isabelle: doc-src/Intro/foundations.tex@e1f6cd9f682e (annotated)

105 216d6ed87399 Initial revision lcp parents: diff changeset	1	%% $Id$
216d6ed87399 Initial revision lcp parents: diff changeset	2	\part{Foundations}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	3	The following sections discuss Isabelle's logical foundations in detail:
105 216d6ed87399 Initial revision lcp parents: diff changeset	4	representing logical syntax in the typed $\lambda$-calculus; expressing
216d6ed87399 Initial revision lcp parents: diff changeset	5	inference rules in Isabelle's meta-logic; combining rules by resolution.
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	6
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	7	If you wish to use Isabelle immediately, please turn to
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	8	page~\pageref{chap:getting}. You can always read about foundations later,
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	9	either by returning to this point or by looking up particular items in the
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	10	index.
105 216d6ed87399 Initial revision lcp parents: diff changeset	11
216d6ed87399 Initial revision lcp parents: diff changeset	12	\begin{figure}
216d6ed87399 Initial revision lcp parents: diff changeset	13	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	14	\neg P & \hbox{abbreviates} & P\imp\bot \\
216d6ed87399 Initial revision lcp parents: diff changeset	15	P\bimp Q & \hbox{abbreviates} & (P\imp Q) \conj (Q\imp P)
216d6ed87399 Initial revision lcp parents: diff changeset	16	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	17	\vskip 4ex
216d6ed87399 Initial revision lcp parents: diff changeset	18
216d6ed87399 Initial revision lcp parents: diff changeset	19	\(\begin{array}{c@{\qquad\qquad}c}
216d6ed87399 Initial revision lcp parents: diff changeset	20	\infer[({\conj}I)]{P\conj Q}{P & Q} &
216d6ed87399 Initial revision lcp parents: diff changeset	21	\infer[({\conj}E1)]{P}{P\conj Q} \qquad
216d6ed87399 Initial revision lcp parents: diff changeset	22	\infer[({\conj}E2)]{Q}{P\conj Q} \\[4ex]
216d6ed87399 Initial revision lcp parents: diff changeset	23
216d6ed87399 Initial revision lcp parents: diff changeset	24	\infer[({\disj}I1)]{P\disj Q}{P} \qquad
216d6ed87399 Initial revision lcp parents: diff changeset	25	\infer[({\disj}I2)]{P\disj Q}{Q} &
216d6ed87399 Initial revision lcp parents: diff changeset	26	\infer[({\disj}E)]{R}{P\disj Q & \infer{R}{[P]} & \infer{R}{[Q]}}\\[4ex]
216d6ed87399 Initial revision lcp parents: diff changeset	27
216d6ed87399 Initial revision lcp parents: diff changeset	28	\infer[({\imp}I)]{P\imp Q}{\infer*{Q}{[P]}} &
216d6ed87399 Initial revision lcp parents: diff changeset	29	\infer[({\imp}E)]{Q}{P\imp Q & P} \\[4ex]
216d6ed87399 Initial revision lcp parents: diff changeset	30
216d6ed87399 Initial revision lcp parents: diff changeset	31	&
216d6ed87399 Initial revision lcp parents: diff changeset	32	\infer[({\bot}E)]{P}{\bot}\\[4ex]
216d6ed87399 Initial revision lcp parents: diff changeset	33
216d6ed87399 Initial revision lcp parents: diff changeset	34	\infer[({\forall}I)*]{\forall x.P}{P} &
216d6ed87399 Initial revision lcp parents: diff changeset	35	\infer[({\forall}E)]{P[t/x]}{\forall x.P} \\[3ex]
216d6ed87399 Initial revision lcp parents: diff changeset	36
216d6ed87399 Initial revision lcp parents: diff changeset	37	\infer[({\exists}I)]{\exists x.P}{P[t/x]} &
216d6ed87399 Initial revision lcp parents: diff changeset	38	\infer[({\exists}E)]{Q}{{\exists x.P} & \infer{Q}{[P]} } \\[3ex]
216d6ed87399 Initial revision lcp parents: diff changeset	39
216d6ed87399 Initial revision lcp parents: diff changeset	40	{t=t} \,(refl) & \vcenter{\infer[(subst)]{P[u/x]}{t=u & P[t/x]}}
216d6ed87399 Initial revision lcp parents: diff changeset	41	\end{array} \)
216d6ed87399 Initial revision lcp parents: diff changeset	42
216d6ed87399 Initial revision lcp parents: diff changeset	43	\bigskip\bigskip
216d6ed87399 Initial revision lcp parents: diff changeset	44	*{\em Eigenvariable conditions\/}:
216d6ed87399 Initial revision lcp parents: diff changeset	45
216d6ed87399 Initial revision lcp parents: diff changeset	46	$\forall I$: provided $x$ is not free in the assumptions
216d6ed87399 Initial revision lcp parents: diff changeset	47
216d6ed87399 Initial revision lcp parents: diff changeset	48	$\exists E$: provided $x$ is not free in $Q$ or any assumption except $P$
216d6ed87399 Initial revision lcp parents: diff changeset	49	\caption{Intuitionistic first-order logic} \label{fol-fig}
216d6ed87399 Initial revision lcp parents: diff changeset	50	\end{figure}
216d6ed87399 Initial revision lcp parents: diff changeset	51
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	52	\section{Formalizing logical syntax in Isabelle}\label{sec:logical-syntax}
105 216d6ed87399 Initial revision lcp parents: diff changeset	53	\index{Isabelle!formalizing syntax\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	54	Figure~\ref{fol-fig} presents intuitionistic first-order logic,
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	55	including equality. Let us see how to formalize
105 216d6ed87399 Initial revision lcp parents: diff changeset	56	this logic in Isabelle, illustrating the main features of Isabelle's
216d6ed87399 Initial revision lcp parents: diff changeset	57	polymorphic meta-logic.
216d6ed87399 Initial revision lcp parents: diff changeset	58
216d6ed87399 Initial revision lcp parents: diff changeset	59	Isabelle represents syntax using the typed $\lambda$-calculus. We declare
216d6ed87399 Initial revision lcp parents: diff changeset	60	a type for each syntactic category of the logic. We declare a constant for
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	61	each symbol of the logic, giving each $n$-place operation an $n$-argument
105 216d6ed87399 Initial revision lcp parents: diff changeset	62	curried function type. Most importantly, $\lambda$-abstraction represents
216d6ed87399 Initial revision lcp parents: diff changeset	63	variable binding in quantifiers.
216d6ed87399 Initial revision lcp parents: diff changeset	64
216d6ed87399 Initial revision lcp parents: diff changeset	65	\index{$\To$\|bold}\index{types}
216d6ed87399 Initial revision lcp parents: diff changeset	66	Isabelle has \ML-style type constructors such as~$(\alpha)list$, where
216d6ed87399 Initial revision lcp parents: diff changeset	67	$(bool)list$ is the type of lists of booleans. Function types have the
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	68	form $\sigma\To\tau$, where $\sigma$ and $\tau$ are types. Curried
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	69	function types may be abbreviated:
105 216d6ed87399 Initial revision lcp parents: diff changeset	70	\[ \sigma@1\To (\cdots \sigma@n\To \tau\cdots) \quad \hbox{as} \quad
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	71	[\sigma@1, \ldots, \sigma@n] \To \tau $$
105 216d6ed87399 Initial revision lcp parents: diff changeset	72
216d6ed87399 Initial revision lcp parents: diff changeset	73	The syntax for terms is summarised below. Note that function application is
216d6ed87399 Initial revision lcp parents: diff changeset	74	written $t(u)$ rather than the usual $t\,u$.
216d6ed87399 Initial revision lcp parents: diff changeset	75	\[
216d6ed87399 Initial revision lcp parents: diff changeset	76	\begin{array}{ll}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	77	t :: \tau & \hbox{type constraint, on a term or bound variable} \\
105 216d6ed87399 Initial revision lcp parents: diff changeset	78	\lambda x.t & \hbox{abstraction} \\
216d6ed87399 Initial revision lcp parents: diff changeset	79	\lambda x@1\ldots x@n.t
216d6ed87399 Initial revision lcp parents: diff changeset	80	& \hbox{curried abstraction, $\lambda x@1. \ldots \lambda x@n.t$} \\
216d6ed87399 Initial revision lcp parents: diff changeset	81	t(u) & \hbox{application} \\
216d6ed87399 Initial revision lcp parents: diff changeset	82	t (u@1, \ldots, u@n) & \hbox{curried application, $t(u@1)\ldots(u@n)$}
216d6ed87399 Initial revision lcp parents: diff changeset	83	\end{array}
216d6ed87399 Initial revision lcp parents: diff changeset	84	\]
216d6ed87399 Initial revision lcp parents: diff changeset	85
216d6ed87399 Initial revision lcp parents: diff changeset	86
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	87	\subsection{Simple types and constants}\index{types!simple\|bold}
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	88
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	89	The syntactic categories of our logic (Fig.\ts\ref{fol-fig}) are {\bf
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	90	formulae} and {\bf terms}. Formulae denote truth values, so (following
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	91	tradition) let us call their type~$o$. To allow~0 and~$Suc(t)$ as terms,
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	92	let us declare a type~$nat$ of natural numbers. Later, we shall see
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	93	how to admit terms of other types.
105 216d6ed87399 Initial revision lcp parents: diff changeset	94
216d6ed87399 Initial revision lcp parents: diff changeset	95	After declaring the types~$o$ and~$nat$, we may declare constants for the
216d6ed87399 Initial revision lcp parents: diff changeset	96	symbols of our logic. Since $\bot$ denotes a truth value (falsity) and 0
216d6ed87399 Initial revision lcp parents: diff changeset	97	denotes a number, we put \begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	98	\bot & :: & o \\
216d6ed87399 Initial revision lcp parents: diff changeset	99	0 & :: & nat.
216d6ed87399 Initial revision lcp parents: diff changeset	100	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	101	If a symbol requires operands, the corresponding constant must have a
216d6ed87399 Initial revision lcp parents: diff changeset	102	function type. In our logic, the successor function
216d6ed87399 Initial revision lcp parents: diff changeset	103	($Suc$) is from natural numbers to natural numbers, negation ($\neg$) is a
216d6ed87399 Initial revision lcp parents: diff changeset	104	function from truth values to truth values, and the binary connectives are
216d6ed87399 Initial revision lcp parents: diff changeset	105	curried functions taking two truth values as arguments:
216d6ed87399 Initial revision lcp parents: diff changeset	106	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	107	Suc & :: & nat\To nat \\
216d6ed87399 Initial revision lcp parents: diff changeset	108	{\neg} & :: & o\To o \\
216d6ed87399 Initial revision lcp parents: diff changeset	109	\conj,\disj,\imp,\bimp & :: & [o,o]\To o
216d6ed87399 Initial revision lcp parents: diff changeset	110	\end{eqnarray*}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	111	The binary connectives can be declared as infixes, with appropriate
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	112	precedences, so that we write $P\conj Q\disj R$ instead of
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	113	$\disj(\conj(P,Q), R)$.
105 216d6ed87399 Initial revision lcp parents: diff changeset	114
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	115	\S\ref{sec:defining-theories} below describes the syntax of Isabelle theory
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	116	files and illustrates it by extending our logic with mathematical induction.
105 216d6ed87399 Initial revision lcp parents: diff changeset	117
216d6ed87399 Initial revision lcp parents: diff changeset	118
216d6ed87399 Initial revision lcp parents: diff changeset	119	\subsection{Polymorphic types and constants} \label{polymorphic}
216d6ed87399 Initial revision lcp parents: diff changeset	120	\index{types!polymorphic\|bold}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	121	\index{equality!polymorphic}
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	122
105 216d6ed87399 Initial revision lcp parents: diff changeset	123	Which type should we assign to the equality symbol? If we tried
216d6ed87399 Initial revision lcp parents: diff changeset	124	$[nat,nat]\To o$, then equality would be restricted to the natural
216d6ed87399 Initial revision lcp parents: diff changeset	125	numbers; we would have to declare different equality symbols for each
216d6ed87399 Initial revision lcp parents: diff changeset	126	type. Isabelle's type system is polymorphic, so we could declare
216d6ed87399 Initial revision lcp parents: diff changeset	127	\begin{eqnarray*}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	128	{=} & :: & [\alpha,\alpha]\To o,
105 216d6ed87399 Initial revision lcp parents: diff changeset	129	\end{eqnarray*}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	130	where the type variable~$\alpha$ ranges over all types.
105 216d6ed87399 Initial revision lcp parents: diff changeset	131	But this is also wrong. The declaration is too polymorphic; $\alpha$
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	132	includes types like~$o$ and $nat\To nat$. Thus, it admits
105 216d6ed87399 Initial revision lcp parents: diff changeset	133	$\bot=\neg(\bot)$ and $Suc=Suc$ as formulae, which is acceptable in
216d6ed87399 Initial revision lcp parents: diff changeset	134	higher-order logic but not in first-order logic.
216d6ed87399 Initial revision lcp parents: diff changeset	135
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	136	Isabelle's {\bf type classes}\index{classes} control
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	137	polymorphism~\cite{nipkow-prehofer}. Each type variable belongs to a
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	138	class, which denotes a set of types. Classes are partially ordered by the
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	139	subclass relation, which is essentially the subset relation on the sets of
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	140	types. They closely resemble the classes of the functional language
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	141	Haskell~\cite{haskell-tutorial,haskell-report}.
105 216d6ed87399 Initial revision lcp parents: diff changeset	142
216d6ed87399 Initial revision lcp parents: diff changeset	143	Isabelle provides the built-in class $logic$, which consists of the logical
216d6ed87399 Initial revision lcp parents: diff changeset	144	types: the ones we want to reason about. Let us declare a class $term$, to
216d6ed87399 Initial revision lcp parents: diff changeset	145	consist of all legal types of terms in our logic. The subclass structure
216d6ed87399 Initial revision lcp parents: diff changeset	146	is now $term\le logic$.
216d6ed87399 Initial revision lcp parents: diff changeset	147
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	148	We put $nat$ in class $term$ by declaring $nat{::}term$. We declare the
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	149	equality constant by
105 216d6ed87399 Initial revision lcp parents: diff changeset	150	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	151	{=} & :: & [\alpha{::}term,\alpha]\To o
216d6ed87399 Initial revision lcp parents: diff changeset	152	\end{eqnarray*}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	153	where $\alpha{::}term$ constrains the type variable~$\alpha$ to class
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	154	$term$. Such type variables resemble Standard~\ML's equality type
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	155	variables.
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	156
105 216d6ed87399 Initial revision lcp parents: diff changeset	157	We give function types and~$o$ the class $logic$ rather than~$term$, since
216d6ed87399 Initial revision lcp parents: diff changeset	158	they are not legal types for terms. We may introduce new types of class
216d6ed87399 Initial revision lcp parents: diff changeset	159	$term$ --- for instance, type $string$ or $real$ --- at any time. We can
216d6ed87399 Initial revision lcp parents: diff changeset	160	even declare type constructors such as $(\alpha)list$, and state that type
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	161	$(\tau)list$ belongs to class~$term$ provided $\tau$ does; equality
105 216d6ed87399 Initial revision lcp parents: diff changeset	162	applies to lists of natural numbers but not to lists of formulae. We may
216d6ed87399 Initial revision lcp parents: diff changeset	163	summarize this paragraph by a set of {\bf arity declarations} for type
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	164	constructors: \index{$\To$\|bold}\index{arities!declaring}
105 216d6ed87399 Initial revision lcp parents: diff changeset	165	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	166	o & :: & logic \\
216d6ed87399 Initial revision lcp parents: diff changeset	167	{\To} & :: & (logic,logic)logic \\
216d6ed87399 Initial revision lcp parents: diff changeset	168	nat, string, real & :: & term \\
216d6ed87399 Initial revision lcp parents: diff changeset	169	list & :: & (term)term
216d6ed87399 Initial revision lcp parents: diff changeset	170	\end{eqnarray*}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	171	In higher-order logic, equality does apply to truth values and
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	172	functions; this requires the arity declarations ${o::term}$
105 216d6ed87399 Initial revision lcp parents: diff changeset	173	and ${{\To}::(term,term)term}$. The class system can also handle
216d6ed87399 Initial revision lcp parents: diff changeset	174	overloading.\index{overloading\|bold} We could declare $arith$ to be the
216d6ed87399 Initial revision lcp parents: diff changeset	175	subclass of $term$ consisting of the `arithmetic' types, such as~$nat$.
