isabelle: doc-src/TutorialI/IsarOverview/Isar/Logic.thy@e4dc78f4e51e (annotated)

13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	1	(<)theory Logic = Main:(>)
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	2	text{* We begin by looking at a simplified grammar for Isar proofs
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	3	where paranthesis are used for grouping and $^?$ indicates an optional item:
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	4	\begin{center}
502f69ea6627 * empty log message * nipkow parents: diff changeset	5	\begin{tabular}{lrl}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	6	\emph{proof} & ::= & \isakeyword{proof} \emph{method}$^?$
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	7	\emph{statement}*
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	8	\isakeyword{qed} \\
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	9	&$\mid$& \isakeyword{by} \emph{method}\\[1ex]
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	10	\emph{statement} &::= & \isakeyword{fix} \emph{variables} \\
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	11	&$\mid$& \isakeyword{assume} \emph{proposition}
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	12	(\isakeyword{and} \emph{proposition})*\\
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	13	&$\mid$& (\isakeyword{from} \emph{label}$^*$ $\mid$
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	14	\isakeyword{then})$^?$
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	15	(\isakeyword{show} $\mid$ \isakeyword{have})
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	16	\emph{string} \emph{proof} \\[1ex]
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	17	\emph{proposition} &::=& (\emph{label}{\bf:})$^?$ \emph{string}
502f69ea6627 * empty log message * nipkow parents: diff changeset	18	\end{tabular}
502f69ea6627 * empty log message * nipkow parents: diff changeset	19	\end{center}
502f69ea6627 * empty log message * nipkow parents: diff changeset	20
502f69ea6627 * empty log message * nipkow parents: diff changeset	21	This is a typical proof skeleton:
502f69ea6627 * empty log message * nipkow parents: diff changeset	22	\begin{center}
502f69ea6627 * empty log message * nipkow parents: diff changeset	23	\begin{tabular}{@ {}ll}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	24	\isakeyword{proof}\\
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	25	\hspace*{3ex}\isakeyword{assume} @{text"\""}\emph{the-assm}@{text"\""}\\
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	26	\hspace*{3ex}\isakeyword{have} @{text"\""}\dots@{text"\""} & -- intermediate result\\
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	27	\hspace*{3ex}\vdots\\
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	28	\hspace*{3ex}\isakeyword{have} @{text"\""}\dots@{text"\""} & -- intermediate result\\
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	29	\hspace*{3ex}\isakeyword{show} @{text"\""}\emph{the-concl}@{text"\""}\\
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	30	\isakeyword{qed}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	31	\end{tabular}
502f69ea6627 * empty log message * nipkow parents: diff changeset	32	\end{center}
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	33	It proves \emph{the-assm}~@{text"\<Longrightarrow>"}~\emph{the-concl}.
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	34	Text starting with ``--'' is a comment.
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	35	*}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	36
502f69ea6627 * empty log message * nipkow parents: diff changeset	37	section{Logic}
502f69ea6627 * empty log message * nipkow parents: diff changeset	38
502f69ea6627 * empty log message * nipkow parents: diff changeset	39	subsection{Propositional logic}
502f69ea6627 * empty log message * nipkow parents: diff changeset	40
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	41	subsubsection{Introduction rules}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	42
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	43	text{* We start with a really trivial toy proof to introduce the basic
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	44	features of structured proofs. *}
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	45
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	46	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	47	proof (rule impI)
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	48	assume a: "A"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	49	show "A" by(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	50	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	51
502f69ea6627 * empty log message * nipkow parents: diff changeset	52	text{*\noindent
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	53	The operational reading: the \isakeyword{assume}-\isakeyword{show} block
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	54	proves @{prop"A \<Longrightarrow> A"},
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	55	which rule @{thm[source]impI} turns into the desired @{prop"A \<longrightarrow> A"}.
