isabelle: doc-src/Logics/FOL.tex@33fbffd06c12 (annotated)

104 d8205bb279a7 Initial revision lcp parents: diff changeset	1	%% $Id$
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	2	\chapter{First-Order Logic}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	3	\index{first-order logic\|(}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	4
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	5	Isabelle implements Gentzen's natural deduction systems {\sc nj} and {\sc
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	6	nk}. Intuitionistic first-order logic is defined first, as theory
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	7	\thydx{IFOL}. Classical logic, theory \thydx{FOL}, is
104 d8205bb279a7 Initial revision lcp parents: diff changeset	8	obtained by adding the double negation rule. Basic proof procedures are
d8205bb279a7 Initial revision lcp parents: diff changeset	9	provided. The intuitionistic prover works with derived rules to simplify
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	10	implications in the assumptions. Classical~\texttt{FOL} employs Isabelle's
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	11	classical reasoner, which simulates a sequent calculus.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	12
d8205bb279a7 Initial revision lcp parents: diff changeset	13	\section{Syntax and rules of inference}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	14	The logic is many-sorted, using Isabelle's type classes. The class of
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	15	first-order terms is called \cldx{term} and is a subclass of \texttt{logic}.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	16	No types of individuals are provided, but extensions can define types such
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	17	as \texttt{nat::term} and type constructors such as \texttt{list::(term)term}
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	18	(see the examples directory, \texttt{FOL/ex}). Below, the type variable
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	19	$\alpha$ ranges over class \texttt{term}; the equality symbol and quantifiers
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	20	are polymorphic (many-sorted). The type of formulae is~\tydx{o}, which
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	21	belongs to class~\cldx{logic}. Figure~\ref{fol-syntax} gives the syntax.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	22	Note that $a$\verb\|~=\|$b$ is translated to $\neg(a=b)$.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	23
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	24	Figure~\ref{fol-rules} shows the inference rules with their~\ML\ names.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	25	Negation is defined in the usual way for intuitionistic logic; $\neg P$
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	26	abbreviates $P\imp\bot$. The biconditional~($\bimp$) is defined through
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	27	$\conj$ and~$\imp$; introduction and elimination rules are derived for it.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	28
d8205bb279a7 Initial revision lcp parents: diff changeset	29	The unique existence quantifier, $\exists!x.P(x)$, is defined in terms
d8205bb279a7 Initial revision lcp parents: diff changeset	30	of~$\exists$ and~$\forall$. An Isabelle binder, it admits nested
3138 6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	31	quantifications. For instance, $\exists!x\;y.P(x,y)$ abbreviates
104 d8205bb279a7 Initial revision lcp parents: diff changeset	32	$\exists!x. \exists!y.P(x,y)$; note that this does not mean that there
d8205bb279a7 Initial revision lcp parents: diff changeset	33	exists a unique pair $(x,y)$ satisfying~$P(x,y)$.
d8205bb279a7 Initial revision lcp parents: diff changeset	34
d8205bb279a7 Initial revision lcp parents: diff changeset	35	Some intuitionistic derived rules are shown in
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	36	Fig.\ts\ref{fol-int-derived}, again with their \ML\ names. These include
104 d8205bb279a7 Initial revision lcp parents: diff changeset	37	rules for the defined symbols $\neg$, $\bimp$ and $\exists!$. Natural
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	38	deduction typically involves a combination of forward and backward
104 d8205bb279a7 Initial revision lcp parents: diff changeset	39	reasoning, particularly with the destruction rules $(\conj E)$,
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	40	$({\imp}E)$, and~$(\forall E)$. Isabelle's backward style handles these
104 d8205bb279a7 Initial revision lcp parents: diff changeset	41	rules badly, so sequent-style rules are derived to eliminate conjunctions,
d8205bb279a7 Initial revision lcp parents: diff changeset	42	implications, and universal quantifiers. Used with elim-resolution,
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	43	\tdx{allE} eliminates a universal quantifier while \tdx{all_dupE}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	44	re-inserts the quantified formula for later use. The rules {\tt
d8205bb279a7 Initial revision lcp parents: diff changeset	45	conj_impE}, etc., support the intuitionistic proof procedure
d8205bb279a7 Initial revision lcp parents: diff changeset	46	(see~\S\ref{fol-int-prover}).
d8205bb279a7 Initial revision lcp parents: diff changeset	47
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	48	See the files \texttt{FOL/IFOL.thy}, \texttt{FOL/IFOL.ML} and
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	49	\texttt{FOL/intprover.ML} for complete listings of the rules and
104 d8205bb279a7 Initial revision lcp parents: diff changeset	50	derived rules.
d8205bb279a7 Initial revision lcp parents: diff changeset	51
d8205bb279a7 Initial revision lcp parents: diff changeset	52	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	53	\begin{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	54	\begin{tabular}{rrr}
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	55	\it name &\it meta-type & \it description \\
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	56	\cdx{Trueprop}& $o\To prop$ & coercion to $prop$\\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	57	\cdx{Not} & $o\To o$ & negation ($\neg$) \\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	58	\cdx{True} & $o$ & tautology ($\top$) \\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	59	\cdx{False} & $o$ & absurdity ($\bot$)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	60	\end{tabular}
d8205bb279a7 Initial revision lcp parents: diff changeset	61	\end{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	62	\subcaption{Constants}
d8205bb279a7 Initial revision lcp parents: diff changeset	63
d8205bb279a7 Initial revision lcp parents: diff changeset	64	\begin{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	65	\begin{tabular}{llrrr}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	66	\it symbol &\it name &\it meta-type & \it priority & \it description \\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	67	\sdx{ALL} & \cdx{All} & $(\alpha\To o)\To o$ & 10 &
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	68	universal quantifier ($\forall$) \\
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	69	\sdx{EX} & \cdx{Ex} & $(\alpha\To o)\To o$ & 10 &
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	70	existential quantifier ($\exists$) \\
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	71	\texttt{EX!} & \cdx{Ex1} & $(\alpha\To o)\To o$ & 10 &
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	72	unique existence ($\exists!$)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	73	\end{tabular}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	74	\index{*"E"X"! symbol}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	75	\end{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	76	\subcaption{Binders}
d8205bb279a7 Initial revision lcp parents: diff changeset	77
d8205bb279a7 Initial revision lcp parents: diff changeset	78	\begin{center}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	79	\index{*"= symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	80	\index{&@{\tt\&} symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	81	\index{*"\| symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	82	\index{*"-"-"> symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	83	\index{*"<"-"> symbol}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	84	\begin{tabular}{rrrr}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	85	\it symbol & \it meta-type & \it priority & \it description \\
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	86	\tt = & $[\alpha,\alpha]\To o$ & Left 50 & equality ($=$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	87	\tt \& & $[o,o]\To o$ & Right 35 & conjunction ($\conj$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	88	\tt \| & $[o,o]\To o$ & Right 30 & disjunction ($\disj$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	89	\tt --> & $[o,o]\To o$ & Right 25 & implication ($\imp$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	90	\tt <-> & $[o,o]\To o$ & Right 25 & biconditional ($\bimp$)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	91	\end{tabular}
d8205bb279a7 Initial revision lcp parents: diff changeset	92	\end{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	93	\subcaption{Infixes}
d8205bb279a7 Initial revision lcp parents: diff changeset	94
d8205bb279a7 Initial revision lcp parents: diff changeset	95	\dquotes
d8205bb279a7 Initial revision lcp parents: diff changeset	96	\[\begin{array}{rcl}
d8205bb279a7 Initial revision lcp parents: diff changeset	97	formula & = & \hbox{expression of type~$o$} \\
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	98	& \| & term " = " term \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	99	& \| & term " \ttilde= " term \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	100	& \| & "\ttilde\ " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	101	& \| & formula " \& " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	102	& \| & formula " \| " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	103	& \| & formula " --> " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	104	& \| & formula " <-> " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	105	& \| & "ALL~" id~id^* " . " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	106	& \| & "EX~~" id~id^* " . " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	107	& \| & "EX!~" id~id^* " . " formula
