isabelle: doc-src/Logics/FOL.tex@3ca200d880f4 (annotated)

104 d8205bb279a7 Initial revision lcp parents: diff changeset	1	%% $Id$
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	2	\chapter{First-Order Logic}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	3	\index{first-order logic\|(}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	4
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	5	Isabelle implements Gentzen's natural deduction systems {\sc nj} and {\sc
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	6	nk}. Intuitionistic first-order logic is defined first, as theory
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	7	\thydx{IFOL}. Classical logic, theory \thydx{FOL}, is
104 d8205bb279a7 Initial revision lcp parents: diff changeset	8	obtained by adding the double negation rule. Basic proof procedures are
d8205bb279a7 Initial revision lcp parents: diff changeset	9	provided. The intuitionistic prover works with derived rules to simplify
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	10	implications in the assumptions. Classical~{\tt FOL} employs Isabelle's
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	11	classical reasoner, which simulates a sequent calculus.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	12
d8205bb279a7 Initial revision lcp parents: diff changeset	13	\section{Syntax and rules of inference}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	14	The logic is many-sorted, using Isabelle's type classes. The class of
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	15	first-order terms is called \cldx{term} and is a subclass of {\tt logic}.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	16	No types of individuals are provided, but extensions can define types such
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	17	as {\tt nat::term} and type constructors such as {\tt list::(term)term}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	18	(see the examples directory, {\tt FOL/ex}). Below, the type variable
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	19	$\alpha$ ranges over class {\tt term}; the equality symbol and quantifiers
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	20	are polymorphic (many-sorted). The type of formulae is~\tydx{o}, which
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	21	belongs to class~\cldx{logic}. Figure~\ref{fol-syntax} gives the syntax.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	22	Note that $a$\verb\|~=\|$b$ is translated to $\neg(a=b)$.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	23
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	24	Figure~\ref{fol-rules} shows the inference rules with their~\ML\ names.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	25	Negation is defined in the usual way for intuitionistic logic; $\neg P$
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	26	abbreviates $P\imp\bot$. The biconditional~($\bimp$) is defined through
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	27	$\conj$ and~$\imp$; introduction and elimination rules are derived for it.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	28
d8205bb279a7 Initial revision lcp parents: diff changeset	29	The unique existence quantifier, $\exists!x.P(x)$, is defined in terms
d8205bb279a7 Initial revision lcp parents: diff changeset	30	of~$\exists$ and~$\forall$. An Isabelle binder, it admits nested
d8205bb279a7 Initial revision lcp parents: diff changeset	31	quantifications. For instance, $\exists!x y.P(x,y)$ abbreviates
d8205bb279a7 Initial revision lcp parents: diff changeset	32	$\exists!x. \exists!y.P(x,y)$; note that this does not mean that there
d8205bb279a7 Initial revision lcp parents: diff changeset	33	exists a unique pair $(x,y)$ satisfying~$P(x,y)$.
d8205bb279a7 Initial revision lcp parents: diff changeset	34
d8205bb279a7 Initial revision lcp parents: diff changeset	35	Some intuitionistic derived rules are shown in
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	36	Fig.\ts\ref{fol-int-derived}, again with their \ML\ names. These include
104 d8205bb279a7 Initial revision lcp parents: diff changeset	37	rules for the defined symbols $\neg$, $\bimp$ and $\exists!$. Natural
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	38	deduction typically involves a combination of forward and backward
104 d8205bb279a7 Initial revision lcp parents: diff changeset	39	reasoning, particularly with the destruction rules $(\conj E)$,
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	40	$({\imp}E)$, and~$(\forall E)$. Isabelle's backward style handles these
104 d8205bb279a7 Initial revision lcp parents: diff changeset	41	rules badly, so sequent-style rules are derived to eliminate conjunctions,
d8205bb279a7 Initial revision lcp parents: diff changeset	42	implications, and universal quantifiers. Used with elim-resolution,
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	43	\tdx{allE} eliminates a universal quantifier while \tdx{all_dupE}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	44	re-inserts the quantified formula for later use. The rules {\tt
d8205bb279a7 Initial revision lcp parents: diff changeset	45	conj_impE}, etc., support the intuitionistic proof procedure
d8205bb279a7 Initial revision lcp parents: diff changeset	46	(see~\S\ref{fol-int-prover}).
d8205bb279a7 Initial revision lcp parents: diff changeset	47
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	48	See the files {\tt FOL/IFOL.thy}, {\tt FOL/IFOL.ML} and
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	49	{\tt FOL/intprover.ML} for complete listings of the rules and
104 d8205bb279a7 Initial revision lcp parents: diff changeset	50	derived rules.
d8205bb279a7 Initial revision lcp parents: diff changeset	51
d8205bb279a7 Initial revision lcp parents: diff changeset	52	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	53	\begin{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	54	\begin{tabular}{rrr}
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	55	\it name &\it meta-type & \it description \\
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	56	\cdx{Trueprop}& $o\To prop$ & coercion to $prop$\\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	57	\cdx{Not} & $o\To o$ & negation ($\neg$) \\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	58	\cdx{True} & $o$ & tautology ($\top$) \\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	59	\cdx{False} & $o$ & absurdity ($\bot$)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	60	\end{tabular}
d8205bb279a7 Initial revision lcp parents: diff changeset	61	\end{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	62	\subcaption{Constants}
d8205bb279a7 Initial revision lcp parents: diff changeset	63
d8205bb279a7 Initial revision lcp parents: diff changeset	64	\begin{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	65	\begin{tabular}{llrrr}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	66	\it symbol &\it name &\it meta-type & \it priority & \it description \\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	67	\sdx{ALL} & \cdx{All} & $(\alpha\To o)\To o$ & 10 &
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	68	universal quantifier ($\forall$) \\
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	69	\sdx{EX} & \cdx{Ex} & $(\alpha\To o)\To o$ & 10 &
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	70	existential quantifier ($\exists$) \\
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	71	{\tt EX!} & \cdx{Ex1} & $(\alpha\To o)\To o$ & 10 &
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	72	unique existence ($\exists!$)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	73	\end{tabular}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	74	\index{*"E"X"! symbol}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	75	\end{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	76	\subcaption{Binders}
d8205bb279a7 Initial revision lcp parents: diff changeset	77
d8205bb279a7 Initial revision lcp parents: diff changeset	78	\begin{center}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	79	\index{*"= symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	80	\index{&@{\tt\&} symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	81	\index{*"\| symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	82	\index{*"-"-"> symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	83	\index{*"<"-"> symbol}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	84	\begin{tabular}{rrrr}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	85	\it symbol & \it meta-type & \it priority & \it description \\
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	86	\tt = & $[\alpha,\alpha]\To o$ & Left 50 & equality ($=$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	87	\tt \& & $[o,o]\To o$ & Right 35 & conjunction ($\conj$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	88	\tt \| & $[o,o]\To o$ & Right 30 & disjunction ($\disj$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	89	\tt --> & $[o,o]\To o$ & Right 25 & implication ($\imp$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	90	\tt <-> & $[o,o]\To o$ & Right 25 & biconditional ($\bimp$)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	91	\end{tabular}
d8205bb279a7 Initial revision lcp parents: diff changeset	92	\end{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	93	\subcaption{Infixes}
d8205bb279a7 Initial revision lcp parents: diff changeset	94
d8205bb279a7 Initial revision lcp parents: diff changeset	95	\dquotes
d8205bb279a7 Initial revision lcp parents: diff changeset	96	\[\begin{array}{rcl}
d8205bb279a7 Initial revision lcp parents: diff changeset	97	formula & = & \hbox{expression of type~$o$} \\