502f69ea6627 * empty log message * nipkow parents: diff changeset	56	However, this text is much too detailled for comfort. Therefore Isar
502f69ea6627 * empty log message * nipkow parents: diff changeset	57	implements the following principle:
502f69ea6627 * empty log message * nipkow parents: diff changeset	58	\begin{quote}\em
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	59	Command \isakeyword{proof} automatically tries to select an introduction rule
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	60	based on the goal and a predefined list of rules.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	61	\end{quote}
502f69ea6627 * empty log message * nipkow parents: diff changeset	62	Here @{thm[source]impI} is applied automatically:
502f69ea6627 * empty log message * nipkow parents: diff changeset	63	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	64
502f69ea6627 * empty log message * nipkow parents: diff changeset	65	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	66	proof
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	67	assume a: "A"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	68	show "A" by(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	69	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	70
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	71	text{* Trivial proofs, in particular those by assumption, should be trivial
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	72	to perform. Method ``.'' does just that (and a bit more --- see later). Thus
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	73	naming of assumptions is often superfluous: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	74
502f69ea6627 * empty log message * nipkow parents: diff changeset	75	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	76	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	77	assume "A"
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	78	show "A" .
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	79	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	80
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	81	text{* To hide proofs by assumption further, \isakeyword{by}@{text"(method)"}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	82	first applies @{text method} and then tries to solve all remaining subgoals
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	83	by assumption: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	84
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	85	lemma "A \<longrightarrow> A \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	86	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	87	assume A
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	88	show "A \<and> A" by(rule conjI)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	89	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	90
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	91	text{*\noindent A drawback of these implicit proofs by assumption is that it
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	92	is no longer obvious where an assumption is used.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	93
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	94	Proofs of the form \isakeyword{by}@{text"(rule"}~\emph{name}@{text")"} can be
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	95	abbreviated to ``..''
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	96	if \emph{name} is one of the predefined introduction rules:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	97	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	98
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	99	lemma "A \<longrightarrow> A \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	100	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	101	assume A
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	102	show "A \<and> A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	103	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	104
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	105	text{*\noindent
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	106	This is what happens: first the matching introduction rule @{thm[source]conjI}
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	107	is applied (first ``.''), then the two subgoals are solved by assumption
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	108	(second ``.''). *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	109
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	110	subsubsection{Elimination rules}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	111
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	112	text{*A typical elimination rule is @{thm[source]conjE}, $\land$-elimination:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	113	@{thm[display,indent=5]conjE[no_vars]} In the following proof it is applied
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	114	by hand, after its first (``\emph{major}'') premise has been eliminated via
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	115	@{text"[OF AB]"}: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	116
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	117	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	118	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	119	assume AB: "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	120	show "B \<and> A"
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	121	proof (rule conjE[OF AB]) -- {@{prop"(A \<Longrightarrow> B \<Longrightarrow> R) \<Longrightarrow> R"}}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	122	assume A and B
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	123	show ?thesis ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	124	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	125	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	126
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	127	text{*\noindent Note that the term @{text"?thesis"} always stands for the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	128	``current goal'', i.e.\ the enclosing \isakeyword{show} (or
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	129	\isakeyword{have}).
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	130
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	131	This is too much proof text. Elimination rules should be selected
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	132	automatically based on their major premise, the formula or rather connective
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	133	to be eliminated. In Isar they are triggered by propositions being fed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	134	\emph{into} a proof block. Syntax:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	135	\begin{center}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	136	\isakeyword{from} \emph{fact} \isakeyword{show} \emph{proposition}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	137	\end{center}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	138	where \emph{fact} stands for the name of a previously proved
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	139	proposition, e.g.\ an assumption, an intermediate result or some global
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	140	theorem. The fact may also be modified with @{text of}, @{text OF} etc.
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	141	This command applies an elimination rule (from a predefined list)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	142	whose first premise is solved by the fact. Thus: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	143
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	144	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	145	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	146	assume AB: "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	147	from AB show "B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	148	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	149	assume A and B
502f69ea6627 * empty log message * nipkow parents: diff changeset	150	show ?thesis ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	151	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	152	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	153
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	154	text{* Now we come a second important principle:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	155	\begin{quote}\em
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	156	Try to arrange the sequence of propositions in a UNIX-like pipe,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	157	such that the proof of each proposition builds on the previous proposition.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	158	\end{quote}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	159	The previous proposition can be referred to via the fact @{text this}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	160	This greatly reduces the need for explicit naming of propositions:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	161	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	162
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	163	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	164	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	165	assume "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	166	from this show "B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	167	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	168	assume A and B
502f69ea6627 * empty log message * nipkow parents: diff changeset	169	show ?thesis ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	170	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	171	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	172
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	173	text{*\noindent
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	174	A final simplification: \isakeyword{from}~@{text this} can be
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	175	abbreviated to \isakeyword{thus}.
