, to that subgoal:
216d6ed87399 Initial revision lcp parents: diff changeset	443	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	444	by (resolve_tac [disjE] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	445	{\out Level 2}
216d6ed87399 Initial revision lcp parents: diff changeset	446	{\out P \| P --> P}
216d6ed87399 Initial revision lcp parents: diff changeset	447	{\out 1. P \| P ==> ?P1 \| ?Q1}
216d6ed87399 Initial revision lcp parents: diff changeset	448	{\out 2. [\| P \| P; ?P1 \|] ==> P}
216d6ed87399 Initial revision lcp parents: diff changeset	449	{\out 3. [\| P \| P; ?Q1 \|] ==> P}
216d6ed87399 Initial revision lcp parents: diff changeset	450	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	451	At Level~2 there are three subgoals, each provable by
216d6ed87399 Initial revision lcp parents: diff changeset	452	assumption. We deviate from~\S\ref{prop-proof} by tackling subgoal~3
216d6ed87399 Initial revision lcp parents: diff changeset	453	first, using \ttindex{assume_tac}. This updates {\tt?Q1} to~{\tt P}.
216d6ed87399 Initial revision lcp parents: diff changeset	454	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	455	by (assume_tac 3);
216d6ed87399 Initial revision lcp parents: diff changeset	456	{\out Level 3}
216d6ed87399 Initial revision lcp parents: diff changeset	457	{\out P \| P --> P}
216d6ed87399 Initial revision lcp parents: diff changeset	458	{\out 1. P \| P ==> ?P1 \| P}
216d6ed87399 Initial revision lcp parents: diff changeset	459	{\out 2. [\| P \| P; ?P1 \|] ==> P}
216d6ed87399 Initial revision lcp parents: diff changeset	460	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	461	Next we tackle subgoal~2, instantiating {\tt?P1} to~{\tt P}.
216d6ed87399 Initial revision lcp parents: diff changeset	462	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	463	by (assume_tac 2);
216d6ed87399 Initial revision lcp parents: diff changeset	464	{\out Level 4}
216d6ed87399 Initial revision lcp parents: diff changeset	465	{\out P \| P --> P}
216d6ed87399 Initial revision lcp parents: diff changeset	466	{\out 1. P \| P ==> P \| P}
216d6ed87399 Initial revision lcp parents: diff changeset	467	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	468	Lastly we prove the remaining subgoal by assumption:
216d6ed87399 Initial revision lcp parents: diff changeset	469	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	470	by (assume_tac 1);
216d6ed87399 Initial revision lcp parents: diff changeset	471	{\out Level 5}
216d6ed87399 Initial revision lcp parents: diff changeset	472	{\out P \| P --> P}
216d6ed87399 Initial revision lcp parents: diff changeset	473	{\out No subgoals!}
216d6ed87399 Initial revision lcp parents: diff changeset	474	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	475	Isabelle tells us that there are no longer any subgoals: the proof is
216d6ed87399 Initial revision lcp parents: diff changeset	476	complete. Calling \ttindex{result} returns the theorem.
216d6ed87399 Initial revision lcp parents: diff changeset	477	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	478	val mythm = result();
216d6ed87399 Initial revision lcp parents: diff changeset	479	{\out val mythm = "?P \| ?P --> ?P" : thm}
216d6ed87399 Initial revision lcp parents: diff changeset	480	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	481	Isabelle has replaced the free variable~{\tt P} by the scheme
216d6ed87399 Initial revision lcp parents: diff changeset	482	variable~{\tt?P}\@. Free variables in the proof state remain fixed
216d6ed87399 Initial revision lcp parents: diff changeset	483	throughout the proof. Isabelle finally converts them to scheme variables
216d6ed87399 Initial revision lcp parents: diff changeset	484	so that the resulting theorem can be instantiated with any formula.
216d6ed87399 Initial revision lcp parents: diff changeset	485
216d6ed87399 Initial revision lcp parents: diff changeset	486
216d6ed87399 Initial revision lcp parents: diff changeset	487	\subsection{Proving a distributive law}
216d6ed87399 Initial revision lcp parents: diff changeset	488	\index{examples!propositional}
216d6ed87399 Initial revision lcp parents: diff changeset	489	To demonstrate the tactics \ttindex{eresolve_tac}, \ttindex{dresolve_tac}
216d6ed87399 Initial revision lcp parents: diff changeset	490	and the tactical \ttindex{REPEAT}, we shall prove part of the distributive
216d6ed87399 Initial revision lcp parents: diff changeset	491	law $(P\conj Q)\disj R \iff (P\disj R)\conj (Q\disj R)$.