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	98	& \| & term " = " term \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	99	& \| & term " \ttilde= " term \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	100	& \| & "\ttilde\ " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	101	& \| & formula " \& " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	102	& \| & formula " \| " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	103	& \| & formula " --> " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	104	& \| & formula " <-> " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	105	& \| & "ALL~" id~id^* " . " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	106	& \| & "EX~~" id~id^* " . " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	107	& \| & "EX!~" id~id^* " . " formula
104 d8205bb279a7 Initial revision lcp parents: diff changeset	108	\end{array}
d8205bb279a7 Initial revision lcp parents: diff changeset	109	\]
d8205bb279a7 Initial revision lcp parents: diff changeset	110	\subcaption{Grammar}
d8205bb279a7 Initial revision lcp parents: diff changeset	111	\caption{Syntax of {\tt FOL}} \label{fol-syntax}
d8205bb279a7 Initial revision lcp parents: diff changeset	112	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	113
d8205bb279a7 Initial revision lcp parents: diff changeset	114
d8205bb279a7 Initial revision lcp parents: diff changeset	115	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	116	\begin{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	117	\tdx{refl} a=a
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	118	\tdx{subst} [\| a=b; P(a) \|] ==> P(b)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	119	\subcaption{Equality rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	120
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	121	\tdx{conjI} [\| P; Q \|] ==> P&Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	122	\tdx{conjunct1} P&Q ==> P
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	123	\tdx{conjunct2} P&Q ==> Q
104 d8205bb279a7 Initial revision lcp parents: diff changeset	124
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	125	\tdx{disjI1} P ==> P\|Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	126	\tdx{disjI2} Q ==> P\|Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	127	\tdx{disjE} [\| P\|Q; P ==> R; Q ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	128
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	129	\tdx{impI} (P ==> Q) ==> P-->Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	130	\tdx{mp} [\| P-->Q; P \|] ==> Q
104 d8205bb279a7 Initial revision lcp parents: diff changeset	131
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	132	\tdx{FalseE} False ==> P
104 d8205bb279a7 Initial revision lcp parents: diff changeset	133	\subcaption{Propositional rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	134
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	135	\tdx{allI} (!!x. P(x)) ==> (ALL x.P(x))
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	136	\tdx{spec} (ALL x.P(x)) ==> P(x)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	137
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	138	\tdx{exI} P(x) ==> (EX x.P(x))
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	139	\tdx{exE} [\| EX x.P(x); !!x. P(x) ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	140	\subcaption{Quantifier rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	141
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	142	\tdx{True_def} True == False-->False
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	143	\tdx{not_def} ~P == P-->False
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	144	\tdx{iff_def} P<->Q == (P-->Q) & (Q-->P)
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	145	\tdx{ex1_def} EX! x. P(x) == EX x. P(x) & (ALL y. P(y) --> y=x)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	146	\subcaption{Definitions}
d8205bb279a7 Initial revision lcp parents: diff changeset	147	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	148
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	149	\caption{Rules of intuitionistic logic} \label{fol-rules}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	150	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	151
d8205bb279a7 Initial revision lcp parents: diff changeset	152
d8205bb279a7 Initial revision lcp parents: diff changeset	153	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	154	\begin{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	155	\tdx{sym} a=b ==> b=a
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	156	\tdx{trans} [\| a=b; b=c \|] ==> a=c
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	157	\tdx{ssubst} [\| b=a; P(a) \|] ==> P(b)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	158	\subcaption{Derived equality rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	159
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	160	\tdx{TrueI} True
104 d8205bb279a7 Initial revision lcp parents: diff changeset	161
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	162	\tdx{notI} (P ==> False) ==> ~P
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	163	\tdx{notE} [\| ~P; P \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	164
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	165	\tdx{iffI} [\| P ==> Q; Q ==> P \|] ==> P<->Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	166	\tdx{iffE} [\| P <-> Q; [\| P-->Q; Q-->P \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	167	\tdx{iffD1} [\| P <-> Q; P \|] ==> Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	168	\tdx{iffD2} [\| P <-> Q; Q \|] ==> P
104 d8205bb279a7 Initial revision lcp parents: diff changeset	169
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	170	\tdx{ex1I} [\| P(a); !!x. P(x) ==> x=a \|] ==> EX! x. P(x)
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	171	\tdx{ex1E} [\| EX! x.P(x); !!x.[\| P(x); ALL y. P(y) --> y=x \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	172	\|] ==> R
d8205bb279a7 Initial revision lcp parents: diff changeset	173	\subcaption{Derived rules for $\top$, $\neg$, $\bimp$ and $\exists!$}
d8205bb279a7 Initial revision lcp parents: diff changeset	174
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	175	\tdx{conjE} [\| P&Q; [\| P; Q \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	176	\tdx{impE} [\| P-->Q; P; Q ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	177	\tdx{allE} [\| ALL x.P(x); P(x) ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	178	\tdx{all_dupE} [\| ALL x.P(x); [\| P(x); ALL x.P(x) \|] ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	179	\subcaption{Sequent-style elimination rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	180
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	181	\tdx{conj_impE} [\| (P&Q)-->S; P-->(Q-->S) ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	182	\tdx{disj_impE} [\| (P\|Q)-->S; [\| P-->S; Q-->S \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	183	\tdx{imp_impE} [\| (P-->Q)-->S; [\| P; Q-->S \|] ==> Q; S ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	184	\tdx{not_impE} [\| ~P --> S; P ==> False; S ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	185	\tdx{iff_impE} [\| (P<->Q)-->S; [\| P; Q-->S \|] ==> Q; [\| Q; P-->S \|] ==> P;
104 d8205bb279a7 Initial revision lcp parents: diff changeset	186	S ==> R \|] ==> R
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	187	\tdx{all_impE} [\| (ALL x.P(x))-->S; !!x.P(x); S ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	188	\tdx{ex_impE} [\| (EX x.P(x))-->S; P(a)-->S ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	189	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	190	\subcaption{Intuitionistic simplification of implication}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	191	\caption{Derived rules for intuitionistic logic} \label{fol-int-derived}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	192	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	193
d8205bb279a7 Initial revision lcp parents: diff changeset	194
d8205bb279a7 Initial revision lcp parents: diff changeset	195	\section{Generic packages}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	196	\FOL{} instantiates most of Isabelle's generic packages.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	197	\begin{itemize}
d8205bb279a7 Initial revision lcp parents: diff changeset	198	\item
d8205bb279a7 Initial revision lcp parents: diff changeset	199	Because it includes a general substitution rule, \FOL{} instantiates the
d8205bb279a7 Initial revision lcp parents: diff changeset	200	tactic \ttindex{hyp_subst_tac}, which substitutes for an equality
d8205bb279a7 Initial revision lcp parents: diff changeset	201	throughout a subgoal and its hypotheses.
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	202	(See {\tt FOL/ROOT.ML} for details.)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	203	\item
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	204	It instantiates the simplifier. Both equality ($=$) and the biconditional
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	205	($\bimp$) may be used for rewriting. Tactics such as {\tt Asm_simp_tac} and
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	206	{\tt Full_simp_tac} use the default simpset ({\tt!simpset}), which works for
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	207	most purposes. Named simplification sets include \ttindexbold{IFOL_ss},
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	208	for intuitionistic first-order logic, and \ttindexbold{FOL_ss},
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	209	for classical logic. See the file
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	210	{\tt FOL/simpdata.ML} for a complete listing of the simplification
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	211	rules%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	212	\iflabelundefined{sec:setting-up-simp}{}%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	213	{, and \S\ref{sec:setting-up-simp} for discussion}.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	214
104 d8205bb279a7 Initial revision lcp parents: diff changeset	215	\item
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	216	It instantiates the classical reasoner. See~\S\ref{fol-cla-prover}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	217	for details.