216d6ed87399 Initial revision lcp parents: diff changeset	176	Then we could declare the operators
216d6ed87399 Initial revision lcp parents: diff changeset	177	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	178	{+},{-},{\times},{/} & :: & [\alpha{::}arith,\alpha]\To \alpha
216d6ed87399 Initial revision lcp parents: diff changeset	179	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	180	If we declare new types $real$ and $complex$ of class $arith$, then we
216d6ed87399 Initial revision lcp parents: diff changeset	181	effectively have three sets of operators:
216d6ed87399 Initial revision lcp parents: diff changeset	182	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	183	{+},{-},{\times},{/} & :: & [nat,nat]\To nat \\
216d6ed87399 Initial revision lcp parents: diff changeset	184	{+},{-},{\times},{/} & :: & [real,real]\To real \\
216d6ed87399 Initial revision lcp parents: diff changeset	185	{+},{-},{\times},{/} & :: & [complex,complex]\To complex
216d6ed87399 Initial revision lcp parents: diff changeset	186	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	187	Isabelle will regard these as distinct constants, each of which can be defined
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	188	separately. We could even introduce the type $(\alpha)vector$ and declare
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	189	its arity as $(arith)arith$. Then we could declare the constant
105 216d6ed87399 Initial revision lcp parents: diff changeset	190	\begin{eqnarray*}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	191	{+} & :: & [(\alpha)vector,(\alpha)vector]\To (\alpha)vector
105 216d6ed87399 Initial revision lcp parents: diff changeset	192	\end{eqnarray*}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	193	and specify it in terms of ${+} :: [\alpha,\alpha]\To \alpha$.
105 216d6ed87399 Initial revision lcp parents: diff changeset	194
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	195	A type variable may belong to any finite number of classes. Suppose that
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	196	we had declared yet another class $ord \le term$, the class of all
105 216d6ed87399 Initial revision lcp parents: diff changeset	197	`ordered' types, and a constant
216d6ed87399 Initial revision lcp parents: diff changeset	198	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	199	{\le} & :: & [\alpha{::}ord,\alpha]\To o.
216d6ed87399 Initial revision lcp parents: diff changeset	200	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	201	In this context the variable $x$ in $x \le (x+x)$ will be assigned type
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	202	$\alpha{::}\{arith,ord\}$, which means $\alpha$ belongs to both $arith$ and
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	203	$ord$. Semantically the set $\{arith,ord\}$ should be understood as the
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	204	intersection of the sets of types represented by $arith$ and $ord$. Such
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	205	intersections of classes are called \bfindex{sorts}. The empty
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	206	intersection of classes, $\{\}$, contains all types and is thus the {\bf
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	207	universal sort}.
105 216d6ed87399 Initial revision lcp parents: diff changeset	208
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	209	Even with overloading, each term has a unique, most general type. For this
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	210	to be possible, the class and type declarations must satisfy certain
105 216d6ed87399 Initial revision lcp parents: diff changeset	211	technical constraints~\cite{nipkow-prehofer}.
216d6ed87399 Initial revision lcp parents: diff changeset	212
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	213
105 216d6ed87399 Initial revision lcp parents: diff changeset	214	\subsection{Higher types and quantifiers}
216d6ed87399 Initial revision lcp parents: diff changeset	215	\index{types!higher\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	216	Quantifiers are regarded as operations upon functions. Ignoring polymorphism
216d6ed87399 Initial revision lcp parents: diff changeset	217	for the moment, consider the formula $\forall x. P(x)$, where $x$ ranges
216d6ed87399 Initial revision lcp parents: diff changeset	218	over type~$nat$. This is true if $P(x)$ is true for all~$x$. Abstracting
216d6ed87399 Initial revision lcp parents: diff changeset	219	$P(x)$ into a function, this is the same as saying that $\lambda x.P(x)$
216d6ed87399 Initial revision lcp parents: diff changeset	220	returns true for all arguments. Thus, the universal quantifier can be
216d6ed87399 Initial revision lcp parents: diff changeset	221	represented by a constant
216d6ed87399 Initial revision lcp parents: diff changeset	222	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	223	\forall & :: & (nat\To o) \To o,
216d6ed87399 Initial revision lcp parents: diff changeset	224	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	225	which is essentially an infinitary truth table. The representation of $\forall
216d6ed87399 Initial revision lcp parents: diff changeset	226	x. P(x)$ is $\forall(\lambda x. P(x))$.
216d6ed87399 Initial revision lcp parents: diff changeset	227
216d6ed87399 Initial revision lcp parents: diff changeset	228	The existential quantifier is treated
216d6ed87399 Initial revision lcp parents: diff changeset	229	in the same way. Other binding operators are also easily handled; for
216d6ed87399 Initial revision lcp parents: diff changeset	230	instance, the summation operator $\Sigma@{k=i}^j f(k)$ can be represented as
216d6ed87399 Initial revision lcp parents: diff changeset	231	$\Sigma(i,j,\lambda k.f(k))$, where
216d6ed87399 Initial revision lcp parents: diff changeset	232	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	233	\Sigma & :: & [nat,nat, nat\To nat] \To nat.
216d6ed87399 Initial revision lcp parents: diff changeset	234	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	235	Quantifiers may be polymorphic. We may define $\forall$ and~$\exists$ over
216d6ed87399 Initial revision lcp parents: diff changeset	236	all legal types of terms, not just the natural numbers, and
216d6ed87399 Initial revision lcp parents: diff changeset	237	allow summations over all arithmetic types:
216d6ed87399 Initial revision lcp parents: diff changeset	238	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	239	\forall,\exists & :: & (\alpha{::}term\To o) \To o \\
216d6ed87399 Initial revision lcp parents: diff changeset	240	\Sigma & :: & [nat,nat, nat\To \alpha{::}arith] \To \alpha
216d6ed87399 Initial revision lcp parents: diff changeset	241	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	242	Observe that the index variables still have type $nat$, while the values
216d6ed87399 Initial revision lcp parents: diff changeset	243	being summed may belong to any arithmetic type.
216d6ed87399 Initial revision lcp parents: diff changeset	244
216d6ed87399 Initial revision lcp parents: diff changeset	245
216d6ed87399 Initial revision lcp parents: diff changeset	246	\section{Formalizing logical rules in Isabelle}
216d6ed87399 Initial revision lcp parents: diff changeset	247	\index{meta-logic\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	248	\index{Isabelle!formalizing rules\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	249	\index{$\Imp$\|bold}\index{$\Forall$\|bold}\index{$\equiv$\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	250	\index{implication!meta-level\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	251	\index{quantifiers!meta-level\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	252	\index{equality!meta-level\|bold}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	253
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	254	Object-logics are formalized by extending Isabelle's
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	255	meta-logic~\cite{paulson89}, which is intuitionistic higher-order logic.
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	256	The meta-level connectives are {\bf implication}, the {\bf universal
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	257	quantifier}, and {\bf equality}.
105 216d6ed87399 Initial revision lcp parents: diff changeset	258	\begin{itemize}
216d6ed87399 Initial revision lcp parents: diff changeset	259	\item The implication $\phi\Imp \psi$ means `$\phi$ implies
216d6ed87399 Initial revision lcp parents: diff changeset	260	$\psi$', and expresses logical {\bf entailment}.
216d6ed87399 Initial revision lcp parents: diff changeset	261
216d6ed87399 Initial revision lcp parents: diff changeset	262	\item The quantification $\Forall x.\phi$ means `$\phi$ is true for
216d6ed87399 Initial revision lcp parents: diff changeset	263	all $x$', and expresses {\bf generality} in rules and axiom schemes.
216d6ed87399 Initial revision lcp parents: diff changeset	264
216d6ed87399 Initial revision lcp parents: diff changeset	265	\item The equality $a\equiv b$ means `$a$ equals $b$', for expressing
216d6ed87399 Initial revision lcp parents: diff changeset	266	\bfindex{definitions} (see~\S\ref{definitions}). Equalities left over
216d6ed87399 Initial revision lcp parents: diff changeset	267	from the unification process, so called \bfindex{flex-flex equations},
216d6ed87399 Initial revision lcp parents: diff changeset	268	are written $a\qeq b$. The two equality symbols have the same logical
216d6ed87399 Initial revision lcp parents: diff changeset	269	meaning.
216d6ed87399 Initial revision lcp parents: diff changeset	270
216d6ed87399 Initial revision lcp parents: diff changeset	271	\end{itemize}
216d6ed87399 Initial revision lcp parents: diff changeset	272	The syntax of the meta-logic is formalized in precisely in the same manner
216d6ed87399 Initial revision lcp parents: diff changeset	273	as object-logics, using the typed $\lambda$-calculus. Analogous to
216d6ed87399 Initial revision lcp parents: diff changeset	274	type~$o$ above, there is a built-in type $prop$ of meta-level truth values.
216d6ed87399 Initial revision lcp parents: diff changeset	275	Meta-level formulae will have this type. Type $prop$ belongs to
216d6ed87399 Initial revision lcp parents: diff changeset	276	class~$logic$; also, $\sigma\To\tau$ belongs to $logic$ provided $\sigma$
216d6ed87399 Initial revision lcp parents: diff changeset	277	and $\tau$ do. Here are the types of the built-in connectives:
216d6ed87399 Initial revision lcp parents: diff changeset	278	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	279	\Imp & :: & [prop,prop]\To prop \\
216d6ed87399 Initial revision lcp parents: diff changeset	280	\Forall & :: & (\alpha{::}logic\To prop) \To prop \\
216d6ed87399 Initial revision lcp parents: diff changeset	281	{\equiv} & :: & [\alpha{::}\{\},\alpha]\To prop \\
216d6ed87399 Initial revision lcp parents: diff changeset	282	\qeq & :: & [\alpha{::}\{\},\alpha]\To prop c
216d6ed87399 Initial revision lcp parents: diff changeset	283	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	284	The restricted polymorphism in $\Forall$ excludes certain types, those used
216d6ed87399 Initial revision lcp parents: diff changeset	285	just for parsing.
216d6ed87399 Initial revision lcp parents: diff changeset	286
216d6ed87399 Initial revision lcp parents: diff changeset	287	In our formalization of first-order logic, we declared a type~$o$ of
216d6ed87399 Initial revision lcp parents: diff changeset	288	object-level truth values, rather than using~$prop$ for this purpose. If
216d6ed87399 Initial revision lcp parents: diff changeset	289	we declared the object-level connectives to have types such as
216d6ed87399 Initial revision lcp parents: diff changeset	290	${\neg}::prop\To prop$, then these connectives would be applicable to
216d6ed87399 Initial revision lcp parents: diff changeset	291	meta-level formulae. Keeping $prop$ and $o$ as separate types maintains
216d6ed87399 Initial revision lcp parents: diff changeset	292	the distinction between the meta-level and the object-level. To formalize
216d6ed87399 Initial revision lcp parents: diff changeset	293	the inference rules, we shall need to relate the two levels; accordingly,
216d6ed87399 Initial revision lcp parents: diff changeset	294	we declare the constant
216d6ed87399 Initial revision lcp parents: diff changeset	295	\index{Trueprop@{$Trueprop$}}
216d6ed87399 Initial revision lcp parents: diff changeset	296	\begin{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	297	Trueprop & :: & o\To prop.
216d6ed87399 Initial revision lcp parents: diff changeset	298	\end{eqnarray*}
216d6ed87399 Initial revision lcp parents: diff changeset	299	We may regard $Trueprop$ as a meta-level predicate, reading $Trueprop(P)$ as
216d6ed87399 Initial revision lcp parents: diff changeset	300	`$P$ is true at the object-level.' Put another way, $Trueprop$ is a coercion
216d6ed87399 Initial revision lcp parents: diff changeset	301	from $o$ to $prop$.
216d6ed87399 Initial revision lcp parents: diff changeset	302
216d6ed87399 Initial revision lcp parents: diff changeset	303
216d6ed87399 Initial revision lcp parents: diff changeset	304	\subsection{Expressing propositional rules}
216d6ed87399 Initial revision lcp parents: diff changeset	305	\index{rules!propositional\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	306	We shall illustrate the use of the meta-logic by formalizing the rules of
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	307	Fig.\ts\ref{fol-fig}. Each object-level rule is expressed as a meta-level
105 216d6ed87399 Initial revision lcp parents: diff changeset	308	axiom.
216d6ed87399 Initial revision lcp parents: diff changeset	309
216d6ed87399 Initial revision lcp parents: diff changeset	310	One of the simplest rules is $(\conj E1)$. Making
216d6ed87399 Initial revision lcp parents: diff changeset	311	everything explicit, its formalization in the meta-logic is
216d6ed87399 Initial revision lcp parents: diff changeset	312	$$ \Forall P\;Q. Trueprop(P\conj Q) \Imp Trueprop(P). \eqno(\conj E1) $$
216d6ed87399 Initial revision lcp parents: diff changeset	313	This may look formidable, but it has an obvious reading: for all object-level
216d6ed87399 Initial revision lcp parents: diff changeset	314	truth values $P$ and~$Q$, if $P\conj Q$ is true then so is~$P$. The
216d6ed87399 Initial revision lcp parents: diff changeset	315	reading is correct because the meta-logic has simple models, where
216d6ed87399 Initial revision lcp parents: diff changeset	316	types denote sets and $\Forall$ really means `for all.'
216d6ed87399 Initial revision lcp parents: diff changeset	317
216d6ed87399 Initial revision lcp parents: diff changeset	318	\index{Trueprop@{$Trueprop$}}
216d6ed87399 Initial revision lcp parents: diff changeset	319	Isabelle adopts notational conventions to ease the writing of rules. We may
216d6ed87399 Initial revision lcp parents: diff changeset	320	hide the occurrences of $Trueprop$ by making it an implicit coercion.
216d6ed87399 Initial revision lcp parents: diff changeset	321	Outer universal quantifiers may be dropped. Finally, the nested implication
216d6ed87399 Initial revision lcp parents: diff changeset	322	\[ \phi@1\Imp(\cdots \phi@n\Imp\psi\cdots) \]
216d6ed87399 Initial revision lcp parents: diff changeset	323	may be abbreviated as $\List{\phi@1; \ldots; \phi@n} \Imp \psi$, which
216d6ed87399 Initial revision lcp parents: diff changeset	324	formalizes a rule of $n$~premises.
216d6ed87399 Initial revision lcp parents: diff changeset	325
216d6ed87399 Initial revision lcp parents: diff changeset	326	Using these conventions, the conjunction rules become the following axioms.