216d6ed87399 Initial revision lcp parents: diff changeset	492
216d6ed87399 Initial revision lcp parents: diff changeset	493	We begin by stating the goal to Isabelle and applying~$({\imp}I)$ to it:
216d6ed87399 Initial revision lcp parents: diff changeset	494	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	495	goal FOL.thy "(P & Q) \| R --> (P \| R)";
216d6ed87399 Initial revision lcp parents: diff changeset	496	{\out Level 0}
216d6ed87399 Initial revision lcp parents: diff changeset	497	{\out P & Q \| R --> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	498	{\out 1. P & Q \| R --> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	499	by (resolve_tac [impI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	500	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	501	{\out P & Q \| R --> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	502	{\out 1. P & Q \| R ==> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	503	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	504	Previously we applied~(${\disj}E)$ using {\tt resolve_tac}, but
216d6ed87399 Initial revision lcp parents: diff changeset	505	\ttindex{eresolve_tac} deletes the assumption after use. The resulting proof
216d6ed87399 Initial revision lcp parents: diff changeset	506	state is simpler.
216d6ed87399 Initial revision lcp parents: diff changeset	507	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	508	by (eresolve_tac [disjE] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	509	{\out Level 2}
216d6ed87399 Initial revision lcp parents: diff changeset	510	{\out P & Q \| R --> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	511	{\out 1. P & Q ==> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	512	{\out 2. R ==> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	513	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	514	Using \ttindex{dresolve_tac}, we can apply~(${\conj}E1)$ to subgoal~1,
216d6ed87399 Initial revision lcp parents: diff changeset	515	replacing the assumption $P\conj Q$ by~$P$. Normally we should apply the
216d6ed87399 Initial revision lcp parents: diff changeset	516	rule~(${\conj}E)$, given in~\S\ref{destruct}. That is an elimination rule
216d6ed87399 Initial revision lcp parents: diff changeset	517	and requires {\tt eresolve_tac}; it would replace $P\conj Q$ by the two
216d6ed87399 Initial revision lcp parents: diff changeset	518	assumptions~$P$ and~$Q$. The present example does not need~$Q$.
216d6ed87399 Initial revision lcp parents: diff changeset	519	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	520	by (dresolve_tac [conjunct1] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	521	{\out Level 3}
216d6ed87399 Initial revision lcp parents: diff changeset	522	{\out P & Q \| R --> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	523	{\out 1. P ==> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	524	{\out 2. R ==> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	525	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	526	The next two steps apply~(${\disj}I1$) and~(${\disj}I2$) in an obvious manner.
216d6ed87399 Initial revision lcp parents: diff changeset	527	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	528	by (resolve_tac [disjI1] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	529	{\out Level 4}
216d6ed87399 Initial revision lcp parents: diff changeset	530	{\out P & Q \| R --> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	531	{\out 1. P ==> P}
216d6ed87399 Initial revision lcp parents: diff changeset	532	{\out 2. R ==> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	533	\ttbreak
216d6ed87399 Initial revision lcp parents: diff changeset	534	by (resolve_tac [disjI2] 2);
216d6ed87399 Initial revision lcp parents: diff changeset	535	{\out Level 5}
216d6ed87399 Initial revision lcp parents: diff changeset	536	{\out P & Q \| R --> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	537	{\out 1. P ==> P}
216d6ed87399 Initial revision lcp parents: diff changeset	538	{\out 2. R ==> R}
216d6ed87399 Initial revision lcp parents: diff changeset	539	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	540	Two calls of~\ttindex{assume_tac} can finish the proof. The
216d6ed87399 Initial revision lcp parents: diff changeset	541	tactical~\ttindex{REPEAT} expresses a tactic that calls {\tt assume_tac~1}
216d6ed87399 Initial revision lcp parents: diff changeset	542	as many times as possible. We can restrict attention to subgoal~1 because
216d6ed87399 Initial revision lcp parents: diff changeset	543	the other subgoals move up after subgoal~1 disappears.
216d6ed87399 Initial revision lcp parents: diff changeset	544	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	545	by (REPEAT (assume_tac 1));
216d6ed87399 Initial revision lcp parents: diff changeset	546	{\out Level 6}
216d6ed87399 Initial revision lcp parents: diff changeset	547	{\out P & Q \| R --> P \| R}
216d6ed87399 Initial revision lcp parents: diff changeset	548	{\out No subgoals!}
216d6ed87399 Initial revision lcp parents: diff changeset	549	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	550
216d6ed87399 Initial revision lcp parents: diff changeset	551
216d6ed87399 Initial revision lcp parents: diff changeset	552	\section{Quantifier reasoning}
216d6ed87399 Initial revision lcp parents: diff changeset	553	\index{quantifiers!reasoning about}\index{parameters}\index{unknowns}
216d6ed87399 Initial revision lcp parents: diff changeset	554	This section illustrates how Isabelle enforces quantifier provisos.