d8205bb279a7 Initial revision lcp parents: diff changeset	218	\end{itemize}
d8205bb279a7 Initial revision lcp parents: diff changeset	219
d8205bb279a7 Initial revision lcp parents: diff changeset	220
d8205bb279a7 Initial revision lcp parents: diff changeset	221	\section{Intuitionistic proof procedures} \label{fol-int-prover}
d8205bb279a7 Initial revision lcp parents: diff changeset	222	Implication elimination (the rules~{\tt mp} and~{\tt impE}) pose
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	223	difficulties for automated proof. In intuitionistic logic, the assumption
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	224	$P\imp Q$ cannot be treated like $\neg P\disj Q$. Given $P\imp Q$, we may
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	225	use~$Q$ provided we can prove~$P$; the proof of~$P$ may require repeated
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	226	use of $P\imp Q$. If the proof of~$P$ fails then the whole branch of the
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	227	proof must be abandoned. Thus intuitionistic propositional logic requires
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	228	backtracking.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	229
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	230	For an elementary example, consider the intuitionistic proof of $Q$ from
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	231	$P\imp Q$ and $(P\imp Q)\imp P$. The implication $P\imp Q$ is needed
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	232	twice:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	233	\[ \infer[({\imp}E)]{Q}{P\imp Q &
d8205bb279a7 Initial revision lcp parents: diff changeset	234	\infer[({\imp}E)]{P}{(P\imp Q)\imp P & P\imp Q}}
d8205bb279a7 Initial revision lcp parents: diff changeset	235	\]
d8205bb279a7 Initial revision lcp parents: diff changeset	236	The theorem prover for intuitionistic logic does not use~{\tt impE}.\@
d8205bb279a7 Initial revision lcp parents: diff changeset	237	Instead, it simplifies implications using derived rules
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	238	(Fig.\ts\ref{fol-int-derived}). It reduces the antecedents of implications
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	239	to atoms and then uses Modus Ponens: from $P\imp Q$ and~$P$ deduce~$Q$.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	240	The rules \tdx{conj_impE} and \tdx{disj_impE} are
104 d8205bb279a7 Initial revision lcp parents: diff changeset	241	straightforward: $(P\conj Q)\imp S$ is equivalent to $P\imp (Q\imp S)$, and
d8205bb279a7 Initial revision lcp parents: diff changeset	242	$(P\disj Q)\imp S$ is equivalent to the conjunction of $P\imp S$ and $Q\imp
d8205bb279a7 Initial revision lcp parents: diff changeset	243	S$. The other \ldots{\tt_impE} rules are unsafe; the method requires
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	244	backtracking. All the rules are derived in the same simple manner.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	245
d8205bb279a7 Initial revision lcp parents: diff changeset	246	Dyckhoff has independently discovered similar rules, and (more importantly)
d8205bb279a7 Initial revision lcp parents: diff changeset	247	has demonstrated their completeness for propositional
d8205bb279a7 Initial revision lcp parents: diff changeset	248	logic~\cite{dyckhoff}. However, the tactics given below are not complete
d8205bb279a7 Initial revision lcp parents: diff changeset	249	for first-order logic because they discard universally quantified
d8205bb279a7 Initial revision lcp parents: diff changeset	250	assumptions after a single use.
d8205bb279a7 Initial revision lcp parents: diff changeset	251	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	252	mp_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	253	eq_mp_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	254	Int.safe_step_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	255	Int.safe_tac : tactic
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	256	Int.inst_step_tac : int -> tactic
104 d8205bb279a7 Initial revision lcp parents: diff changeset	257	Int.step_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	258	Int.fast_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	259	Int.best_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	260	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	261	Most of these belong to the structure {\tt Int} and resemble the
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	262	tactics of Isabelle's classical reasoner.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	263
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	264	\begin{ttdescription}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	265	\item[\ttindexbold{mp_tac} {\it i}]
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	266	attempts to use \tdx{notE} or \tdx{impE} within the assumptions in
104 d8205bb279a7 Initial revision lcp parents: diff changeset	267	subgoal $i$. For each assumption of the form $\neg P$ or $P\imp Q$, it
d8205bb279a7 Initial revision lcp parents: diff changeset	268	searches for another assumption unifiable with~$P$. By
d8205bb279a7 Initial revision lcp parents: diff changeset	269	contradiction with $\neg P$ it can solve the subgoal completely; by Modus
d8205bb279a7 Initial revision lcp parents: diff changeset	270	Ponens it can replace the assumption $P\imp Q$ by $Q$. The tactic can
d8205bb279a7 Initial revision lcp parents: diff changeset	271	produce multiple outcomes, enumerating all suitable pairs of assumptions.
d8205bb279a7 Initial revision lcp parents: diff changeset	272
d8205bb279a7 Initial revision lcp parents: diff changeset	273	\item[\ttindexbold{eq_mp_tac} {\it i}]
d8205bb279a7 Initial revision lcp parents: diff changeset	274	is like {\tt mp_tac} {\it i}, but may not instantiate unknowns --- thus, it
d8205bb279a7 Initial revision lcp parents: diff changeset	275	is safe.
d8205bb279a7 Initial revision lcp parents: diff changeset	276
d8205bb279a7 Initial revision lcp parents: diff changeset	277	\item[\ttindexbold{Int.safe_step_tac} $i$] performs a safe step on
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	278	subgoal~$i$. This may include proof by assumption or Modus Ponens (taking
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	279	care not to instantiate unknowns), or {\tt hyp_subst_tac}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	280
d8205bb279a7 Initial revision lcp parents: diff changeset	281	\item[\ttindexbold{Int.safe_tac}] repeatedly performs safe steps on all
d8205bb279a7 Initial revision lcp parents: diff changeset	282	subgoals. It is deterministic, with at most one outcome.
d8205bb279a7 Initial revision lcp parents: diff changeset	283
d8205bb279a7 Initial revision lcp parents: diff changeset	284	\item[\ttindexbold{Int.inst_step_tac} $i$] is like {\tt safe_step_tac},
d8205bb279a7 Initial revision lcp parents: diff changeset	285	but allows unknowns to be instantiated.
d8205bb279a7 Initial revision lcp parents: diff changeset	286
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	287	\item[\ttindexbold{Int.step_tac} $i$] tries {\tt safe_tac} or {\tt
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	288	inst_step_tac}, or applies an unsafe rule. This is the basic step of
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	289	the intuitionistic proof procedure.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	290
d8205bb279a7 Initial revision lcp parents: diff changeset	291	\item[\ttindexbold{Int.fast_tac} $i$] applies {\tt step_tac}, using
d8205bb279a7 Initial revision lcp parents: diff changeset	292	depth-first search, to solve subgoal~$i$.
d8205bb279a7 Initial revision lcp parents: diff changeset	293
d8205bb279a7 Initial revision lcp parents: diff changeset	294	\item[\ttindexbold{Int.best_tac} $i$] applies {\tt step_tac}, using
d8205bb279a7 Initial revision lcp parents: diff changeset	295	best-first search (guided by the size of the proof state) to solve subgoal~$i$.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	296	\end{ttdescription}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	297	Here are some of the theorems that {\tt Int.fast_tac} proves
d8205bb279a7 Initial revision lcp parents: diff changeset	298	automatically. The latter three date from {\it Principia Mathematica}
d8205bb279a7 Initial revision lcp parents: diff changeset	299	(11.53, 11.55, *11.61)~\cite{principia}.