216d6ed87399 Initial revision lcp parents: diff changeset	327	These fully specify the properties of~$\conj$:
216d6ed87399 Initial revision lcp parents: diff changeset	328	$$ \List{P; Q} \Imp P\conj Q \eqno(\conj I) $$
216d6ed87399 Initial revision lcp parents: diff changeset	329	$$ P\conj Q \Imp P \qquad P\conj Q \Imp Q \eqno(\conj E1,2) $$
216d6ed87399 Initial revision lcp parents: diff changeset	330
216d6ed87399 Initial revision lcp parents: diff changeset	331	\noindent
216d6ed87399 Initial revision lcp parents: diff changeset	332	Next, consider the disjunction rules. The discharge of assumption in
216d6ed87399 Initial revision lcp parents: diff changeset	333	$(\disj E)$ is expressed using $\Imp$:
216d6ed87399 Initial revision lcp parents: diff changeset	334	$$ P \Imp P\disj Q \qquad Q \Imp P\disj Q \eqno(\disj I1,2) $$
216d6ed87399 Initial revision lcp parents: diff changeset	335	$$ \List{P\disj Q; P\Imp R; Q\Imp R} \Imp R \eqno(\disj E) $$
216d6ed87399 Initial revision lcp parents: diff changeset	336
216d6ed87399 Initial revision lcp parents: diff changeset	337	\noindent
216d6ed87399 Initial revision lcp parents: diff changeset	338	To understand this treatment of assumptions\index{assumptions} in natural
216d6ed87399 Initial revision lcp parents: diff changeset	339	deduction, look at implication. The rule $({\imp}I)$ is the classic
216d6ed87399 Initial revision lcp parents: diff changeset	340	example of natural deduction: to prove that $P\imp Q$ is true, assume $P$
216d6ed87399 Initial revision lcp parents: diff changeset	341	is true and show that $Q$ must then be true. More concisely, if $P$
216d6ed87399 Initial revision lcp parents: diff changeset	342	implies $Q$ (at the meta-level), then $P\imp Q$ is true (at the
216d6ed87399 Initial revision lcp parents: diff changeset	343	object-level). Showing the coercion explicitly, this is formalized as
216d6ed87399 Initial revision lcp parents: diff changeset	344	\[ (Trueprop(P)\Imp Trueprop(Q)) \Imp Trueprop(P\imp Q). \]
216d6ed87399 Initial revision lcp parents: diff changeset	345	The rule $({\imp}E)$ is straightforward; hiding $Trueprop$, the axioms to
216d6ed87399 Initial revision lcp parents: diff changeset	346	specify $\imp$ are
216d6ed87399 Initial revision lcp parents: diff changeset	347	$$ (P \Imp Q) \Imp P\imp Q \eqno({\imp}I) $$
216d6ed87399 Initial revision lcp parents: diff changeset	348	$$ \List{P\imp Q; P} \Imp Q. \eqno({\imp}E) $$
216d6ed87399 Initial revision lcp parents: diff changeset	349
216d6ed87399 Initial revision lcp parents: diff changeset	350	\noindent
216d6ed87399 Initial revision lcp parents: diff changeset	351	Finally, the intuitionistic contradiction rule is formalized as the axiom
216d6ed87399 Initial revision lcp parents: diff changeset	352	$$ \bot \Imp P. \eqno(\bot E) $$
216d6ed87399 Initial revision lcp parents: diff changeset	353
216d6ed87399 Initial revision lcp parents: diff changeset	354	\begin{warn}
216d6ed87399 Initial revision lcp parents: diff changeset	355	Earlier versions of Isabelle, and certain
216d6ed87399 Initial revision lcp parents: diff changeset	356	papers~\cite{paulson89,paulson700}, use $\List{P}$ to mean $Trueprop(P)$.
216d6ed87399 Initial revision lcp parents: diff changeset	357	\index{Trueprop@{$Trueprop$}}
216d6ed87399 Initial revision lcp parents: diff changeset	358	\end{warn}
216d6ed87399 Initial revision lcp parents: diff changeset	359
216d6ed87399 Initial revision lcp parents: diff changeset	360	\subsection{Quantifier rules and substitution}
216d6ed87399 Initial revision lcp parents: diff changeset	361	\index{rules!quantifier\|bold}\index{substitution\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	362	\index{variables!bound}
216d6ed87399 Initial revision lcp parents: diff changeset	363	Isabelle expresses variable binding using $\lambda$-abstraction; for instance,
216d6ed87399 Initial revision lcp parents: diff changeset	364	$\forall x.P$ is formalized as $\forall(\lambda x.P)$. Recall that $F(t)$
216d6ed87399 Initial revision lcp parents: diff changeset	365	is Isabelle's syntax for application of the function~$F$ to the argument~$t$;
216d6ed87399 Initial revision lcp parents: diff changeset	366	it is not a meta-notation for substitution. On the other hand, a substitution
216d6ed87399 Initial revision lcp parents: diff changeset	367	will take place if $F$ has the form $\lambda x.P$; Isabelle transforms
216d6ed87399 Initial revision lcp parents: diff changeset	368	$(\lambda x.P)(t)$ to~$P[t/x]$ by $\beta$-conversion. Thus, we can express
216d6ed87399 Initial revision lcp parents: diff changeset	369	inference rules that involve substitution for bound variables.
216d6ed87399 Initial revision lcp parents: diff changeset	370
216d6ed87399 Initial revision lcp parents: diff changeset	371	\index{parameters\|bold}\index{eigenvariables\|see{parameters}}
216d6ed87399 Initial revision lcp parents: diff changeset	372	A logic may attach provisos to certain of its rules, especially quantifier
216d6ed87399 Initial revision lcp parents: diff changeset	373	rules. We cannot hope to formalize arbitrary provisos. Fortunately, those
216d6ed87399 Initial revision lcp parents: diff changeset	374	typical of quantifier rules always have the same form, namely `$x$ not free in
216d6ed87399 Initial revision lcp parents: diff changeset	375	\ldots {\it (some set of formulae)},' where $x$ is a variable (called a {\bf
216d6ed87399 Initial revision lcp parents: diff changeset	376	parameter} or {\bf eigenvariable}) in some premise. Isabelle treats
216d6ed87399 Initial revision lcp parents: diff changeset	377	provisos using~$\Forall$, its inbuilt notion of `for all'.
216d6ed87399 Initial revision lcp parents: diff changeset	378
216d6ed87399 Initial revision lcp parents: diff changeset	379	\index{$\Forall$}
216d6ed87399 Initial revision lcp parents: diff changeset	380	The purpose of the proviso `$x$ not free in \ldots' is
216d6ed87399 Initial revision lcp parents: diff changeset	381	to ensure that the premise may not make assumptions about the value of~$x$,
216d6ed87399 Initial revision lcp parents: diff changeset	382	and therefore holds for all~$x$. We formalize $(\forall I)$ by
216d6ed87399 Initial revision lcp parents: diff changeset	383	\[ \left(\Forall x. Trueprop(P(x))\right) \Imp Trueprop(\forall x.P(x)). \]
216d6ed87399 Initial revision lcp parents: diff changeset	384	This means, `if $P(x)$ is true for all~$x$, then $\forall x.P(x)$ is true.'
216d6ed87399 Initial revision lcp parents: diff changeset	385	The $\forall E$ rule exploits $\beta$-conversion. Hiding $Trueprop$, the
216d6ed87399 Initial revision lcp parents: diff changeset	386	$\forall$ axioms are
216d6ed87399 Initial revision lcp parents: diff changeset	387	$$ \left(\Forall x. P(x)\right) \Imp \forall x.P(x) \eqno(\forall I) $$
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	388	$$ (\forall x.P(x)) \Imp P(t). \eqno(\forall E)$$
105 216d6ed87399 Initial revision lcp parents: diff changeset	389
216d6ed87399 Initial revision lcp parents: diff changeset	390	\noindent
216d6ed87399 Initial revision lcp parents: diff changeset	391	We have defined the object-level universal quantifier~($\forall$)
216d6ed87399 Initial revision lcp parents: diff changeset	392	using~$\Forall$. But we do not require meta-level counterparts of all the
216d6ed87399 Initial revision lcp parents: diff changeset	393	connectives of the object-logic! Consider the existential quantifier:
216d6ed87399 Initial revision lcp parents: diff changeset	394	$$ P(t) \Imp \exists x.P(x) \eqno(\exists I)$$
216d6ed87399 Initial revision lcp parents: diff changeset	395	$$ \List{\exists x.P(x);\; \Forall x. P(x)\Imp Q} \Imp Q \eqno(\exists E) $$
216d6ed87399 Initial revision lcp parents: diff changeset	396	Let us verify $(\exists E)$ semantically. Suppose that the premises
216d6ed87399 Initial revision lcp parents: diff changeset	397	hold; since $\exists x.P(x)$ is true, we may choose $a$ such that $P(a)$ is
216d6ed87399 Initial revision lcp parents: diff changeset	398	true. Instantiating $\Forall x. P(x)\Imp Q$ with $a$ yields $P(a)\Imp Q$, and
216d6ed87399 Initial revision lcp parents: diff changeset	399	we obtain the desired conclusion, $Q$.
216d6ed87399 Initial revision lcp parents: diff changeset	400
216d6ed87399 Initial revision lcp parents: diff changeset	401	The treatment of substitution deserves mention. The rule
216d6ed87399 Initial revision lcp parents: diff changeset	402	\[ \infer{P[u/t]}{t=u & P} \]
216d6ed87399 Initial revision lcp parents: diff changeset	403	would be hard to formalize in Isabelle. It calls for replacing~$t$ by $u$
216d6ed87399 Initial revision lcp parents: diff changeset	404	throughout~$P$, which cannot be expressed using $\beta$-conversion. Our
216d6ed87399 Initial revision lcp parents: diff changeset	405	rule~$(subst)$ uses the occurrences of~$x$ in~$P$ as a template for
216d6ed87399 Initial revision lcp parents: diff changeset	406	substitution, inferring $P[u/x]$ from~$P[t/x]$. When we formalize this as
216d6ed87399 Initial revision lcp parents: diff changeset	407	an axiom, the template becomes a function variable:
216d6ed87399 Initial revision lcp parents: diff changeset	408	$$ \List{t=u; P(t)} \Imp P(u). \eqno(subst)$$
216d6ed87399 Initial revision lcp parents: diff changeset	409
216d6ed87399 Initial revision lcp parents: diff changeset	410
216d6ed87399 Initial revision lcp parents: diff changeset	411	\subsection{Signatures and theories}
216d6ed87399 Initial revision lcp parents: diff changeset	412	\index{signatures\|bold}\index{theories\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	413	A {\bf signature} contains the information necessary for type checking,
216d6ed87399 Initial revision lcp parents: diff changeset	414	parsing and pretty printing. It specifies classes and their
216d6ed87399 Initial revision lcp parents: diff changeset	415	relationships; types, with their arities, and constants, with
216d6ed87399 Initial revision lcp parents: diff changeset	416	their types. It also contains syntax rules, specified using mixfix
216d6ed87399 Initial revision lcp parents: diff changeset	417	declarations.
216d6ed87399 Initial revision lcp parents: diff changeset	418
216d6ed87399 Initial revision lcp parents: diff changeset	419	Two signatures can be merged provided their specifications are compatible ---
216d6ed87399 Initial revision lcp parents: diff changeset	420	they must not, for example, assign different types to the same constant.
216d6ed87399 Initial revision lcp parents: diff changeset	421	Under similar conditions, a signature can be extended. Signatures are
216d6ed87399 Initial revision lcp parents: diff changeset	422	managed internally by Isabelle; users seldom encounter them.
216d6ed87399 Initial revision lcp parents: diff changeset	423
216d6ed87399 Initial revision lcp parents: diff changeset	424	A {\bf theory} consists of a signature plus a collection of axioms. The
216d6ed87399 Initial revision lcp parents: diff changeset	425	{\bf pure} theory contains only the meta-logic. Theories can be combined
216d6ed87399 Initial revision lcp parents: diff changeset	426	provided their signatures are compatible. A theory definition extends an
216d6ed87399 Initial revision lcp parents: diff changeset	427	existing theory with further signature specifications --- classes, types,
216d6ed87399 Initial revision lcp parents: diff changeset	428	constants and mixfix declarations --- plus a list of axioms, expressed as
216d6ed87399 Initial revision lcp parents: diff changeset	429	strings to be parsed. A theory can formalize a small piece of mathematics,
216d6ed87399 Initial revision lcp parents: diff changeset	430	such as lists and their operations, or an entire logic. A mathematical
216d6ed87399 Initial revision lcp parents: diff changeset	431	development typically involves many theories in a hierarchy. For example,
216d6ed87399 Initial revision lcp parents: diff changeset	432	the pure theory could be extended to form a theory for
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	433	Fig.\ts\ref{fol-fig}; this could be extended in two separate ways to form a
105 216d6ed87399 Initial revision lcp parents: diff changeset	434	theory for natural numbers and a theory for lists; the union of these two
216d6ed87399 Initial revision lcp parents: diff changeset	435	could be extended into a theory defining the length of a list:
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	436	\begin{tt}
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	437	\[
105 216d6ed87399 Initial revision lcp parents: diff changeset	438	\begin{array}{c@{}c@{}c@{}c@{}c}
216d6ed87399 Initial revision lcp parents: diff changeset	439	{} & {} & \hbox{Length} & {} & {} \\
216d6ed87399 Initial revision lcp parents: diff changeset	440	{} & {} & \uparrow & {} & {} \\
216d6ed87399 Initial revision lcp parents: diff changeset	441	{} & {} &\hbox{Nat}+\hbox{List}& {} & {} \\
216d6ed87399 Initial revision lcp parents: diff changeset	442	{} & \nearrow & {} & \nwarrow & {} \\
216d6ed87399 Initial revision lcp parents: diff changeset	443	\hbox{Nat} & {} & {} & {} & \hbox{List} \\
216d6ed87399 Initial revision lcp parents: diff changeset	444	{} & \nwarrow & {} & \nearrow & {} \\
216d6ed87399 Initial revision lcp parents: diff changeset	445	{} & {} &\hbox{FOL} & {} & {} \\
216d6ed87399 Initial revision lcp parents: diff changeset	446	{} & {} & \uparrow & {} & {} \\
216d6ed87399 Initial revision lcp parents: diff changeset	447	{} & {} &\hbox{Pure}& {} & {}
216d6ed87399 Initial revision lcp parents: diff changeset	448	\end{array}
216d6ed87399 Initial revision lcp parents: diff changeset	449	\]
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	450	\end{tt}
105 216d6ed87399 Initial revision lcp parents: diff changeset	451	Each Isabelle proof typically works within a single theory, which is
216d6ed87399 Initial revision lcp parents: diff changeset	452	associated with the proof state. However, many different theories may
216d6ed87399 Initial revision lcp parents: diff changeset	453	coexist at the same time, and you may work in each of these during a single
216d6ed87399 Initial revision lcp parents: diff changeset	454	session.
216d6ed87399 Initial revision lcp parents: diff changeset	455
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	456	\begin{warn}
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	457	Confusing problems arise if you work in the wrong theory. Each theory
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	458	defines its own syntax. An identifier may be regarded in one theory as a
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	459	constant and in another as a variable.
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	460	\end{warn}
105 216d6ed87399 Initial revision lcp parents: diff changeset	461
216d6ed87399 Initial revision lcp parents: diff changeset	462	\section{Proof construction in Isabelle}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	463	\index{Isabelle!proof construction in\|bold}
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	464
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	465	I have elsewhere described the meta-logic and demonstrated it by
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	466	formalizing first-order logic~\cite{paulson89}. There is a one-to-one
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	467	correspondence between meta-level proofs and object-level proofs. To each
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	468	use of a meta-level axiom, such as $(\forall I)$, there is a use of the
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	469	corresponding object-level rule. Object-level assumptions and parameters
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	470	have meta-level counterparts. The meta-level formalization is {\bf
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	471	faithful}, admitting no incorrect object-level inferences, and {\bf
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	472	adequate}, admitting all correct object-level inferences. These
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	473	properties must be demonstrated separately for each object-logic.
105 216d6ed87399 Initial revision lcp parents: diff changeset	474
216d6ed87399 Initial revision lcp parents: diff changeset	475	The meta-logic is defined by a collection of inference rules, including
216d6ed87399 Initial revision lcp parents: diff changeset	476	equational rules for the $\lambda$-calculus, and logical rules. The rules
216d6ed87399 Initial revision lcp parents: diff changeset	477	for~$\Imp$ and~$\Forall$ resemble those for~$\imp$ and~$\forall$ in
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	478	Fig.\ts\ref{fol-fig}. Proofs performed using the primitive meta-rules
105 216d6ed87399 Initial revision lcp parents: diff changeset	479	would be lengthy; Isabelle proofs normally use certain derived rules.
216d6ed87399 Initial revision lcp parents: diff changeset	480	{\bf Resolution}, in particular, is convenient for backward proof.
