isabelle: doc-src/TutorialI/IsarOverview/Isar/Logic.thy@8060978feaf4 (annotated)

13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	1	(<)theory Logic = Main:(>)
502f69ea6627 * empty log message * nipkow parents: diff changeset	2
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	3	section{Logic \label{sec:Logic}}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	4
502f69ea6627 * empty log message * nipkow parents: diff changeset	5	subsection{Propositional logic}
502f69ea6627 * empty log message * nipkow parents: diff changeset	6
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	7	subsubsection{Introduction rules}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	8
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	9	text{* We start with a really trivial toy proof to introduce the basic
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	10	features of structured proofs. *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	11	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	12	proof (rule impI)
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	13	assume a: "A"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	14	show "A" by(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	15	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	16	text{*\noindent
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	17	The operational reading: the \isakeyword{assume}-\isakeyword{show}
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	18	block proves @{prop"A \<Longrightarrow> A"} (@{term a} is a degenerate rule (no
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	19	assumptions) that proves @{term A} outright), which rule
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	20	@{thm[source]impI} (@{thm impI}) turns into the desired @{prop"A \<longrightarrow>
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	21	A"}. However, this text is much too detailed for comfort. Therefore
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	22	Isar implements the following principle: \begin{quote}\em Command
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	23	\isakeyword{proof} automatically tries to select an introduction rule
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	24	based on the goal and a predefined list of rules. \end{quote} Here
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	25	@{thm[source]impI} is applied automatically: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	26
502f69ea6627 * empty log message * nipkow parents: diff changeset	27	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	28	proof
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	29	assume a: A
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	30	show A by(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	31	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	32
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	33	text{*\noindent Single-identifier formulae such as @{term A} need not
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	34	be enclosed in double quotes. However, we will continue to do so for
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	35	uniformity.
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	36
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	37	Trivial proofs, in particular those by assumption, should be trivial
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	38	to perform. Proof ``.'' does just that (and a bit more). Thus
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	39	naming of assumptions is often superfluous: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	40	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	41	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	42	assume "A"
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	43	show "A" .
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	44	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	45
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	46	text{* To hide proofs by assumption further, \isakeyword{by}@{text"(method)"}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	47	first applies @{text method} and then tries to solve all remaining subgoals
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	48	by assumption: *}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	49	lemma "A \<longrightarrow> A \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	50	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	51	assume "A"
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	52	show "A \<and> A" by(rule conjI)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	53	qed
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	54	text{*\noindent Rule @{thm[source]conjI} is of course @{thm conjI}.
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	55	A drawback of implicit proofs by assumption is that it
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	56	is no longer obvious where an assumption is used.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	57
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	58	Proofs of the form \isakeyword{by}@{text"(rule"}~\emph{name}@{text")"}
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	59	can be abbreviated to ``..'' if \emph{name} refers to one of the
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	60	predefined introduction rules (or elimination rules, see below): *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	61
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	62	lemma "A \<longrightarrow> A \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	63	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	64	assume "A"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	65	show "A \<and> A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	66	qed
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	67	text{*\noindent
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	68	This is what happens: first the matching introduction rule @{thm[source]conjI}
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	69	is applied (first ``.''), then the two subgoals are solved by assumption
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	70	(second ``.''). *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	71
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	72	subsubsection{Elimination rules}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	73
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	74	text{*A typical elimination rule is @{thm[source]conjE}, $\land$-elimination:
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	75	@{thm[display,indent=5]conjE} In the following proof it is applied
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	76	by hand, after its first (\emph{major}) premise has been eliminated via
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	77	@{text"[OF AB]"}: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	78	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	79	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	80	assume AB: "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	81	show "B \<and> A"
13347 867f876589e7 * empty log message * nipkow parents: 13338 diff changeset	82	proof (rule conjE[OF AB]) -- {@{text"conjE[OF AB]"}: @{thm conjE[OF AB]} }
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	83	assume "A" "B"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	84	show ?thesis ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	85	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	86	qed
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	87	text{*\noindent Note that the term @{text"?thesis"} always stands for the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	88	``current goal'', i.e.\ the enclosing \isakeyword{show} (or
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	89	\isakeyword{have}) statement.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	90
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	91	This is too much proof text. Elimination rules should be selected
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	92	automatically based on their major premise, the formula or rather connective
13770 8060978feaf4 * empty log message * nipkow parents: 13769 diff changeset	93	to be eliminated. In Isar they are triggered by facts being fed
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	94	\emph{into} a proof. Syntax:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	95	\begin{center}
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	96	\isakeyword{from} \emph{fact} \isakeyword{show} \emph{proposition} \emph{proof}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	97	\end{center}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	98	where \emph{fact} stands for the name of a previously proved
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	99	proposition, e.g.\ an assumption, an intermediate result or some global
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	100	theorem, which may also be modified with @{text OF} etc.
