isabelle: doc-src/TutorialI/IsarOverview/Isar/Logic.thy@5e2016d151bd (annotated)

13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	1	(<)theory Logic = Main:(>)
502f69ea6627 * empty log message * nipkow parents: diff changeset	2
502f69ea6627 * empty log message * nipkow parents: diff changeset	3	text{*
502f69ea6627 * empty log message * nipkow parents: diff changeset	4	We begin by looking at a simplified grammar for Isar proofs:
502f69ea6627 * empty log message * nipkow parents: diff changeset	5	\begin{center}
502f69ea6627 * empty log message * nipkow parents: diff changeset	6	\begin{tabular}{lrl}
502f69ea6627 * empty log message * nipkow parents: diff changeset	7	\emph{proof} & ::= & \isacommand{proof} \emph{method}$^?$
502f69ea6627 * empty log message * nipkow parents: diff changeset	8	\emph{statement}*
502f69ea6627 * empty log message * nipkow parents: diff changeset	9	\isacommand{qed} \\
502f69ea6627 * empty log message * nipkow parents: diff changeset	10	&$\mid$& \isacommand{by} \emph{method}\\[1ex]
502f69ea6627 * empty log message * nipkow parents: diff changeset	11	\emph{statement} &::= & \isacommand{fix} \emph{variables} \\
502f69ea6627 * empty log message * nipkow parents: diff changeset	12	&$\mid$& \isacommand{assume} proposition* \\
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	13	&$\mid$& (\isacommand{from} \emph{label}$^*$ $\mid$
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	14	\isacommand{then})$^?$ \\
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	15	&& (\isacommand{show} $\mid$ \isacommand{have})
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	16	\emph{proposition} \emph{proof} \\[1ex]
502f69ea6627 * empty log message * nipkow parents: diff changeset	17	\emph{proposition} &::=& (\emph{label}{\bf:})$^?$ \emph{string}
502f69ea6627 * empty log message * nipkow parents: diff changeset	18	\end{tabular}
502f69ea6627 * empty log message * nipkow parents: diff changeset	19	\end{center}
502f69ea6627 * empty log message * nipkow parents: diff changeset	20	where paranthesis are used for grouping and $^?$ indicates an optional item.
502f69ea6627 * empty log message * nipkow parents: diff changeset	21
502f69ea6627 * empty log message * nipkow parents: diff changeset	22	This is a typical proof skeleton:
502f69ea6627 * empty log message * nipkow parents: diff changeset	23
502f69ea6627 * empty log message * nipkow parents: diff changeset	24	\begin{center}
502f69ea6627 * empty log message * nipkow parents: diff changeset	25	\begin{tabular}{@ {}ll}
502f69ea6627 * empty log message * nipkow parents: diff changeset	26	\isacommand{proof}\\
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	27	\hspace*{3ex}\isacommand{assume} "\emph{the-assm}"\\
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	28	\hspace*{3ex}\isacommand{have} "\dots" & -- "intermediate result"\\
502f69ea6627 * empty log message * nipkow parents: diff changeset	29	\hspace*{3ex}\vdots\\
502f69ea6627 * empty log message * nipkow parents: diff changeset	30	\hspace*{3ex}\isacommand{have} "\dots" & -- "intermediate result"\\
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	31	\hspace*{3ex}\isacommand{show} "\emph{the-concl}"\\
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	32	\isacommand{qed}
502f69ea6627 * empty log message * nipkow parents: diff changeset	33	\end{tabular}
502f69ea6627 * empty log message * nipkow parents: diff changeset	34	\end{center}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	35	It proves \emph{the-assm}~@{text"\<Longrightarrow>"}~\emph{the-concl}.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	36	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	37
502f69ea6627 * empty log message * nipkow parents: diff changeset	38	section{Logic}
502f69ea6627 * empty log message * nipkow parents: diff changeset	39
502f69ea6627 * empty log message * nipkow parents: diff changeset	40	subsection{Propositional logic}
502f69ea6627 * empty log message * nipkow parents: diff changeset	41
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	42	subsubsection{Introduction rules}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	43
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	44	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	45	proof (rule impI)
502f69ea6627 * empty log message * nipkow parents: diff changeset	46	assume A: "A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	47	show "A" by(rule A)
502f69ea6627 * empty log message * nipkow parents: diff changeset	48	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	49
502f69ea6627 * empty log message * nipkow parents: diff changeset	50	text{*\noindent
502f69ea6627 * empty log message * nipkow parents: diff changeset	51	The operational reading: the assume-show block proves @{prop"A \<Longrightarrow> A"},
502f69ea6627 * empty log message * nipkow parents: diff changeset	52	which rule @{thm[source]impI} turns into the desired @{prop"A \<longrightarrow> A"}.