216d6ed87399 Initial revision lcp parents: diff changeset	481
216d6ed87399 Initial revision lcp parents: diff changeset	482	Unification is central to theorem proving. It supports quantifier
216d6ed87399 Initial revision lcp parents: diff changeset	483	reasoning by allowing certain `unknown' terms to be instantiated later,
216d6ed87399 Initial revision lcp parents: diff changeset	484	possibly in stages. When proving that the time required to sort $n$
216d6ed87399 Initial revision lcp parents: diff changeset	485	integers is proportional to~$n^2$, we need not state the constant of
216d6ed87399 Initial revision lcp parents: diff changeset	486	proportionality; when proving that a hardware adder will deliver the sum of
216d6ed87399 Initial revision lcp parents: diff changeset	487	its inputs, we need not state how many clock ticks will be required. Such
216d6ed87399 Initial revision lcp parents: diff changeset	488	quantities often emerge from the proof.
216d6ed87399 Initial revision lcp parents: diff changeset	489
216d6ed87399 Initial revision lcp parents: diff changeset	490	Isabelle provides {\bf schematic variables}, or \bfindex{unknowns}, for
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	491	unification. Logically, unknowns are free variables. But while ordinary
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	492	variables remain fixed, unification may instantiate unknowns. Unknowns are
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	493	written with a ?\ prefix and are frequently subscripted: $\Var{a}$,
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	494	$\Var{a@1}$, $\Var{a@2}$, \ldots, $\Var{P}$, $\Var{P@1}$, \ldots.
105 216d6ed87399 Initial revision lcp parents: diff changeset	495
216d6ed87399 Initial revision lcp parents: diff changeset	496	Recall that an inference rule of the form
216d6ed87399 Initial revision lcp parents: diff changeset	497	\[ \infer{\phi}{\phi@1 & \ldots & \phi@n} \]
216d6ed87399 Initial revision lcp parents: diff changeset	498	is formalized in Isabelle's meta-logic as the axiom
216d6ed87399 Initial revision lcp parents: diff changeset	499	$\List{\phi@1; \ldots; \phi@n} \Imp \phi$.
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	500	Such axioms resemble Prolog's Horn clauses, and can be combined by
105 216d6ed87399 Initial revision lcp parents: diff changeset	501	resolution --- Isabelle's principal proof method. Resolution yields both
216d6ed87399 Initial revision lcp parents: diff changeset	502	forward and backward proof. Backward proof works by unifying a goal with
216d6ed87399 Initial revision lcp parents: diff changeset	503	the conclusion of a rule, whose premises become new subgoals. Forward proof
216d6ed87399 Initial revision lcp parents: diff changeset	504	works by unifying theorems with the premises of a rule, deriving a new theorem.
216d6ed87399 Initial revision lcp parents: diff changeset	505
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	506	Isabelle axioms require an extended notion of resolution.
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	507	They differ from Horn clauses in two major respects:
105 216d6ed87399 Initial revision lcp parents: diff changeset	508	\begin{itemize}
216d6ed87399 Initial revision lcp parents: diff changeset	509	\item They are written in the typed $\lambda$-calculus, and therefore must be
216d6ed87399 Initial revision lcp parents: diff changeset	510	resolved using higher-order unification.
216d6ed87399 Initial revision lcp parents: diff changeset	511
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	512	\item The constituents of a clause need not be atomic formulae. Any
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	513	formula of the form $Trueprop(\cdots)$ is atomic, but axioms such as
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	514	${\imp}I$ and $\forall I$ contain non-atomic formulae.
105 216d6ed87399 Initial revision lcp parents: diff changeset	515	\end{itemize}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	516	Isabelle has little in common with classical resolution theorem provers
105 216d6ed87399 Initial revision lcp parents: diff changeset	517	such as Otter~\cite{wos-bledsoe}. At the meta-level, Isabelle proves
216d6ed87399 Initial revision lcp parents: diff changeset	518	theorems in their positive form, not by refutation. However, an
216d6ed87399 Initial revision lcp parents: diff changeset	519	object-logic that includes a contradiction rule may employ a refutation
216d6ed87399 Initial revision lcp parents: diff changeset	520	proof procedure.
216d6ed87399 Initial revision lcp parents: diff changeset	521
216d6ed87399 Initial revision lcp parents: diff changeset	522
216d6ed87399 Initial revision lcp parents: diff changeset	523	\subsection{Higher-order unification}
216d6ed87399 Initial revision lcp parents: diff changeset	524	\index{unification!higher-order\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	525	Unification is equation solving. The solution of $f(\Var{x},c) \qeq
216d6ed87399 Initial revision lcp parents: diff changeset	526	f(d,\Var{y})$ is $\Var{x}\equiv d$ and $\Var{y}\equiv c$. {\bf
216d6ed87399 Initial revision lcp parents: diff changeset	527	Higher-order unification} is equation solving for typed $\lambda$-terms.
216d6ed87399 Initial revision lcp parents: diff changeset	528	To handle $\beta$-conversion, it must reduce $(\lambda x.t)u$ to $t[u/x]$.
216d6ed87399 Initial revision lcp parents: diff changeset	529	That is easy --- in the typed $\lambda$-calculus, all reduction sequences
216d6ed87399 Initial revision lcp parents: diff changeset	530	terminate at a normal form. But it must guess the unknown
216d6ed87399 Initial revision lcp parents: diff changeset	531	function~$\Var{f}$ in order to solve the equation
216d6ed87399 Initial revision lcp parents: diff changeset	532	\begin{equation} \label{hou-eqn}
216d6ed87399 Initial revision lcp parents: diff changeset	533	\Var{f}(t) \qeq g(u@1,\ldots,u@k).
216d6ed87399 Initial revision lcp parents: diff changeset	534	\end{equation}
216d6ed87399 Initial revision lcp parents: diff changeset	535	Huet's~\cite{huet75} search procedure solves equations by imitation and
216d6ed87399 Initial revision lcp parents: diff changeset	536	projection. {\bf Imitation}\index{imitation\|bold} makes~$\Var{f}$ apply
216d6ed87399 Initial revision lcp parents: diff changeset	537	leading symbol (if a constant) of the right-hand side. To solve
216d6ed87399 Initial revision lcp parents: diff changeset	538	equation~(\ref{hou-eqn}), it guesses
216d6ed87399 Initial revision lcp parents: diff changeset	539	\[ \Var{f} \equiv \lambda x. g(\Var{h@1}(x),\ldots,\Var{h@k}(x)), \]
216d6ed87399 Initial revision lcp parents: diff changeset	540	where $\Var{h@1}$, \ldots, $\Var{h@k}$ are new unknowns. Assuming there are no
216d6ed87399 Initial revision lcp parents: diff changeset	541	other occurrences of~$\Var{f}$, equation~(\ref{hou-eqn}) simplifies to the
216d6ed87399 Initial revision lcp parents: diff changeset	542	set of equations
216d6ed87399 Initial revision lcp parents: diff changeset	543	\[ \Var{h@1}(t)\qeq u@1 \quad\ldots\quad \Var{h@k}(t)\qeq u@k. \]
216d6ed87399 Initial revision lcp parents: diff changeset	544	If the procedure solves these equations, instantiating $\Var{h@1}$, \ldots,
216d6ed87399 Initial revision lcp parents: diff changeset	545	$\Var{h@k}$, then it yields an instantiation for~$\Var{f}$.
216d6ed87399 Initial revision lcp parents: diff changeset	546
216d6ed87399 Initial revision lcp parents: diff changeset	547	\index{projection\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	548	{\bf Projection} makes $\Var{f}$ apply one of its arguments. To solve
216d6ed87399 Initial revision lcp parents: diff changeset	549	equation~(\ref{hou-eqn}), if $t$ expects~$m$ arguments and delivers a
216d6ed87399 Initial revision lcp parents: diff changeset	550	result of suitable type, it guesses
216d6ed87399 Initial revision lcp parents: diff changeset	551	\[ \Var{f} \equiv \lambda x. x(\Var{h@1}(x),\ldots,\Var{h@m}(x)), \]
216d6ed87399 Initial revision lcp parents: diff changeset	552	where $\Var{h@1}$, \ldots, $\Var{h@m}$ are new unknowns. Assuming there are no
216d6ed87399 Initial revision lcp parents: diff changeset	553	other occurrences of~$\Var{f}$, equation~(\ref{hou-eqn}) simplifies to the
216d6ed87399 Initial revision lcp parents: diff changeset	554	equation
216d6ed87399 Initial revision lcp parents: diff changeset	555	\[ t(\Var{h@1}(t),\ldots,\Var{h@m}(t)) \qeq g(u@1,\ldots,u@k). $$
216d6ed87399 Initial revision lcp parents: diff changeset	556
216d6ed87399 Initial revision lcp parents: diff changeset	557	\begin{warn}
216d6ed87399 Initial revision lcp parents: diff changeset	558	Huet's unification procedure is complete. Isabelle's polymorphic version,
216d6ed87399 Initial revision lcp parents: diff changeset	559	which solves for type unknowns as well as for term unknowns, is incomplete.
216d6ed87399 Initial revision lcp parents: diff changeset	560	The problem is that projection requires type information. In
216d6ed87399 Initial revision lcp parents: diff changeset	561	equation~(\ref{hou-eqn}), if the type of~$t$ is unknown, then projections
216d6ed87399 Initial revision lcp parents: diff changeset	562	are possible for all~$m\geq0$, and the types of the $\Var{h@i}$ will be
216d6ed87399 Initial revision lcp parents: diff changeset	563	similarly unconstrained. Therefore, Isabelle never attempts such
216d6ed87399 Initial revision lcp parents: diff changeset	564	projections, and may fail to find unifiers where a type unknown turns out
216d6ed87399 Initial revision lcp parents: diff changeset	565	to be a function type.
216d6ed87399 Initial revision lcp parents: diff changeset	566	\end{warn}
216d6ed87399 Initial revision lcp parents: diff changeset	567
216d6ed87399 Initial revision lcp parents: diff changeset	568	\index{unknowns!of function type\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	569	Given $\Var{f}(t@1,\ldots,t@n)\qeq u$, Huet's procedure could make up to
216d6ed87399 Initial revision lcp parents: diff changeset	570	$n+1$ guesses. The search tree and set of unifiers may be infinite. But
216d6ed87399 Initial revision lcp parents: diff changeset	571	higher-order unification can work effectively, provided you are careful
216d6ed87399 Initial revision lcp parents: diff changeset	572	with {\bf function unknowns}:
216d6ed87399 Initial revision lcp parents: diff changeset	573	\begin{itemize}
216d6ed87399 Initial revision lcp parents: diff changeset	574	\item Equations with no function unknowns are solved using first-order
216d6ed87399 Initial revision lcp parents: diff changeset	575	unification, extended to treat bound variables. For example, $\lambda x.x
216d6ed87399 Initial revision lcp parents: diff changeset	576	\qeq \lambda x.\Var{y}$ has no solution because $\Var{y}\equiv x$ would
216d6ed87399 Initial revision lcp parents: diff changeset	577	capture the free variable~$x$.
216d6ed87399 Initial revision lcp parents: diff changeset	578
216d6ed87399 Initial revision lcp parents: diff changeset	579	\item An occurrence of the term $\Var{f}(x,y,z)$, where the arguments are
216d6ed87399 Initial revision lcp parents: diff changeset	580	distinct bound variables, causes no difficulties. Its projections can only
216d6ed87399 Initial revision lcp parents: diff changeset	581	match the corresponding variables.
216d6ed87399 Initial revision lcp parents: diff changeset	582
216d6ed87399 Initial revision lcp parents: diff changeset	583	\item Even an equation such as $\Var{f}(a)\qeq a+a$ is all right. It has
216d6ed87399 Initial revision lcp parents: diff changeset	584	four solutions, but Isabelle evaluates them lazily, trying projection before
216d6ed87399 Initial revision lcp parents: diff changeset	585	imitation. The first solution is usually the one desired:
216d6ed87399 Initial revision lcp parents: diff changeset	586	\[ \Var{f}\equiv \lambda x. x+x \quad
216d6ed87399 Initial revision lcp parents: diff changeset	587	\Var{f}\equiv \lambda x. a+x \quad
216d6ed87399 Initial revision lcp parents: diff changeset	588	\Var{f}\equiv \lambda x. x+a \quad
216d6ed87399 Initial revision lcp parents: diff changeset	589	\Var{f}\equiv \lambda x. a+a \]
216d6ed87399 Initial revision lcp parents: diff changeset	590	\item Equations such as $\Var{f}(\Var{x},\Var{y})\qeq t$ and
216d6ed87399 Initial revision lcp parents: diff changeset	591	$\Var{f}(\Var{g}(x))\qeq t$ admit vast numbers of unifiers, and must be
216d6ed87399 Initial revision lcp parents: diff changeset	592	avoided.
216d6ed87399 Initial revision lcp parents: diff changeset	593	\end{itemize}
216d6ed87399 Initial revision lcp parents: diff changeset	594	In problematic cases, you may have to instantiate some unknowns before
216d6ed87399 Initial revision lcp parents: diff changeset	595	invoking unification.
216d6ed87399 Initial revision lcp parents: diff changeset	596
216d6ed87399 Initial revision lcp parents: diff changeset	597
216d6ed87399 Initial revision lcp parents: diff changeset	598	\subsection{Joining rules by resolution} \label{joining}
216d6ed87399 Initial revision lcp parents: diff changeset	599	\index{resolution\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	600	Let $\List{\psi@1; \ldots; \psi@m} \Imp \psi$ and $\List{\phi@1; \ldots;
216d6ed87399 Initial revision lcp parents: diff changeset	601	\phi@n} \Imp \phi$ be two Isabelle theorems, representing object-level rules.
216d6ed87399 Initial revision lcp parents: diff changeset	602	Choosing some~$i$ from~1 to~$n$, suppose that $\psi$ and $\phi@i$ have a
216d6ed87399 Initial revision lcp parents: diff changeset	603	higher-order unifier. Writing $Xs$ for the application of substitution~$s$ to
216d6ed87399 Initial revision lcp parents: diff changeset	604	expression~$X$, this means there is some~$s$ such that $\psi s\equiv \phi@i s$.
216d6ed87399 Initial revision lcp parents: diff changeset	605	By resolution, we may conclude
216d6ed87399 Initial revision lcp parents: diff changeset	606	\[ (\List{\phi@1; \ldots; \phi@{i-1}; \psi@1; \ldots; \psi@m;
216d6ed87399 Initial revision lcp parents: diff changeset	607	\phi@{i+1}; \ldots; \phi@n} \Imp \phi)s.
216d6ed87399 Initial revision lcp parents: diff changeset	608	\]
216d6ed87399 Initial revision lcp parents: diff changeset	609	The substitution~$s$ may instantiate unknowns in both rules. In short,
216d6ed87399 Initial revision lcp parents: diff changeset	610	resolution is the following rule:
216d6ed87399 Initial revision lcp parents: diff changeset	611	\[ \infer[(\psi s\equiv \phi@i s)]
216d6ed87399 Initial revision lcp parents: diff changeset	612	{(\List{\phi@1; \ldots; \phi@{i-1}; \psi@1; \ldots; \psi@m;
216d6ed87399 Initial revision lcp parents: diff changeset	613	\phi@{i+1}; \ldots; \phi@n} \Imp \phi)s}
216d6ed87399 Initial revision lcp parents: diff changeset	614	{\List{\psi@1; \ldots; \psi@m} \Imp \psi & &
216d6ed87399 Initial revision lcp parents: diff changeset	615	\List{\phi@1; \ldots; \phi@n} \Imp \phi}
216d6ed87399 Initial revision lcp parents: diff changeset	616	\]
216d6ed87399 Initial revision lcp parents: diff changeset	617	It operates at the meta-level, on Isabelle theorems, and is justified by
216d6ed87399 Initial revision lcp parents: diff changeset	618	the properties of $\Imp$ and~$\Forall$. It takes the number~$i$ (for
216d6ed87399 Initial revision lcp parents: diff changeset	619	$1\leq i\leq n$) as a parameter and may yield infinitely many conclusions,
216d6ed87399 Initial revision lcp parents: diff changeset	620	one for each unifier of $\psi$ with $\phi@i$. Isabelle returns these
216d6ed87399 Initial revision lcp parents: diff changeset	621	conclusions as a sequence (lazy list).