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	101	The \emph{fact} is ``piped'' into the \emph{proof}, which can deal with it
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	102	how it chooses. If the \emph{proof} starts with a plain \isakeyword{proof},
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	103	an elimination rule (from a predefined list) is applied
36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	104	whose first premise is solved by the \emph{fact}. Thus the proof above
36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	105	is equivalent to the following one: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	106
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	107	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	108	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	109	assume AB: "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	110	from AB show "B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	111	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	112	assume "A" "B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	113	show ?thesis ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	114	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	115	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	116
13770 8060978feaf4 * empty log message * nipkow parents: 13769 diff changeset	117	text{* Now we come to a second important principle:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	118	\begin{quote}\em
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	119	Try to arrange the sequence of propositions in a UNIX-like pipe,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	120	such that the proof of each proposition builds on the previous proposition.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	121	\end{quote}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	122	The previous proposition can be referred to via the fact @{text this}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	123	This greatly reduces the need for explicit naming of propositions:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	124	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	125	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	126	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	127	assume "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	128	from this show "B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	129	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	130	assume "A" "B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	131	show ?thesis ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	132	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	133	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	134
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	135	text{*\noindent Because of the frequency of \isakeyword{from}~@{text
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	136	this}, Isar provides two abbreviations:
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	137	\begin{center}
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	138	\begin{tabular}{r@ {\quad=\quad}l}
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	139	\isakeyword{then} & \isakeyword{from} @{text this} \\
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	140	\isakeyword{thus} & \isakeyword{then} \isakeyword{show}
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	141	\end{tabular}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	142	\end{center}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	143
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	144	Here is an alternative proof that operates purely by forward reasoning: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	145	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	146	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	147	assume ab: "A \<and> B"
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	148	from ab have a: "A" ..
531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	149	from ab have b: "B" ..
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	150	from b a show "B \<and> A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	151	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	152
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	153	text{*\noindent It is worth examining this text in detail because it
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	154	exhibits a number of new concepts. For a start, it is the first time
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	155	we have proved intermediate propositions (\isakeyword{have}) on the
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	156	way to the final \isakeyword{show}. This is the norm in nontrivial
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	157	proofs where one cannot bridge the gap between the assumptions and the
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	158	conclusion in one step. To understand how the proof works we need to
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	159	explain more Isar details.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	160
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	161	Method @{text rule} can be given a list of rules, in which case
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	162	@{text"(rule"}~\textit{rules}@{text")"} applies the first matching
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	163	rule in the list \textit{rules}. Command \isakeyword{from} can be
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	164	followed by any number of facts. Given \isakeyword{from}~@{text
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	165	f}$_1$~\dots~@{text f}$_n$, the proof step
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	166	@{text"(rule"}~\textit{rules}@{text")"} following a \isakeyword{have}
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	167	or \isakeyword{show} searches \textit{rules} for a rule whose first
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	168	$n$ premises can be proved by @{text f}$_1$~\dots~@{text f}$_n$ in the
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	169	given order. Finally one needs to know that ``..'' is short for
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	170	@{text"by(rule"}~\textit{elim-rules intro-rules}@{text")"} (or
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	171	@{text"by(rule"}~\textit{intro-rules}@{text")"} if there are no facts
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	172	fed into the proof), i.e.\ elimination rules are tried before
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	173	introduction rules.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	174
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	175	Thus in the above proof both \isakeyword{have}s are proved via
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	176	@{thm[source]conjE} triggered by \isakeyword{from}~@{text ab} whereas
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	177	in the \isakeyword{show} step no elimination rule is applicable and
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	178	the proof succeeds with @{thm[source]conjI}. The latter would fail had
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	179	we written \isakeyword{from}~@{text"a b"} instead of
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	180	\isakeyword{from}~@{text"b a"}.