104 d8205bb279a7 Initial revision lcp parents: diff changeset	108	\end{array}
d8205bb279a7 Initial revision lcp parents: diff changeset	109	\]
d8205bb279a7 Initial revision lcp parents: diff changeset	110	\subcaption{Grammar}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	111	\caption{Syntax of \texttt{FOL}} \label{fol-syntax}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	112	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	113
d8205bb279a7 Initial revision lcp parents: diff changeset	114
d8205bb279a7 Initial revision lcp parents: diff changeset	115	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	116	\begin{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	117	\tdx{refl} a=a
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	118	\tdx{subst} [\| a=b; P(a) \|] ==> P(b)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	119	\subcaption{Equality rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	120
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	121	\tdx{conjI} [\| P; Q \|] ==> P&Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	122	\tdx{conjunct1} P&Q ==> P
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	123	\tdx{conjunct2} P&Q ==> Q
104 d8205bb279a7 Initial revision lcp parents: diff changeset	124
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	125	\tdx{disjI1} P ==> P\|Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	126	\tdx{disjI2} Q ==> P\|Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	127	\tdx{disjE} [\| P\|Q; P ==> R; Q ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	128
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	129	\tdx{impI} (P ==> Q) ==> P-->Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	130	\tdx{mp} [\| P-->Q; P \|] ==> Q
104 d8205bb279a7 Initial revision lcp parents: diff changeset	131
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	132	\tdx{FalseE} False ==> P
104 d8205bb279a7 Initial revision lcp parents: diff changeset	133	\subcaption{Propositional rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	134
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	135	\tdx{allI} (!!x. P(x)) ==> (ALL x.P(x))
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	136	\tdx{spec} (ALL x.P(x)) ==> P(x)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	137
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	138	\tdx{exI} P(x) ==> (EX x.P(x))
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	139	\tdx{exE} [\| EX x.P(x); !!x. P(x) ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	140	\subcaption{Quantifier rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	141
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	142	\tdx{True_def} True == False-->False
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	143	\tdx{not_def} ~P == P-->False
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	144	\tdx{iff_def} P<->Q == (P-->Q) & (Q-->P)
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	145	\tdx{ex1_def} EX! x. P(x) == EX x. P(x) & (ALL y. P(y) --> y=x)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	146	\subcaption{Definitions}
d8205bb279a7 Initial revision lcp parents: diff changeset	147	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	148
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	149	\caption{Rules of intuitionistic logic} \label{fol-rules}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	150	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	151
d8205bb279a7 Initial revision lcp parents: diff changeset	152
d8205bb279a7 Initial revision lcp parents: diff changeset	153	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	154	\begin{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	155	\tdx{sym} a=b ==> b=a
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	156	\tdx{trans} [\| a=b; b=c \|] ==> a=c
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	157	\tdx{ssubst} [\| b=a; P(a) \|] ==> P(b)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	158	\subcaption{Derived equality rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	159
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	160	\tdx{TrueI} True
104 d8205bb279a7 Initial revision lcp parents: diff changeset	161
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	162	\tdx{notI} (P ==> False) ==> ~P
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	163	\tdx{notE} [\| ~P; P \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	164
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	165	\tdx{iffI} [\| P ==> Q; Q ==> P \|] ==> P<->Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	166	\tdx{iffE} [\| P <-> Q; [\| P-->Q; Q-->P \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	167	\tdx{iffD1} [\| P <-> Q; P \|] ==> Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	168	\tdx{iffD2} [\| P <-> Q; Q \|] ==> P
104 d8205bb279a7 Initial revision lcp parents: diff changeset	169
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	170	\tdx{ex1I} [\| P(a); !!x. P(x) ==> x=a \|] ==> EX! x. P(x)
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	171	\tdx{ex1E} [\| EX! x.P(x); !!x.[\| P(x); ALL y. P(y) --> y=x \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	172	\|] ==> R
d8205bb279a7 Initial revision lcp parents: diff changeset	173	\subcaption{Derived rules for $\top$, $\neg$, $\bimp$ and $\exists!$}
d8205bb279a7 Initial revision lcp parents: diff changeset	174
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	175	\tdx{conjE} [\| P&Q; [\| P; Q \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	176	\tdx{impE} [\| P-->Q; P; Q ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	177	\tdx{allE} [\| ALL x.P(x); P(x) ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	178	\tdx{all_dupE} [\| ALL x.P(x); [\| P(x); ALL x.P(x) \|] ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	179	\subcaption{Sequent-style elimination rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	180
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	181	\tdx{conj_impE} [\| (P&Q)-->S; P-->(Q-->S) ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	182	\tdx{disj_impE} [\| (P\|Q)-->S; [\| P-->S; Q-->S \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	183	\tdx{imp_impE} [\| (P-->Q)-->S; [\| P; Q-->S \|] ==> Q; S ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	184	\tdx{not_impE} [\| ~P --> S; P ==> False; S ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	185	\tdx{iff_impE} [\| (P<->Q)-->S; [\| P; Q-->S \|] ==> Q; [\| Q; P-->S \|] ==> P;
104 d8205bb279a7 Initial revision lcp parents: diff changeset	186	S ==> R \|] ==> R
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	187	\tdx{all_impE} [\| (ALL x.P(x))-->S; !!x.P(x); S ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	188	\tdx{ex_impE} [\| (EX x.P(x))-->S; P(a)-->S ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	189	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	190	\subcaption{Intuitionistic simplification of implication}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	191	\caption{Derived rules for intuitionistic logic} \label{fol-int-derived}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	192	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	193
d8205bb279a7 Initial revision lcp parents: diff changeset	194
d8205bb279a7 Initial revision lcp parents: diff changeset	195	\section{Generic packages}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	196	\FOL{} instantiates most of Isabelle's generic packages.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	197	\begin{itemize}
d8205bb279a7 Initial revision lcp parents: diff changeset	198	\item
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	199	It instantiates the simplifier. Both equality ($=$) and the biconditional
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	200	($\bimp$) may be used for rewriting. Tactics such as \texttt{Asm_simp_tac} and
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	201	\texttt{Full_simp_tac} refer to the default simpset (\texttt{simpset()}), which works for
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	202	most purposes. Named simplification sets include \ttindexbold{IFOL_ss},
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	203	for intuitionistic first-order logic, and \ttindexbold{FOL_ss},
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	204	for classical logic. See the file
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	205	\texttt{FOL/simpdata.ML} for a complete listing of the simplification
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	206	rules%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	207	\iflabelundefined{sec:setting-up-simp}{}%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	208	{, and \S\ref{sec:setting-up-simp} for discussion}.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	209
104 d8205bb279a7 Initial revision lcp parents: diff changeset	210	\item
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	211	It instantiates the classical reasoner. See~\S\ref{fol-cla-prover}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	212	for details.
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	213
8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	214	\item \FOL{} provides the tactic \ttindex{hyp_subst_tac}, which substitutes
8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	215	for an equality throughout a subgoal and its hypotheses. This tactic uses
8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	216	\FOL's general substitution rule.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	217	\end{itemize}
d8205bb279a7 Initial revision lcp parents: diff changeset	218
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	219	\begin{warn}\index{simplification!of conjunctions}%
8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	220	Reducing $a=b\conj P(a)$ to $a=b\conj P(b)$ is sometimes advantageous. The
8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	221	left part of a conjunction helps in simplifying the right part. This effect
8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	222	is not available by default: it can be slow. It can be obtained by
8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	223	including \ttindex{conj_cong} in a simpset, \verb$addcongs [conj_cong]$.