216d6ed87399 Initial revision lcp parents: diff changeset	555	Quantifier rules create terms such as~$\Var{f}(x,z)$, where~$\Var{f}$ is a
216d6ed87399 Initial revision lcp parents: diff changeset	556	function unknown and $x$ and~$z$ are parameters. This may be replaced by
216d6ed87399 Initial revision lcp parents: diff changeset	557	any term, possibly containing free occurrences of $x$ and~$z$.
216d6ed87399 Initial revision lcp parents: diff changeset	558
216d6ed87399 Initial revision lcp parents: diff changeset	559	\subsection{Two quantifier proofs, successful and not}
216d6ed87399 Initial revision lcp parents: diff changeset	560	\index{examples!with quantifiers}
216d6ed87399 Initial revision lcp parents: diff changeset	561	Let us contrast a proof of the theorem $\forall x.\exists y.x=y$ with an
216d6ed87399 Initial revision lcp parents: diff changeset	562	attempted proof of the non-theorem $\exists y.\forall x.x=y$. The former
216d6ed87399 Initial revision lcp parents: diff changeset	563	proof succeeds, and the latter fails, because of the scope of quantified
216d6ed87399 Initial revision lcp parents: diff changeset	564	variables~\cite{paulson89}. Unification helps even in these trivial
216d6ed87399 Initial revision lcp parents: diff changeset	565	proofs. In $\forall x.\exists y.x=y$ the $y$ that `exists' is simply $x$,
216d6ed87399 Initial revision lcp parents: diff changeset	566	but we need never say so. This choice is forced by the reflexive law for
216d6ed87399 Initial revision lcp parents: diff changeset	567	equality, and happens automatically.
216d6ed87399 Initial revision lcp parents: diff changeset	568
216d6ed87399 Initial revision lcp parents: diff changeset	569	\subsubsection{The successful proof}
216d6ed87399 Initial revision lcp parents: diff changeset	570	The proof of $\forall x.\exists y.x=y$ demonstrates the introduction rules
216d6ed87399 Initial revision lcp parents: diff changeset	571	$(\forall I)$ and~$(\exists I)$. We state the goal and apply $(\forall I)$:
216d6ed87399 Initial revision lcp parents: diff changeset	572	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	573	goal FOL.thy "ALL x. EX y. x=y";
216d6ed87399 Initial revision lcp parents: diff changeset	574	{\out Level 0}
216d6ed87399 Initial revision lcp parents: diff changeset	575	{\out ALL x. EX y. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	576	{\out 1. ALL x. EX y. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	577	\ttbreak
216d6ed87399 Initial revision lcp parents: diff changeset	578	by (resolve_tac [allI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	579	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	580	{\out ALL x. EX y. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	581	{\out 1. !!x. EX y. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	582	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	583	The variable~{\tt x} is no longer universally quantified, but is a
216d6ed87399 Initial revision lcp parents: diff changeset	584	parameter in the subgoal; thus, it is universally quantified at the
216d6ed87399 Initial revision lcp parents: diff changeset	585	meta-level. The subgoal must be proved for all possible values of~{\tt x}.
216d6ed87399 Initial revision lcp parents: diff changeset	586	We apply the rule $(\exists I)$:
216d6ed87399 Initial revision lcp parents: diff changeset	587	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	588	by (resolve_tac [exI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	589	{\out Level 2}
216d6ed87399 Initial revision lcp parents: diff changeset	590	{\out ALL x. EX y. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	591	{\out 1. !!x. x = ?y1(x)}
216d6ed87399 Initial revision lcp parents: diff changeset	592	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	593	The bound variable {\tt y} has become {\tt?y1(x)}. This term consists of
216d6ed87399 Initial revision lcp parents: diff changeset	594	the function unknown~{\tt?y1} applied to the parameter~{\tt x}.
216d6ed87399 Initial revision lcp parents: diff changeset	595	Instances of {\tt?y1(x)} may or may not contain~{\tt x}. We resolve the
216d6ed87399 Initial revision lcp parents: diff changeset	596	subgoal with the reflexivity axiom.
216d6ed87399 Initial revision lcp parents: diff changeset	597	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	598	by (resolve_tac [refl] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	599	{\out Level 3}
216d6ed87399 Initial revision lcp parents: diff changeset	600	{\out ALL x. EX y. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	601	{\out No subgoals!}
216d6ed87399 Initial revision lcp parents: diff changeset	602	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	603	Let us consider what has happened in detail. The reflexivity axiom is
216d6ed87399 Initial revision lcp parents: diff changeset	604	lifted over~$x$ to become $\Forall x.\Var{f}(x)=\Var{f}(x)$, which is
216d6ed87399 Initial revision lcp parents: diff changeset	605	unified with $\Forall x.x=\Var{y@1}(x)$. The function unknowns $\Var{f}$
216d6ed87399 Initial revision lcp parents: diff changeset	606	and~$\Var{y@1}$ are both instantiated to the identity function, and
216d6ed87399 Initial revision lcp parents: diff changeset	607	$x=\Var{y@1}(x)$ collapses to~$x=x$ by $\beta$-reduction.