d8205bb279a7 Initial revision lcp parents: diff changeset	300	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	301	~~P & ~~(P --> Q) --> ~~Q
d8205bb279a7 Initial revision lcp parents: diff changeset	302	(ALL x y. P(x) --> Q(y)) <-> ((EX x. P(x)) --> (ALL y. Q(y)))
d8205bb279a7 Initial revision lcp parents: diff changeset	303	(EX x y. P(x) & Q(x,y)) <-> (EX x. P(x) & (EX y. Q(x,y)))
d8205bb279a7 Initial revision lcp parents: diff changeset	304	(EX y. ALL x. P(x) --> Q(x,y)) --> (ALL x. P(x) --> (EX y. Q(x,y)))
d8205bb279a7 Initial revision lcp parents: diff changeset	305	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	306
d8205bb279a7 Initial revision lcp parents: diff changeset	307
d8205bb279a7 Initial revision lcp parents: diff changeset	308
d8205bb279a7 Initial revision lcp parents: diff changeset	309	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	310	\begin{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	311	\tdx{excluded_middle} ~P \| P
104 d8205bb279a7 Initial revision lcp parents: diff changeset	312
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	313	\tdx{disjCI} (~Q ==> P) ==> P\|Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	314	\tdx{exCI} (ALL x. ~P(x) ==> P(a)) ==> EX x.P(x)
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	315	\tdx{impCE} [\| P-->Q; ~P ==> R; Q ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	316	\tdx{iffCE} [\| P<->Q; [\| P; Q \|] ==> R; [\| ~P; ~Q \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	317	\tdx{notnotD} ~~P ==> P
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	318	\tdx{swap} ~P ==> (~Q ==> P) ==> Q
104 d8205bb279a7 Initial revision lcp parents: diff changeset	319	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	320	\caption{Derived rules for classical logic} \label{fol-cla-derived}
d8205bb279a7 Initial revision lcp parents: diff changeset	321	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	322
d8205bb279a7 Initial revision lcp parents: diff changeset	323
d8205bb279a7 Initial revision lcp parents: diff changeset	324	\section{Classical proof procedures} \label{fol-cla-prover}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	325	The classical theory, \thydx{FOL}, consists of intuitionistic logic plus
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	326	the rule
104 d8205bb279a7 Initial revision lcp parents: diff changeset	327	$$ \vcenter{\infer{P}{\infer*{P}{[\neg P]}}} \eqno(classical) $$
d8205bb279a7 Initial revision lcp parents: diff changeset	328	\noindent
d8205bb279a7 Initial revision lcp parents: diff changeset	329	Natural deduction in classical logic is not really all that natural.
d8205bb279a7 Initial revision lcp parents: diff changeset	330	{\FOL} derives classical introduction rules for $\disj$ and~$\exists$, as
d8205bb279a7 Initial revision lcp parents: diff changeset	331	well as classical elimination rules for~$\imp$ and~$\bimp$, and the swap
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	332	rule (see Fig.\ts\ref{fol-cla-derived}).
104 d8205bb279a7 Initial revision lcp parents: diff changeset	333
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	334	The classical reasoner is installed. Tactics such as {\tt Fast_tac} and {\tt
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	335	Best_tac} use the default claset ({\tt!claset}), which works for most
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	336	purposes. Named clasets include \ttindexbold{prop_cs}, which includes the
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	337	propositional rules, and \ttindexbold{FOL_cs}, which also includes quantifier
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	338	rules. See the file {\tt FOL/cladata.ML} for lists of the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	339	classical rules, and
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	340	\iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	341	{Chap.\ts\ref{chap:classical}}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	342	for more discussion of classical proof methods.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	343
d8205bb279a7 Initial revision lcp parents: diff changeset	344
d8205bb279a7 Initial revision lcp parents: diff changeset	345	\section{An intuitionistic example}
d8205bb279a7 Initial revision lcp parents: diff changeset	346	Here is a session similar to one in {\em Logic and Computation}
d8205bb279a7 Initial revision lcp parents: diff changeset	347	\cite[pages~222--3]{paulson87}. Isabelle treats quantifiers differently
d8205bb279a7 Initial revision lcp parents: diff changeset	348	from {\sc lcf}-based theorem provers such as {\sc hol}. The proof begins
d8205bb279a7 Initial revision lcp parents: diff changeset	349	by entering the goal in intuitionistic logic, then applying the rule
d8205bb279a7 Initial revision lcp parents: diff changeset	350	$({\imp}I)$.
d8205bb279a7 Initial revision lcp parents: diff changeset	351	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	352	goal IFOL.thy "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))";
d8205bb279a7 Initial revision lcp parents: diff changeset	353	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	354	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	355	{\out 1. (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	356	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	357	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	358	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	359	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	360	{\out 1. EX y. ALL x. Q(x,y) ==> ALL x. EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	361	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	362	In this example, we shall never have more than one subgoal. Applying
104 d8205bb279a7 Initial revision lcp parents: diff changeset	363	$({\imp}I)$ replaces~\verb\|-->\| by~\verb\|==>\|, making
d8205bb279a7 Initial revision lcp parents: diff changeset	364	$\ex{y}\all{x}Q(x,y)$ an assumption. We have the choice of
d8205bb279a7 Initial revision lcp parents: diff changeset	365	$({\exists}E)$ and $({\forall}I)$; let us try the latter.
d8205bb279a7 Initial revision lcp parents: diff changeset	366	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	367	by (resolve_tac [allI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	368	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	369	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	370	{\out 1. !!x. EX y. ALL x. Q(x,y) ==> EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	371	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	372	Applying $({\forall}I)$ replaces the \hbox{\tt ALL x} by \hbox{\tt!!x},
d8205bb279a7 Initial revision lcp parents: diff changeset	373	changing the universal quantifier from object~($\forall$) to
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	374	meta~($\Forall$). The bound variable is a {\bf parameter} of the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	375	subgoal. We now must choose between $({\exists}I)$ and $({\exists}E)$. What
d8205bb279a7 Initial revision lcp parents: diff changeset	376	happens if the wrong rule is chosen?
d8205bb279a7 Initial revision lcp parents: diff changeset	377	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	378	by (resolve_tac [exI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	379	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	380	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	381	{\out 1. !!x. EX y. ALL x. Q(x,y) ==> Q(x,?y2(x))}
d8205bb279a7 Initial revision lcp parents: diff changeset	382	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	383	The new subgoal~1 contains the function variable {\tt?y2}. Instantiating
d8205bb279a7 Initial revision lcp parents: diff changeset	384	{\tt?y2} can replace~{\tt?y2(x)} by a term containing~{\tt x}, even
d8205bb279a7 Initial revision lcp parents: diff changeset	385	though~{\tt x} is a bound variable. Now we analyse the assumption
d8205bb279a7 Initial revision lcp parents: diff changeset	386	$\exists y.\forall x. Q(x,y)$ using elimination rules:
d8205bb279a7 Initial revision lcp parents: diff changeset	387	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	388	by (eresolve_tac [exE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	389	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	390	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	391	{\out 1. !!x y. ALL x. Q(x,y) ==> Q(x,?y2(x))}
d8205bb279a7 Initial revision lcp parents: diff changeset	392	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	393	Applying $(\exists E)$ has produced the parameter {\tt y} and stripped the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	394	existential quantifier from the assumption. But the subgoal is unprovable:
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	395	there is no way to unify {\tt ?y2(x)} with the bound variable~{\tt y}.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	396	Using {\tt choplev} we can return to the critical point. This time we
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	397	apply $({\exists}E)$:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	398	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	399	choplev 2;
d8205bb279a7 Initial revision lcp parents: diff changeset	400	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	401	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	402	{\out 1. !!x. EX y. ALL x. Q(x,y) ==> EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	403	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	404	by (eresolve_tac [exE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	405	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	406	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	407	{\out 1. !!x y. ALL x. Q(x,y) ==> EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	408	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	409	We now have two parameters and no scheme variables. Applying
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	410	$({\exists}I)$ and $({\forall}E)$ produces two scheme variables, which are
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	411	applied to those parameters. Parameters should be produced early, as this
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	412	example demonstrates.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	413	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	414	by (resolve_tac [exI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	415	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	416	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	417	{\out 1. !!x y. ALL x. Q(x,y) ==> Q(x,?y3(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	418	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	419	by (eresolve_tac [allE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	420	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	421	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	422	{\out 1. !!x y. Q(?x4(x,y),y) ==> Q(x,?y3(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	423	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	424	The subgoal has variables {\tt ?y3} and {\tt ?x4} applied to both
d8205bb279a7 Initial revision lcp parents: diff changeset	425	parameters. The obvious projection functions unify {\tt?x4(x,y)} with~{\tt
d8205bb279a7 Initial revision lcp parents: diff changeset	426	x} and \verb\|?y3(x,y)\| with~{\tt y}.
d8205bb279a7 Initial revision lcp parents: diff changeset	427	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	428	by (assume_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	429	{\out Level 6}
d8205bb279a7 Initial revision lcp parents: diff changeset	430	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	431	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	432	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	433	The theorem was proved in six tactic steps, not counting the abandoned
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	434	ones. But proof checking is tedious; \ttindex{Int.fast_tac} proves the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	435	theorem in one step.