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	181
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	182	Proofs starting with a plain @{text proof} behave the same because the
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	183	latter is short for @{text"proof (rule"}~\textit{elim-rules
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	184	intro-rules}@{text")"} (or @{text"proof
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	185	(rule"}~\textit{intro-rules}@{text")"} if there are no facts fed into
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	186	the proof). *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	187
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	188	subsection{More constructs}
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	189
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	190	text{* In the previous proof of @{prop"A \<and> B \<longrightarrow> B \<and> A"} we needed to feed
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	191	more than one fact into a proof step, a frequent situation. Then the
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	192	UNIX-pipe model appears to break down and we need to name the different
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	193	facts to refer to them. But this can be avoided:
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	194	*}
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	195	lemma "A \<and> B \<longrightarrow> B \<and> A"
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	196	proof
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	197	assume ab: "A \<and> B"
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	198	from ab have "B" ..
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	199	moreover
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	200	from ab have "A" ..
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	201	ultimately show "B \<and> A" ..
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	202	qed
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	203	text{*\noindent You can combine any number of facts @{term A1} \dots\ @{term
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	204	An} into a sequence by separating their proofs with
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	205	\isakeyword{moreover}. After the final fact, \isakeyword{ultimately} stands
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	206	for \isakeyword{from}~@{term A1}~\dots~@{term An}. This avoids having to
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	207	introduce names for all of the sequence elements. *}
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	208
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	209	text{* Although we have only seen a few introduction and elimination rules so
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	210	far, Isar's predefined rules include all the usual natural deduction
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	211	rules. We conclude our exposition of propositional logic with an extended
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	212	example --- which rules are used implicitly where? *}
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	213	lemma "\<not> (A \<and> B) \<longrightarrow> \<not> A \<or> \<not> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	214	proof
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	215	assume n: "\<not> (A \<and> B)"
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	216	show "\<not> A \<or> \<not> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	217	proof (rule ccontr)
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	218	assume nn: "\<not> (\<not> A \<or> \<not> B)"
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	219	have "\<not> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	220	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	221	assume "A"
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	222	have "\<not> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	223	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	224	assume "B"
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	225	have "A \<and> B" ..
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	226	with n show False ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	227	qed
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	228	hence "\<not> A \<or> \<not> B" ..
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	229	with nn show False ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	230	qed
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	231	hence "\<not> A \<or> \<not> B" ..
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	232	with nn show False ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	233	qed
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	234	qed
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	235	text{*\noindent
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	236	Rule @{thm[source]ccontr} (``classical contradiction'') is
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	237	@{thm ccontr[no_vars]}.
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	238	Apart from demonstrating the strangeness of classical
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	239	arguments by contradiction, this example also introduces two new
13330 c9e9b6add754 * empty log message * nipkow parents: 13329 diff changeset	240	abbreviations:
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	241	\begin{center}
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	242	\begin{tabular}{l@ {\quad=\quad}l}
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	243	\isakeyword{hence} & \isakeyword{then} \isakeyword{have} \\
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	244	\isakeyword{with}~\emph{facts} &
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	245	\isakeyword{from}~\emph{facts} @{text this}
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	246	\end{tabular}
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	247	\end{center}
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	248	*}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	249
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	250	subsection{Avoiding duplication}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	251
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	252	text{* So far our examples have been a bit unnatural: normally we want to
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	253	prove rules expressed with @{text"\<Longrightarrow>"}, not @{text"\<longrightarrow>"}. Here is an example:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	254	*}
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	255	lemma "A \<and> B \<Longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	256	proof
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	257	assume "A \<and> B" thus "B" ..