8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	224	\end{warn}
8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	225
104 d8205bb279a7 Initial revision lcp parents: diff changeset	226
d8205bb279a7 Initial revision lcp parents: diff changeset	227	\section{Intuitionistic proof procedures} \label{fol-int-prover}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	228	Implication elimination (the rules~\texttt{mp} and~\texttt{impE}) pose
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	229	difficulties for automated proof. In intuitionistic logic, the assumption
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	230	$P\imp Q$ cannot be treated like $\neg P\disj Q$. Given $P\imp Q$, we may
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	231	use~$Q$ provided we can prove~$P$; the proof of~$P$ may require repeated
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	232	use of $P\imp Q$. If the proof of~$P$ fails then the whole branch of the
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	233	proof must be abandoned. Thus intuitionistic propositional logic requires
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	234	backtracking.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	235
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	236	For an elementary example, consider the intuitionistic proof of $Q$ from
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	237	$P\imp Q$ and $(P\imp Q)\imp P$. The implication $P\imp Q$ is needed
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	238	twice:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	239	\[ \infer[({\imp}E)]{Q}{P\imp Q &
d8205bb279a7 Initial revision lcp parents: diff changeset	240	\infer[({\imp}E)]{P}{(P\imp Q)\imp P & P\imp Q}}
d8205bb279a7 Initial revision lcp parents: diff changeset	241	\]
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	242	The theorem prover for intuitionistic logic does not use~\texttt{impE}.\@
104 d8205bb279a7 Initial revision lcp parents: diff changeset	243	Instead, it simplifies implications using derived rules
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	244	(Fig.\ts\ref{fol-int-derived}). It reduces the antecedents of implications
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	245	to atoms and then uses Modus Ponens: from $P\imp Q$ and~$P$ deduce~$Q$.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	246	The rules \tdx{conj_impE} and \tdx{disj_impE} are
104 d8205bb279a7 Initial revision lcp parents: diff changeset	247	straightforward: $(P\conj Q)\imp S$ is equivalent to $P\imp (Q\imp S)$, and
d8205bb279a7 Initial revision lcp parents: diff changeset	248	$(P\disj Q)\imp S$ is equivalent to the conjunction of $P\imp S$ and $Q\imp
d8205bb279a7 Initial revision lcp parents: diff changeset	249	S$. The other \ldots{\tt_impE} rules are unsafe; the method requires
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	250	backtracking. All the rules are derived in the same simple manner.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	251
d8205bb279a7 Initial revision lcp parents: diff changeset	252	Dyckhoff has independently discovered similar rules, and (more importantly)
d8205bb279a7 Initial revision lcp parents: diff changeset	253	has demonstrated their completeness for propositional
d8205bb279a7 Initial revision lcp parents: diff changeset	254	logic~\cite{dyckhoff}. However, the tactics given below are not complete
d8205bb279a7 Initial revision lcp parents: diff changeset	255	for first-order logic because they discard universally quantified
d8205bb279a7 Initial revision lcp parents: diff changeset	256	assumptions after a single use.
d8205bb279a7 Initial revision lcp parents: diff changeset	257	\begin{ttbox}
3138 6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	258	mp_tac : int -> tactic
6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	259	eq_mp_tac : int -> tactic
6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	260	IntPr.safe_step_tac : int -> tactic
6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	261	IntPr.safe_tac : tactic
6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	262	IntPr.inst_step_tac : int -> tactic
6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	263	IntPr.step_tac : int -> tactic
6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	264	IntPr.fast_tac : int -> tactic
6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	265	IntPr.best_tac : int -> tactic
104 d8205bb279a7 Initial revision lcp parents: diff changeset	266	\end{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	267	Most of these belong to the structure \texttt{IntPr} and resemble the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	268	tactics of Isabelle's classical reasoner.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	269
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	270	\begin{ttdescription}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	271	\item[\ttindexbold{mp_tac} {\it i}]
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	272	attempts to use \tdx{notE} or \tdx{impE} within the assumptions in
104 d8205bb279a7 Initial revision lcp parents: diff changeset	273	subgoal $i$. For each assumption of the form $\neg P$ or $P\imp Q$, it
d8205bb279a7 Initial revision lcp parents: diff changeset	274	searches for another assumption unifiable with~$P$. By
d8205bb279a7 Initial revision lcp parents: diff changeset	275	contradiction with $\neg P$ it can solve the subgoal completely; by Modus
d8205bb279a7 Initial revision lcp parents: diff changeset	276	Ponens it can replace the assumption $P\imp Q$ by $Q$. The tactic can
d8205bb279a7 Initial revision lcp parents: diff changeset	277	produce multiple outcomes, enumerating all suitable pairs of assumptions.
d8205bb279a7 Initial revision lcp parents: diff changeset	278
d8205bb279a7 Initial revision lcp parents: diff changeset	279	\item[\ttindexbold{eq_mp_tac} {\it i}]
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	280	is like \texttt{mp_tac} {\it i}, but may not instantiate unknowns --- thus, it
104 d8205bb279a7 Initial revision lcp parents: diff changeset	281	is safe.
d8205bb279a7 Initial revision lcp parents: diff changeset	282
3138 6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	283	\item[\ttindexbold{IntPr.safe_step_tac} $i$] performs a safe step on
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	284	subgoal~$i$. This may include proof by assumption or Modus Ponens (taking
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	285	care not to instantiate unknowns), or \texttt{hyp_subst_tac}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	286
3138 6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	287	\item[\ttindexbold{IntPr.safe_tac}] repeatedly performs safe steps on all
104 d8205bb279a7 Initial revision lcp parents: diff changeset	288	subgoals. It is deterministic, with at most one outcome.
d8205bb279a7 Initial revision lcp parents: diff changeset	289
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	290	\item[\ttindexbold{IntPr.inst_step_tac} $i$] is like \texttt{safe_step_tac},
104 d8205bb279a7 Initial revision lcp parents: diff changeset	291	but allows unknowns to be instantiated.
d8205bb279a7 Initial revision lcp parents: diff changeset	292
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	293	\item[\ttindexbold{IntPr.step_tac} $i$] tries \texttt{safe_tac} or {\tt
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	294	inst_step_tac}, or applies an unsafe rule. This is the basic step of
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	295	the intuitionistic proof procedure.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	296
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	297	\item[\ttindexbold{IntPr.fast_tac} $i$] applies \texttt{step_tac}, using
104 d8205bb279a7 Initial revision lcp parents: diff changeset	298	depth-first search, to solve subgoal~$i$.
d8205bb279a7 Initial revision lcp parents: diff changeset	299
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	300	\item[\ttindexbold{IntPr.best_tac} $i$] applies \texttt{step_tac}, using
104 d8205bb279a7 Initial revision lcp parents: diff changeset	301	best-first search (guided by the size of the proof state) to solve subgoal~$i$.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	302	\end{ttdescription}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	303	Here are some of the theorems that \texttt{IntPr.fast_tac} proves
104 d8205bb279a7 Initial revision lcp parents: diff changeset	304	automatically. The latter three date from {\it Principia Mathematica}
d8205bb279a7 Initial revision lcp parents: diff changeset	305	(11.53, 11.55, *11.61)~\cite{principia}.