d8205bb279a7 Initial revision lcp parents: diff changeset	436	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	437	goal IFOL.thy "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))";
d8205bb279a7 Initial revision lcp parents: diff changeset	438	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	439	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	440	{\out 1. (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	441	by (Int.fast_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	442	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	443	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	444	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	445	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	446
d8205bb279a7 Initial revision lcp parents: diff changeset	447
d8205bb279a7 Initial revision lcp parents: diff changeset	448	\section{An example of intuitionistic negation}
d8205bb279a7 Initial revision lcp parents: diff changeset	449	The following example demonstrates the specialized forms of implication
d8205bb279a7 Initial revision lcp parents: diff changeset	450	elimination. Even propositional formulae can be difficult to prove from
d8205bb279a7 Initial revision lcp parents: diff changeset	451	the basic rules; the specialized rules help considerably.
d8205bb279a7 Initial revision lcp parents: diff changeset	452
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	453	Propositional examples are easy to invent. As Dummett notes~\cite[page
104 d8205bb279a7 Initial revision lcp parents: diff changeset	454	28]{dummett}, $\neg P$ is classically provable if and only if it is
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	455	intuitionistically provable; therefore, $P$ is classically provable if and
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	456	only if $\neg\neg P$ is intuitionistically provable.%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	457	\footnote{Of course this holds only for propositional logic, not if $P$ is
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	458	allowed to contain quantifiers.} Proving $\neg\neg P$ intuitionistically is
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	459	much harder than proving~$P$ classically.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	460
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	461	Our example is the double negation of the classical tautology $(P\imp
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	462	Q)\disj (Q\imp P)$. When stating the goal, we command Isabelle to expand
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	463	negations to implications using the definition $\neg P\equiv P\imp\bot$.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	464	This allows use of the special implication rules.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	465	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	466	goalw IFOL.thy [not_def] "~ ~ ((P-->Q) \| (Q-->P))";
d8205bb279a7 Initial revision lcp parents: diff changeset	467	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	468	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	469	{\out 1. ((P --> Q) \| (Q --> P) --> False) --> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	470	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	471	The first step is trivial.
d8205bb279a7 Initial revision lcp parents: diff changeset	472	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	473	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	474	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	475	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	476	{\out 1. (P --> Q) \| (Q --> P) --> False ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	477	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	478	By $(\imp E)$ it would suffice to prove $(P\imp Q)\disj (Q\imp P)$, but
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	479	that formula is not a theorem of intuitionistic logic. Instead we apply
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	480	the specialized implication rule \tdx{disj_impE}. It splits the
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	481	assumption into two assumptions, one for each disjunct.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	482	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	483	by (eresolve_tac [disj_impE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	484	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	485	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	486	{\out 1. [\| (P --> Q) --> False; (Q --> P) --> False \|] ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	487	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	488	We cannot hope to prove $P\imp Q$ or $Q\imp P$ separately, but
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	489	their negations are inconsistent. Applying \tdx{imp_impE} breaks down
104 d8205bb279a7 Initial revision lcp parents: diff changeset	490	the assumption $\neg(P\imp Q)$, asking to show~$Q$ while providing new
d8205bb279a7 Initial revision lcp parents: diff changeset	491	assumptions~$P$ and~$\neg Q$.
d8205bb279a7 Initial revision lcp parents: diff changeset	492	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	493	by (eresolve_tac [imp_impE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	494	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	495	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	496	{\out 1. [\| (Q --> P) --> False; P; Q --> False \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	497	{\out 2. [\| (Q --> P) --> False; False \|] ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	498	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	499	Subgoal~2 holds trivially; let us ignore it and continue working on
d8205bb279a7 Initial revision lcp parents: diff changeset	500	subgoal~1. Thanks to the assumption~$P$, we could prove $Q\imp P$;
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	501	applying \tdx{imp_impE} is simpler.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	502	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	503	by (eresolve_tac [imp_impE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	504	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	505	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	506	{\out 1. [\| P; Q --> False; Q; P --> False \|] ==> P}
d8205bb279a7 Initial revision lcp parents: diff changeset	507	{\out 2. [\| P; Q --> False; False \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	508	{\out 3. [\| (Q --> P) --> False; False \|] ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	509	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	510	The three subgoals are all trivial.
d8205bb279a7 Initial revision lcp parents: diff changeset	511	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	512	by (REPEAT (eresolve_tac [FalseE] 2));
d8205bb279a7 Initial revision lcp parents: diff changeset	513	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	514	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	515	{\out 1. [\| P; Q --> False; Q; P --> False \|] ==> P}
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	516	\ttbreak
104 d8205bb279a7 Initial revision lcp parents: diff changeset	517	by (assume_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	518	{\out Level 6}
d8205bb279a7 Initial revision lcp parents: diff changeset	519	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	520	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	521	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	522	This proof is also trivial for {\tt Int.fast_tac}.
d8205bb279a7 Initial revision lcp parents: diff changeset	523
d8205bb279a7 Initial revision lcp parents: diff changeset	524
d8205bb279a7 Initial revision lcp parents: diff changeset	525	\section{A classical example} \label{fol-cla-example}
d8205bb279a7 Initial revision lcp parents: diff changeset	526	To illustrate classical logic, we shall prove the theorem
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	527	$\ex{y}\all{x}P(y)\imp P(x)$. Informally, the theorem can be proved as
104 d8205bb279a7 Initial revision lcp parents: diff changeset	528	follows. Choose~$y$ such that~$\neg P(y)$, if such exists; otherwise
d8205bb279a7 Initial revision lcp parents: diff changeset	529	$\all{x}P(x)$ is true. Either way the theorem holds.
d8205bb279a7 Initial revision lcp parents: diff changeset	530
d8205bb279a7 Initial revision lcp parents: diff changeset	531	The formal proof does not conform in any obvious way to the sketch given
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	532	above. The key inference is the first one, \tdx{exCI}; this classical
104 d8205bb279a7 Initial revision lcp parents: diff changeset	533	version of~$(\exists I)$ allows multiple instantiation of the quantifier.
d8205bb279a7 Initial revision lcp parents: diff changeset	534	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	535	goal FOL.thy "EX y. ALL x. P(y)-->P(x)";
d8205bb279a7 Initial revision lcp parents: diff changeset	536	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	537	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	538	{\out 1. EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	539	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	540	by (resolve_tac [exCI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	541	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	542	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	543	{\out 1. ALL y. ~ (ALL x. P(y) --> P(x)) ==> ALL x. P(?a) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	544	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	545	We can either exhibit a term {\tt?a} to satisfy the conclusion of
104 d8205bb279a7 Initial revision lcp parents: diff changeset	546	subgoal~1, or produce a contradiction from the assumption. The next
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	547	steps are routine.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	548	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	549	by (resolve_tac [allI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	550	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	551	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	552	{\out 1. !!x. ALL y. ~ (ALL x. P(y) --> P(x)) ==> P(?a) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	553	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	554	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	555	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	556	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	557	{\out 1. !!x. [\| ALL y. ~ (ALL x. P(y) --> P(x)); P(?a) \|] ==> P(x)}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	558	\end{ttbox}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	559	By the duality between $\exists$ and~$\forall$, applying~$(\forall E)$
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	560	in effect applies~$(\exists I)$ again.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	561	\begin{ttbox}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	562	by (eresolve_tac [allE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	563	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	564	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	565	{\out 1. !!x. [\| P(?a); ~ (ALL xa. P(?y3(x)) --> P(xa)) \|] ==> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	566	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	567	In classical logic, a negated assumption is equivalent to a conclusion. To
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	568	get this effect, we create a swapped version of~$(\forall I)$ and apply it
104 d8205bb279a7 Initial revision lcp parents: diff changeset	569	using \ttindex{eresolve_tac}; we could equivalently have applied~$(\forall
d8205bb279a7 Initial revision lcp parents: diff changeset	570	I)$ using \ttindex{swap_res_tac}.