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	176	\medskip
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	177
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	178	Here is an alternative proof that operates purely by forward reasoning: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	179
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	180	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	181	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	182	assume ab: "A \<and> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	183	from ab have a: A ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	184	from ab have b: B ..
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	185	from b a show "B \<and> A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	186	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	187
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	188	text{*\noindent
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	189	It is worth examining this text in detail because it exhibits a number of new features.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	190
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	191	For a start, this is the first time we have proved intermediate propositions
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	192	(\isakeyword{have}) on the way to the final \isakeyword{show}. This is the
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	193	norm in any nontrival proof where one cannot bridge the gap between the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	194	assumptions and the conclusion in one step. Both \isakeyword{have}s above are
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	195	proved automatically via @{thm[source]conjE} triggered by
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	196	\isakeyword{from}~@{text ab}.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	197
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	198	The \isakeyword{show} command illustrates two things:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	199	\begin{itemize}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	200	\item \isakeyword{from} can be followed by any number of facts.
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	201	Given \isakeyword{from}~@{text f}$_1$~\dots~@{text f}$_n$, \isakeyword{show}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	202	tries to find an elimination rule whose first $n$ premises can be proved
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	203	by the given facts in the given order.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	204	\item If there is no matching elimination rule, introduction rules are tried,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	205	again using the facts to prove the premises.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	206	\end{itemize}
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	207	In this case, the proof succeeds with @{thm[source]conjI}. Note that the proof
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	208	would fail if we had written \isakeyword{from}~@{text"a b"}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	209	instead of \isakeyword{from}~@{text"b a"}.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	210
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	211	This treatment of facts fed into a proof is not restricted to implicit
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	212	application of introduction and elimination rules but applies to explicit
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	213	application of rules as well. Thus you could replace the final ``..'' above
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	214	with \isakeyword{by}@{text"(rule conjI)"}.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	215
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	216	Note that Isar's predefined introduction and elimination rules include all the
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	217	usual natural deduction rules for propositional logic. We conclude this
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	218	section with an extended example --- which rules are used implicitly where?
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	219	Rule @{thm[source]ccontr} is @{thm ccontr[no_vars]}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	220	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	221
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	222	lemma "\<not>(A \<and> B) \<longrightarrow> \<not>A \<or> \<not>B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	223	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	224	assume n: "\<not>(A \<and> B)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	225	show "\<not>A \<or> \<not>B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	226	proof (rule ccontr)
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	227	assume nn: "\<not>(\<not>A \<or> \<not>B)"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	228	from n show False
502f69ea6627 * empty log message * nipkow parents: diff changeset	229	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	230	show "A \<and> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	231	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	232	show A
502f69ea6627 * empty log message * nipkow parents: diff changeset	233	proof (rule ccontr)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	234	assume "\<not>A"
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	235	have "\<not>A \<or> \<not>B" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	236	from nn this show False ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	237	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	238	next
502f69ea6627 * empty log message * nipkow parents: diff changeset	239	show B
502f69ea6627 * empty log message * nipkow parents: diff changeset	240	proof (rule ccontr)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	241	assume "\<not>B"
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	242	have "\<not>A \<or> \<not>B" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	243	from nn this show False ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	244	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	245	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	246	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	247	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	248	qed;
502f69ea6627 * empty log message * nipkow parents: diff changeset	249
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	250	text{*\noindent Apart from demonstrating the strangeness of classical
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	251	arguments by contradiction, this example also introduces a new language
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	252	feature to deal with multiple subgoals: \isakeyword{next}. When showing
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	253	@{term"A \<and> B"} we need to show both @{term A} and @{term B}. Each subgoal
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	254	is proved separately, in \emph{any} order. The individual proofs are
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	255	separated by \isakeyword{next}. *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	256
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	257	subsection{Avoiding duplication}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	258
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	259	text{* So far our examples have been a bit unnatural: normally we want to
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	260	prove rules expressed with @{text"\<Longrightarrow>"}, not @{text"\<longrightarrow>"}. Here is an example:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	261	*}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	262
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	263	lemma "(A \<Longrightarrow> False) \<Longrightarrow> \<not> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	264	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	265	assume "A \<Longrightarrow> False" "A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	266	thus False .