d8205bb279a7 Initial revision lcp parents: diff changeset	306	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	307	~~P & ~~(P --> Q) --> ~~Q
d8205bb279a7 Initial revision lcp parents: diff changeset	308	(ALL x y. P(x) --> Q(y)) <-> ((EX x. P(x)) --> (ALL y. Q(y)))
d8205bb279a7 Initial revision lcp parents: diff changeset	309	(EX x y. P(x) & Q(x,y)) <-> (EX x. P(x) & (EX y. Q(x,y)))
d8205bb279a7 Initial revision lcp parents: diff changeset	310	(EX y. ALL x. P(x) --> Q(x,y)) --> (ALL x. P(x) --> (EX y. Q(x,y)))
d8205bb279a7 Initial revision lcp parents: diff changeset	311	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	312
d8205bb279a7 Initial revision lcp parents: diff changeset	313
d8205bb279a7 Initial revision lcp parents: diff changeset	314
d8205bb279a7 Initial revision lcp parents: diff changeset	315	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	316	\begin{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	317	\tdx{excluded_middle} ~P \| P
104 d8205bb279a7 Initial revision lcp parents: diff changeset	318
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	319	\tdx{disjCI} (~Q ==> P) ==> P\|Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	320	\tdx{exCI} (ALL x. ~P(x) ==> P(a)) ==> EX x.P(x)
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	321	\tdx{impCE} [\| P-->Q; ~P ==> R; Q ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	322	\tdx{iffCE} [\| P<->Q; [\| P; Q \|] ==> R; [\| ~P; ~Q \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	323	\tdx{notnotD} ~~P ==> P
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	324	\tdx{swap} ~P ==> (~Q ==> P) ==> Q
104 d8205bb279a7 Initial revision lcp parents: diff changeset	325	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	326	\caption{Derived rules for classical logic} \label{fol-cla-derived}
d8205bb279a7 Initial revision lcp parents: diff changeset	327	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	328
d8205bb279a7 Initial revision lcp parents: diff changeset	329
d8205bb279a7 Initial revision lcp parents: diff changeset	330	\section{Classical proof procedures} \label{fol-cla-prover}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	331	The classical theory, \thydx{FOL}, consists of intuitionistic logic plus
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	332	the rule
104 d8205bb279a7 Initial revision lcp parents: diff changeset	333	$$ \vcenter{\infer{P}{\infer*{P}{[\neg P]}}} \eqno(classical) $$
d8205bb279a7 Initial revision lcp parents: diff changeset	334	\noindent
d8205bb279a7 Initial revision lcp parents: diff changeset	335	Natural deduction in classical logic is not really all that natural.
d8205bb279a7 Initial revision lcp parents: diff changeset	336	{\FOL} derives classical introduction rules for $\disj$ and~$\exists$, as
d8205bb279a7 Initial revision lcp parents: diff changeset	337	well as classical elimination rules for~$\imp$ and~$\bimp$, and the swap
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	338	rule (see Fig.\ts\ref{fol-cla-derived}).
104 d8205bb279a7 Initial revision lcp parents: diff changeset	339
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	340	The classical reasoner is installed. Tactics such as \texttt{Blast_tac} and {\tt
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	341	Best_tac} refer to the default claset (\texttt{claset()}), which works for most
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	342	purposes. Named clasets include \ttindexbold{prop_cs}, which includes the
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	343	propositional rules, and \ttindexbold{FOL_cs}, which also includes quantifier
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	344	rules. See the file \texttt{FOL/cladata.ML} for lists of the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	345	classical rules, and
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	346	\iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	347	{Chap.\ts\ref{chap:classical}}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	348	for more discussion of classical proof methods.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	349
d8205bb279a7 Initial revision lcp parents: diff changeset	350
d8205bb279a7 Initial revision lcp parents: diff changeset	351	\section{An intuitionistic example}
d8205bb279a7 Initial revision lcp parents: diff changeset	352	Here is a session similar to one in {\em Logic and Computation}
d8205bb279a7 Initial revision lcp parents: diff changeset	353	\cite[pages~222--3]{paulson87}. Isabelle treats quantifiers differently
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	354	from {\sc lcf}-based theorem provers such as {\sc hol}.
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	355
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	356	First, we specify that we are working in intuitionistic logic:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	357	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	358	context IFOL.thy;
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	359	\end{ttbox}
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	360	The proof begins by entering the goal, then applying the rule $({\imp}I)$.
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	361	\begin{ttbox}
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	362	Goal "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	363	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	364	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	365	{\out 1. (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	366	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	367	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	368	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	369	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	370	{\out 1. EX y. ALL x. Q(x,y) ==> ALL x. EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	371	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	372	In this example, we shall never have more than one subgoal. Applying
104 d8205bb279a7 Initial revision lcp parents: diff changeset	373	$({\imp}I)$ replaces~\verb\|-->\| by~\verb\|==>\|, making
d8205bb279a7 Initial revision lcp parents: diff changeset	374	$\ex{y}\all{x}Q(x,y)$ an assumption. We have the choice of
d8205bb279a7 Initial revision lcp parents: diff changeset	375	$({\exists}E)$ and $({\forall}I)$; let us try the latter.
d8205bb279a7 Initial revision lcp parents: diff changeset	376	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	377	by (resolve_tac [allI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	378	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	379	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	380	{\out 1. !!x. EX y. ALL x. Q(x,y) ==> EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	381	\end{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	382	Applying $({\forall}I)$ replaces the \texttt{ALL~x} by \hbox{\tt!!x},
104 d8205bb279a7 Initial revision lcp parents: diff changeset	383	changing the universal quantifier from object~($\forall$) to
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	384	meta~($\Forall$). The bound variable is a {\bf parameter} of the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	385	subgoal. We now must choose between $({\exists}I)$ and $({\exists}E)$. What
d8205bb279a7 Initial revision lcp parents: diff changeset	386	happens if the wrong rule is chosen?
d8205bb279a7 Initial revision lcp parents: diff changeset	387	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	388	by (resolve_tac [exI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	389	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	390	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	391	{\out 1. !!x. EX y. ALL x. Q(x,y) ==> Q(x,?y2(x))}
d8205bb279a7 Initial revision lcp parents: diff changeset	392	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	393	The new subgoal~1 contains the function variable {\tt?y2}. Instantiating
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	394	{\tt?y2} can replace~{\tt?y2(x)} by a term containing~\texttt{x}, even
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	395	though~\texttt{x} is a bound variable. Now we analyse the assumption
104 d8205bb279a7 Initial revision lcp parents: diff changeset	396	$\exists y.\forall x. Q(x,y)$ using elimination rules:
d8205bb279a7 Initial revision lcp parents: diff changeset	397	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	398	by (eresolve_tac [exE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	399	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	400	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	401	{\out 1. !!x y. ALL x. Q(x,y) ==> Q(x,?y2(x))}
d8205bb279a7 Initial revision lcp parents: diff changeset	402	\end{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	403	Applying $(\exists E)$ has produced the parameter \texttt{y} and stripped the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	404	existential quantifier from the assumption. But the subgoal is unprovable:
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	405	there is no way to unify \texttt{?y2(x)} with the bound variable~\texttt{y}.
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	406	Using \texttt{choplev} we can return to the critical point. This time we
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	407	apply $({\exists}E)$:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	408	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	409	choplev 2;
d8205bb279a7 Initial revision lcp parents: diff changeset	410	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	411	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	412	{\out 1. !!x. EX y. ALL x. Q(x,y) ==> EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	413	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	414	by (eresolve_tac [exE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	415	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	416	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	417	{\out 1. !!x y. ALL x. Q(x,y) ==> EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	418	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	419	We now have two parameters and no scheme variables. Applying
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	420	$({\exists}I)$ and $({\forall}E)$ produces two scheme variables, which are
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	421	applied to those parameters. Parameters should be produced early, as this
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	422	example demonstrates.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	423	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	424	by (resolve_tac [exI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	425	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	426	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	427	{\out 1. !!x y. ALL x. Q(x,y) ==> Q(x,?y3(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	428	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	429	by (eresolve_tac [allE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	430	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	431	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	432	{\out 1. !!x y. Q(?x4(x,y),y) ==> Q(x,?y3(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	433	\end{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	434	The subgoal has variables \texttt{?y3} and \texttt{?x4} applied to both
104 d8205bb279a7 Initial revision lcp parents: diff changeset	435	parameters. The obvious projection functions unify {\tt?x4(x,y)} with~{\tt
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	436	x} and \verb\|?y3(x,y)\| with~\texttt{y}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	437	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	438	by (assume_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	439	{\out Level 6}
d8205bb279a7 Initial revision lcp parents: diff changeset	440	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	441	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	442	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	443	The theorem was proved in six tactic steps, not counting the abandoned
3138 6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	444	ones. But proof checking is tedious; \ttindex{IntPr.fast_tac} proves the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	445	theorem in one step.