216d6ed87399 Initial revision lcp parents: diff changeset	608
216d6ed87399 Initial revision lcp parents: diff changeset	609	\subsubsection{The unsuccessful proof}
216d6ed87399 Initial revision lcp parents: diff changeset	610	We state the goal $\exists y.\forall x.x=y$, which is {\bf not} a theorem, and
216d6ed87399 Initial revision lcp parents: diff changeset	611	try~$(\exists I)$:
216d6ed87399 Initial revision lcp parents: diff changeset	612	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	613	goal FOL.thy "EX y. ALL x. x=y";
216d6ed87399 Initial revision lcp parents: diff changeset	614	{\out Level 0}
216d6ed87399 Initial revision lcp parents: diff changeset	615	{\out EX y. ALL x. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	616	{\out 1. EX y. ALL x. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	617	\ttbreak
216d6ed87399 Initial revision lcp parents: diff changeset	618	by (resolve_tac [exI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	619	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	620	{\out EX y. ALL x. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	621	{\out 1. ALL x. x = ?y}
216d6ed87399 Initial revision lcp parents: diff changeset	622	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	623	The unknown {\tt ?y} may be replaced by any term, but this can never
216d6ed87399 Initial revision lcp parents: diff changeset	624	introduce another bound occurrence of~{\tt x}. We now apply~$(\forall I)$:
216d6ed87399 Initial revision lcp parents: diff changeset	625	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	626	by (resolve_tac [allI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	627	{\out Level 2}
216d6ed87399 Initial revision lcp parents: diff changeset	628	{\out EX y. ALL x. x = y}
216d6ed87399 Initial revision lcp parents: diff changeset	629	{\out 1. !!x. x = ?y}
216d6ed87399 Initial revision lcp parents: diff changeset	630	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	631	Compare our position with the previous Level~2. Instead of {\tt?y1(x)} we
216d6ed87399 Initial revision lcp parents: diff changeset	632	have~{\tt?y}, whose instances may not contain the bound variable~{\tt x}.
216d6ed87399 Initial revision lcp parents: diff changeset	633	The reflexivity axiom does not unify with subgoal~1.
216d6ed87399 Initial revision lcp parents: diff changeset	634	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	635	by (resolve_tac [refl] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	636	{\out by: tactic returned no results}
216d6ed87399 Initial revision lcp parents: diff changeset	637	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	638	No other choice of rules seems likely to complete the proof. Of course,
216d6ed87399 Initial revision lcp parents: diff changeset	639	this is no guarantee that Isabelle cannot prove $\exists y.\forall x.x=y$
216d6ed87399 Initial revision lcp parents: diff changeset	640	or other invalid assertions. We must appeal to the soundness of
216d6ed87399 Initial revision lcp parents: diff changeset	641	first-order logic and the faithfulness of its encoding in
216d6ed87399 Initial revision lcp parents: diff changeset	642	Isabelle~\cite{paulson89}, and must trust the implementation.
216d6ed87399 Initial revision lcp parents: diff changeset	643
216d6ed87399 Initial revision lcp parents: diff changeset	644
216d6ed87399 Initial revision lcp parents: diff changeset	645	\subsection{Nested quantifiers}
216d6ed87399 Initial revision lcp parents: diff changeset	646	\index{examples!with quantifiers}
216d6ed87399 Initial revision lcp parents: diff changeset	647	Multiple quantifiers create complex terms. Proving $(\forall x\,y.P(x,y))
216d6ed87399 Initial revision lcp parents: diff changeset	648	\imp (\forall z\,w.P(w,z))$, will demonstrate how parameters and
216d6ed87399 Initial revision lcp parents: diff changeset	649	unknowns develop. If they appear in the wrong order, the proof will fail.
216d6ed87399 Initial revision lcp parents: diff changeset	650	This section concludes with a demonstration of {\tt REPEAT}
216d6ed87399 Initial revision lcp parents: diff changeset	651	and~{\tt ORELSE}.
216d6ed87399 Initial revision lcp parents: diff changeset	652
216d6ed87399 Initial revision lcp parents: diff changeset	653	The start of the proof is routine.
216d6ed87399 Initial revision lcp parents: diff changeset	654	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	655	goal FOL.thy "(ALL x y.P(x,y)) --> (ALL z w.P(w,z))";
216d6ed87399 Initial revision lcp parents: diff changeset	656	{\out Level 0}
216d6ed87399 Initial revision lcp parents: diff changeset	657	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	658	{\out 1. (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	659	\ttbreak
216d6ed87399 Initial revision lcp parents: diff changeset	660	by (resolve_tac [impI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	661	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	662	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	663	{\out 1. ALL x y. P(x,y) ==> ALL z w. P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	664	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	665
216d6ed87399 Initial revision lcp parents: diff changeset	666	\subsubsection{The wrong approach}
216d6ed87399 Initial revision lcp parents: diff changeset	667	Using \ttindex{dresolve_tac}, we apply the rule $(\forall E)$, bound to the
216d6ed87399 Initial revision lcp parents: diff changeset	668	\ML\ identifier \ttindex{spec}. Then we apply $(\forall I)$.