d8205bb279a7 Initial revision lcp parents: diff changeset	571	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	572	allI RSN (2,swap);
d8205bb279a7 Initial revision lcp parents: diff changeset	573	{\out val it = "[\| ~ (ALL x. ?P1(x)); !!x. ~ ?Q ==> ?P1(x) \|] ==> ?Q" : thm}
d8205bb279a7 Initial revision lcp parents: diff changeset	574	by (eresolve_tac [it] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	575	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	576	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	577	{\out 1. !!x xa. [\| P(?a); ~ P(x) \|] ==> P(?y3(x)) --> P(xa)}
d8205bb279a7 Initial revision lcp parents: diff changeset	578	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	579	The previous conclusion, {\tt P(x)}, has become a negated assumption.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	580	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	581	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	582	{\out Level 6}
d8205bb279a7 Initial revision lcp parents: diff changeset	583	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	584	{\out 1. !!x xa. [\| P(?a); ~ P(x); P(?y3(x)) \|] ==> P(xa)}
d8205bb279a7 Initial revision lcp parents: diff changeset	585	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	586	The subgoal has three assumptions. We produce a contradiction between the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	587	\index{assumptions!contradictory} assumptions~\verb\|~P(x)\| and~{\tt
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	588	P(?y3(x))}. The proof never instantiates the unknown~{\tt?a}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	589	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	590	by (eresolve_tac [notE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	591	{\out Level 7}
d8205bb279a7 Initial revision lcp parents: diff changeset	592	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	593	{\out 1. !!x xa. [\| P(?a); P(?y3(x)) \|] ==> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	594	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	595	by (assume_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	596	{\out Level 8}
d8205bb279a7 Initial revision lcp parents: diff changeset	597	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	598	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	599	\end{ttbox}
874 2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	600	The civilised way to prove this theorem is through \ttindex{deepen_tac},
2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	601	which automatically uses the classical version of~$(\exists I)$:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	602	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	603	goal FOL.thy "EX y. ALL x. P(y)-->P(x)";
d8205bb279a7 Initial revision lcp parents: diff changeset	604	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	605	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	606	{\out 1. EX y. ALL x. P(y) --> P(x)}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	607	by (Deepen_tac 0 1);
874 2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	608	{\out Depth = 0}
2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	609	{\out Depth = 2}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	610	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	611	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	612	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	613	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	614	If this theorem seems counterintuitive, then perhaps you are an
d8205bb279a7 Initial revision lcp parents: diff changeset	615	intuitionist. In constructive logic, proving $\ex{y}\all{x}P(y)\imp P(x)$
d8205bb279a7 Initial revision lcp parents: diff changeset	616	requires exhibiting a particular term~$t$ such that $\all{x}P(t)\imp P(x)$,
d8205bb279a7 Initial revision lcp parents: diff changeset	617	which we cannot do without further knowledge about~$P$.
d8205bb279a7 Initial revision lcp parents: diff changeset	618
d8205bb279a7 Initial revision lcp parents: diff changeset	619
d8205bb279a7 Initial revision lcp parents: diff changeset	620	\section{Derived rules and the classical tactics}
d8205bb279a7 Initial revision lcp parents: diff changeset	621	Classical first-order logic can be extended with the propositional
d8205bb279a7 Initial revision lcp parents: diff changeset	622	connective $if(P,Q,R)$, where
d8205bb279a7 Initial revision lcp parents: diff changeset	623	$$ if(P,Q,R) \equiv P\conj Q \disj \neg P \conj R. \eqno(if) $$
d8205bb279a7 Initial revision lcp parents: diff changeset	624	Theorems about $if$ can be proved by treating this as an abbreviation,
d8205bb279a7 Initial revision lcp parents: diff changeset	625	replacing $if(P,Q,R)$ by $P\conj Q \disj \neg P \conj R$ in subgoals. But
d8205bb279a7 Initial revision lcp parents: diff changeset	626	this duplicates~$P$, causing an exponential blowup and an unreadable
d8205bb279a7 Initial revision lcp parents: diff changeset	627	formula. Introducing further abbreviations makes the problem worse.
d8205bb279a7 Initial revision lcp parents: diff changeset	628
d8205bb279a7 Initial revision lcp parents: diff changeset	629	Natural deduction demands rules that introduce and eliminate $if(P,Q,R)$
d8205bb279a7 Initial revision lcp parents: diff changeset	630	directly, without reference to its definition. The simple identity
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	631	\[ if(P,Q,R) \,\bimp\, (P\imp Q)\conj (\neg P\imp R) \]
104 d8205bb279a7 Initial revision lcp parents: diff changeset	632	suggests that the
d8205bb279a7 Initial revision lcp parents: diff changeset	633	$if$-introduction rule should be
157 8258c26ae084 Correction to page 16; thanks to Markus W. lcp parents: 111 diff changeset	634	\[ \infer[({if}\,I)]{if(P,Q,R)}{\infer{Q}{[P]} & \infer{R}{[\neg P]}} \]
104 d8205bb279a7 Initial revision lcp parents: diff changeset	635	The $if$-elimination rule reflects the definition of $if(P,Q,R)$ and the
d8205bb279a7 Initial revision lcp parents: diff changeset	636	elimination rules for~$\disj$ and~$\conj$.
d8205bb279a7 Initial revision lcp parents: diff changeset	637	\[ \infer[({if}\,E)]{S}{if(P,Q,R) & \infer*{S}{[P,Q]}
d8205bb279a7 Initial revision lcp parents: diff changeset	638	& \infer*{S}{[\neg P,R]}}
d8205bb279a7 Initial revision lcp parents: diff changeset	639	\]
d8205bb279a7 Initial revision lcp parents: diff changeset	640	Having made these plans, we get down to work with Isabelle. The theory of
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	641	classical logic, {\tt FOL}, is extended with the constant
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	642	$if::[o,o,o]\To o$. The axiom \tdx{if_def} asserts the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	643	equation~$(if)$.
d8205bb279a7 Initial revision lcp parents: diff changeset	644	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	645	If = FOL +
1388 7705e6211865 removed quotes from consts and syntax sections clasohm parents: 874 diff changeset	646	consts if :: [o,o,o]=>o
104 d8205bb279a7 Initial revision lcp parents: diff changeset	647	rules if_def "if(P,Q,R) == P&Q \| ~P&R"
d8205bb279a7 Initial revision lcp parents: diff changeset	648	end
d8205bb279a7 Initial revision lcp parents: diff changeset	649	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	650	The derivations of the introduction and elimination rules demonstrate the
d8205bb279a7 Initial revision lcp parents: diff changeset	651	methods for rewriting with definitions. Classical reasoning is required,
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	652	so we use {\tt fast_tac}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	653
d8205bb279a7 Initial revision lcp parents: diff changeset	654
d8205bb279a7 Initial revision lcp parents: diff changeset	655	\subsection{Deriving the introduction rule}
d8205bb279a7 Initial revision lcp parents: diff changeset	656	The introduction rule, given the premises $P\Imp Q$ and $\neg P\Imp R$,
d8205bb279a7 Initial revision lcp parents: diff changeset	657	concludes $if(P,Q,R)$. We propose the conclusion as the main goal
d8205bb279a7 Initial revision lcp parents: diff changeset	658	using~\ttindex{goalw}, which uses {\tt if_def} to rewrite occurrences
d8205bb279a7 Initial revision lcp parents: diff changeset	659	of $if$ in the subgoal.
d8205bb279a7 Initial revision lcp parents: diff changeset	660	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	661	val prems = goalw If.thy [if_def]
d8205bb279a7 Initial revision lcp parents: diff changeset	662	"[\| P ==> Q; ~ P ==> R \|] ==> if(P,Q,R)";
d8205bb279a7 Initial revision lcp parents: diff changeset	663	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	664	{\out if(P,Q,R)}
d8205bb279a7 Initial revision lcp parents: diff changeset	665	{\out 1. P & Q \| ~ P & R}
d8205bb279a7 Initial revision lcp parents: diff changeset	666	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	667	The premises (bound to the {\ML} variable {\tt prems}) are passed as
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	668	introduction rules to \ttindex{fast_tac}. Remember that {\tt!claset} refers
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	669	to the default classical set.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	670	\begin{ttbox}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	671	by (fast_tac (!claset addIs prems) 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	672	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	673	{\out if(P,Q,R)}
d8205bb279a7 Initial revision lcp parents: diff changeset	674	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	675	val ifI = result();
d8205bb279a7 Initial revision lcp parents: diff changeset	676	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	677
d8205bb279a7 Initial revision lcp parents: diff changeset	678
d8205bb279a7 Initial revision lcp parents: diff changeset	679	\subsection{Deriving the elimination rule}
d8205bb279a7 Initial revision lcp parents: diff changeset	680	The elimination rule has three premises, two of which are themselves rules.