216d6ed87399 Initial revision lcp parents: diff changeset	622
216d6ed87399 Initial revision lcp parents: diff changeset	623	Resolution expects the rules to have no outer quantifiers~($\Forall$). It
216d6ed87399 Initial revision lcp parents: diff changeset	624	may rename or instantiate any schematic variables, but leaves free
216d6ed87399 Initial revision lcp parents: diff changeset	625	variables unchanged. When constructing a theory, Isabelle puts the rules
216d6ed87399 Initial revision lcp parents: diff changeset	626	into a standard form containing no free variables; for instance, $({\imp}E)$
216d6ed87399 Initial revision lcp parents: diff changeset	627	becomes
216d6ed87399 Initial revision lcp parents: diff changeset	628	\[ \List{\Var{P}\imp \Var{Q}; \Var{P}} \Imp \Var{Q}.
216d6ed87399 Initial revision lcp parents: diff changeset	629	\]
216d6ed87399 Initial revision lcp parents: diff changeset	630	When resolving two rules, the unknowns in the first rule are renamed, by
216d6ed87399 Initial revision lcp parents: diff changeset	631	subscripting, to make them distinct from the unknowns in the second rule. To
216d6ed87399 Initial revision lcp parents: diff changeset	632	resolve $({\imp}E)$ with itself, the first copy of the rule would become
216d6ed87399 Initial revision lcp parents: diff changeset	633	\[ \List{\Var{P@1}\imp \Var{Q@1}; \Var{P@1}} \Imp \Var{Q@1}. \]
216d6ed87399 Initial revision lcp parents: diff changeset	634	Resolving this with $({\imp}E)$ in the first premise, unifying $\Var{Q@1}$ with
216d6ed87399 Initial revision lcp parents: diff changeset	635	$\Var{P}\imp \Var{Q}$, is the meta-level inference
216d6ed87399 Initial revision lcp parents: diff changeset	636	\[ \infer{\List{\Var{P@1}\imp (\Var{P}\imp \Var{Q}); \Var{P@1}; \Var{P}}
216d6ed87399 Initial revision lcp parents: diff changeset	637	\Imp\Var{Q}.}
216d6ed87399 Initial revision lcp parents: diff changeset	638	{\List{\Var{P@1}\imp \Var{Q@1}; \Var{P@1}} \Imp \Var{Q@1} & &
216d6ed87399 Initial revision lcp parents: diff changeset	639	\List{\Var{P}\imp \Var{Q}; \Var{P}} \Imp \Var{Q}}
216d6ed87399 Initial revision lcp parents: diff changeset	640	\]
216d6ed87399 Initial revision lcp parents: diff changeset	641	Renaming the unknowns in the resolvent, we have derived the
216d6ed87399 Initial revision lcp parents: diff changeset	642	object-level rule
216d6ed87399 Initial revision lcp parents: diff changeset	643	\[ \infer{Q.}{R\imp (P\imp Q) & R & P} \]
216d6ed87399 Initial revision lcp parents: diff changeset	644	\index{rules!derived}
216d6ed87399 Initial revision lcp parents: diff changeset	645	Joining rules in this fashion is a simple way of proving theorems. The
216d6ed87399 Initial revision lcp parents: diff changeset	646	derived rules are conservative extensions of the object-logic, and may permit
216d6ed87399 Initial revision lcp parents: diff changeset	647	simpler proofs. Let us consider another example. Suppose we have the axiom
216d6ed87399 Initial revision lcp parents: diff changeset	648	$$ \forall x\,y. Suc(x)=Suc(y)\imp x=y. \eqno (inject) $$
216d6ed87399 Initial revision lcp parents: diff changeset	649
216d6ed87399 Initial revision lcp parents: diff changeset	650	\noindent
216d6ed87399 Initial revision lcp parents: diff changeset	651	The standard form of $(\forall E)$ is
216d6ed87399 Initial revision lcp parents: diff changeset	652	$\forall x.\Var{P}(x) \Imp \Var{P}(\Var{t})$.
216d6ed87399 Initial revision lcp parents: diff changeset	653	Resolving $(inject)$ with $(\forall E)$ replaces $\Var{P}$ by
216d6ed87399 Initial revision lcp parents: diff changeset	654	$\lambda x. \forall y. Suc(x)=Suc(y)\imp x=y$ and leaves $\Var{t}$
216d6ed87399 Initial revision lcp parents: diff changeset	655	unchanged, yielding
216d6ed87399 Initial revision lcp parents: diff changeset	656	\[ \forall y. Suc(\Var{t})=Suc(y)\imp \Var{t}=y. \]
216d6ed87399 Initial revision lcp parents: diff changeset	657	Resolving this with $(\forall E)$ puts a subscript on~$\Var{t}$
216d6ed87399 Initial revision lcp parents: diff changeset	658	and yields
216d6ed87399 Initial revision lcp parents: diff changeset	659	\[ Suc(\Var{t@1})=Suc(\Var{t})\imp \Var{t@1}=\Var{t}. \]
216d6ed87399 Initial revision lcp parents: diff changeset	660	Resolving this with $({\imp}E)$ increases the subscripts and yields
216d6ed87399 Initial revision lcp parents: diff changeset	661	\[ Suc(\Var{t@2})=Suc(\Var{t@1})\Imp \Var{t@2}=\Var{t@1}.
216d6ed87399 Initial revision lcp parents: diff changeset	662	\]
216d6ed87399 Initial revision lcp parents: diff changeset	663	We have derived the rule
216d6ed87399 Initial revision lcp parents: diff changeset	664	\[ \infer{m=n,}{Suc(m)=Suc(n)} \]
216d6ed87399 Initial revision lcp parents: diff changeset	665	which goes directly from $Suc(m)=Suc(n)$ to $m=n$. It is handy for simplifying
216d6ed87399 Initial revision lcp parents: diff changeset	666	an equation like $Suc(Suc(Suc(m)))=Suc(Suc(Suc(0)))$.
216d6ed87399 Initial revision lcp parents: diff changeset	667
216d6ed87399 Initial revision lcp parents: diff changeset	668
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	669	\section{Lifting a rule into a context}
105 216d6ed87399 Initial revision lcp parents: diff changeset	670	The rules $({\imp}I)$ and $(\forall I)$ may seem unsuitable for
216d6ed87399 Initial revision lcp parents: diff changeset	671	resolution. They have non-atomic premises, namely $P\Imp Q$ and $\Forall
216d6ed87399 Initial revision lcp parents: diff changeset	672	x.P(x)$, while the conclusions of all the rules are atomic (they have the form
216d6ed87399 Initial revision lcp parents: diff changeset	673	$Trueprop(\cdots)$). Isabelle gets round the problem through a meta-inference
216d6ed87399 Initial revision lcp parents: diff changeset	674	called \bfindex{lifting}. Let us consider how to construct proofs such as
216d6ed87399 Initial revision lcp parents: diff changeset	675	\[ \infer[({\imp}I)]{P\imp(Q\imp R)}
216d6ed87399 Initial revision lcp parents: diff changeset	676	{\infer[({\imp}I)]{Q\imp R}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	677	{\infer*{R}{[P,Q]}}}
105 216d6ed87399 Initial revision lcp parents: diff changeset	678	\qquad
216d6ed87399 Initial revision lcp parents: diff changeset	679	\infer[(\forall I)]{\forall x\,y.P(x,y)}
216d6ed87399 Initial revision lcp parents: diff changeset	680	{\infer[(\forall I)]{\forall y.P(x,y)}{P(x,y)}}
216d6ed87399 Initial revision lcp parents: diff changeset	681	\]
216d6ed87399 Initial revision lcp parents: diff changeset	682
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	683	\subsection{Lifting over assumptions}
105 216d6ed87399 Initial revision lcp parents: diff changeset	684	\index{lifting!over assumptions\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	685	Lifting over $\theta\Imp{}$ is the following meta-inference rule:
216d6ed87399 Initial revision lcp parents: diff changeset	686	\[ \infer{\List{\theta\Imp\phi@1; \ldots; \theta\Imp\phi@n} \Imp
216d6ed87399 Initial revision lcp parents: diff changeset	687	(\theta \Imp \phi)}
216d6ed87399 Initial revision lcp parents: diff changeset	688	{\List{\phi@1; \ldots; \phi@n} \Imp \phi} \]
216d6ed87399 Initial revision lcp parents: diff changeset	689	This is clearly sound: if $\List{\phi@1; \ldots; \phi@n} \Imp \phi$ is true and
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	690	$\theta\Imp\phi@1$, \ldots, $\theta\Imp\phi@n$ and $\theta$ are all true then
105 216d6ed87399 Initial revision lcp parents: diff changeset	691	$\phi$ must be true. Iterated lifting over a series of meta-formulae
216d6ed87399 Initial revision lcp parents: diff changeset	692	$\theta@k$, \ldots, $\theta@1$ yields an object-rule whose conclusion is
216d6ed87399 Initial revision lcp parents: diff changeset	693	$\List{\theta@1; \ldots; \theta@k} \Imp \phi$. Typically the $\theta@i$ are
216d6ed87399 Initial revision lcp parents: diff changeset	694	the assumptions in a natural deduction proof; lifting copies them into a rule's
216d6ed87399 Initial revision lcp parents: diff changeset	695	premises and conclusion.
216d6ed87399 Initial revision lcp parents: diff changeset	696
216d6ed87399 Initial revision lcp parents: diff changeset	697	When resolving two rules, Isabelle lifts the first one if necessary. The
216d6ed87399 Initial revision lcp parents: diff changeset	698	standard form of $({\imp}I)$ is
216d6ed87399 Initial revision lcp parents: diff changeset	699	\[ (\Var{P} \Imp \Var{Q}) \Imp \Var{P}\imp \Var{Q}. \]
216d6ed87399 Initial revision lcp parents: diff changeset	700	To resolve this rule with itself, Isabelle modifies one copy as follows: it
216d6ed87399 Initial revision lcp parents: diff changeset	701	renames the unknowns to $\Var{P@1}$ and $\Var{Q@1}$, then lifts the rule over
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	702	$\Var{P}\Imp{}$ to obtain
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	703	\[ (\Var{P}\Imp (\Var{P@1} \Imp \Var{Q@1})) \Imp (\Var{P} \Imp
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	704	(\Var{P@1}\imp \Var{Q@1})). \]
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	705	Using the $\List{\cdots}$ abbreviation, this can be written as
105 216d6ed87399 Initial revision lcp parents: diff changeset	706	\[ \List{\List{\Var{P}; \Var{P@1}} \Imp \Var{Q@1}; \Var{P}}
216d6ed87399 Initial revision lcp parents: diff changeset	707	\Imp \Var{P@1}\imp \Var{Q@1}. \]
216d6ed87399 Initial revision lcp parents: diff changeset	708	Unifying $\Var{P}\Imp \Var{P@1}\imp\Var{Q@1}$ with $\Var{P} \Imp
216d6ed87399 Initial revision lcp parents: diff changeset	709	\Var{Q}$ instantiates $\Var{Q}$ to ${\Var{P@1}\imp\Var{Q@1}}$.
216d6ed87399 Initial revision lcp parents: diff changeset	710	Resolution yields
216d6ed87399 Initial revision lcp parents: diff changeset	711	\[ (\List{\Var{P}; \Var{P@1}} \Imp \Var{Q@1}) \Imp
216d6ed87399 Initial revision lcp parents: diff changeset	712	\Var{P}\imp(\Var{P@1}\imp\Var{Q@1}). \]
216d6ed87399 Initial revision lcp parents: diff changeset	713	This represents the derived rule
216d6ed87399 Initial revision lcp parents: diff changeset	714	\[ \infer{P\imp(Q\imp R).}{\infer*{R}{[P,Q]}} \]
216d6ed87399 Initial revision lcp parents: diff changeset	715
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	716	\subsection{Lifting over parameters}
105 216d6ed87399 Initial revision lcp parents: diff changeset	717	\index{lifting!over parameters\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	718	An analogous form of lifting handles premises of the form $\Forall x\ldots\,$.
216d6ed87399 Initial revision lcp parents: diff changeset	719	Here, lifting prefixes an object-rule's premises and conclusion with $\Forall
216d6ed87399 Initial revision lcp parents: diff changeset	720	x$. At the same time, lifting introduces a dependence upon~$x$. It replaces
216d6ed87399 Initial revision lcp parents: diff changeset	721	each unknown $\Var{a}$ in the rule by $\Var{a'}(x)$, where $\Var{a'}$ is a new
216d6ed87399 Initial revision lcp parents: diff changeset	722	unknown (by subscripting) of suitable type --- necessarily a function type. In
216d6ed87399 Initial revision lcp parents: diff changeset	723	short, lifting is the meta-inference
216d6ed87399 Initial revision lcp parents: diff changeset	724	\[ \infer{\List{\Forall x.\phi@1^x; \ldots; \Forall x.\phi@n^x}
216d6ed87399 Initial revision lcp parents: diff changeset	725	\Imp \Forall x.\phi^x,}
216d6ed87399 Initial revision lcp parents: diff changeset	726	{\List{\phi@1; \ldots; \phi@n} \Imp \phi} \]
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	727	%
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	728	where $\phi^x$ stands for the result of lifting unknowns over~$x$ in
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	729	$\phi$. It is not hard to verify that this meta-inference is sound. If
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	730	$\phi\Imp\psi$ then $\phi^x\Imp\psi^x$ for all~$x$; so if $\phi^x$ is true
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	731	for all~$x$ then so is $\psi^x$. Thus, from $\phi\Imp\psi$ we conclude
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	732	$(\Forall x.\phi^x) \Imp (\Forall x.\psi^x)$.
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	733
105 216d6ed87399 Initial revision lcp parents: diff changeset	734	For example, $(\disj I)$ might be lifted to
216d6ed87399 Initial revision lcp parents: diff changeset	735	\[ (\Forall x.\Var{P@1}(x)) \Imp (\Forall x. \Var{P@1}(x)\disj \Var{Q@1}(x))\]
216d6ed87399 Initial revision lcp parents: diff changeset	736	and $(\forall I)$ to
216d6ed87399 Initial revision lcp parents: diff changeset	737	\[ (\Forall x\,y.\Var{P@1}(x,y)) \Imp (\Forall x. \forall y.\Var{P@1}(x,y)). \]
216d6ed87399 Initial revision lcp parents: diff changeset	738	Isabelle has renamed a bound variable in $(\forall I)$ from $x$ to~$y$,
216d6ed87399 Initial revision lcp parents: diff changeset	739	avoiding a clash. Resolving the above with $(\forall I)$ is the meta-inference
216d6ed87399 Initial revision lcp parents: diff changeset	740	\[ \infer{\Forall x\,y.\Var{P@1}(x,y)) \Imp \forall x\,y.\Var{P@1}(x,y)) }
216d6ed87399 Initial revision lcp parents: diff changeset	741	{(\Forall x\,y.\Var{P@1}(x,y)) \Imp
216d6ed87399 Initial revision lcp parents: diff changeset	742	(\Forall x. \forall y.\Var{P@1}(x,y)) &
216d6ed87399 Initial revision lcp parents: diff changeset	743	(\Forall x.\Var{P}(x)) \Imp (\forall x.\Var{P}(x))} \]
216d6ed87399 Initial revision lcp parents: diff changeset	744	Here, $\Var{P}$ is replaced by $\lambda x.\forall y.\Var{P@1}(x,y)$; the
216d6ed87399 Initial revision lcp parents: diff changeset	745	resolvent expresses the derived rule
216d6ed87399 Initial revision lcp parents: diff changeset	746	\[ \vcenter{ \infer{\forall x\,y.Q(x,y)}{Q(x,y)} }
216d6ed87399 Initial revision lcp parents: diff changeset	747	\quad\hbox{provided $x$, $y$ not free in the assumptions}
216d6ed87399 Initial revision lcp parents: diff changeset	748	\]
216d6ed87399 Initial revision lcp parents: diff changeset	749	I discuss lifting and parameters at length elsewhere~\cite{paulson89}.