216d6ed87399 Initial revision lcp parents: diff changeset	669	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	670	by (dresolve_tac [spec] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	671	{\out Level 2}
216d6ed87399 Initial revision lcp parents: diff changeset	672	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	673	{\out 1. ALL y. P(?x1,y) ==> ALL z w. P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	674	\ttbreak
216d6ed87399 Initial revision lcp parents: diff changeset	675	by (resolve_tac [allI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	676	{\out Level 3}
216d6ed87399 Initial revision lcp parents: diff changeset	677	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	678	{\out 1. !!z. ALL y. P(?x1,y) ==> ALL w. P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	679	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	680	The unknown {\tt ?u} and the parameter {\tt z} have appeared. We again
216d6ed87399 Initial revision lcp parents: diff changeset	681	apply $(\forall I)$ and~$(\forall E)$.
216d6ed87399 Initial revision lcp parents: diff changeset	682	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	683	by (dresolve_tac [spec] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	684	{\out Level 4}
216d6ed87399 Initial revision lcp parents: diff changeset	685	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	686	{\out 1. !!z. P(?x1,?y3(z)) ==> ALL w. P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	687	\ttbreak
216d6ed87399 Initial revision lcp parents: diff changeset	688	by (resolve_tac [allI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	689	{\out Level 5}
216d6ed87399 Initial revision lcp parents: diff changeset	690	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	691	{\out 1. !!z w. P(?x1,?y3(z)) ==> P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	692	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	693	The unknown {\tt ?y3} and the parameter {\tt w} have appeared. Each
216d6ed87399 Initial revision lcp parents: diff changeset	694	unknown is applied to the parameters existing at the time of its creation;
216d6ed87399 Initial revision lcp parents: diff changeset	695	instances of {\tt ?x1} cannot contain~{\tt z} or~{\tt w}, while instances
216d6ed87399 Initial revision lcp parents: diff changeset	696	of {\tt?y3(z)} can only contain~{\tt z}. Because of these restrictions,
216d6ed87399 Initial revision lcp parents: diff changeset	697	proof by assumption will fail.
216d6ed87399 Initial revision lcp parents: diff changeset	698	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	699	by (assume_tac 1);
216d6ed87399 Initial revision lcp parents: diff changeset	700	{\out by: tactic returned no results}
216d6ed87399 Initial revision lcp parents: diff changeset	701	{\out uncaught exception ERROR}
216d6ed87399 Initial revision lcp parents: diff changeset	702	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	703
216d6ed87399 Initial revision lcp parents: diff changeset	704	\subsubsection{The right approach}
216d6ed87399 Initial revision lcp parents: diff changeset	705	To do this proof, the rules must be applied in the correct order.
216d6ed87399 Initial revision lcp parents: diff changeset	706	Eigenvariables should be created before unknowns. The
216d6ed87399 Initial revision lcp parents: diff changeset	707	\ttindex{choplev} command returns to an earlier stage of the proof;
216d6ed87399 Initial revision lcp parents: diff changeset	708	let us return to the result of applying~$({\imp}I)$:
216d6ed87399 Initial revision lcp parents: diff changeset	709	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	710	choplev 1;
216d6ed87399 Initial revision lcp parents: diff changeset	711	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	712	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	713	{\out 1. ALL x y. P(x,y) ==> ALL z w. P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	714	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	715	Previously, we made the mistake of applying $(\forall E)$; this time, we
216d6ed87399 Initial revision lcp parents: diff changeset	716	apply $(\forall I)$ twice.