502f69ea6627 * empty log message * nipkow parents: diff changeset	53	However, this text is much too detailled for comfort. Therefore Isar
502f69ea6627 * empty log message * nipkow parents: diff changeset	54	implements the following principle:
502f69ea6627 * empty log message * nipkow parents: diff changeset	55	\begin{quote}\em
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	56	Command \isacommand{proof} automatically tries select an introduction rule
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	57	based on the goal and a predefined list of rules.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	58	\end{quote}
502f69ea6627 * empty log message * nipkow parents: diff changeset	59	Here @{thm[source]impI} is applied automatically:
502f69ea6627 * empty log message * nipkow parents: diff changeset	60	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	61
502f69ea6627 * empty log message * nipkow parents: diff changeset	62	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	63	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	64	assume A: "A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	65	show "A" by(rule A)
502f69ea6627 * empty log message * nipkow parents: diff changeset	66	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	67
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	68	text{* Trivial proofs, in particular those by assumption, should be trivial
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	69	to perform. Method "." does just that (and a bit more --- see later). Thus
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	70	naming of assumptions is often superfluous: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	71
502f69ea6627 * empty log message * nipkow parents: diff changeset	72	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	73	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	74	assume "A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	75	have "A" .
502f69ea6627 * empty log message * nipkow parents: diff changeset	76	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	77
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	78	text{* To hide proofs by assumption further, \isacommand{by}@{text"(method)"}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	79	first applies @{text method} and then tries to solve all remaining subgoals
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	80	by assumption: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	81
502f69ea6627 * empty log message * nipkow parents: diff changeset	82	lemma "A \<longrightarrow> A & A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	83	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	84	assume A
502f69ea6627 * empty log message * nipkow parents: diff changeset	85	show "A & A" by(rule conjI)
502f69ea6627 * empty log message * nipkow parents: diff changeset	86	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	87
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	88	text{*\noindent A drawback of these implicit proofs by assumption is that it
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	89	is no longer obvious where an assumption is used.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	90
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	91	Proofs of the form \isacommand{by}@{text"(rule <name>)"} can be abbreviated
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	92	to ".." if @{text"<name>"} is one of the predefined introduction rules. Thus
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	93	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	94
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	95	lemma "A \<longrightarrow> A \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	96	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	97	assume A
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	98	show "A \<and> A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	99	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	100
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	101	text{*\noindent
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	102	What happens: first the matching introduction rule @{thm[source]conjI}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	103	is applied (first "."), then the two subgoals are solved by assumption
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	104	(second "."). *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	105
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	106	subsubsection{Elimination rules}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	107
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	108	text{*A typical elimination rule is @{thm[source]conjE}, $\land$-elimination:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	109	@{thm[display,indent=5]conjE[no_vars]} In the following proof it is applied
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	110	by hand, after its first (``\emph{major}'') premise has been eliminated via
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	111	@{text"[OF AB]"}: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	112
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	113	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	114	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	115	assume AB: "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	116	show "B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	117	proof (rule conjE[OF AB])
502f69ea6627 * empty log message * nipkow parents: diff changeset	118	assume A and B
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	119	show ?thesis ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	120	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	121	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	122
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	123	text{*\noindent Note that the term @{text"?thesis"} always stands for the
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	124	``current goal'', i.e.\ the enclosing \isacommand{show} (or
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	125	\isacommand{have}).