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	750	Miller goes into even greater detail~\cite{miller-mixed}.
105 216d6ed87399 Initial revision lcp parents: diff changeset	751
216d6ed87399 Initial revision lcp parents: diff changeset	752
216d6ed87399 Initial revision lcp parents: diff changeset	753	\section{Backward proof by resolution}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	754	\index{resolution!in backward proof}\index{proof!backward\|bold}
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	755	\index{tactics}\index{tacticals}
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	756
105 216d6ed87399 Initial revision lcp parents: diff changeset	757	Resolution is convenient for deriving simple rules and for reasoning
216d6ed87399 Initial revision lcp parents: diff changeset	758	forward from facts. It can also support backward proof, where we start
216d6ed87399 Initial revision lcp parents: diff changeset	759	with a goal and refine it to progressively simpler subgoals until all have
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	760	been solved. {\sc lcf} and its descendants {\sc hol} and Nuprl provide
105 216d6ed87399 Initial revision lcp parents: diff changeset	761	tactics and tacticals, which constitute a high-level language for
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	762	expressing proof searches. {\bf Tactics} refine subgoals while {\bf
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	763	tacticals} combine tactics.
105 216d6ed87399 Initial revision lcp parents: diff changeset	764
216d6ed87399 Initial revision lcp parents: diff changeset	765	\index{LCF}
216d6ed87399 Initial revision lcp parents: diff changeset	766	Isabelle's tactics and tacticals work differently from {\sc lcf}'s. An
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	767	Isabelle rule is bidirectional: there is no distinction between
105 216d6ed87399 Initial revision lcp parents: diff changeset	768	inputs and outputs. {\sc lcf} has a separate tactic for each rule;
216d6ed87399 Initial revision lcp parents: diff changeset	769	Isabelle performs refinement by any rule in a uniform fashion, using
216d6ed87399 Initial revision lcp parents: diff changeset	770	resolution.
216d6ed87399 Initial revision lcp parents: diff changeset	771
216d6ed87399 Initial revision lcp parents: diff changeset	772	\index{subgoals\|bold}\index{main goal\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	773	Isabelle works with meta-level theorems of the form
216d6ed87399 Initial revision lcp parents: diff changeset	774	$ \List{\phi@1; \ldots; \phi@n} \Imp \phi $.
216d6ed87399 Initial revision lcp parents: diff changeset	775	We have viewed this as the {\bf rule} with premises
216d6ed87399 Initial revision lcp parents: diff changeset	776	$\phi@1$,~\ldots,~$\phi@n$ and conclusion~$\phi$. It can also be viewed as
216d6ed87399 Initial revision lcp parents: diff changeset	777	the \bfindex{proof state} with subgoals $\phi@1$,~\ldots,~$\phi@n$ and main
216d6ed87399 Initial revision lcp parents: diff changeset	778	goal~$\phi$.
216d6ed87399 Initial revision lcp parents: diff changeset	779
216d6ed87399 Initial revision lcp parents: diff changeset	780	To prove the formula~$\phi$, take $\phi\Imp \phi$ as the initial proof
216d6ed87399 Initial revision lcp parents: diff changeset	781	state. This assertion is, trivially, a theorem. At a later stage in the
216d6ed87399 Initial revision lcp parents: diff changeset	782	backward proof, a typical proof state is $\List{\phi@1; \ldots; \phi@n}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	783	\Imp \phi$. This proof state is a theorem, ensuring that the subgoals
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	784	$\phi@1$,~\ldots,~$\phi@n$ imply~$\phi$. If $n=0$ then we have
105 216d6ed87399 Initial revision lcp parents: diff changeset	785	proved~$\phi$ outright. If $\phi$ contains unknowns, they may become
216d6ed87399 Initial revision lcp parents: diff changeset	786	instantiated during the proof; a proof state may be $\List{\phi@1; \ldots;
216d6ed87399 Initial revision lcp parents: diff changeset	787	\phi@n} \Imp \phi'$, where $\phi'$ is an instance of~$\phi$.
216d6ed87399 Initial revision lcp parents: diff changeset	788
216d6ed87399 Initial revision lcp parents: diff changeset	789	\subsection{Refinement by resolution}
216d6ed87399 Initial revision lcp parents: diff changeset	790	\index{refinement\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	791	To refine subgoal~$i$ of a proof state by a rule, perform the following
216d6ed87399 Initial revision lcp parents: diff changeset	792	resolution:
216d6ed87399 Initial revision lcp parents: diff changeset	793	\[ \infer{\hbox{new proof state}}{\hbox{rule} & & \hbox{proof state}} \]
216d6ed87399 Initial revision lcp parents: diff changeset	794	If the rule is $\List{\psi'@1; \ldots; \psi'@m} \Imp \psi'$ after lifting
216d6ed87399 Initial revision lcp parents: diff changeset	795	over subgoal~$i$, and the proof state is $\List{\phi@1; \ldots; \phi@n}
216d6ed87399 Initial revision lcp parents: diff changeset	796	\Imp \phi$, then the new proof state is (for~$1\leq i\leq n$)
216d6ed87399 Initial revision lcp parents: diff changeset	797	\[ (\List{\phi@1; \ldots; \phi@{i-1}; \psi'@1;
216d6ed87399 Initial revision lcp parents: diff changeset	798	\ldots; \psi'@m; \phi@{i+1}; \ldots; \phi@n} \Imp \phi)s. \]
216d6ed87399 Initial revision lcp parents: diff changeset	799	Substitution~$s$ unifies $\psi'$ with~$\phi@i$. In the proof state,
216d6ed87399 Initial revision lcp parents: diff changeset	800	subgoal~$i$ is replaced by $m$ new subgoals, the rule's instantiated premises.
216d6ed87399 Initial revision lcp parents: diff changeset	801	If some of the rule's unknowns are left un-instantiated, they become new
216d6ed87399 Initial revision lcp parents: diff changeset	802	unknowns in the proof state. Refinement by~$(\exists I)$, namely
216d6ed87399 Initial revision lcp parents: diff changeset	803	\[ \Var{P}(\Var{t}) \Imp \exists x. \Var{P}(x), \]
216d6ed87399 Initial revision lcp parents: diff changeset	804	inserts a new unknown derived from~$\Var{t}$ by subscripting and lifting.
216d6ed87399 Initial revision lcp parents: diff changeset	805	We do not have to specify an `existential witness' when
216d6ed87399 Initial revision lcp parents: diff changeset	806	applying~$(\exists I)$. Further resolutions may instantiate unknowns in
216d6ed87399 Initial revision lcp parents: diff changeset	807	the proof state.
216d6ed87399 Initial revision lcp parents: diff changeset	808
216d6ed87399 Initial revision lcp parents: diff changeset	809	\subsection{Proof by assumption}
216d6ed87399 Initial revision lcp parents: diff changeset	810	\index{proof!by assumption\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	811	In the course of a natural deduction proof, parameters $x@1$, \ldots,~$x@l$ and
216d6ed87399 Initial revision lcp parents: diff changeset	812	assumptions $\theta@1$, \ldots, $\theta@k$ accumulate, forming a context for
216d6ed87399 Initial revision lcp parents: diff changeset	813	each subgoal. Repeated lifting steps can lift a rule into any context. To
216d6ed87399 Initial revision lcp parents: diff changeset	814	aid readability, Isabelle puts contexts into a normal form, gathering the
216d6ed87399 Initial revision lcp parents: diff changeset	815	parameters at the front:
216d6ed87399 Initial revision lcp parents: diff changeset	816	\begin{equation} \label{context-eqn}
216d6ed87399 Initial revision lcp parents: diff changeset	817	\Forall x@1 \ldots x@l. \List{\theta@1; \ldots; \theta@k}\Imp\theta.
216d6ed87399 Initial revision lcp parents: diff changeset	818	\end{equation}
216d6ed87399 Initial revision lcp parents: diff changeset	819	Under the usual reading of the connectives, this expresses that $\theta$
216d6ed87399 Initial revision lcp parents: diff changeset	820	follows from $\theta@1$,~\ldots~$\theta@k$ for arbitrary
216d6ed87399 Initial revision lcp parents: diff changeset	821	$x@1$,~\ldots,~$x@l$. It is trivially true if $\theta$ equals any of
216d6ed87399 Initial revision lcp parents: diff changeset	822	$\theta@1$,~\ldots~$\theta@k$, or is unifiable with any of them. This
216d6ed87399 Initial revision lcp parents: diff changeset	823	models proof by assumption in natural deduction.
216d6ed87399 Initial revision lcp parents: diff changeset	824
216d6ed87399 Initial revision lcp parents: diff changeset	825	Isabelle automates the meta-inference for proof by assumption. Its arguments
216d6ed87399 Initial revision lcp parents: diff changeset	826	are the meta-theorem $\List{\phi@1; \ldots; \phi@n} \Imp \phi$, and some~$i$
216d6ed87399 Initial revision lcp parents: diff changeset	827	from~1 to~$n$, where $\phi@i$ has the form~(\ref{context-eqn}). Its results
216d6ed87399 Initial revision lcp parents: diff changeset	828	are meta-theorems of the form
216d6ed87399 Initial revision lcp parents: diff changeset	829	\[ (\List{\phi@1; \ldots; \phi@{i-1}; \phi@{i+1}; \phi@n} \Imp \phi)s \]
216d6ed87399 Initial revision lcp parents: diff changeset	830	for each $s$ and~$j$ such that $s$ unifies $\lambda x@1 \ldots x@l. \theta@j$
216d6ed87399 Initial revision lcp parents: diff changeset	831	with $\lambda x@1 \ldots x@l. \theta$. Isabelle supplies the parameters
216d6ed87399 Initial revision lcp parents: diff changeset	832	$x@1$,~\ldots,~$x@l$ to higher-order unification as bound variables, which
216d6ed87399 Initial revision lcp parents: diff changeset	833	regards them as unique constants with a limited scope --- this enforces
216d6ed87399 Initial revision lcp parents: diff changeset	834	parameter provisos~\cite{paulson89}.
216d6ed87399 Initial revision lcp parents: diff changeset	835
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	836	The premise represents a proof state with~$n$ subgoals, of which the~$i$th
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	837	is to be solved by assumption. Isabelle searches the subgoal's context for
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	838	an assumption~$\theta@j$ that can solve it. For each unifier, the
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	839	meta-inference returns an instantiated proof state from which the $i$th
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	840	subgoal has been removed. Isabelle searches for a unifying assumption; for
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	841	readability and robustness, proofs do not refer to assumptions by number.
105 216d6ed87399 Initial revision lcp parents: diff changeset	842
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	843	Consider the proof state
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	844	\[ (\List{P(a); P(b)} \Imp P(\Var{x})) \Imp Q(\Var{x}). \]
105 216d6ed87399 Initial revision lcp parents: diff changeset	845	Proof by assumption (with $i=1$, the only possibility) yields two results:
216d6ed87399 Initial revision lcp parents: diff changeset	846	\begin{itemize}
216d6ed87399 Initial revision lcp parents: diff changeset	847	\item $Q(a)$, instantiating $\Var{x}\equiv a$
216d6ed87399 Initial revision lcp parents: diff changeset	848	\item $Q(b)$, instantiating $\Var{x}\equiv b$
216d6ed87399 Initial revision lcp parents: diff changeset	849	\end{itemize}
216d6ed87399 Initial revision lcp parents: diff changeset	850	Here, proof by assumption affects the main goal. It could also affect
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	851	other subgoals; if we also had the subgoal ${\List{P(b); P(c)} \Imp
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	852	P(\Var{x})}$, then $\Var{x}\equiv a$ would transform it to ${\List{P(b);
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	853	P(c)} \Imp P(a)}$, which might be unprovable.
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	854
105 216d6ed87399 Initial revision lcp parents: diff changeset	855
216d6ed87399 Initial revision lcp parents: diff changeset	856	\subsection{A propositional proof} \label{prop-proof}
216d6ed87399 Initial revision lcp parents: diff changeset	857	\index{examples!propositional}
216d6ed87399 Initial revision lcp parents: diff changeset	858	Our first example avoids quantifiers. Given the main goal $P\disj P\imp
216d6ed87399 Initial revision lcp parents: diff changeset	859	P$, Isabelle creates the initial state
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	860	\[ (P\disj P\imp P)\Imp (P\disj P\imp P). \]
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	861	%
105 216d6ed87399 Initial revision lcp parents: diff changeset	862	Bear in mind that every proof state we derive will be a meta-theorem,
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	863	expressing that the subgoals imply the main goal. Our aim is to reach the
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	864	state $P\disj P\imp P$; this meta-theorem is the desired result.
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	865
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	866	The first step is to refine subgoal~1 by (${\imp}I)$, creating a new state
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	867	where $P\disj P$ is an assumption:
105 216d6ed87399 Initial revision lcp parents: diff changeset	868	\[ (P\disj P\Imp P)\Imp (P\disj P\imp P) \]
216d6ed87399 Initial revision lcp parents: diff changeset	869	The next step is $(\disj E)$, which replaces subgoal~1 by three new subgoals.
216d6ed87399 Initial revision lcp parents: diff changeset	870	Because of lifting, each subgoal contains a copy of the context --- the
216d6ed87399 Initial revision lcp parents: diff changeset	871	assumption $P\disj P$. (In fact, this assumption is now redundant; we shall
216d6ed87399 Initial revision lcp parents: diff changeset	872	shortly see how to get rid of it!) The new proof state is the following
216d6ed87399 Initial revision lcp parents: diff changeset	873	meta-theorem, laid out for clarity:
216d6ed87399 Initial revision lcp parents: diff changeset	874	\[ \begin{array}{l@{}l@{\qquad\qquad}l}
216d6ed87399 Initial revision lcp parents: diff changeset	875	\lbrakk\;& P\disj P\Imp \Var{P@1}\disj\Var{Q@1}; & \hbox{(subgoal 1)} \\
216d6ed87399 Initial revision lcp parents: diff changeset	876	& \List{P\disj P; \Var{P@1}} \Imp P; & \hbox{(subgoal 2)} \\
216d6ed87399 Initial revision lcp parents: diff changeset	877	& \List{P\disj P; \Var{Q@1}} \Imp P & \hbox{(subgoal 3)} \\
216d6ed87399 Initial revision lcp parents: diff changeset	878	\rbrakk\;& \Imp (P\disj P\imp P) & \hbox{(main goal)}
216d6ed87399 Initial revision lcp parents: diff changeset	879	\end{array}
216d6ed87399 Initial revision lcp parents: diff changeset	880	\]
216d6ed87399 Initial revision lcp parents: diff changeset	881	Notice the unknowns in the proof state. Because we have applied $(\disj E)$,
216d6ed87399 Initial revision lcp parents: diff changeset	882	we must prove some disjunction, $\Var{P@1}\disj\Var{Q@1}$. Of course,
216d6ed87399 Initial revision lcp parents: diff changeset	883	subgoal~1 is provable by assumption. This instantiates both $\Var{P@1}$ and
216d6ed87399 Initial revision lcp parents: diff changeset	884	$\Var{Q@1}$ to~$P$ throughout the proof state:
216d6ed87399 Initial revision lcp parents: diff changeset	885	\[ \begin{array}{l@{}l@{\qquad\qquad}l}
216d6ed87399 Initial revision lcp parents: diff changeset	886	\lbrakk\;& \List{P\disj P; P} \Imp P; & \hbox{(subgoal 1)} \\
216d6ed87399 Initial revision lcp parents: diff changeset	887	& \List{P\disj P; P} \Imp P & \hbox{(subgoal 2)} \\
216d6ed87399 Initial revision lcp parents: diff changeset	888	\rbrakk\;& \Imp (P\disj P\imp P) & \hbox{(main goal)}
216d6ed87399 Initial revision lcp parents: diff changeset	889	\end{array} \]
216d6ed87399 Initial revision lcp parents: diff changeset	890	Both of the remaining subgoals can be proved by assumption. After two such
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	891	steps, the proof state is $P\disj P\imp P$.