216d6ed87399 Initial revision lcp parents: diff changeset	717	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	718	by (resolve_tac [allI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	719	{\out Level 2}
216d6ed87399 Initial revision lcp parents: diff changeset	720	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	721	{\out 1. !!z. ALL x y. P(x,y) ==> ALL w. P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	722	\ttbreak
216d6ed87399 Initial revision lcp parents: diff changeset	723	by (resolve_tac [allI] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	724	{\out Level 3}
216d6ed87399 Initial revision lcp parents: diff changeset	725	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	726	{\out 1. !!z w. ALL x y. P(x,y) ==> P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	727	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	728	The parameters {\tt z} and~{\tt w} have appeared. We now create the
216d6ed87399 Initial revision lcp parents: diff changeset	729	unknowns:
216d6ed87399 Initial revision lcp parents: diff changeset	730	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	731	by (dresolve_tac [spec] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	732	{\out Level 4}
216d6ed87399 Initial revision lcp parents: diff changeset	733	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	734	{\out 1. !!z w. ALL y. P(?x3(z,w),y) ==> P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	735	\ttbreak
216d6ed87399 Initial revision lcp parents: diff changeset	736	by (dresolve_tac [spec] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	737	{\out Level 5}
216d6ed87399 Initial revision lcp parents: diff changeset	738	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	739	{\out 1. !!z w. P(?x3(z,w),?y4(z,w)) ==> P(w,z)}
216d6ed87399 Initial revision lcp parents: diff changeset	740	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	741	Both {\tt?x3(z,w)} and~{\tt?y4(z,w)} could become any terms containing {\tt
216d6ed87399 Initial revision lcp parents: diff changeset	742	z} and~{\tt w}:
216d6ed87399 Initial revision lcp parents: diff changeset	743	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	744	by (assume_tac 1);
216d6ed87399 Initial revision lcp parents: diff changeset	745	{\out Level 6}
216d6ed87399 Initial revision lcp parents: diff changeset	746	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	747	{\out No subgoals!}
216d6ed87399 Initial revision lcp parents: diff changeset	748	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	749
216d6ed87399 Initial revision lcp parents: diff changeset	750	\subsubsection{A one-step proof using tacticals}
216d6ed87399 Initial revision lcp parents: diff changeset	751	\index{tacticals}
216d6ed87399 Initial revision lcp parents: diff changeset	752	\index{examples!of tacticals}
216d6ed87399 Initial revision lcp parents: diff changeset	753	Repeated application of rules can be an effective theorem-proving
216d6ed87399 Initial revision lcp parents: diff changeset	754	procedure, but the rules should be attempted in an order that delays the
216d6ed87399 Initial revision lcp parents: diff changeset	755	creation of unknowns. As we have just seen, \ttindex{allI} should be
216d6ed87399 Initial revision lcp parents: diff changeset	756	attempted before~\ttindex{spec}, while \ttindex{assume_tac} generally can
216d6ed87399 Initial revision lcp parents: diff changeset	757	be attempted first. Such priorities can easily be expressed
216d6ed87399 Initial revision lcp parents: diff changeset	758	using~\ttindex{ORELSE}, and repeated using~\ttindex{REPEAT}. Let us return
216d6ed87399 Initial revision lcp parents: diff changeset	759	to the original goal using \ttindex{choplev}:
216d6ed87399 Initial revision lcp parents: diff changeset	760	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	761	choplev 0;
216d6ed87399 Initial revision lcp parents: diff changeset	762	{\out Level 0}
216d6ed87399 Initial revision lcp parents: diff changeset	763	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	764	{\out 1. (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	765	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	766	A repetitive procedure proves it:
216d6ed87399 Initial revision lcp parents: diff changeset	767	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	768	by (REPEAT (assume_tac 1
216d6ed87399 Initial revision lcp parents: diff changeset	769	ORELSE resolve_tac [impI,allI] 1
216d6ed87399 Initial revision lcp parents: diff changeset	770	ORELSE dresolve_tac [spec] 1));
216d6ed87399 Initial revision lcp parents: diff changeset	771	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	772	{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
216d6ed87399 Initial revision lcp parents: diff changeset	773	{\out No subgoals!}
216d6ed87399 Initial revision lcp parents: diff changeset	774	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	775
216d6ed87399 Initial revision lcp parents: diff changeset	776
216d6ed87399 Initial revision lcp parents: diff changeset	777	\subsection{A realistic quantifier proof}
216d6ed87399 Initial revision lcp parents: diff changeset	778	\index{examples!with quantifiers}
216d6ed87399 Initial revision lcp parents: diff changeset	779	A proof of $(\forall x. P(x) \imp Q) \imp (\exists x. P(x)) \imp Q$
216d6ed87399 Initial revision lcp parents: diff changeset	780	demonstrates the practical use of parameters and unknowns.
216d6ed87399 Initial revision lcp parents: diff changeset	781	Since $\imp$ is nested to the right, $({\imp}I)$ can be applied twice; we
216d6ed87399 Initial revision lcp parents: diff changeset	782	use \ttindex{REPEAT}:
216d6ed87399 Initial revision lcp parents: diff changeset	783	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	784	goal FOL.thy "(ALL x.P(x) --> Q) --> (EX x.P(x)) --> Q";
216d6ed87399 Initial revision lcp parents: diff changeset	785	{\out Level 0}
216d6ed87399 Initial revision lcp parents: diff changeset	786	{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	787	{\out 1. (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	788	\ttbreak
216d6ed87399 Initial revision lcp parents: diff changeset	789	by (REPEAT (resolve_tac [impI] 1));
216d6ed87399 Initial revision lcp parents: diff changeset	790	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	791	{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	792	{\out 1. [\| ALL x. P(x) --> Q; EX x. P(x) \|] ==> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	793	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	794	We can eliminate the universal or the existential quantifier. The
216d6ed87399 Initial revision lcp parents: diff changeset	795	existential quantifier should be eliminated first, since this creates a
216d6ed87399 Initial revision lcp parents: diff changeset	796	parameter. The rule~$(\exists E)$ is bound to the
216d6ed87399 Initial revision lcp parents: diff changeset	797	identifier~\ttindex{exE}.