502f69ea6627 * empty log message * nipkow parents: diff changeset	267	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	268
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	269	text{*\noindent The \isakeyword{proof} always works on the conclusion,
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	270	@{prop"\<not>A"} in our case, thus selecting $\neg$-introduction. Hence we can
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	271	additionally assume @{prop"A"}. Why does ``.'' prove @{prop False}? Because
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	272	``.'' tries any of the assumptions, including proper rules (here: @{prop"A \<Longrightarrow>
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	273	False"}), such that all of its premises can be solved directly by some other
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	274	assumption (here: @{prop A}).
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	275
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	276	This is all very well as long as formulae are small. Let us now look at some
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	277	devices to avoid repeating (possibly large) formulae. A very general method
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	278	is pattern matching: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	279
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	280	lemma "(large_formula \<Longrightarrow> False) \<Longrightarrow> \<not> large_formula"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	281	(is "(?P \<Longrightarrow> _) \<Longrightarrow> _")
502f69ea6627 * empty log message * nipkow parents: diff changeset	282	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	283	assume "?P \<Longrightarrow> False" ?P
502f69ea6627 * empty log message * nipkow parents: diff changeset	284	thus False .
502f69ea6627 * empty log message * nipkow parents: diff changeset	285	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	286
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	287	text{*\noindent Any formula may be followed by
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	288	@{text"("}\isakeyword{is}~\emph{pattern}@{text")"} which causes the pattern
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	289	to be matched against the formula, instantiating the @{text"?"}-variables in
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	290	the pattern. Subsequent uses of these variables in other terms simply causes
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	291	them to be replaced by the terms they stand for.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	292
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	293	We can simplify things even more by stating the theorem by means of the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	294	\isakeyword{assumes} and \isakeyword{shows} primitives which allow direct
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	295	naming of assumptions: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	296
502f69ea6627 * empty log message * nipkow parents: diff changeset	297	lemma assumes A: "large_formula \<Longrightarrow> False"
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	298	shows "\<not> large_formula" (is "\<not> ?P")
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	299	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	300	assume ?P
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	301	with A show False .
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	302	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	303
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	304	text{*\noindent Here we have used the abbreviation
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	305	\begin{center}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	306	\isakeyword{with}~\emph{facts} \quad = \quad
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	307	\isakeyword{from}~\emph{facts} \isakeyword{and} @{text this}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	308	\end{center}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	309
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	310	Sometimes it is necessary to supress the implicit application of rules in a
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	311	\isakeyword{proof}. For example \isakeyword{show}~@{prop"A \<or> B"} would
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	312	trigger $\lor$-introduction, requiring us to prove @{prop A}. A simple
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	313	``@{text"-"}'' prevents this \emph{faut pas}: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	314
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	315	lemma assumes AB: "A \<or> B" shows "B \<or> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	316	proof -
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	317	from AB show ?thesis
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	318	proof
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	319	assume A show ?thesis ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	320	next
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	321	assume B show ?thesis ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	322	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	323	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	324
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	325	subsection{Predicate calculus}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	326
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	327	text{* Command \isakeyword{fix} introduces new local variables into a
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	328	proof. It corresponds to @{text"\<And>"} (the universal quantifier at the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	329	meta-level) just like \isakeyword{assume}-\isakeyword{show} corresponds to
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	330	@{text"\<Longrightarrow>"}. Here is a sample proof, annotated with the rules that are
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	331	applied implictly: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	332
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	333	lemma assumes P: "\<forall>x. P x" shows "\<forall>x. P(f x)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	334	proof -- "@{thm[source]allI}: @{thm allI[no_vars]}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	335	fix a
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	336	from P show "P(f a)" .. --"@{thm[source]allE}: @{thm allE[no_vars]}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	337	qed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	338
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	339	text{*\noindent Note that in the proof we have chosen to call the bound
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	340	variable @{term a} instead of @{term x} merely to show that the choice of
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	341	names is irrelevant.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	342
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	343	Next we look at @{text"\<exists>"} which is a bit more tricky.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	344	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	345
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	346	lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	347	proof -
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	348	from Pf show ?thesis
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	349	proof -- "@{thm[source]exE}: @{thm exE[no_vars]}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	350	fix a
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	351	assume "P(f a)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	352	show ?thesis .. --"@{thm[source]exI}: @{thm exI[no_vars]}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	353	qed
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	354	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	355
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	356	text {*\noindent
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	357	Explicit $\exists$-elimination as seen above can become
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	358	cumbersome in practice. The derived Isar language element
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	359	\isakeyword{obtain} provides a more handsome way to perform
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	360	generalized existence reasoning:
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	361	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	362
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	363	lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	364	proof -
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	365	from Pf obtain a where "P(f a)" ..