d8205bb279a7 Initial revision lcp parents: diff changeset	446	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	447	Goal "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	448	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	449	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	450	{\out 1. (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
3138 6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	451	by (IntPr.fast_tac 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	452	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	453	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	454	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	455	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	456
d8205bb279a7 Initial revision lcp parents: diff changeset	457
d8205bb279a7 Initial revision lcp parents: diff changeset	458	\section{An example of intuitionistic negation}
d8205bb279a7 Initial revision lcp parents: diff changeset	459	The following example demonstrates the specialized forms of implication
d8205bb279a7 Initial revision lcp parents: diff changeset	460	elimination. Even propositional formulae can be difficult to prove from
d8205bb279a7 Initial revision lcp parents: diff changeset	461	the basic rules; the specialized rules help considerably.
d8205bb279a7 Initial revision lcp parents: diff changeset	462
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	463	Propositional examples are easy to invent. As Dummett notes~\cite[page
104 d8205bb279a7 Initial revision lcp parents: diff changeset	464	28]{dummett}, $\neg P$ is classically provable if and only if it is
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	465	intuitionistically provable; therefore, $P$ is classically provable if and
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	466	only if $\neg\neg P$ is intuitionistically provable.%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	467	\footnote{Of course this holds only for propositional logic, not if $P$ is
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	468	allowed to contain quantifiers.} Proving $\neg\neg P$ intuitionistically is
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	469	much harder than proving~$P$ classically.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	470
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	471	Our example is the double negation of the classical tautology $(P\imp
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	472	Q)\disj (Q\imp P)$. When stating the goal, we command Isabelle to expand
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	473	negations to implications using the definition $\neg P\equiv P\imp\bot$.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	474	This allows use of the special implication rules.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	475	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	476	Goalw [not_def] "~ ~ ((P-->Q) \| (Q-->P))";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	477	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	478	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	479	{\out 1. ((P --> Q) \| (Q --> P) --> False) --> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	480	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	481	The first step is trivial.
d8205bb279a7 Initial revision lcp parents: diff changeset	482	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	483	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	484	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	485	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	486	{\out 1. (P --> Q) \| (Q --> P) --> False ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	487	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	488	By $(\imp E)$ it would suffice to prove $(P\imp Q)\disj (Q\imp P)$, but
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	489	that formula is not a theorem of intuitionistic logic. Instead we apply
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	490	the specialized implication rule \tdx{disj_impE}. It splits the
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	491	assumption into two assumptions, one for each disjunct.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	492	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	493	by (eresolve_tac [disj_impE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	494	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	495	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	496	{\out 1. [\| (P --> Q) --> False; (Q --> P) --> False \|] ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	497	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	498	We cannot hope to prove $P\imp Q$ or $Q\imp P$ separately, but
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	499	their negations are inconsistent. Applying \tdx{imp_impE} breaks down
104 d8205bb279a7 Initial revision lcp parents: diff changeset	500	the assumption $\neg(P\imp Q)$, asking to show~$Q$ while providing new
d8205bb279a7 Initial revision lcp parents: diff changeset	501	assumptions~$P$ and~$\neg Q$.
d8205bb279a7 Initial revision lcp parents: diff changeset	502	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	503	by (eresolve_tac [imp_impE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	504	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	505	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	506	{\out 1. [\| (Q --> P) --> False; P; Q --> False \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	507	{\out 2. [\| (Q --> P) --> False; False \|] ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	508	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	509	Subgoal~2 holds trivially; let us ignore it and continue working on
d8205bb279a7 Initial revision lcp parents: diff changeset	510	subgoal~1. Thanks to the assumption~$P$, we could prove $Q\imp P$;
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	511	applying \tdx{imp_impE} is simpler.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	512	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	513	by (eresolve_tac [imp_impE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	514	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	515	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	516	{\out 1. [\| P; Q --> False; Q; P --> False \|] ==> P}
d8205bb279a7 Initial revision lcp parents: diff changeset	517	{\out 2. [\| P; Q --> False; False \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	518	{\out 3. [\| (Q --> P) --> False; False \|] ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	519	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	520	The three subgoals are all trivial.
d8205bb279a7 Initial revision lcp parents: diff changeset	521	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	522	by (REPEAT (eresolve_tac [FalseE] 2));
d8205bb279a7 Initial revision lcp parents: diff changeset	523	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	524	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	525	{\out 1. [\| P; Q --> False; Q; P --> False \|] ==> P}
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	526	\ttbreak
104 d8205bb279a7 Initial revision lcp parents: diff changeset	527	by (assume_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	528	{\out Level 6}
d8205bb279a7 Initial revision lcp parents: diff changeset	529	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	530	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	531	\end{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	532	This proof is also trivial for \texttt{IntPr.fast_tac}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	533
d8205bb279a7 Initial revision lcp parents: diff changeset	534
d8205bb279a7 Initial revision lcp parents: diff changeset	535	\section{A classical example} \label{fol-cla-example}
d8205bb279a7 Initial revision lcp parents: diff changeset	536	To illustrate classical logic, we shall prove the theorem
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	537	$\ex{y}\all{x}P(y)\imp P(x)$. Informally, the theorem can be proved as
104 d8205bb279a7 Initial revision lcp parents: diff changeset	538	follows. Choose~$y$ such that~$\neg P(y)$, if such exists; otherwise
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	539	$\all{x}P(x)$ is true. Either way the theorem holds. First, we switch to
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	540	classical logic:
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	541	\begin{ttbox}
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	542	context FOL.thy;
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	543	\end{ttbox}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	544
d8205bb279a7 Initial revision lcp parents: diff changeset	545	The formal proof does not conform in any obvious way to the sketch given
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	546	above. The key inference is the first one, \tdx{exCI}; this classical
104 d8205bb279a7 Initial revision lcp parents: diff changeset	547	version of~$(\exists I)$ allows multiple instantiation of the quantifier.
d8205bb279a7 Initial revision lcp parents: diff changeset	548	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	549	Goal "EX y. ALL x. P(y)-->P(x)";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	550	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	551	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	552	{\out 1. EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	553	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	554	by (resolve_tac [exCI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	555	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	556	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	557	{\out 1. ALL y. ~ (ALL x. P(y) --> P(x)) ==> ALL x. P(?a) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	558	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	559	We can either exhibit a term {\tt?a} to satisfy the conclusion of
104 d8205bb279a7 Initial revision lcp parents: diff changeset	560	subgoal~1, or produce a contradiction from the assumption. The next
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	561	steps are routine.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	562	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	563	by (resolve_tac [allI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	564	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	565	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	566	{\out 1. !!x. ALL y. ~ (ALL x. P(y) --> P(x)) ==> P(?a) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	567	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	568	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	569	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	570	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	571	{\out 1. !!x. [\| ALL y. ~ (ALL x. P(y) --> P(x)); P(?a) \|] ==> P(x)}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	572	\end{ttbox}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	573	By the duality between $\exists$ and~$\forall$, applying~$(\forall E)$
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	574	in effect applies~$(\exists I)$ again.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	575	\begin{ttbox}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	576	by (eresolve_tac [allE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	577	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	578	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	579	{\out 1. !!x. [\| P(?a); ~ (ALL xa. P(?y3(x)) --> P(xa)) \|] ==> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	580	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	581	In classical logic, a negated assumption is equivalent to a conclusion. To
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	582	get this effect, we create a swapped version of~$(\forall I)$ and apply it
104 d8205bb279a7 Initial revision lcp parents: diff changeset	583	using \ttindex{eresolve_tac}; we could equivalently have applied~$(\forall
d8205bb279a7 Initial revision lcp parents: diff changeset	584	I)$ using \ttindex{swap_res_tac}.