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	258	next
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	259	assume "A \<and> B" thus "A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	260	qed
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	261	text{*\noindent The \isakeyword{proof} always works on the conclusion,
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	262	@{prop"B \<and> A"} in our case, thus selecting $\land$-introduction. Hence
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	263	we must show @{prop B} and @{prop A}; both are proved by
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	264	$\land$-elimination and the proofs are separated by \isakeyword{next}:
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	265	\begin{description}
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	266	\item[\isakeyword{next}] deals with multiple subgoals. For example,
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	267	when showing @{term"A \<and> B"} we need to show both @{term A} and @{term
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	268	B}. Each subgoal is proved separately, in \emph{any} order. The
13770 8060978feaf4 * empty log message * nipkow parents: 13769 diff changeset	269	individual proofs are separated by \isakeyword{next}. \footnote{Each
8060978feaf4 * empty log message * nipkow parents: 13769 diff changeset	270	\isakeyword{show} must prove one of the pending subgoals. If a
8060978feaf4 * empty log message * nipkow parents: 13769 diff changeset	271	\isakeyword{show} matches multiple subgoals, e.g.\ if the subgoals
8060978feaf4 * empty log message * nipkow parents: 13769 diff changeset	272	contain ?-variables, the first one is proved. Thus the order in which
8060978feaf4 * empty log message * nipkow parents: 13769 diff changeset	273	the subgoals are proved can matter --- see
8060978feaf4 * empty log message * nipkow parents: 13769 diff changeset	274	\S\ref{sec:CaseDistinction} for an example.}
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	275
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	276	Strictly speaking \isakeyword{next} is only required if the subgoals
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	277	are proved in different assumption contexts which need to be
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	278	separated, which is not the case above. For clarity we
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	279	have employed \isakeyword{next} anyway and will continue to do so.
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	280	\end{description}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	281
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	282	This is all very well as long as formulae are small. Let us now look at some
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	283	devices to avoid repeating (possibly large) formulae. A very general method
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	284	is pattern matching: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	285
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	286	lemma "large_A \<and> large_B \<Longrightarrow> large_B \<and> large_A"
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	287	(is "?AB \<Longrightarrow> ?B \<and> ?A")
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	288	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	289	assume "?AB" thus "?B" ..
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	290	next
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	291	assume "?AB" thus "?A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	292	qed
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	293	text{*\noindent Any formula may be followed by
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	294	@{text"("}\isakeyword{is}~\emph{pattern}@{text")"} which causes the pattern
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	295	to be matched against the formula, instantiating the @{text"?"}-variables in
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	296	the pattern. Subsequent uses of these variables in other terms causes
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	297	them to be replaced by the terms they stand for.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	298
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	299	We can simplify things even more by stating the theorem by means of the
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	300	\isakeyword{assumes} and \isakeyword{shows} elements which allow direct
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	301	naming of assumptions: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	302
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	303	lemma assumes AB: "large_A \<and> large_B"
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	304	shows "large_B \<and> large_A" (is "?B \<and> ?A")
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	305	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	306	from AB show "?B" ..
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	307	next
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	308	from AB show "?A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	309	qed
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	310	text{*\noindent Note the difference between @{text ?AB}, a term, and
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	311	@{text AB}, a fact.
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	312
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	313	Finally we want to start the proof with $\land$-elimination so we
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	314	don't have to perform it twice, as above. Here is a slick way to
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	315	achieve this: *}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	316
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	317	lemma assumes AB: "large_A \<and> large_B"
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	318	shows "large_B \<and> large_A" (is "?B \<and> ?A")
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	319	using AB
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	320	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	321	assume "?A" "?B" show ?thesis ..