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	126
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	127	This is too much proof text. Elimination rules should be selected
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	128	automatically based on their major premise, the formula or rather connective
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	129	to be eliminated. In Isar they are triggered by propositions being fed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	130	\emph{into} a proof block. Syntax:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	131	\begin{center}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	132	\isacommand{from} \emph{fact} \isacommand{show} \emph{proposition}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	133	\end{center}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	134	where \emph{fact} stands for the name of a previously proved proved
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	135	proposition, e.g.\ an assumption, an intermediate result or some global
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	136	theorem. The fact may also be modified with @{text of}, @{text OF} etc.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	137	This command applies a elimination rule (from a predefined list)
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	138	whose first premise is solved by the fact. Thus: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	139
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	140	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	141	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	142	assume AB: "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	143	from AB show "B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	144	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	145	assume A and B
502f69ea6627 * empty log message * nipkow parents: diff changeset	146	show ?thesis ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	147	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	148	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	149
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	150	text{* Now we come a second important principle:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	151	\begin{quote}\em
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	152	Try to arrange the sequence of propositions in a UNIX-like pipe,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	153	such that the proof of each proposition builds on the previous proposition.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	154	\end{quote}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	155	The previous proposition can be referred to via the fact @{text this}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	156	This greatly reduces the need for explicit naming of propositions:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	157	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	158
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	159	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	160	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	161	assume "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	162	from this show "B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	163	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	164	assume A and B
502f69ea6627 * empty log message * nipkow parents: diff changeset	165	show ?thesis ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	166	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	167	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	168
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	169	text{*\noindent
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	170	A final simplification: \isacommand{from}~@{text this} can be
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	171	abbreviated to \isacommand{thus}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	172	\bigskip
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	173
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	174	Here is an alternative proof that operates purely by forward reasoning: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	175
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	176	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	177	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	178	assume ab: "A \<and> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	179	from ab have a: A ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	180	from ab have b: B ..
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	181	from b a show "B \<and> A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	182	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	183
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	184	text{*\noindent
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	185	It is worth examining this text in detail because it exhibits a number of new features.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	186
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	187	For a start, this is the first time we have proved intermediate propositions
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	188	(\isacommand{have}) on the way to the final \isacommand{show}. This is the
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	189	norm in any nontrival proof where one cannot bridge the gap between the
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	190	assumptions and the conclusion in one step. Both \isacommand{have}s above are
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	191	proved automatically via @{thm[source]conjE} triggered by
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	192	\isacommand{from}~@{text ab}.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	193
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	194	The \isacommand{show} command illustrates two things:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	195	\begin{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	196	\item \isacommand{from} can be followed by any number of facts.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	197	Given \isacommand{from}~@{text f}$_1$~\dots~@{text f}$_n$, \isacommand{show}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	198	tries to find an elimination rule whose first $n$ premises can be proved
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	199	by the given facts in the given order.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	200	\item If there is no matching elimination rule, introduction rules are tried,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	201	again using the facts to prove the premises.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	202	\end{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	203	In this case, the proof succeeds with @{thm[source]conjI}. Note that the proof would fail if we had written \isacommand{from}~@{text"a b"}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	204	instead of \isacommand{from}~@{text"b a"}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	205
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	206	This treatment of facts fed into a proof is not restricted to implicit
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	207	application of introduction and elimination rules but applies to explicit
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	208	application of rules as well. Thus you could replace the final ``..'' above
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	209	with \isacommand{by}@{text"(rule conjI)"}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	210
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	211	Note Isar's predefined introduction and elimination rules include all the
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	212	usual natural deduction rules for propositional logic. We conclude this
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	213	section with an extended example --- which rules are used implicitly where?