d8205bb279a7 Initial revision lcp parents: diff changeset	585	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	586	allI RSN (2,swap);
d8205bb279a7 Initial revision lcp parents: diff changeset	587	{\out val it = "[\| ~ (ALL x. ?P1(x)); !!x. ~ ?Q ==> ?P1(x) \|] ==> ?Q" : thm}
d8205bb279a7 Initial revision lcp parents: diff changeset	588	by (eresolve_tac [it] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	589	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	590	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	591	{\out 1. !!x xa. [\| P(?a); ~ P(x) \|] ==> P(?y3(x)) --> P(xa)}
d8205bb279a7 Initial revision lcp parents: diff changeset	592	\end{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	593	The previous conclusion, \texttt{P(x)}, has become a negated assumption.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	594	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	595	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	596	{\out Level 6}
d8205bb279a7 Initial revision lcp parents: diff changeset	597	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	598	{\out 1. !!x xa. [\| P(?a); ~ P(x); P(?y3(x)) \|] ==> P(xa)}
d8205bb279a7 Initial revision lcp parents: diff changeset	599	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	600	The subgoal has three assumptions. We produce a contradiction between the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	601	\index{assumptions!contradictory} assumptions~\verb\|~P(x)\| and~{\tt
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	602	P(?y3(x))}. The proof never instantiates the unknown~{\tt?a}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	603	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	604	by (eresolve_tac [notE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	605	{\out Level 7}
d8205bb279a7 Initial revision lcp parents: diff changeset	606	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	607	{\out 1. !!x xa. [\| P(?a); P(?y3(x)) \|] ==> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	608	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	609	by (assume_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	610	{\out Level 8}
d8205bb279a7 Initial revision lcp parents: diff changeset	611	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	612	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	613	\end{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	614	The civilised way to prove this theorem is through \ttindex{Blast_tac},
874 2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	615	which automatically uses the classical version of~$(\exists I)$:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	616	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	617	Goal "EX y. ALL x. P(y)-->P(x)";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	618	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	619	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	620	{\out 1. EX y. ALL x. P(y) --> P(x)}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	621	by (Blast_tac 1);
874 2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	622	{\out Depth = 0}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	623	{\out Depth = 1}
874 2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	624	{\out Depth = 2}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	625	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	626	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	627	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	628	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	629	If this theorem seems counterintuitive, then perhaps you are an
d8205bb279a7 Initial revision lcp parents: diff changeset	630	intuitionist. In constructive logic, proving $\ex{y}\all{x}P(y)\imp P(x)$
d8205bb279a7 Initial revision lcp parents: diff changeset	631	requires exhibiting a particular term~$t$ such that $\all{x}P(t)\imp P(x)$,
d8205bb279a7 Initial revision lcp parents: diff changeset	632	which we cannot do without further knowledge about~$P$.
d8205bb279a7 Initial revision lcp parents: diff changeset	633
d8205bb279a7 Initial revision lcp parents: diff changeset	634
d8205bb279a7 Initial revision lcp parents: diff changeset	635	\section{Derived rules and the classical tactics}
d8205bb279a7 Initial revision lcp parents: diff changeset	636	Classical first-order logic can be extended with the propositional
d8205bb279a7 Initial revision lcp parents: diff changeset	637	connective $if(P,Q,R)$, where
d8205bb279a7 Initial revision lcp parents: diff changeset	638	$$ if(P,Q,R) \equiv P\conj Q \disj \neg P \conj R. \eqno(if) $$
d8205bb279a7 Initial revision lcp parents: diff changeset	639	Theorems about $if$ can be proved by treating this as an abbreviation,
d8205bb279a7 Initial revision lcp parents: diff changeset	640	replacing $if(P,Q,R)$ by $P\conj Q \disj \neg P \conj R$ in subgoals. But
d8205bb279a7 Initial revision lcp parents: diff changeset	641	this duplicates~$P$, causing an exponential blowup and an unreadable
d8205bb279a7 Initial revision lcp parents: diff changeset	642	formula. Introducing further abbreviations makes the problem worse.
d8205bb279a7 Initial revision lcp parents: diff changeset	643
d8205bb279a7 Initial revision lcp parents: diff changeset	644	Natural deduction demands rules that introduce and eliminate $if(P,Q,R)$
d8205bb279a7 Initial revision lcp parents: diff changeset	645	directly, without reference to its definition. The simple identity
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	646	\[ if(P,Q,R) \,\bimp\, (P\imp Q)\conj (\neg P\imp R) \]
104 d8205bb279a7 Initial revision lcp parents: diff changeset	647	suggests that the
d8205bb279a7 Initial revision lcp parents: diff changeset	648	$if$-introduction rule should be
157 8258c26ae084 Correction to page 16; thanks to Markus W. lcp parents: 111 diff changeset	649	\[ \infer[({if}\,I)]{if(P,Q,R)}{\infer{Q}{[P]} & \infer{R}{[\neg P]}} \]
104 d8205bb279a7 Initial revision lcp parents: diff changeset	650	The $if$-elimination rule reflects the definition of $if(P,Q,R)$ and the
d8205bb279a7 Initial revision lcp parents: diff changeset	651	elimination rules for~$\disj$ and~$\conj$.
d8205bb279a7 Initial revision lcp parents: diff changeset	652	\[ \infer[({if}\,E)]{S}{if(P,Q,R) & \infer*{S}{[P,Q]}
d8205bb279a7 Initial revision lcp parents: diff changeset	653	& \infer*{S}{[\neg P,R]}}
d8205bb279a7 Initial revision lcp parents: diff changeset	654	\]
d8205bb279a7 Initial revision lcp parents: diff changeset	655	Having made these plans, we get down to work with Isabelle. The theory of
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	656	classical logic, \texttt{FOL}, is extended with the constant
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	657	$if::[o,o,o]\To o$. The axiom \tdx{if_def} asserts the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	658	equation~$(if)$.
d8205bb279a7 Initial revision lcp parents: diff changeset	659	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	660	If = FOL +
1388 7705e6211865 removed quotes from consts and syntax sections clasohm parents: 874 diff changeset	661	consts if :: [o,o,o]=>o
104 d8205bb279a7 Initial revision lcp parents: diff changeset	662	rules if_def "if(P,Q,R) == P&Q \| ~P&R"
d8205bb279a7 Initial revision lcp parents: diff changeset	663	end
d8205bb279a7 Initial revision lcp parents: diff changeset	664	\end{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	665	We create the file \texttt{If.thy} containing these declarations. (This file
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	666	is on directory \texttt{FOL/ex} in the Isabelle distribution.) Typing
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	667	\begin{ttbox}
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	668	use_thy "If";
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	669	\end{ttbox}
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	670	loads that theory and sets it to be the current context.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	671
d8205bb279a7 Initial revision lcp parents: diff changeset	672
d8205bb279a7 Initial revision lcp parents: diff changeset	673	\subsection{Deriving the introduction rule}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	674
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	675	The derivations of the introduction and elimination rules demonstrate the
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	676	methods for rewriting with definitions. Classical reasoning is required,
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	677	so we use \texttt{blast_tac}.