216d6ed87399 Initial revision lcp parents: diff changeset	798	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	799	by (eresolve_tac [exE] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	800	{\out Level 2}
216d6ed87399 Initial revision lcp parents: diff changeset	801	{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	802	{\out 1. !!x. [\| ALL x. P(x) --> Q; P(x) \|] ==> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	803	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	804	The only possibility now is $(\forall E)$, a destruction rule. We use
216d6ed87399 Initial revision lcp parents: diff changeset	805	\ttindex{dresolve_tac}, which discards the quantified assumption; it is
216d6ed87399 Initial revision lcp parents: diff changeset	806	only needed once.
216d6ed87399 Initial revision lcp parents: diff changeset	807	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	808	by (dresolve_tac [spec] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	809	{\out Level 3}
216d6ed87399 Initial revision lcp parents: diff changeset	810	{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	811	{\out 1. !!x. [\| P(x); P(?x3(x)) --> Q \|] ==> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	812	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	813	Because the parameter~{\tt x} appeared first, the unknown
216d6ed87399 Initial revision lcp parents: diff changeset	814	term~{\tt?x3(x)} may depend upon it. Had we eliminated the universal
216d6ed87399 Initial revision lcp parents: diff changeset	815	quantifier before the existential, this would not be so.
216d6ed87399 Initial revision lcp parents: diff changeset	816
216d6ed87399 Initial revision lcp parents: diff changeset	817	Although $({\imp}E)$ is a destruction rule, it works with
216d6ed87399 Initial revision lcp parents: diff changeset	818	\ttindex{eresolve_tac} to perform backward chaining. This technique is
216d6ed87399 Initial revision lcp parents: diff changeset	819	frequently useful.
216d6ed87399 Initial revision lcp parents: diff changeset	820	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	821	by (eresolve_tac [mp] 1);
216d6ed87399 Initial revision lcp parents: diff changeset	822	{\out Level 4}
216d6ed87399 Initial revision lcp parents: diff changeset	823	{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	824	{\out 1. !!x. P(x) ==> P(?x3(x))}
216d6ed87399 Initial revision lcp parents: diff changeset	825	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	826	The tactic has reduced~{\tt Q} to~{\tt P(?x3(x))}, deleting the
216d6ed87399 Initial revision lcp parents: diff changeset	827	implication. The final step is trivial, thanks to the occurrence of~{\tt x}.
216d6ed87399 Initial revision lcp parents: diff changeset	828	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	829	by (assume_tac 1);
216d6ed87399 Initial revision lcp parents: diff changeset	830	{\out Level 5}
216d6ed87399 Initial revision lcp parents: diff changeset	831	{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
216d6ed87399 Initial revision lcp parents: diff changeset	832	{\out No subgoals!}
216d6ed87399 Initial revision lcp parents: diff changeset	833	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	834
216d6ed87399 Initial revision lcp parents: diff changeset	835
216d6ed87399 Initial revision lcp parents: diff changeset	836	\subsection{The classical reasoning package}
216d6ed87399 Initial revision lcp parents: diff changeset	837	\index{classical reasoning package}
216d6ed87399 Initial revision lcp parents: diff changeset	838	Although Isabelle cannot compete with fully automatic theorem provers, it
216d6ed87399 Initial revision lcp parents: diff changeset	839	provides enough automation to tackle substantial examples. The classical
216d6ed87399 Initial revision lcp parents: diff changeset	840	reasoning package can be set up for any classical natural deduction logic
216d6ed87399 Initial revision lcp parents: diff changeset	841	--- see the {\em Reference Manual}.
216d6ed87399 Initial revision lcp parents: diff changeset	842
216d6ed87399 Initial revision lcp parents: diff changeset	843	Rules are packaged into bundles called \bfindex{classical sets}. The package
216d6ed87399 Initial revision lcp parents: diff changeset	844	provides several tactics, which apply rules using naive algorithms, using
216d6ed87399 Initial revision lcp parents: diff changeset	845	unification to handle quantifiers. The most useful tactic
216d6ed87399 Initial revision lcp parents: diff changeset	846	is~\ttindex{fast_tac}.
216d6ed87399 Initial revision lcp parents: diff changeset	847
216d6ed87399 Initial revision lcp parents: diff changeset	848	Let us solve problems~40 and~60 of Pelletier~\cite{pelletier86}. (The
216d6ed87399 Initial revision lcp parents: diff changeset	849	backslashes~\hbox{\verb\|\\|\ldots\verb\|\\|} are an \ML{} string escape
216d6ed87399 Initial revision lcp parents: diff changeset	850	sequence, to break the long string over two lines.)