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	892
105 216d6ed87399 Initial revision lcp parents: diff changeset	893
216d6ed87399 Initial revision lcp parents: diff changeset	894	\subsection{A quantifier proof}
216d6ed87399 Initial revision lcp parents: diff changeset	895	\index{examples!with quantifiers}
216d6ed87399 Initial revision lcp parents: diff changeset	896	To illustrate quantifiers and $\Forall$-lifting, let us prove
216d6ed87399 Initial revision lcp parents: diff changeset	897	$(\exists x.P(f(x)))\imp(\exists x.P(x))$. The initial proof
216d6ed87399 Initial revision lcp parents: diff changeset	898	state is the trivial meta-theorem
216d6ed87399 Initial revision lcp parents: diff changeset	899	\[ (\exists x.P(f(x)))\imp(\exists x.P(x)) \Imp
216d6ed87399 Initial revision lcp parents: diff changeset	900	(\exists x.P(f(x)))\imp(\exists x.P(x)). \]
216d6ed87399 Initial revision lcp parents: diff changeset	901	As above, the first step is refinement by (${\imp}I)$:
216d6ed87399 Initial revision lcp parents: diff changeset	902	\[ (\exists x.P(f(x))\Imp \exists x.P(x)) \Imp
216d6ed87399 Initial revision lcp parents: diff changeset	903	(\exists x.P(f(x)))\imp(\exists x.P(x))
216d6ed87399 Initial revision lcp parents: diff changeset	904	\]
216d6ed87399 Initial revision lcp parents: diff changeset	905	The next step is $(\exists E)$, which replaces subgoal~1 by two new subgoals.
216d6ed87399 Initial revision lcp parents: diff changeset	906	Both have the assumption $\exists x.P(f(x))$. The new proof
216d6ed87399 Initial revision lcp parents: diff changeset	907	state is the meta-theorem
216d6ed87399 Initial revision lcp parents: diff changeset	908	\[ \begin{array}{l@{}l@{\qquad\qquad}l}
216d6ed87399 Initial revision lcp parents: diff changeset	909	\lbrakk\;& \exists x.P(f(x)) \Imp \exists x.\Var{P@1}(x); & \hbox{(subgoal 1)} \\
216d6ed87399 Initial revision lcp parents: diff changeset	910	& \Forall x.\List{\exists x.P(f(x)); \Var{P@1}(x)} \Imp
216d6ed87399 Initial revision lcp parents: diff changeset	911	\exists x.P(x) & \hbox{(subgoal 2)} \\
216d6ed87399 Initial revision lcp parents: diff changeset	912	\rbrakk\;& \Imp (\exists x.P(f(x)))\imp(\exists x.P(x)) & \hbox{(main goal)}
216d6ed87399 Initial revision lcp parents: diff changeset	913	\end{array}
216d6ed87399 Initial revision lcp parents: diff changeset	914	\]
216d6ed87399 Initial revision lcp parents: diff changeset	915	The unknown $\Var{P@1}$ appears in both subgoals. Because we have applied
216d6ed87399 Initial revision lcp parents: diff changeset	916	$(\exists E)$, we must prove $\exists x.\Var{P@1}(x)$, where $\Var{P@1}(x)$ may
216d6ed87399 Initial revision lcp parents: diff changeset	917	become any formula possibly containing~$x$. Proving subgoal~1 by assumption
216d6ed87399 Initial revision lcp parents: diff changeset	918	instantiates $\Var{P@1}$ to~$\lambda x.P(f(x))$:
216d6ed87399 Initial revision lcp parents: diff changeset	919	\[ \left(\Forall x.\List{\exists x.P(f(x)); P(f(x))} \Imp
216d6ed87399 Initial revision lcp parents: diff changeset	920	\exists x.P(x)\right)
216d6ed87399 Initial revision lcp parents: diff changeset	921	\Imp (\exists x.P(f(x)))\imp(\exists x.P(x))
216d6ed87399 Initial revision lcp parents: diff changeset	922	\]
216d6ed87399 Initial revision lcp parents: diff changeset	923	The next step is refinement by $(\exists I)$. The rule is lifted into the
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	924	context of the parameter~$x$ and the assumption $P(f(x))$. This copies
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	925	the context to the subgoal and allows the existential witness to
105 216d6ed87399 Initial revision lcp parents: diff changeset	926	depend upon~$x$:
216d6ed87399 Initial revision lcp parents: diff changeset	927	\[ \left(\Forall x.\List{\exists x.P(f(x)); P(f(x))} \Imp
216d6ed87399 Initial revision lcp parents: diff changeset	928	P(\Var{x@2}(x))\right)
216d6ed87399 Initial revision lcp parents: diff changeset	929	\Imp (\exists x.P(f(x)))\imp(\exists x.P(x))
216d6ed87399 Initial revision lcp parents: diff changeset	930	\]
216d6ed87399 Initial revision lcp parents: diff changeset	931	The existential witness, $\Var{x@2}(x)$, consists of an unknown
216d6ed87399 Initial revision lcp parents: diff changeset	932	applied to a parameter. Proof by assumption unifies $\lambda x.P(f(x))$
216d6ed87399 Initial revision lcp parents: diff changeset	933	with $\lambda x.P(\Var{x@2}(x))$, instantiating $\Var{x@2}$ to $f$. The final
216d6ed87399 Initial revision lcp parents: diff changeset	934	proof state contains no subgoals: $(\exists x.P(f(x)))\imp(\exists x.P(x))$.
216d6ed87399 Initial revision lcp parents: diff changeset	935
216d6ed87399 Initial revision lcp parents: diff changeset	936
216d6ed87399 Initial revision lcp parents: diff changeset	937	\subsection{Tactics and tacticals}
216d6ed87399 Initial revision lcp parents: diff changeset	938	\index{tactics\|bold}\index{tacticals\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	939	{\bf Tactics} perform backward proof. Isabelle tactics differ from those
216d6ed87399 Initial revision lcp parents: diff changeset	940	of {\sc lcf}, {\sc hol} and Nuprl by operating on entire proof states,
216d6ed87399 Initial revision lcp parents: diff changeset	941	rather than on individual subgoals. An Isabelle tactic is a function that
216d6ed87399 Initial revision lcp parents: diff changeset	942	takes a proof state and returns a sequence (lazy list) of possible
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	943	successor states. Lazy lists are coded in ML as functions, a standard
105 216d6ed87399 Initial revision lcp parents: diff changeset	944	technique~\cite{paulson91}. Isabelle represents proof states by theorems.
216d6ed87399 Initial revision lcp parents: diff changeset	945
216d6ed87399 Initial revision lcp parents: diff changeset	946	Basic tactics execute the meta-rules described above, operating on a
216d6ed87399 Initial revision lcp parents: diff changeset	947	given subgoal. The {\bf resolution tactics} take a list of rules and
216d6ed87399 Initial revision lcp parents: diff changeset	948	return next states for each combination of rule and unifier. The {\bf
216d6ed87399 Initial revision lcp parents: diff changeset	949	assumption tactic} examines the subgoal's assumptions and returns next
216d6ed87399 Initial revision lcp parents: diff changeset	950	states for each combination of assumption and unifier. Lazy lists are
216d6ed87399 Initial revision lcp parents: diff changeset	951	essential because higher-order resolution may return infinitely many
216d6ed87399 Initial revision lcp parents: diff changeset	952	unifiers. If there are no matching rules or assumptions then no next
216d6ed87399 Initial revision lcp parents: diff changeset	953	states are generated; a tactic application that returns an empty list is
216d6ed87399 Initial revision lcp parents: diff changeset	954	said to {\bf fail}.
216d6ed87399 Initial revision lcp parents: diff changeset	955
216d6ed87399 Initial revision lcp parents: diff changeset	956	Sequences realize their full potential with {\bf tacticals} --- operators
216d6ed87399 Initial revision lcp parents: diff changeset	957	for combining tactics. Depth-first search, breadth-first search and
216d6ed87399 Initial revision lcp parents: diff changeset	958	best-first search (where a heuristic function selects the best state to
216d6ed87399 Initial revision lcp parents: diff changeset	959	explore) return their outcomes as a sequence. Isabelle provides such
216d6ed87399 Initial revision lcp parents: diff changeset	960	procedures in the form of tacticals. Simpler procedures can be expressed
216d6ed87399 Initial revision lcp parents: diff changeset	961	directly using the basic tacticals {\it THEN}, {\it ORELSE} and {\it REPEAT}:
216d6ed87399 Initial revision lcp parents: diff changeset	962	\begin{description}
216d6ed87399 Initial revision lcp parents: diff changeset	963	\item[$tac1\;THEN\;tac2$] is a tactic for sequential composition. Applied
216d6ed87399 Initial revision lcp parents: diff changeset	964	to a proof state, it returns all states reachable in two steps by applying
216d6ed87399 Initial revision lcp parents: diff changeset	965	$tac1$ followed by~$tac2$.
216d6ed87399 Initial revision lcp parents: diff changeset	966
216d6ed87399 Initial revision lcp parents: diff changeset	967	\item[$tac1\;ORELSE\;tac2$] is a choice tactic. Applied to a state, it
216d6ed87399 Initial revision lcp parents: diff changeset	968	tries~$tac1$ and returns the result if non-empty; otherwise, it uses~$tac2$.
216d6ed87399 Initial revision lcp parents: diff changeset	969
216d6ed87399 Initial revision lcp parents: diff changeset	970	\item[$REPEAT\;tac$] is a repetition tactic. Applied to a state, it
216d6ed87399 Initial revision lcp parents: diff changeset	971	returns all states reachable by applying~$tac$ as long as possible (until
216d6ed87399 Initial revision lcp parents: diff changeset	972	it would fail). $REPEAT$ can be expressed in a few lines of \ML{} using
216d6ed87399 Initial revision lcp parents: diff changeset	973	{\it THEN} and~{\it ORELSE}.
216d6ed87399 Initial revision lcp parents: diff changeset	974	\end{description}
216d6ed87399 Initial revision lcp parents: diff changeset	975	For instance, this tactic repeatedly applies $tac1$ and~$tac2$, giving
216d6ed87399 Initial revision lcp parents: diff changeset	976	$tac1$ priority:
216d6ed87399 Initial revision lcp parents: diff changeset	977	\[ REPEAT(tac1\;ORELSE\;tac2) \]
216d6ed87399 Initial revision lcp parents: diff changeset	978
216d6ed87399 Initial revision lcp parents: diff changeset	979
216d6ed87399 Initial revision lcp parents: diff changeset	980	\section{Variations on resolution}
216d6ed87399 Initial revision lcp parents: diff changeset	981	In principle, resolution and proof by assumption suffice to prove all
216d6ed87399 Initial revision lcp parents: diff changeset	982	theorems. However, specialized forms of resolution are helpful for working
216d6ed87399 Initial revision lcp parents: diff changeset	983	with elimination rules. Elim-resolution applies an elimination rule to an
216d6ed87399 Initial revision lcp parents: diff changeset	984	assumption; destruct-resolution is similar, but applies a rule in a forward
216d6ed87399 Initial revision lcp parents: diff changeset	985	style.
216d6ed87399 Initial revision lcp parents: diff changeset	986
216d6ed87399 Initial revision lcp parents: diff changeset	987	The last part of the section shows how the techniques for proving theorems
216d6ed87399 Initial revision lcp parents: diff changeset	988	can also serve to derive rules.
216d6ed87399 Initial revision lcp parents: diff changeset	989
216d6ed87399 Initial revision lcp parents: diff changeset	990	\subsection{Elim-resolution}
216d6ed87399 Initial revision lcp parents: diff changeset	991	\index{elim-resolution\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	992	Consider proving the theorem $((R\disj R)\disj R)\disj R\imp R$. By
216d6ed87399 Initial revision lcp parents: diff changeset	993	$({\imp}I)$, we prove $R$ from the assumption $((R\disj R)\disj R)\disj R$.
216d6ed87399 Initial revision lcp parents: diff changeset	994	Applying $(\disj E)$ to this assumption yields two subgoals, one that
216d6ed87399 Initial revision lcp parents: diff changeset	995	assumes~$R$ (and is therefore trivial) and one that assumes $(R\disj
216d6ed87399 Initial revision lcp parents: diff changeset	996	R)\disj R$. This subgoal admits another application of $(\disj E)$. Since
216d6ed87399 Initial revision lcp parents: diff changeset	997	natural deduction never discards assumptions, we eventually generate a
216d6ed87399 Initial revision lcp parents: diff changeset	998	subgoal containing much that is redundant:
216d6ed87399 Initial revision lcp parents: diff changeset	999	\[ \List{((R\disj R)\disj R)\disj R; (R\disj R)\disj R; R\disj R; R} \Imp R. \]
216d6ed87399 Initial revision lcp parents: diff changeset	1000	In general, using $(\disj E)$ on the assumption $P\disj Q$ creates two new
216d6ed87399 Initial revision lcp parents: diff changeset	1001	subgoals with the additional assumption $P$ or~$Q$. In these subgoals,
216d6ed87399 Initial revision lcp parents: diff changeset	1002	$P\disj Q$ is redundant. It wastes space; worse, it could make a theorem
216d6ed87399 Initial revision lcp parents: diff changeset	1003	prover repeatedly apply~$(\disj E)$, looping. Other elimination rules pose
216d6ed87399 Initial revision lcp parents: diff changeset	1004	similar problems. In first-order logic, only universally quantified
216d6ed87399 Initial revision lcp parents: diff changeset	1005	assumptions are sometimes needed more than once --- say, to prove
216d6ed87399 Initial revision lcp parents: diff changeset	1006	$P(f(f(a)))$ from the assumptions $\forall x.P(x)\imp P(f(x))$ and~$P(a)$.
216d6ed87399 Initial revision lcp parents: diff changeset	1007
216d6ed87399 Initial revision lcp parents: diff changeset	1008	Many logics can be formulated as sequent calculi that delete redundant
216d6ed87399 Initial revision lcp parents: diff changeset	1009	assumptions after use. The rule $(\disj E)$ might become
216d6ed87399 Initial revision lcp parents: diff changeset	1010	\[ \infer[\disj\hbox{-left}]
216d6ed87399 Initial revision lcp parents: diff changeset	1011	{\Gamma,P\disj Q,\Delta \turn \Theta}
216d6ed87399 Initial revision lcp parents: diff changeset	1012	{\Gamma,P,\Delta \turn \Theta && \Gamma,Q,\Delta \turn \Theta} \]
216d6ed87399 Initial revision lcp parents: diff changeset	1013	In backward proof, a goal containing $P\disj Q$ on the left of the~$\turn$
216d6ed87399 Initial revision lcp parents: diff changeset	1014	(that is, as an assumption) splits into two subgoals, replacing $P\disj Q$
216d6ed87399 Initial revision lcp parents: diff changeset	1015	by $P$ or~$Q$. But the sequent calculus, with its explicit handling of
216d6ed87399 Initial revision lcp parents: diff changeset	1016	assumptions, can be tiresome to use.
216d6ed87399 Initial revision lcp parents: diff changeset	1017
216d6ed87399 Initial revision lcp parents: diff changeset	1018	Elim-resolution is Isabelle's way of getting sequent calculus behaviour
216d6ed87399 Initial revision lcp parents: diff changeset	1019	from natural deduction rules. It lets an elimination rule consume an
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1020	assumption. Elim-resolution combines two meta-theorems:
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1021	\begin{itemize}
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1022	\item a rule $\List{\psi@1; \ldots; \psi@m} \Imp \psi$
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1023	\item a proof state $\List{\phi@1; \ldots; \phi@n} \Imp \phi$
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1024	\end{itemize}
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1025	The rule must have at least one premise, thus $m>0$. Write the rule's
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1026	lifted form as $\List{\psi'@1; \ldots; \psi'@m} \Imp \psi'$. Suppose we
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1027	wish to change subgoal number~$i$.