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	214	Rule @{thm[source]ccontr} is @{thm ccontr[no_vars]}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	215	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	216
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	217	lemma "\<not>(A \<and> B) \<longrightarrow> \<not>A \<or> \<not>B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	218	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	219	assume n: "\<not>(A \<and> B)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	220	show "\<not>A \<or> \<not>B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	221	proof (rule ccontr)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	222	assume nn: "\<not>(\<not> A \<or> \<not>B)"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	223	from n show False
502f69ea6627 * empty log message * nipkow parents: diff changeset	224	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	225	show "A \<and> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	226	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	227	show A
502f69ea6627 * empty log message * nipkow parents: diff changeset	228	proof (rule ccontr)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	229	assume "\<not>A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	230	have "\<not> A \<or> \<not> B" ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	231	from nn this show False ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	232	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	233	next
502f69ea6627 * empty log message * nipkow parents: diff changeset	234	show B
502f69ea6627 * empty log message * nipkow parents: diff changeset	235	proof (rule ccontr)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	236	assume "\<not>B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	237	have "\<not> A \<or> \<not> B" ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	238	from nn this show False ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	239	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	240	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	241	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	242	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	243	qed;
502f69ea6627 * empty log message * nipkow parents: diff changeset	244
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	245	text{*\noindent Apart from demonstrating the strangeness of classical
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	246	arguments by contradiction, this example also introduces a new language
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	247	feature to deal with multiple subgoals: \isacommand{next}. When showing
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	248	@{term"A \<and> B"} we need to show both @{term A} and @{term B}. Each subgoal
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	249	is proved separately, in \emph{any} order. The individual proofs are
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	250	separated by \isacommand{next}. *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	251
502f69ea6627 * empty log message * nipkow parents: diff changeset	252	subsection{Becoming more concise}
502f69ea6627 * empty log message * nipkow parents: diff changeset	253
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	254	text{* So far our examples have been a bit unnatural: normally we want to
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	255	prove rules expressed with @{text"\<Longrightarrow>"}, not @{text"\<longrightarrow>"}. Here is an example:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	256	*}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	257
502f69ea6627 * empty log message * nipkow parents: diff changeset	258	lemma "\<lbrakk> A \<Longrightarrow> False \<rbrakk> \<Longrightarrow> \<not> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	259	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	260	assume "A \<Longrightarrow> False" "A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	261	thus False .
502f69ea6627 * empty log message * nipkow parents: diff changeset	262	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	263
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	264	text{*\noindent The \isacommand{proof} always works on the conclusion,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	265	@{prop"\<not>A"} in our case, thus selecting $\neg$-introduction. Hence we can
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	266	additionally assume @{prop"A"}.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	267
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	268	This is all very well as long as formulae are small. Let us now look at some
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	269	devices to avoid repeating (possibly large) formulae. A very general method
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	270	is pattern matching: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	271
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	272	lemma "(large_formula \<Longrightarrow> False) \<Longrightarrow> \<not> large_formula"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	273	(is "(?P \<Longrightarrow> _) \<Longrightarrow> _")
502f69ea6627 * empty log message * nipkow parents: diff changeset	274	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	275	assume "?P \<Longrightarrow> False" ?P
502f69ea6627 * empty log message * nipkow parents: diff changeset	276	thus False .
502f69ea6627 * empty log message * nipkow parents: diff changeset	277	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	278
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	279	text{*\noindent Any formula may be followed by
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	280	@{text"("}\isacommand{is}~\emph{pattern}@{text")"} which causes the pattern
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	281	to be matched against the formula, instantiating the ?-variables in the
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	282	pattern. Subsequent uses of these variables in other terms simply causes them
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	283	to be replaced by the terms they stand for.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	284
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	285	We can simplify things even more by stating the theorem by means of the
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	286	\isacommand{assumes} and \isacommand{shows} primitives which allow direct
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	287	naming of assumptions: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	288
502f69ea6627 * empty log message * nipkow parents: diff changeset	289	lemma assumes A: "large_formula \<Longrightarrow> False"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	290	shows "\<not> large_formula" (is "\<not> ?P")
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	291	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	292	assume ?P
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	293	with A show False .