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	322	qed
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	323	text{*\noindent Command \isakeyword{using} can appear before a proof
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	324	and adds further facts to those piped into the proof. Here @{text AB}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	325	is the only such fact and it triggers $\land$-elimination. Another
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	326	frequent idiom is as follows:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	327	\begin{center}
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	328	\isakeyword{from} \emph{major-facts}~
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	329	\isakeyword{show} \emph{proposition}~
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	330	\isakeyword{using} \emph{minor-facts}~
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	331	\emph{proof}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	332	\end{center}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	333
13330 c9e9b6add754 * empty log message * nipkow parents: 13329 diff changeset	334	Sometimes it is necessary to suppress the implicit application of rules in a
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	335	\isakeyword{proof}. For example \isakeyword{show}~@{prop"A \<or> B"} would
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	336	trigger $\lor$-introduction, requiring us to prove @{prop A}. A simple
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	337	``@{text"-"}'' prevents this \emph{faux pas}: *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	338
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	339	lemma assumes AB: "A \<or> B" shows "B \<or> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	340	proof -
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	341	from AB show ?thesis
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	342	proof
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	343	assume A show ?thesis ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	344	next
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	345	assume B show ?thesis ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	346	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	347	qed
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	348
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	349
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	350	subsection{Predicate calculus}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	351
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	352	text{* Command \isakeyword{fix} introduces new local variables into a
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	353	proof. The pair \isakeyword{fix}-\isakeyword{show} corresponds to @{text"\<And>"}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	354	(the universal quantifier at the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	355	meta-level) just like \isakeyword{assume}-\isakeyword{show} corresponds to
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	356	@{text"\<Longrightarrow>"}. Here is a sample proof, annotated with the rules that are
13330 c9e9b6add754 * empty log message * nipkow parents: 13329 diff changeset	357	applied implicitly: *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	358	lemma assumes P: "\<forall>x. P x" shows "\<forall>x. P(f x)"
13351 bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	359	proof --"@{thm[source]allI}: @{thm allI}"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	360	fix a
13351 bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	361	from P show "P(f a)" .. --"@{thm[source]allE}: @{thm allE}"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	362	qed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	363	text{*\noindent Note that in the proof we have chosen to call the bound
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	364	variable @{term a} instead of @{term x} merely to show that the choice of
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	365	local names is irrelevant.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	366
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	367	Next we look at @{text"\<exists>"} which is a bit more tricky.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	368	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	369
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	370	lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	371	proof -
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	372	from Pf show ?thesis
13351 bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	373	proof -- "@{thm[source]exE}: @{thm exE}"
bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	374	fix x
bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	375	assume "P(f x)"
bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	376	show ?thesis .. -- "@{thm[source]exI}: @{thm exI}"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	377	qed
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	378	qed
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	379	text{*\noindent Explicit $\exists$-elimination as seen above can become
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	380	cumbersome in practice. The derived Isar language element
13767 731171c27be9 * empty log message * nipkow parents: 13766 diff changeset	381	\isakeyword{obtain} provides a more appealing form of generalised
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	382	existence reasoning: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	383
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	384	lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	385	proof -
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	386	from Pf obtain x where "P(f x)" ..
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	387	thus "\<exists>y. P y" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	388	qed
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	389	text{*\noindent Note how the proof text follows the usual mathematical style
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	390	of concluding $P(x)$ from $\exists x. P(x)$, while carefully introducing $x$
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	391	as a new local variable. Technically, \isakeyword{obtain} is similar to
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	392	\isakeyword{fix} and \isakeyword{assume} together with a soundness proof of
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	393	the elimination involved.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	394
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	395	Here is a proof of a well known tautology.