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	678
104 d8205bb279a7 Initial revision lcp parents: diff changeset	679	The introduction rule, given the premises $P\Imp Q$ and $\neg P\Imp R$,
d8205bb279a7 Initial revision lcp parents: diff changeset	680	concludes $if(P,Q,R)$. We propose the conclusion as the main goal
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	681	using~\ttindex{goalw}, which uses \texttt{if_def} to rewrite occurrences
104 d8205bb279a7 Initial revision lcp parents: diff changeset	682	of $if$ in the subgoal.
d8205bb279a7 Initial revision lcp parents: diff changeset	683	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	684	val prems = Goalw [if_def]
104 d8205bb279a7 Initial revision lcp parents: diff changeset	685	"[\| P ==> Q; ~ P ==> R \|] ==> if(P,Q,R)";
d8205bb279a7 Initial revision lcp parents: diff changeset	686	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	687	{\out if(P,Q,R)}
d8205bb279a7 Initial revision lcp parents: diff changeset	688	{\out 1. P & Q \| ~ P & R}
d8205bb279a7 Initial revision lcp parents: diff changeset	689	\end{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	690	The premises (bound to the {\ML} variable \texttt{prems}) are passed as
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	691	introduction rules to \ttindex{blast_tac}. Remember that \texttt{claset()} refers
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	692	to the default classical set.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	693	\begin{ttbox}
4877 7a046198610e fixed simpset(), claset(); wenzelm parents: 3138 diff changeset	694	by (blast_tac (claset() addIs prems) 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	695	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	696	{\out if(P,Q,R)}
d8205bb279a7 Initial revision lcp parents: diff changeset	697	{\out No subgoals!}
3138 6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	698	qed "ifI";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	699	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	700
d8205bb279a7 Initial revision lcp parents: diff changeset	701
d8205bb279a7 Initial revision lcp parents: diff changeset	702	\subsection{Deriving the elimination rule}
d8205bb279a7 Initial revision lcp parents: diff changeset	703	The elimination rule has three premises, two of which are themselves rules.
d8205bb279a7 Initial revision lcp parents: diff changeset	704	The conclusion is simply $S$.
d8205bb279a7 Initial revision lcp parents: diff changeset	705	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	706	val major::prems = Goalw [if_def]
104 d8205bb279a7 Initial revision lcp parents: diff changeset	707	"[\| if(P,Q,R); [\| P; Q \|] ==> S; [\| ~ P; R \|] ==> S \|] ==> S";
d8205bb279a7 Initial revision lcp parents: diff changeset	708	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	709	{\out S}
d8205bb279a7 Initial revision lcp parents: diff changeset	710	{\out 1. S}
d8205bb279a7 Initial revision lcp parents: diff changeset	711	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	712	The major premise contains an occurrence of~$if$, but the version returned
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	713	by \ttindex{goalw} (and bound to the {\ML} variable~\texttt{major}) has the
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	714	definition expanded. Now \ttindex{cut_facts_tac} inserts~\texttt{major} as an
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	715	assumption in the subgoal, so that \ttindex{blast_tac} can break it down.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	716	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	717	by (cut_facts_tac [major] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	718	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	719	{\out S}
d8205bb279a7 Initial revision lcp parents: diff changeset	720	{\out 1. P & Q \| ~ P & R ==> S}
d8205bb279a7 Initial revision lcp parents: diff changeset	721	\ttbreak
4877 7a046198610e fixed simpset(), claset(); wenzelm parents: 3138 diff changeset	722	by (blast_tac (claset() addIs prems) 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	723	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	724	{\out S}
d8205bb279a7 Initial revision lcp parents: diff changeset	725	{\out No subgoals!}
3138 6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	726	qed "ifE";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	727	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	728	As you may recall from
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	729	\iflabelundefined{definitions}{{\em Introduction to Isabelle}}%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	730	{\S\ref{definitions}}, there are other
104 d8205bb279a7 Initial revision lcp parents: diff changeset	731	ways of treating definitions when deriving a rule. We can start the
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	732	proof using \texttt{goal}, which does not expand definitions, instead of
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	733	\texttt{goalw}. We can use \ttindex{rew_tac}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	734	to expand definitions in the subgoals --- perhaps after calling
d8205bb279a7 Initial revision lcp parents: diff changeset	735	\ttindex{cut_facts_tac} to insert the rule's premises. We can use
d8205bb279a7 Initial revision lcp parents: diff changeset	736	\ttindex{rewrite_rule}, which is a meta-inference rule, to expand
d8205bb279a7 Initial revision lcp parents: diff changeset	737	definitions in the premises directly.
d8205bb279a7 Initial revision lcp parents: diff changeset	738
d8205bb279a7 Initial revision lcp parents: diff changeset	739
d8205bb279a7 Initial revision lcp parents: diff changeset	740	\subsection{Using the derived rules}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	741	The rules just derived have been saved with the {\ML} names \tdx{ifI}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	742	and~\tdx{ifE}. They permit natural proofs of theorems such as the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	743	following:
d8205bb279a7 Initial revision lcp parents: diff changeset	744	\begin{eqnarray*}
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	745	if(P, if(Q,A,B), if(Q,C,D)) & \bimp & if(Q,if(P,A,C),if(P,B,D)) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	746	if(if(P,Q,R), A, B) & \bimp & if(P,if(Q,A,B),if(R,A,B))
104 d8205bb279a7 Initial revision lcp parents: diff changeset	747	\end{eqnarray*}
d8205bb279a7 Initial revision lcp parents: diff changeset	748	Proofs also require the classical reasoning rules and the $\bimp$
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	749	introduction rule (called~\tdx{iffI}: do not confuse with~\texttt{ifI}).
104 d8205bb279a7 Initial revision lcp parents: diff changeset	750
d8205bb279a7 Initial revision lcp parents: diff changeset	751	To display the $if$-rules in action, let us analyse a proof step by step.
d8205bb279a7 Initial revision lcp parents: diff changeset	752	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	753	Goal "if(P, if(Q,A,B), if(Q,C,D)) <-> if(Q, if(P,A,C), if(P,B,D))";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	754	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	755	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	756	{\out 1. if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	757	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	758	by (resolve_tac [iffI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	759	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	760	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	761	{\out 1. if(P,if(Q,A,B),if(Q,C,D)) ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	762	{\out 2. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	763	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	764	The $if$-elimination rule can be applied twice in succession.
d8205bb279a7 Initial revision lcp parents: diff changeset	765	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	766	by (eresolve_tac [ifE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	767	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	768	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	769	{\out 1. [\| P; if(Q,A,B) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	770	{\out 2. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	771	{\out 3. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	772	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	773	by (eresolve_tac [ifE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	774	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	775	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	776	{\out 1. [\| P; Q; A \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	777	{\out 2. [\| P; ~ Q; B \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	778	{\out 3. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	779	{\out 4. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	780	\end{ttbox}
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	781	%
2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	782	In the first two subgoals, all assumptions have been reduced to atoms. Now
104 d8205bb279a7 Initial revision lcp parents: diff changeset	783	$if$-introduction can be applied. Observe how the $if$-rules break down
d8205bb279a7 Initial revision lcp parents: diff changeset	784	occurrences of $if$ when they become the outermost connective.
d8205bb279a7 Initial revision lcp parents: diff changeset	785	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	786	by (resolve_tac [ifI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	787	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	788	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	789	{\out 1. [\| P; Q; A; Q \|] ==> if(P,A,C)}
d8205bb279a7 Initial revision lcp parents: diff changeset	790	{\out 2. [\| P; Q; A; ~ Q \|] ==> if(P,B,D)}
d8205bb279a7 Initial revision lcp parents: diff changeset	791	{\out 3. [\| P; ~ Q; B \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	792	{\out 4. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	793	{\out 5. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	794	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	795	by (resolve_tac [ifI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	796	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	797	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	798	{\out 1. [\| P; Q; A; Q; P \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	799	{\out 2. [\| P; Q; A; Q; ~ P \|] ==> C}
d8205bb279a7 Initial revision lcp parents: diff changeset	800	{\out 3. [\| P; Q; A; ~ Q \|] ==> if(P,B,D)}
d8205bb279a7 Initial revision lcp parents: diff changeset	801	{\out 4. [\| P; ~ Q; B \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	802	{\out 5. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	803	{\out 6. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	804	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	805	Where do we stand? The first subgoal holds by assumption; the second and
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	806	third, by contradiction. This is getting tedious. We could use the classical
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	807	reasoner, but first let us extend the default claset with the derived rules
104 d8205bb279a7 Initial revision lcp parents: diff changeset	808	for~$if$.
d8205bb279a7 Initial revision lcp parents: diff changeset	809	\begin{ttbox}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	810	AddSIs [ifI];
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	811	AddSEs [ifE];
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	812	\end{ttbox}
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	813	Now we can revert to the
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	814	initial proof state and let \ttindex{blast_tac} solve it.