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	294	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	295
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	296	text{*\noindent Here we have used the abbreviation
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	297	\begin{center}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	298	\isacommand{with}~\emph{facts} \quad = \quad
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	299	\isacommand{from}~\emph{facts} \isacommand{and} @{text this}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	300	\end{center}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	301
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	302	Sometimes it is necessary to supress the implicit application of rules in a
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	303	\isacommand{proof}. For example \isacommand{show}~@{prop"A \<or> B"} would
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	304	trigger $\lor$-introduction, requiring us to prove @{prop A}. A simple
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	305	``@{text"-"}'' prevents this \emph{faut pas}: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	306
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	307	lemma assumes AB: "A \<or> B" shows "B \<or> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	308	proof -
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	309	from AB show ?thesis
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	310	proof
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	311	assume A show ?thesis ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	312	next
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	313	assume B show ?thesis ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	314	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	315	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	316
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	317	subsection{Predicate calculus}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	318
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	319	text{* Command \isacommand{fix} introduces new local variables into a
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	320	proof. It corresponds to @{text"\<And>"} (the universal quantifier at the
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	321	meta-level) just like \isacommand{assume}-\isacommand{show} corresponds to
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	322	@{text"\<Longrightarrow>"}. Here is a sample proof, annotated with the rules that are
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	323	applied implictly: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	324
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	325	lemma assumes P: "\<forall>x. P x" shows "\<forall>x. P(f x)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	326	proof -- "@{thm[source]allI}: @{thm allI[no_vars]}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	327	fix a
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	328	from P show "P(f a)" .. --"@{thm[source]allE}: @{thm allE[no_vars]}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	329	qed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	330
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	331	text{*\noindent Note that in the proof we have chosen to call the bound
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	332	variable @{term a} instead of @{term x} merely to show that the choice of
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	333	names is irrelevant.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	334
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	335	Next we look at @{text"\<exists>"} which is a bit more tricky.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	336	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	337
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	338	lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	339	proof -
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	340	from Pf show ?thesis
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	341	proof -- "@{thm[source]exE}: @{thm exE[no_vars]}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	342	fix a
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	343	assume "P(f a)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	344	show ?thesis .. --"@{thm[source]exI}: @{thm exI[no_vars]}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	345	qed
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	346	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	347
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	348	text {*\noindent
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	349	Explicit $\exists$-elimination as seen above can become
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	350	cumbersome in practice. The derived Isar language element
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	351	``\isakeyword{obtain}'' provides a more handsome way to perform
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	352	generalized existence reasoning:
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	353	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	354
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	355	lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	356	proof -
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	357	from Pf obtain x where "P(f x)" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	358	thus "\<exists>y. P y" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	359	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	360
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	361	text {*\noindent Note how the proof text follows the usual mathematical style
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	362	of concluding $P x$ from $\exists x. P(x)$, while carefully introducing $x$
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	363	as a new local variable.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	364	Technically, \isakeyword{obtain} is similar to \isakeyword{fix} and
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	365	\isakeyword{assume} together with a soundness proof of the
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	366	elimination involved. Thus it behaves similar to any other forward
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	367	proof element.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	368
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	369	Here is a proof of a well known tautology which employs another useful
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	370	abbreviation: \isakeyword{hence} abbreviates \isakeyword{from}~@{text
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	371	this}~\isakeyword{have}. Figure out which rule is used where! *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	372
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	373	lemma assumes ex: "\<exists>x. \<forall>y. P x y" shows "\<forall>y. \<exists>x. P x y"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	374	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	375	fix y
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	376	from ex obtain x where "\<forall>y. P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	377	hence "P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	378	thus "\<exists>x. P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	379	qed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	380
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	381	text{* So far we have confined ourselves to single step proofs. Of course
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	382	powerful automatic methods can be used just as well. Here is an example,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	383	Cantor's theorem that there is no surjective function from a set to its