d8205bb279a7 Initial revision lcp parents: diff changeset	681	The conclusion is simply $S$.
d8205bb279a7 Initial revision lcp parents: diff changeset	682	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	683	val major::prems = goalw If.thy [if_def]
d8205bb279a7 Initial revision lcp parents: diff changeset	684	"[\| if(P,Q,R); [\| P; Q \|] ==> S; [\| ~ P; R \|] ==> S \|] ==> S";
d8205bb279a7 Initial revision lcp parents: diff changeset	685	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	686	{\out S}
d8205bb279a7 Initial revision lcp parents: diff changeset	687	{\out 1. S}
d8205bb279a7 Initial revision lcp parents: diff changeset	688	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	689	The major premise contains an occurrence of~$if$, but the version returned
d8205bb279a7 Initial revision lcp parents: diff changeset	690	by \ttindex{goalw} (and bound to the {\ML} variable~{\tt major}) has the
d8205bb279a7 Initial revision lcp parents: diff changeset	691	definition expanded. Now \ttindex{cut_facts_tac} inserts~{\tt major} as an
d8205bb279a7 Initial revision lcp parents: diff changeset	692	assumption in the subgoal, so that \ttindex{fast_tac} can break it down.
d8205bb279a7 Initial revision lcp parents: diff changeset	693	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	694	by (cut_facts_tac [major] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	695	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	696	{\out S}
d8205bb279a7 Initial revision lcp parents: diff changeset	697	{\out 1. P & Q \| ~ P & R ==> S}
d8205bb279a7 Initial revision lcp parents: diff changeset	698	\ttbreak
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	699	by (fast_tac (!claset addIs prems) 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	700	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	701	{\out S}
d8205bb279a7 Initial revision lcp parents: diff changeset	702	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	703	val ifE = result();
d8205bb279a7 Initial revision lcp parents: diff changeset	704	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	705	As you may recall from
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	706	\iflabelundefined{definitions}{{\em Introduction to Isabelle}}%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	707	{\S\ref{definitions}}, there are other
104 d8205bb279a7 Initial revision lcp parents: diff changeset	708	ways of treating definitions when deriving a rule. We can start the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	709	proof using {\tt goal}, which does not expand definitions, instead of
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	710	{\tt goalw}. We can use \ttindex{rew_tac}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	711	to expand definitions in the subgoals --- perhaps after calling
d8205bb279a7 Initial revision lcp parents: diff changeset	712	\ttindex{cut_facts_tac} to insert the rule's premises. We can use
d8205bb279a7 Initial revision lcp parents: diff changeset	713	\ttindex{rewrite_rule}, which is a meta-inference rule, to expand
d8205bb279a7 Initial revision lcp parents: diff changeset	714	definitions in the premises directly.
d8205bb279a7 Initial revision lcp parents: diff changeset	715
d8205bb279a7 Initial revision lcp parents: diff changeset	716
d8205bb279a7 Initial revision lcp parents: diff changeset	717	\subsection{Using the derived rules}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	718	The rules just derived have been saved with the {\ML} names \tdx{ifI}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	719	and~\tdx{ifE}. They permit natural proofs of theorems such as the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	720	following:
d8205bb279a7 Initial revision lcp parents: diff changeset	721	\begin{eqnarray*}
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	722	if(P, if(Q,A,B), if(Q,C,D)) & \bimp & if(Q,if(P,A,C),if(P,B,D)) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	723	if(if(P,Q,R), A, B) & \bimp & if(P,if(Q,A,B),if(R,A,B))
104 d8205bb279a7 Initial revision lcp parents: diff changeset	724	\end{eqnarray*}
d8205bb279a7 Initial revision lcp parents: diff changeset	725	Proofs also require the classical reasoning rules and the $\bimp$
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	726	introduction rule (called~\tdx{iffI}: do not confuse with~{\tt ifI}).
104 d8205bb279a7 Initial revision lcp parents: diff changeset	727
d8205bb279a7 Initial revision lcp parents: diff changeset	728	To display the $if$-rules in action, let us analyse a proof step by step.
d8205bb279a7 Initial revision lcp parents: diff changeset	729	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	730	goal If.thy
d8205bb279a7 Initial revision lcp parents: diff changeset	731	"if(P, if(Q,A,B), if(Q,C,D)) <-> if(Q, if(P,A,C), if(P,B,D))";
d8205bb279a7 Initial revision lcp parents: diff changeset	732	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	733	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	734	{\out 1. if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	735	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	736	by (resolve_tac [iffI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	737	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	738	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	739	{\out 1. if(P,if(Q,A,B),if(Q,C,D)) ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	740	{\out 2. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	741	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	742	The $if$-elimination rule can be applied twice in succession.
d8205bb279a7 Initial revision lcp parents: diff changeset	743	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	744	by (eresolve_tac [ifE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	745	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	746	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	747	{\out 1. [\| P; if(Q,A,B) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	748	{\out 2. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	749	{\out 3. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	750	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	751	by (eresolve_tac [ifE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	752	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	753	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	754	{\out 1. [\| P; Q; A \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	755	{\out 2. [\| P; ~ Q; B \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	756	{\out 3. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	757	{\out 4. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	758	\end{ttbox}
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	759	%
2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	760	In the first two subgoals, all assumptions have been reduced to atoms. Now
104 d8205bb279a7 Initial revision lcp parents: diff changeset	761	$if$-introduction can be applied. Observe how the $if$-rules break down
d8205bb279a7 Initial revision lcp parents: diff changeset	762	occurrences of $if$ when they become the outermost connective.
d8205bb279a7 Initial revision lcp parents: diff changeset	763	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	764	by (resolve_tac [ifI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	765	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	766	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	767	{\out 1. [\| P; Q; A; Q \|] ==> if(P,A,C)}
d8205bb279a7 Initial revision lcp parents: diff changeset	768	{\out 2. [\| P; Q; A; ~ Q \|] ==> if(P,B,D)}
d8205bb279a7 Initial revision lcp parents: diff changeset	769	{\out 3. [\| P; ~ Q; B \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	770	{\out 4. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	771	{\out 5. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	772	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	773	by (resolve_tac [ifI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	774	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	775	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	776	{\out 1. [\| P; Q; A; Q; P \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	777	{\out 2. [\| P; Q; A; Q; ~ P \|] ==> C}
d8205bb279a7 Initial revision lcp parents: diff changeset	778	{\out 3. [\| P; Q; A; ~ Q \|] ==> if(P,B,D)}
d8205bb279a7 Initial revision lcp parents: diff changeset	779	{\out 4. [\| P; ~ Q; B \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	780	{\out 5. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	781	{\out 6. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	782	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	783	Where do we stand? The first subgoal holds by assumption; the second and
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	784	third, by contradiction. This is getting tedious. We could use the classical
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	785	reasoner, but first let us extend the default claset with the derived rules
104 d8205bb279a7 Initial revision lcp parents: diff changeset	786	for~$if$.
d8205bb279a7 Initial revision lcp parents: diff changeset	787	\begin{ttbox}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	788	AddSIs [ifI];
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	789	AddSEs [ifE];
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	790	\end{ttbox}
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	791	Now we can revert to the
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	792	initial proof state and let \ttindex{fast_tac} solve it.