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	815	\begin{ttbox}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	816	choplev 0;
d8205bb279a7 Initial revision lcp parents: diff changeset	817	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	818	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	819	{\out 1. if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	820	by (Blast_tac 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	821	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	822	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	823	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	824	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	825	This tactic also solves the other example.
d8205bb279a7 Initial revision lcp parents: diff changeset	826	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	827	Goal "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,A,B))";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	828	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	829	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	830	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	831	\ttbreak
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	832	by (Blast_tac 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	833	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	834	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	835	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	836	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	837
d8205bb279a7 Initial revision lcp parents: diff changeset	838
d8205bb279a7 Initial revision lcp parents: diff changeset	839	\subsection{Derived rules versus definitions}
d8205bb279a7 Initial revision lcp parents: diff changeset	840	Dispensing with the derived rules, we can treat $if$ as an
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	841	abbreviation, and let \ttindex{blast_tac} prove the expanded formula. Let
104 d8205bb279a7 Initial revision lcp parents: diff changeset	842	us redo the previous proof:
d8205bb279a7 Initial revision lcp parents: diff changeset	843	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	844	choplev 0;
d8205bb279a7 Initial revision lcp parents: diff changeset	845	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	846	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	847	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	848	\end{ttbox}
6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	849	This time, simply unfold using the definition of $if$:
6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	850	\begin{ttbox}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	851	by (rewtac if_def);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	852	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	853	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	854	{\out 1. (P & Q \| ~ P & R) & A \| ~ (P & Q \| ~ P & R) & B <->}
d8205bb279a7 Initial revision lcp parents: diff changeset	855	{\out P & (Q & A \| ~ Q & B) \| ~ P & (R & A \| ~ R & B)}
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	856	\end{ttbox}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	857	We are left with a subgoal in pure first-order logic, which is why the
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	858	classical reasoner can prove it given \texttt{FOL_cs} alone. (We could, of
1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	859	course, have used \texttt{Blast_tac}.)
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	860	\begin{ttbox}
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	861	by (blast_tac FOL_cs 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	862	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	863	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	864	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	865	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	866	Expanding definitions reduces the extended logic to the base logic. This
d8205bb279a7 Initial revision lcp parents: diff changeset	867	approach has its merits --- especially if the prover for the base logic is
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	868	good --- but can be slow. In these examples, proofs using the default
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	869	claset (which includes the derived rules) run about six times faster
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	870	than proofs using \texttt{FOL_cs}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	871
d8205bb279a7 Initial revision lcp parents: diff changeset	872	Expanding definitions also complicates error diagnosis. Suppose we are having
d8205bb279a7 Initial revision lcp parents: diff changeset	873	difficulties in proving some goal. If by expanding definitions we have
d8205bb279a7 Initial revision lcp parents: diff changeset	874	made it unreadable, then we have little hope of diagnosing the problem.
d8205bb279a7 Initial revision lcp parents: diff changeset	875
d8205bb279a7 Initial revision lcp parents: diff changeset	876	Attempts at program verification often yield invalid assertions.
d8205bb279a7 Initial revision lcp parents: diff changeset	877	Let us try to prove one:
d8205bb279a7 Initial revision lcp parents: diff changeset	878	\begin{ttbox}
5151 1e944fe5ce96 Got rid of obsolete "goal" commands. paulson parents: 4877 diff changeset	879	Goal "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,B,A))";
104 d8205bb279a7 Initial revision lcp parents: diff changeset	880	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	881	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	882	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	883	by (Blast_tac 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	884	{\out by: tactic failed}
d8205bb279a7 Initial revision lcp parents: diff changeset	885	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	886	This failure message is uninformative, but we can get a closer look at the
3138 6c0c7e99312d replaced Int by IntPr, result by qed; wenzelm parents: 3133 diff changeset	887	situation by applying \ttindex{Step_tac}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	888	\begin{ttbox}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	889	by (REPEAT (Step_tac 1));
104 d8205bb279a7 Initial revision lcp parents: diff changeset	890	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	891	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	892	{\out 1. [\| A; ~ P; R; ~ P; R \|] ==> B}
d8205bb279a7 Initial revision lcp parents: diff changeset	893	{\out 2. [\| B; ~ P; ~ R; ~ P; ~ R \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	894	{\out 3. [\| ~ P; R; B; ~ P; R \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	895	{\out 4. [\| ~ P; ~ R; A; ~ B; ~ P \|] ==> R}
d8205bb279a7 Initial revision lcp parents: diff changeset	896	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	897	Subgoal~1 is unprovable and yields a countermodel: $P$ and~$B$ are false
d8205bb279a7 Initial revision lcp parents: diff changeset	898	while~$R$ and~$A$ are true. This truth assignment reduces the main goal to
d8205bb279a7 Initial revision lcp parents: diff changeset	899	$true\bimp false$, which is of course invalid.
d8205bb279a7 Initial revision lcp parents: diff changeset	900
d8205bb279a7 Initial revision lcp parents: diff changeset	901	We can repeat this analysis by expanding definitions, using just
d8205bb279a7 Initial revision lcp parents: diff changeset	902	the rules of {\FOL}:
d8205bb279a7 Initial revision lcp parents: diff changeset	903	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	904	choplev 0;
d8205bb279a7 Initial revision lcp parents: diff changeset	905	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	906	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	907	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	908	\ttbreak
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	909	by (rewtac if_def);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	910	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	911	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	912	{\out 1. (P & Q \| ~ P & R) & A \| ~ (P & Q \| ~ P & R) & B <->}
d8205bb279a7 Initial revision lcp parents: diff changeset	913	{\out P & (Q & A \| ~ Q & B) \| ~ P & (R & B \| ~ R & A)}
3133 8c55b0f16da2 stylistic improvements paulson parents: 2495 diff changeset	914	by (blast_tac FOL_cs 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	915	{\out by: tactic failed}
d8205bb279a7 Initial revision lcp parents: diff changeset	916	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	917	Again we apply \ttindex{step_tac}:
d8205bb279a7 Initial revision lcp parents: diff changeset	918	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	919	by (REPEAT (step_tac FOL_cs 1));
d8205bb279a7 Initial revision lcp parents: diff changeset	920	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	921	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	922	{\out 1. [\| A; ~ P; R; ~ P; R; ~ False \|] ==> B}
d8205bb279a7 Initial revision lcp parents: diff changeset	923	{\out 2. [\| A; ~ P; R; R; ~ False; ~ B; ~ B \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	924	{\out 3. [\| B; ~ P; ~ R; ~ P; ~ A \|] ==> R}
d8205bb279a7 Initial revision lcp parents: diff changeset	925	{\out 4. [\| B; ~ P; ~ R; ~ Q; ~ A \|] ==> R}
d8205bb279a7 Initial revision lcp parents: diff changeset	926	{\out 5. [\| B; ~ R; ~ P; ~ A; ~ R; Q; ~ False \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	927	{\out 6. [\| ~ P; R; B; ~ P; R; ~ False \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	928	{\out 7. [\| ~ P; ~ R; A; ~ B; ~ R \|] ==> P}
d8205bb279a7 Initial revision lcp parents: diff changeset	929	{\out 8. [\| ~ P; ~ R; A; ~ B; ~ R \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	930	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	931	Subgoal~1 yields the same countermodel as before. But each proof step has
d8205bb279a7 Initial revision lcp parents: diff changeset	932	taken six times as long, and the final result contains twice as many subgoals.
d8205bb279a7 Initial revision lcp parents: diff changeset	933
d8205bb279a7 Initial revision lcp parents: diff changeset	934	Expanding definitions causes a great increase in complexity. This is why
d8205bb279a7 Initial revision lcp parents: diff changeset	935	the classical prover has been designed to accept derived rules.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	936
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	937	\index{first-order logic\|)}

author	wenzelm
	Tue, 21 Jul 1998 16:41:12 +0200
changeset 5170	33fbffd06c12
parent 5151	1e944fe5ce96
child 5205	602354039306
permissions	-rw-r--r--