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	396	Which rule is used where? *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	397
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	398	lemma assumes ex: "\<exists>x. \<forall>y. P x y" shows "\<forall>y. \<exists>x. P x y"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	399	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	400	fix y
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	401	from ex obtain x where "\<forall>y. P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	402	hence "P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	403	thus "\<exists>x. P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	404	qed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	405
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	406	subsection{Making bigger steps}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	407
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	408	text{* So far we have confined ourselves to single step proofs. Of course
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	409	powerful automatic methods can be used just as well. Here is an example,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	410	Cantor's theorem that there is no surjective function from a set to its
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	411	powerset: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	412	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	413	proof
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	414	let ?S = "{x. x \<notin> f x}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	415	show "?S \<notin> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	416	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	417	assume "?S \<in> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	418	then obtain y where fy: "?S = f y" ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	419	show False
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	420	proof cases
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	421	assume "y \<in> ?S"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	422	with fy show False by blast
502f69ea6627 * empty log message * nipkow parents: diff changeset	423	next
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	424	assume "y \<notin> ?S"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	425	with fy show False by blast
502f69ea6627 * empty log message * nipkow parents: diff changeset	426	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	427	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	428	qed
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	429	text{*\noindent
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	430	For a start, the example demonstrates two new constructs:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	431	\begin{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	432	\item \isakeyword{let} introduces an abbreviation for a term, in our case
13580 a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	433	the witness for the claim.
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	434	\item Proof by @{text"cases"} starts a proof by cases. Note that it remains
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	435	implicit what the two cases are: it is merely expected that the two subproofs
13580 a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	436	prove @{text"P \<Longrightarrow> ?thesis"} and @{text"\<not>P \<Longrightarrow> ?thesis"} (in that order)
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	437	for some @{term P}.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	438	\end{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	439	If you wonder how to \isakeyword{obtain} @{term y}:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	440	via the predefined elimination rule @{thm rangeE[no_vars]}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	441
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	442	Method @{text blast} is used because the contradiction does not follow easily
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	443	by just a single rule. If you find the proof too cryptic for human
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	444	consumption, here is a more detailed version; the beginning up to
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	445	\isakeyword{obtain} stays unchanged. *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	446
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	447	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	448	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	449	let ?S = "{x. x \<notin> f x}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	450	show "?S \<notin> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	451	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	452	assume "?S \<in> range f"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	453	then obtain y where fy: "?S = f y" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	454	show False
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	455	proof cases
13580 a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	456	assume "y \<in> ?S"
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	457	hence "y \<notin> f y" by simp
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	458	hence "y \<notin> ?S" by(simp add:fy)
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	459	thus False by contradiction
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	460	next
13580 a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	461	assume "y \<notin> ?S"
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	462	hence "y \<in> f y" by simp
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	463	hence "y \<in> ?S" by(simp add:fy)
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	464	thus False by contradiction
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	465	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	466	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	467	qed
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	468	text{*\noindent Method @{text contradiction} succeeds if both $P$ and
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	469	$\neg P$ are among the assumptions and the facts fed into that step, in any order.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	470
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	471	As it happens, Cantor's theorem can be proved automatically by best-first
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	472	search. Depth-first search would diverge, but best-first search successfully
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	473	navigates through the large search space:
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	474	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	475
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	476	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	477	by best
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	478	(* Of course this only works in the context of HOL's carefully
e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	479	constructed introduction and elimination rules for set theory.*)
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	480
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	481	subsection{Raw proof blocks}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	482
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	483	text{* Although we have shown how to employ powerful automatic methods like
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	484	@{text blast} to achieve bigger proof steps, there may still be the
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	485	tendency to use the default introduction and elimination rules to
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	486	decompose goals and facts. This can lead to very tedious proofs:
13770 8060978feaf4 * empty log message * nipkow parents: 13769 diff changeset	487	\Tweakskip
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	488	*}
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	489	(<)ML"set quick_and_dirty"(>)
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	490	lemma "\<forall>x y. A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	491	proof
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	492	fix x show "\<forall>y. A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	493	proof
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	494	fix y show "A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	495	proof
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	496	assume "A x y \<and> B x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	497	show "C x y" sorry
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	498	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	499	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	500	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	501	text{*\noindent Since we are only interested in the decomposition and not the
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	502	actual proof, the latter has been replaced by
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	503	\isakeyword{sorry}. Command \isakeyword{sorry} proves anything but is
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	504	only allowed in quick and dirty mode, the default interactive mode. It
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	505	is very convenient for top down proof development.