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	366	thus "\<exists>y. P y" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	367	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	368
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	369	text {*\noindent Note how the proof text follows the usual mathematical style
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	370	of concluding $P(x)$ from $\exists x. P(x)$, while carefully introducing $x$
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	371	as a new local variable. Technically, \isakeyword{obtain} is similar to
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	372	\isakeyword{fix} and \isakeyword{assume} together with a soundness proof of
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	373	the elimination involved. Thus it behaves similar to any other forward proof
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	374	element.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	375
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	376	Here is a proof of a well known tautology which employs another useful
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	377	abbreviation: \isakeyword{hence} abbreviates \isakeyword{from}~@{text
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	378	this}~\isakeyword{have}. Figure out which rule is used where! *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	379
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	380	lemma assumes ex: "\<exists>x. \<forall>y. P x y" shows "\<forall>y. \<exists>x. P x y"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	381	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	382	fix y
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	383	from ex obtain x where "\<forall>y. P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	384	hence "P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	385	thus "\<exists>x. P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	386	qed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	387
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	388	text{* So far we have confined ourselves to single step proofs. Of course
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	389	powerful automatic methods can be used just as well. Here is an example,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	390	Cantor's theorem that there is no surjective function from a set to its
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	391	powerset: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	392
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	393	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	394	proof
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	395	let ?S = "{x. x \<notin> f x}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	396	show "?S \<notin> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	397	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	398	assume "?S \<in> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	399	then obtain y where fy: "?S = f y" ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	400	show False
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	401	proof cases
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	402	assume "y \<in> ?S"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	403	with fy show False by blast
502f69ea6627 * empty log message * nipkow parents: diff changeset	404	next
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	405	assume "y \<notin> ?S"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	406	with fy show False by blast
502f69ea6627 * empty log message * nipkow parents: diff changeset	407	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	408	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	409	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	410
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	411	text{*\noindent
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	412	For a start, the example demonstrates two new language elements:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	413	\begin{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	414	\item \isakeyword{let} introduces an abbreviation for a term, in our case
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	415	the witness for the claim, because the term occurs multiple times in the proof.
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	416	\item Proof by @{text"cases"} starts a proof by cases. Note that it remains
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	417	implicit what the two cases are: it is merely expected that the two subproofs
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	418	prove @{prop"P \<Longrightarrow> Q"} and @{prop"\<not>P \<Longrightarrow> Q"} for suitable @{term P} and
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	419	@{term Q}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	420	\end{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	421	If you wonder how to \isakeyword{obtain} @{term y}:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	422	via the predefined elimination rule @{thm rangeE[no_vars]}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	423
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	424	Method @{text blast} is used because the contradiction does not follow easily
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	425	by just a single rule. If you find the proof too cryptic for human
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	426	consumption, here is a more detailed version; the beginning up to
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	427	\isakeyword{obtain} stays unchanged. *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	428
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	429	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	430	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	431	let ?S = "{x. x \<notin> f x}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	432	show "?S \<notin> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	433	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	434	assume "?S \<in> range f"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	435	then obtain y where fy: "?S = f y" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	436	show False
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	437	proof cases
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	438	assume A: "y \<in> ?S"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	439	hence isin: "y \<in> f y" by(simp add:fy)
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	440	from A have "y \<notin> f y" by simp
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	441	with isin show False by contradiction
502f69ea6627 * empty log message * nipkow parents: diff changeset	442	next
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	443	assume A: "y \<notin> ?S"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	444	hence notin: "y \<notin> f y" by(simp add:fy)
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	445	from A have "y \<in> f y" by simp
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	446	with notin show False by contradiction
502f69ea6627 * empty log message * nipkow parents: diff changeset	447	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	448	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	449	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	450
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	451	text {*\noindent Method @{text contradiction} succeeds if both $P$ and
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	452	$\neg P$ are among the assumptions and the facts fed into that step.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	453