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	384	powerset: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	385
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	386	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	387	proof
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	388	let ?S = "{x. x \<notin> f x}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	389	show "?S \<notin> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	390	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	391	assume "?S \<in> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	392	then obtain y where fy: "?S = f y" ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	393	show False
502f69ea6627 * empty log message * nipkow parents: diff changeset	394	proof (cases)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	395	assume "y \<in> ?S"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	396	with fy show False by blast
502f69ea6627 * empty log message * nipkow parents: diff changeset	397	next
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	398	assume "y \<notin> ?S"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	399	with fy show False by blast
502f69ea6627 * empty log message * nipkow parents: diff changeset	400	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	401	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	402	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	403
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	404	text{*\noindent
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	405	For a start, the example demonstrates two new language elements:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	406	\begin{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	407	\item \isakeyword{let} introduces an abbreviation for a term, in our case
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	408	the witness for the claim, because the term occurs multiple times in the proof.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	409	\item Proof by @{text"(cases)"} starts a proof by cases. Note that it remains
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	410	implicit what the two cases are: it is merely expected that the two subproofs
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	411	prove @{prop"P \<Longrightarrow> Q"} and @{prop"\<not>P \<Longrightarrow> Q"} for suitable @{term P} and
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	412	@{term Q}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	413	\end{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	414	If you wonder how to \isakeyword{obtain} @{term y}:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	415	via the predefined elimination rule @{thm rangeE[no_vars]}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	416
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	417	Method @{text blast} is used because the contradiction does not follow easily
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	418	by just a single rule. If you find the proof too cryptic for human
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	419	consumption, here is a more detailed version; the beginning up to
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	420	\isakeyword{obtain} stays unchanged. *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	421
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	422	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	423	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	424	let ?S = "{x. x \<notin> f x}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	425	show "?S \<notin> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	426	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	427	assume "?S \<in> range f"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	428	then obtain y where fy: "?S = f y" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	429	show False
502f69ea6627 * empty log message * nipkow parents: diff changeset	430	proof (cases)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	431	assume A: "y \<in> ?S"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	432	hence isin: "y \<in> f y" by(simp add:fy)
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	433	from A have "y \<notin> f y" by simp
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	434	with isin show False by contradiction
502f69ea6627 * empty log message * nipkow parents: diff changeset	435	next
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	436	assume A: "y \<notin> ?S"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	437	hence notin: "y \<notin> f y" by(simp add:fy)
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	438	from A have "y \<in> f y" by simp
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	439	with notin show False by contradiction
502f69ea6627 * empty log message * nipkow parents: diff changeset	440	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	441	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	442	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	443
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	444	text {*\noindent Method @{text contradiction} succeeds if both $P$ and
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	445	$\neg P$ are among the assumptions and the facts fed into that step.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	446
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	447	As it happens, Cantor's theorem can be proved automatically by best-first
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	448	search. Depth-first search would diverge, but best-first search successfully
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	449	navigates through the large search space:
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	450	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	451
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	452	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	453	by best
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	454
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	455	text{*\noindent Of course this only works in the context of HOL's carefully
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	456	constructed introduction and elimination rules for set theory.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	457
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	458	Finally, whole scripts may appear in the leaves of the proof tree, although
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	459	this is best avoided. Here is a contrived example: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	460
502f69ea6627 * empty log message * nipkow parents: diff changeset	461	lemma "A \<longrightarrow> (A \<longrightarrow>B) \<longrightarrow> B"
502f69ea6627 * empty log message * nipkow parents: diff changeset	462	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	463	assume a: A
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	464	show "(A \<longrightarrow>B) \<longrightarrow> B"
502f69ea6627 * empty log message * nipkow parents: diff changeset	465	apply(rule impI)
502f69ea6627 * empty log message * nipkow parents: diff changeset	466	apply(erule impE)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	467	apply(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	468	apply assumption
502f69ea6627 * empty log message * nipkow parents: diff changeset	469	done
502f69ea6627 * empty log message * nipkow parents: diff changeset	470	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	471
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	472	text{*\noindent You may need to resort to this technique if an automatic step
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	473	fails to prove the desired proposition. *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	474	(<)end(>)

author	nipkow
	Thu, 04 Jul 2002 11:13:56 +0200
changeset 13294	5e2016d151bd
parent 13267	502f69ea6627
child 13305	f88d0c363582
permissions	-rw-r--r--