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	793	\begin{ttbox}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	794	choplev 0;
d8205bb279a7 Initial revision lcp parents: diff changeset	795	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	796	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	797	{\out 1. if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	798	by (Fast_tac 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	799	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	800	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	801	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	802	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	803	This tactic also solves the other example.
d8205bb279a7 Initial revision lcp parents: diff changeset	804	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	805	goal If.thy "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,A,B))";
d8205bb279a7 Initial revision lcp parents: diff changeset	806	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	807	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	808	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	809	\ttbreak
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	810	by (Fast_tac 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	811	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	812	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	813	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	814	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	815
d8205bb279a7 Initial revision lcp parents: diff changeset	816
d8205bb279a7 Initial revision lcp parents: diff changeset	817	\subsection{Derived rules versus definitions}
d8205bb279a7 Initial revision lcp parents: diff changeset	818	Dispensing with the derived rules, we can treat $if$ as an
d8205bb279a7 Initial revision lcp parents: diff changeset	819	abbreviation, and let \ttindex{fast_tac} prove the expanded formula. Let
d8205bb279a7 Initial revision lcp parents: diff changeset	820	us redo the previous proof:
d8205bb279a7 Initial revision lcp parents: diff changeset	821	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	822	choplev 0;
d8205bb279a7 Initial revision lcp parents: diff changeset	823	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	824	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	825	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	826	\end{ttbox}
6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	827	This time, simply unfold using the definition of $if$:
6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	828	\begin{ttbox}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	829	by (rewtac if_def);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	830	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	831	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	832	{\out 1. (P & Q \| ~ P & R) & A \| ~ (P & Q \| ~ P & R) & B <->}
d8205bb279a7 Initial revision lcp parents: diff changeset	833	{\out P & (Q & A \| ~ Q & B) \| ~ P & (R & A \| ~ R & B)}
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	834	\end{ttbox}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	835	We are left with a subgoal in pure first-order logic, which is why the
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	836	classical reasoner can prove it given {\tt FOL_cs} alone. (We could, of
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	837	course, have used {\tt Fast_tac}.)
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	838	\begin{ttbox}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	839	by (fast_tac FOL_cs 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	840	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	841	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	842	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	843	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	844	Expanding definitions reduces the extended logic to the base logic. This
d8205bb279a7 Initial revision lcp parents: diff changeset	845	approach has its merits --- especially if the prover for the base logic is
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	846	good --- but can be slow. In these examples, proofs using the default
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	847	claset (which includes the derived rules) run about six times faster
82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	848	than proofs using {\tt FOL_cs}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	849
d8205bb279a7 Initial revision lcp parents: diff changeset	850	Expanding definitions also complicates error diagnosis. Suppose we are having
d8205bb279a7 Initial revision lcp parents: diff changeset	851	difficulties in proving some goal. If by expanding definitions we have
d8205bb279a7 Initial revision lcp parents: diff changeset	852	made it unreadable, then we have little hope of diagnosing the problem.
d8205bb279a7 Initial revision lcp parents: diff changeset	853
d8205bb279a7 Initial revision lcp parents: diff changeset	854	Attempts at program verification often yield invalid assertions.
d8205bb279a7 Initial revision lcp parents: diff changeset	855	Let us try to prove one:
d8205bb279a7 Initial revision lcp parents: diff changeset	856	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	857	goal If.thy "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,B,A))";
d8205bb279a7 Initial revision lcp parents: diff changeset	858	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	859	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	860	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	861	by (Fast_tac 1);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	862	{\out by: tactic failed}
d8205bb279a7 Initial revision lcp parents: diff changeset	863	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	864	This failure message is uninformative, but we can get a closer look at the
d8205bb279a7 Initial revision lcp parents: diff changeset	865	situation by applying \ttindex{step_tac}.
d8205bb279a7 Initial revision lcp parents: diff changeset	866	\begin{ttbox}
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	867	by (REPEAT (Step_tac 1));
104 d8205bb279a7 Initial revision lcp parents: diff changeset	868	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	869	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	870	{\out 1. [\| A; ~ P; R; ~ P; R \|] ==> B}
d8205bb279a7 Initial revision lcp parents: diff changeset	871	{\out 2. [\| B; ~ P; ~ R; ~ P; ~ R \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	872	{\out 3. [\| ~ P; R; B; ~ P; R \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	873	{\out 4. [\| ~ P; ~ R; A; ~ B; ~ P \|] ==> R}
d8205bb279a7 Initial revision lcp parents: diff changeset	874	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	875	Subgoal~1 is unprovable and yields a countermodel: $P$ and~$B$ are false
d8205bb279a7 Initial revision lcp parents: diff changeset	876	while~$R$ and~$A$ are true. This truth assignment reduces the main goal to
d8205bb279a7 Initial revision lcp parents: diff changeset	877	$true\bimp false$, which is of course invalid.
d8205bb279a7 Initial revision lcp parents: diff changeset	878
d8205bb279a7 Initial revision lcp parents: diff changeset	879	We can repeat this analysis by expanding definitions, using just
d8205bb279a7 Initial revision lcp parents: diff changeset	880	the rules of {\FOL}:
d8205bb279a7 Initial revision lcp parents: diff changeset	881	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	882	choplev 0;
d8205bb279a7 Initial revision lcp parents: diff changeset	883	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	884	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	885	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	886	\ttbreak
2495 82ec47e0a8d3 New discussion of implicit simpsets & clasets paulson parents: 1388 diff changeset	887	by (rewtac if_def);
104 d8205bb279a7 Initial revision lcp parents: diff changeset	888	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	889	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	890	{\out 1. (P & Q \| ~ P & R) & A \| ~ (P & Q \| ~ P & R) & B <->}
d8205bb279a7 Initial revision lcp parents: diff changeset	891	{\out P & (Q & A \| ~ Q & B) \| ~ P & (R & B \| ~ R & A)}
d8205bb279a7 Initial revision lcp parents: diff changeset	892	by (fast_tac FOL_cs 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	893	{\out by: tactic failed}
d8205bb279a7 Initial revision lcp parents: diff changeset	894	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	895	Again we apply \ttindex{step_tac}:
d8205bb279a7 Initial revision lcp parents: diff changeset	896	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	897	by (REPEAT (step_tac FOL_cs 1));
d8205bb279a7 Initial revision lcp parents: diff changeset	898	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	899	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	900	{\out 1. [\| A; ~ P; R; ~ P; R; ~ False \|] ==> B}
d8205bb279a7 Initial revision lcp parents: diff changeset	901	{\out 2. [\| A; ~ P; R; R; ~ False; ~ B; ~ B \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	902	{\out 3. [\| B; ~ P; ~ R; ~ P; ~ A \|] ==> R}
d8205bb279a7 Initial revision lcp parents: diff changeset	903	{\out 4. [\| B; ~ P; ~ R; ~ Q; ~ A \|] ==> R}
d8205bb279a7 Initial revision lcp parents: diff changeset	904	{\out 5. [\| B; ~ R; ~ P; ~ A; ~ R; Q; ~ False \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	905	{\out 6. [\| ~ P; R; B; ~ P; R; ~ False \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	906	{\out 7. [\| ~ P; ~ R; A; ~ B; ~ R \|] ==> P}
d8205bb279a7 Initial revision lcp parents: diff changeset	907	{\out 8. [\| ~ P; ~ R; A; ~ B; ~ R \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	908	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	909	Subgoal~1 yields the same countermodel as before. But each proof step has
d8205bb279a7 Initial revision lcp parents: diff changeset	910	taken six times as long, and the final result contains twice as many subgoals.
d8205bb279a7 Initial revision lcp parents: diff changeset	911
d8205bb279a7 Initial revision lcp parents: diff changeset	912	Expanding definitions causes a great increase in complexity. This is why
d8205bb279a7 Initial revision lcp parents: diff changeset	913	the classical prover has been designed to accept derived rules.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	914
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	915	\index{first-order logic\|)}

author	wenzelm
	Thu, 20 Feb 1997 15:52:53 +0100
changeset 2663	3ca200d880f4
parent 2495	82ec47e0a8d3
child 3133	8c55b0f16da2
permissions	-rw-r--r--