216d6ed87399 Initial revision lcp parents: diff changeset	851	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	852	goal FOL.thy "(EX y. ALL x. J(y,x) <-> ~J(x,x)) \ttback
216d6ed87399 Initial revision lcp parents: diff changeset	853	\ttback --> ~ (ALL x. EX y. ALL z. J(z,y) <-> ~ J(z,x))";
216d6ed87399 Initial revision lcp parents: diff changeset	854	{\out Level 0}
216d6ed87399 Initial revision lcp parents: diff changeset	855	{\out (EX y. ALL x. J(y,x) <-> ~J(x,x)) -->}
216d6ed87399 Initial revision lcp parents: diff changeset	856	{\out ~(ALL x. EX y. ALL z. J(z,y) <-> ~J(z,x))}
216d6ed87399 Initial revision lcp parents: diff changeset	857	{\out 1. (EX y. ALL x. J(y,x) <-> ~J(x,x)) -->}
216d6ed87399 Initial revision lcp parents: diff changeset	858	{\out ~(ALL x. EX y. ALL z. J(z,y) <-> ~J(z,x))}
216d6ed87399 Initial revision lcp parents: diff changeset	859	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	860	The rules of classical logic are bundled as {\tt FOL_cs}. We may solve
216d6ed87399 Initial revision lcp parents: diff changeset	861	subgoal~1 at a stroke, using~\ttindex{fast_tac}.
216d6ed87399 Initial revision lcp parents: diff changeset	862	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	863	by (fast_tac FOL_cs 1);
216d6ed87399 Initial revision lcp parents: diff changeset	864	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	865	{\out (EX y. ALL x. J(y,x) <-> ~J(x,x)) -->}
216d6ed87399 Initial revision lcp parents: diff changeset	866	{\out ~(ALL x. EX y. ALL z. J(z,y) <-> ~J(z,x))}
216d6ed87399 Initial revision lcp parents: diff changeset	867	{\out No subgoals!}
216d6ed87399 Initial revision lcp parents: diff changeset	868	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	869	Sceptics may examine the proof by calling the package's single-step
216d6ed87399 Initial revision lcp parents: diff changeset	870	tactics, such as~{\tt step_tac}. This would take up much space, however,
216d6ed87399 Initial revision lcp parents: diff changeset	871	so let us proceed to the next example:
216d6ed87399 Initial revision lcp parents: diff changeset	872	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	873	goal FOL.thy "ALL x. P(x,f(x)) <-> \ttback
216d6ed87399 Initial revision lcp parents: diff changeset	874	\ttback (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))";
216d6ed87399 Initial revision lcp parents: diff changeset	875	{\out Level 0}
216d6ed87399 Initial revision lcp parents: diff changeset	876	{\out ALL x. P(x,f(x)) <-> (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))}
216d6ed87399 Initial revision lcp parents: diff changeset	877	{\out 1. ALL x. P(x,f(x)) <-> (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))}
216d6ed87399 Initial revision lcp parents: diff changeset	878	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	879	Again, subgoal~1 succumbs immediately.
216d6ed87399 Initial revision lcp parents: diff changeset	880	\begin{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	881	by (fast_tac FOL_cs 1);
216d6ed87399 Initial revision lcp parents: diff changeset	882	{\out Level 1}
216d6ed87399 Initial revision lcp parents: diff changeset	883	{\out ALL x. P(x,f(x)) <-> (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))}
216d6ed87399 Initial revision lcp parents: diff changeset	884	{\out No subgoals!}
216d6ed87399 Initial revision lcp parents: diff changeset	885	\end{ttbox}
216d6ed87399 Initial revision lcp parents: diff changeset	886	The classical reasoning package is not restricted to the usual logical
216d6ed87399 Initial revision lcp parents: diff changeset	887	connectives. The natural deduction rules for unions and intersections in
216d6ed87399 Initial revision lcp parents: diff changeset	888	set theory resemble those for disjunction and conjunction, and in the
216d6ed87399 Initial revision lcp parents: diff changeset	889	infinitary case, for quantifiers. The package is valuable for reasoning in
216d6ed87399 Initial revision lcp parents: diff changeset	890	set theory.
216d6ed87399 Initial revision lcp parents: diff changeset	891
216d6ed87399 Initial revision lcp parents: diff changeset	892
216d6ed87399 Initial revision lcp parents: diff changeset	893	% Local Variables:
216d6ed87399 Initial revision lcp parents: diff changeset	894	% mode: latex
216d6ed87399 Initial revision lcp parents: diff changeset	895	% TeX-master: t
216d6ed87399 Initial revision lcp parents: diff changeset	896	% End:

author	lcp
	Wed, 10 Nov 1993 05:06:55 +0100
changeset 105	216d6ed87399
child 296	e1f6cd9f682e
permissions	-rw-r--r--