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	506
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	507	Luckily we can avoid this step by step decomposition very easily: *}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	508
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	509	lemma "\<forall>x y. A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	510	proof -
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	511	have "\<And>x y. \<lbrakk> A x y; B x y \<rbrakk> \<Longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	512	proof -
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	513	fix x y assume "A x y" "B x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	514	show "C x y" sorry
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	515	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	516	thus ?thesis by blast
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	517	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	518
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	519	text{*\noindent
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	520	This can be simplified further by \emph{raw proof blocks}, i.e.\
e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	521	proofs enclosed in braces: *}
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	522
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	523	lemma "\<forall>x y. A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	524	proof -
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	525	{ fix x y assume "A x y" "B x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	526	have "C x y" sorry }
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	527	thus ?thesis by blast
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	528	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	529
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	530	text{*\noindent The result of the raw proof block is the same theorem
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	531	as above, namely @{prop"\<And>x y. \<lbrakk> A x y; B x y \<rbrakk> \<Longrightarrow> C x y"}. Raw
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	532	proof blocks are like ordinary proofs except that they do not prove
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	533	some explicitly stated property but that the property emerges directly
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	534	out of the \isakeyword{fixe}s, \isakeyword{assume}s and
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	535	\isakeyword{have} in the block. Thus they again serve to avoid
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	536	duplication. Note that the conclusion of a raw proof block is stated with
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	537	\isakeyword{have} rather than \isakeyword{show} because it is not the
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	538	conclusion of some pending goal but some independent claim.
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	539
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	540	The general idea demonstrated in this subsection is very
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	541	important in Isar and distinguishes it from tactic-style proofs:
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	542	\begin{quote}\em
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	543	Do not manipulate the proof state into a particular form by applying
13767 731171c27be9 * empty log message * nipkow parents: 13766 diff changeset	544	tactics but state the desired form explicitly and let the tactic verify
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	545	that from this form the original goal follows.
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	546	\end{quote}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	547	This yields more readable and also more robust proofs. *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	548
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	549	subsection{Further refinements}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	550
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	551	text{* This subsection discusses some further tricks that can make
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	552	life easier although they are not essential. *}
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	553
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	554	subsubsection{\isakeyword{and}}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	555
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	556	text{* Propositions (following \isakeyword{assume} etc) may but need not be
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	557	separated by \isakeyword{and}. This is not just for readability
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	558	(\isakeyword{from} \isa{A} \isakeyword{and} \isa{B} looks nicer than
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	559	\isakeyword{from} \isa{A} \isa{B}) but for structuring lists of propositions
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	560	into possibly named blocks. In
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	561	\begin{center}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	562	\isakeyword{assume} \isa{A:} $A_1$ $A_2$ \isakeyword{and} \isa{B:} $A_3$
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	563	\isakeyword{and} $A_4$
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	564	\end{center}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	565	label \isa{A} refers to the list of propositions $A_1$ $A_2$ and
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	566	label \isa{B} to $A_3$. *}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	567
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	568	subsubsection{\isakeyword{note}}
e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	569	text{* If you want to remember intermediate fact(s) that cannot be
e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	570	named directly, use \isakeyword{note}. For example the result of raw
e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	571	proof block can be named by following it with
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	572	\isakeyword{note}~@{text"some_name = this"}. As a side effect,
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	573	@{text this} is set to the list of facts on the right-hand side. You
e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	574	can also say @{text"note some_fact"}, which simply sets @{text this},
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	575	i.e.\ recalls @{text"some_fact"}, e.g.\ in a \isakeyword{moreover} sequence. *}
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	576
e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	577
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	578	subsubsection{\isakeyword{fixes}}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	579
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	580	text{* Sometimes it is necessary to decorate a proposition with type
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	581	constraints, as in Cantor's theorem above. These type constraints tend
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	582	to make the theorem less readable. The situation can be improved a
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	583	little by combining the type constraint with an outer @{text"\<And>"}: *}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	584
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	585	theorem "\<And>f :: 'a \<Rightarrow> 'a set. \<exists>S. S \<notin> range f"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	586	(<)oops(>)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	587	text{*\noindent However, now @{term f} is bound and we need a
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	588	\isakeyword{fix}~\isa{f} in the proof before we can refer to @{term f}.