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1028
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1029	Ordinary resolution would attempt to reduce~$\phi@i$,
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1030	replacing subgoal~$i$ by $m$ new ones. Elim-resolution tries
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1031	simultaneously to reduce~$\phi@i$ and to solve~$\psi'@1$ by assumption; it
105 216d6ed87399 Initial revision lcp parents: diff changeset	1032	returns a sequence of next states. Each of these replaces subgoal~$i$ by
216d6ed87399 Initial revision lcp parents: diff changeset	1033	instances of $\psi'@2$, \ldots, $\psi'@m$ from which the selected
216d6ed87399 Initial revision lcp parents: diff changeset	1034	assumption has been deleted. Suppose $\phi@i$ has the parameter~$x$ and
216d6ed87399 Initial revision lcp parents: diff changeset	1035	assumptions $\theta@1$,~\ldots,~$\theta@k$. Then $\psi'@1$, the rule's first
216d6ed87399 Initial revision lcp parents: diff changeset	1036	premise after lifting, will be
216d6ed87399 Initial revision lcp parents: diff changeset	1037	$ \Forall x. \List{\theta@1; \ldots; \theta@k}\Imp \psi^{x}@1 $.
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1038	Elim-resolution tries to unify $\psi'\qeq\phi@i$ and
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1039	$\lambda x. \theta@j \qeq \lambda x. \psi^{x}@1$ simultaneously, for
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1040	$j=1$,~\ldots,~$k$.
105 216d6ed87399 Initial revision lcp parents: diff changeset	1041
216d6ed87399 Initial revision lcp parents: diff changeset	1042	Let us redo the example from~\S\ref{prop-proof}. The elimination rule
216d6ed87399 Initial revision lcp parents: diff changeset	1043	is~$(\disj E)$,
216d6ed87399 Initial revision lcp parents: diff changeset	1044	\[ \List{\Var{P}\disj \Var{Q};\; \Var{P}\Imp \Var{R};\; \Var{Q}\Imp \Var{R}}
216d6ed87399 Initial revision lcp parents: diff changeset	1045	\Imp \Var{R} \]
216d6ed87399 Initial revision lcp parents: diff changeset	1046	and the proof state is $(P\disj P\Imp P)\Imp (P\disj P\imp P)$. The
216d6ed87399 Initial revision lcp parents: diff changeset	1047	lifted rule would be
216d6ed87399 Initial revision lcp parents: diff changeset	1048	\[ \begin{array}{l@{}l}
216d6ed87399 Initial revision lcp parents: diff changeset	1049	\lbrakk\;& P\disj P \Imp \Var{P@1}\disj\Var{Q@1}; \\
216d6ed87399 Initial revision lcp parents: diff changeset	1050	& \List{P\disj P ;\; \Var{P@1}} \Imp \Var{R@1}; \\
216d6ed87399 Initial revision lcp parents: diff changeset	1051	& \List{P\disj P ;\; \Var{Q@1}} \Imp \Var{R@1} \\
216d6ed87399 Initial revision lcp parents: diff changeset	1052	\rbrakk\;& \Imp \Var{R@1}
216d6ed87399 Initial revision lcp parents: diff changeset	1053	\end{array}
216d6ed87399 Initial revision lcp parents: diff changeset	1054	\]
216d6ed87399 Initial revision lcp parents: diff changeset	1055	Unification would take the simultaneous equations
216d6ed87399 Initial revision lcp parents: diff changeset	1056	$P\disj P \qeq \Var{P@1}\disj\Var{Q@1}$ and $\Var{R@1} \qeq P$, yielding
216d6ed87399 Initial revision lcp parents: diff changeset	1057	$\Var{P@1}\equiv\Var{Q@1}\equiv\Var{R@1} \equiv P$. The new proof state
216d6ed87399 Initial revision lcp parents: diff changeset	1058	would be simply
216d6ed87399 Initial revision lcp parents: diff changeset	1059	\[ \List{P \Imp P;\; P \Imp P} \Imp (P\disj P\imp P).
216d6ed87399 Initial revision lcp parents: diff changeset	1060	\]
216d6ed87399 Initial revision lcp parents: diff changeset	1061	Elim-resolution's simultaneous unification gives better control
216d6ed87399 Initial revision lcp parents: diff changeset	1062	than ordinary resolution. Recall the substitution rule:
216d6ed87399 Initial revision lcp parents: diff changeset	1063	$$ \List{\Var{t}=\Var{u}; \Var{P}(\Var{t})} \Imp \Var{P}(\Var{u})
216d6ed87399 Initial revision lcp parents: diff changeset	1064	\eqno(subst) $$
216d6ed87399 Initial revision lcp parents: diff changeset	1065	Unsuitable for ordinary resolution because $\Var{P}(\Var{u})$ admits many
216d6ed87399 Initial revision lcp parents: diff changeset	1066	unifiers, $(subst)$ works well with elim-resolution. It deletes some
216d6ed87399 Initial revision lcp parents: diff changeset	1067	assumption of the form $x=y$ and replaces every~$y$ by~$x$ in the subgoal
216d6ed87399 Initial revision lcp parents: diff changeset	1068	formula. The simultaneous unification instantiates $\Var{u}$ to~$y$; if
216d6ed87399 Initial revision lcp parents: diff changeset	1069	$y$ is not an unknown, then $\Var{P}(y)$ can easily be unified with another
216d6ed87399 Initial revision lcp parents: diff changeset	1070	formula.
216d6ed87399 Initial revision lcp parents: diff changeset	1071
216d6ed87399 Initial revision lcp parents: diff changeset	1072	In logical parlance, the premise containing the connective to be eliminated
216d6ed87399 Initial revision lcp parents: diff changeset	1073	is called the \bfindex{major premise}. Elim-resolution expects the major
216d6ed87399 Initial revision lcp parents: diff changeset	1074	premise to come first. The order of the premises is significant in
216d6ed87399 Initial revision lcp parents: diff changeset	1075	Isabelle.
216d6ed87399 Initial revision lcp parents: diff changeset	1076
216d6ed87399 Initial revision lcp parents: diff changeset	1077	\subsection{Destruction rules} \label{destruct}
216d6ed87399 Initial revision lcp parents: diff changeset	1078	\index{destruction rules\|bold}\index{proof!forward}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1079	Looking back to Fig.\ts\ref{fol-fig}, notice that there are two kinds of
105 216d6ed87399 Initial revision lcp parents: diff changeset	1080	elimination rule. The rules $({\conj}E1)$, $({\conj}E2)$, $({\imp}E)$ and
216d6ed87399 Initial revision lcp parents: diff changeset	1081	$({\forall}E)$ extract the conclusion from the major premise. In Isabelle
216d6ed87399 Initial revision lcp parents: diff changeset	1082	parlance, such rules are called \bfindex{destruction rules}; they are readable
216d6ed87399 Initial revision lcp parents: diff changeset	1083	and easy to use in forward proof. The rules $({\disj}E)$, $({\bot}E)$ and
216d6ed87399 Initial revision lcp parents: diff changeset	1084	$({\exists}E)$ work by discharging assumptions; they support backward proof
216d6ed87399 Initial revision lcp parents: diff changeset	1085	in a style reminiscent of the sequent calculus.
216d6ed87399 Initial revision lcp parents: diff changeset	1086
216d6ed87399 Initial revision lcp parents: diff changeset	1087	The latter style is the most general form of elimination rule. In natural
216d6ed87399 Initial revision lcp parents: diff changeset	1088	deduction, there is no way to recast $({\disj}E)$, $({\bot}E)$ or
216d6ed87399 Initial revision lcp parents: diff changeset	1089	$({\exists}E)$ as destruction rules. But we can write general elimination
216d6ed87399 Initial revision lcp parents: diff changeset	1090	rules for $\conj$, $\imp$ and~$\forall$:
216d6ed87399 Initial revision lcp parents: diff changeset	1091	\[
216d6ed87399 Initial revision lcp parents: diff changeset	1092	\infer{R}{P\conj Q & \infer*{R}{[P,Q]}} \qquad
216d6ed87399 Initial revision lcp parents: diff changeset	1093	\infer{R}{P\imp Q & P & \infer*{R}{[Q]}} \qquad
216d6ed87399 Initial revision lcp parents: diff changeset	1094	\infer{Q}{\forall x.P & \infer*{Q}{[P[t/x]]}}
216d6ed87399 Initial revision lcp parents: diff changeset	1095	\]
216d6ed87399 Initial revision lcp parents: diff changeset	1096	Because they are concise, destruction rules are simpler to derive than the
216d6ed87399 Initial revision lcp parents: diff changeset	1097	corresponding elimination rules. To facilitate their use in backward
216d6ed87399 Initial revision lcp parents: diff changeset	1098	proof, Isabelle provides a means of transforming a destruction rule such as
216d6ed87399 Initial revision lcp parents: diff changeset	1099	\[ \infer[\quad\hbox{to the elimination rule}\quad]{Q}{P@1 & \ldots & P@m}
216d6ed87399 Initial revision lcp parents: diff changeset	1100	\infer{R.}{P@1 & \ldots & P@m & \infer*{R}{[Q]}}
216d6ed87399 Initial revision lcp parents: diff changeset	1101	\]
216d6ed87399 Initial revision lcp parents: diff changeset	1102	\index{destruct-resolution\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	1103	{\bf Destruct-resolution} combines this transformation with
216d6ed87399 Initial revision lcp parents: diff changeset	1104	elim-resolution. It applies a destruction rule to some assumption of a
216d6ed87399 Initial revision lcp parents: diff changeset	1105	subgoal. Given the rule above, it replaces the assumption~$P@1$ by~$Q$,
216d6ed87399 Initial revision lcp parents: diff changeset	1106	with new subgoals of showing instances of $P@2$, \ldots,~$P@m$.
216d6ed87399 Initial revision lcp parents: diff changeset	1107	Destruct-resolution works forward from a subgoal's assumptions. Ordinary
216d6ed87399 Initial revision lcp parents: diff changeset	1108	resolution performs forward reasoning from theorems, as illustrated
216d6ed87399 Initial revision lcp parents: diff changeset	1109	in~\S\ref{joining}.
216d6ed87399 Initial revision lcp parents: diff changeset	1110
216d6ed87399 Initial revision lcp parents: diff changeset	1111
216d6ed87399 Initial revision lcp parents: diff changeset	1112	\subsection{Deriving rules by resolution} \label{deriving}
216d6ed87399 Initial revision lcp parents: diff changeset	1113	\index{rules!derived\|bold}
216d6ed87399 Initial revision lcp parents: diff changeset	1114	The meta-logic, itself a form of the predicate calculus, is defined by a
216d6ed87399 Initial revision lcp parents: diff changeset	1115	system of natural deduction rules. Each theorem may depend upon
216d6ed87399 Initial revision lcp parents: diff changeset	1116	meta-assumptions. The theorem that~$\phi$ follows from the assumptions
216d6ed87399 Initial revision lcp parents: diff changeset	1117	$\phi@1$, \ldots, $\phi@n$ is written
216d6ed87399 Initial revision lcp parents: diff changeset	1118	\[ \phi \quad [\phi@1,\ldots,\phi@n]. \]
216d6ed87399 Initial revision lcp parents: diff changeset	1119	A more conventional notation might be $\phi@1,\ldots,\phi@n \turn \phi$,
216d6ed87399 Initial revision lcp parents: diff changeset	1120	but Isabelle's notation is more readable with large formulae.
216d6ed87399 Initial revision lcp parents: diff changeset	1121
216d6ed87399 Initial revision lcp parents: diff changeset	1122	Meta-level natural deduction provides a convenient mechanism for deriving
216d6ed87399 Initial revision lcp parents: diff changeset	1123	new object-level rules. To derive the rule
216d6ed87399 Initial revision lcp parents: diff changeset	1124	\[ \infer{\phi,}{\theta@1 & \ldots & \theta@k} \]
216d6ed87399 Initial revision lcp parents: diff changeset	1125	assume the premises $\theta@1$,~\ldots,~$\theta@k$ at the
216d6ed87399 Initial revision lcp parents: diff changeset	1126	meta-level. Then prove $\phi$, possibly using these assumptions.
216d6ed87399 Initial revision lcp parents: diff changeset	1127	Starting with a proof state $\phi\Imp\phi$, assumptions may accumulate,
216d6ed87399 Initial revision lcp parents: diff changeset	1128	reaching a final state such as
216d6ed87399 Initial revision lcp parents: diff changeset	1129	\[ \phi \quad [\theta@1,\ldots,\theta@k]. \]
216d6ed87399 Initial revision lcp parents: diff changeset	1130	The meta-rule for $\Imp$ introduction discharges an assumption.
216d6ed87399 Initial revision lcp parents: diff changeset	1131	Discharging them in the order $\theta@k,\ldots,\theta@1$ yields the
216d6ed87399 Initial revision lcp parents: diff changeset	1132	meta-theorem $\List{\theta@1; \ldots; \theta@k} \Imp \phi$, with no
216d6ed87399 Initial revision lcp parents: diff changeset	1133	assumptions. This represents the desired rule.
216d6ed87399 Initial revision lcp parents: diff changeset	1134	Let us derive the general $\conj$ elimination rule:
216d6ed87399 Initial revision lcp parents: diff changeset	1135	$$ \infer{R}{P\conj Q & \infer*{R}{[P,Q]}} \eqno(\conj E)$$
216d6ed87399 Initial revision lcp parents: diff changeset	1136	We assume $P\conj Q$ and $\List{P;Q}\Imp R$, and commence backward proof in
216d6ed87399 Initial revision lcp parents: diff changeset	1137	the state $R\Imp R$. Resolving this with the second assumption yields the
216d6ed87399 Initial revision lcp parents: diff changeset	1138	state
216d6ed87399 Initial revision lcp parents: diff changeset	1139	\[ \phantom{\List{P\conj Q;\; P\conj Q}}
216d6ed87399 Initial revision lcp parents: diff changeset	1140	\llap{$\List{P;Q}$}\Imp R \quad [\,\List{P;Q}\Imp R\,]. \]
216d6ed87399 Initial revision lcp parents: diff changeset	1141	Resolving subgoals~1 and~2 with $({\conj}E1)$ and $({\conj}E2)$,
216d6ed87399 Initial revision lcp parents: diff changeset	1142	respectively, yields the state
216d6ed87399 Initial revision lcp parents: diff changeset	1143	\[ \List{P\conj Q;\; P\conj Q}\Imp R \quad [\,\List{P;Q}\Imp R\,]. \]
216d6ed87399 Initial revision lcp parents: diff changeset	1144	Resolving both subgoals with the assumption $P\conj Q$ yields
216d6ed87399 Initial revision lcp parents: diff changeset	1145	\[ R \quad [\, \List{P;Q}\Imp R, P\conj Q \,]. \]
216d6ed87399 Initial revision lcp parents: diff changeset	1146	The proof may use the meta-assumptions in any order, and as often as
216d6ed87399 Initial revision lcp parents: diff changeset	1147	necessary; when finished, we discharge them in the correct order to
216d6ed87399 Initial revision lcp parents: diff changeset	1148	obtain the desired form:
216d6ed87399 Initial revision lcp parents: diff changeset	1149	\[ \List{P\conj Q;\; \List{P;Q}\Imp R} \Imp R \]
216d6ed87399 Initial revision lcp parents: diff changeset	1150	We have derived the rule using free variables, which prevents their
216d6ed87399 Initial revision lcp parents: diff changeset	1151	premature instantiation during the proof; we may now replace them by
216d6ed87399 Initial revision lcp parents: diff changeset	1152	schematic variables.
216d6ed87399 Initial revision lcp parents: diff changeset	1153
216d6ed87399 Initial revision lcp parents: diff changeset	1154	\begin{warn}
296 e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1155	Schematic variables are not allowed in meta-assumptions because they would
e1f6cd9f682e revisions to first Springer draft lcp parents: 105 diff changeset	1156	complicate lifting. Meta-assumptions remain fixed throughout a proof.
105 216d6ed87399 Initial revision lcp parents: diff changeset	1157	\end{warn}
216d6ed87399 Initial revision lcp parents: diff changeset	1158

author	lcp
	Thu, 24 Mar 1994 13:25:12 +0100
changeset 296	e1f6cd9f682e
parent 105	216d6ed87399
child 312	7ceea59b4748
permissions	-rw-r--r--