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	589	This is avoided by \isakeyword{fixes}: *}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	590
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	591	theorem fixes f :: "'a \<Rightarrow> 'a set" shows "\<exists>S. S \<notin> range f"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	592	(<)oops(>)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	593	text{* \noindent
13765 e3c444e805c4 * empty log message * nipkow parents: 13700 diff changeset	594	Even better, \isakeyword{fixes} allows to introduce concrete syntax locally:*}
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	595
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	596	lemma comm_mono:
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	597	fixes r :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infix ">" 60) and
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	598	f :: "'a \<Rightarrow> 'a \<Rightarrow> 'a" (infixl "++" 70)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	599	assumes comm: "\<And>x y::'a. x ++ y = y ++ x" and
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	600	mono: "\<And>x y z::'a. x > y \<Longrightarrow> x ++ z > y ++ z"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	601	shows "x > y \<Longrightarrow> z ++ x > z ++ y"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	602	by(simp add: comm mono)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	603
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	604	text{*\noindent The concrete syntax is dropped at the end of the proof and the
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	605	theorem becomes @{thm[display,margin=60]comm_mono}
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	606	\tweakskip *}
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	607
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	608	subsubsection{\isakeyword{obtain}}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	609
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	610	text{* The \isakeyword{obtain} construct can introduce multiple
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	611	witnesses and propositions as in the following proof fragment:*}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	612
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	613	lemma assumes A: "\<exists>x y. P x y \<and> Q x y" shows "R"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	614	proof -
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	615	from A obtain x y where P: "P x y" and Q: "Q x y" by blast
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	616	(<)oops(>)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	617	text{* Remember also that one does not even need to start with a formula
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	618	containing @{text"\<exists>"} as we saw in the proof of Cantor's theorem.
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	619	*}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	620
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	621	subsubsection{Combining proof styles}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	622
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	623	text{* Finally, whole ``scripts'' (tactic-based proofs in the style of
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	624	\cite{LNCS2283}) may appear in the leaves of the proof tree, although this is
36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	625	best avoided. Here is a contrived example: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	626
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	627	lemma "A \<longrightarrow> (A \<longrightarrow> B) \<longrightarrow> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	628	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	629	assume a: "A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	630	show "(A \<longrightarrow>B) \<longrightarrow> B"
502f69ea6627 * empty log message * nipkow parents: diff changeset	631	apply(rule impI)
502f69ea6627 * empty log message * nipkow parents: diff changeset	632	apply(erule impE)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	633	apply(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	634	apply assumption
502f69ea6627 * empty log message * nipkow parents: diff changeset	635	done
502f69ea6627 * empty log message * nipkow parents: diff changeset	636	qed
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	637
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	638	text{*\noindent You may need to resort to this technique if an
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	639	automatic step fails to prove the desired proposition.
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	640
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	641	When converting a proof from tactic-style into Isar you can proceed
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	642	in a top-down manner: parts of the proof can be left in script form
13769 a9f000d3ecae * empty log message * nipkow parents: 13768 diff changeset	643	while the outer structure is already expressed in Isar. *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	644
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	645	(<)end(>)

author	nipkow
	Fri, 03 Jan 2003 10:24:24 +0100
changeset 13770	8060978feaf4
parent 13769	a9f000d3ecae
child 13777	23e743ac9cec
permissions	-rw-r--r--