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	454	As it happens, Cantor's theorem can be proved automatically by best-first
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	455	search. Depth-first search would diverge, but best-first search successfully
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	456	navigates through the large search space:
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	457	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	458
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	459	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	460	by best
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	461
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	462	text{*\noindent Of course this only works in the context of HOL's carefully
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	463	constructed introduction and elimination rules for set theory.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	464
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	465	Finally, whole scripts may appear in the leaves of the proof tree, although
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	466	this is best avoided. Here is a contrived example: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	467
502f69ea6627 * empty log message * nipkow parents: diff changeset	468	lemma "A \<longrightarrow> (A \<longrightarrow>B) \<longrightarrow> B"
502f69ea6627 * empty log message * nipkow parents: diff changeset	469	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	470	assume a: A
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	471	show "(A \<longrightarrow>B) \<longrightarrow> B"
502f69ea6627 * empty log message * nipkow parents: diff changeset	472	apply(rule impI)
502f69ea6627 * empty log message * nipkow parents: diff changeset	473	apply(erule impE)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	474	apply(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	475	apply assumption
502f69ea6627 * empty log message * nipkow parents: diff changeset	476	done
502f69ea6627 * empty log message * nipkow parents: diff changeset	477	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	478
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	479	text{*\noindent You may need to resort to this technique if an automatic step
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	480	fails to prove the desired proposition. *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	481
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	482
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	483	section{Case distinction and induction}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	484
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	485
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	486	subsection{Case distinction}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	487
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	488	text{* We have already met the @{text cases} method for performing
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	489	binary case splits. Here is another example: *}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	490
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	491	lemma "P \<or> \<not> P"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	492	proof cases
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	493	assume "P" thus ?thesis ..
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	494	next
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	495	assume "\<not> P" thus ?thesis ..
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	496	qed
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	497
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	498	text{*\noindent As always, the cases can be tackled in any order.
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	499
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	500	This form is appropriate if @{term P} is textually small. However, if
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	501	@{term P} is large, we don't want to repeat it. This can be avoided by
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	502	the following idiom *}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	503
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	504	lemma "P \<or> \<not> P"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	505	proof (cases "P")
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	506	case True thus ?thesis ..
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	507	next
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	508	case False thus ?thesis ..
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	509	qed
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	510
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	511	text{*\noindent which is simply a shorthand for the previous
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	512	proof. More precisely, the phrases \isakeyword{case}~@{prop
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	513	True}/@{prop False} abbreviate the corresponding assumptions @{prop P}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	514	and @{prop"\<not>P"}.
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	515
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	516	The same game can be played with other datatypes, for example lists:
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	517	*}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	518	(<)declare length_tl[simp del](>)
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	519	lemma "length(tl xs) = length xs - 1"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	520	proof (cases xs)
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	521	case Nil thus ?thesis by simp
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	522	next
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	523	case Cons thus ?thesis by simp
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	524	qed
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	525
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	526	text{*\noindent Here \isakeyword{case}~@{text Nil} abbreviates
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	527	\isakeyword{assume}~@{prop"x = []"} and \isakeyword{case}~@{text Cons}
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	528	abbreviates \isakeyword{assume}~@{text"xs = _ # _"}. The names of the head
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	529	and tail of @{text xs} have been chosen by the system. Therefore we cannot
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	530	refer to them (this would lead to brittle proofs) and have not even shown
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	531	them. Luckily, the proof is simple enough we do not need to refer to them.
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	532	However, in general one may have to. Hence Isar offers a simple scheme for
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	533	naming those variables: Replace the anonymous @{text Cons} by, for example,
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	534	@{text"(Cons y ys)"}, which abbreviates \isakeyword{fix}~@{text"y ys"}
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	535	\isakeyword{assume}~@{text"xs = Cons y ys"}, i.e.\ @{prop"xs = y # ys"}. Here
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	536	is a (somewhat contrived) example: *}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	537
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	538	lemma "length(tl xs) = length xs - 1"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	539	proof (cases xs)
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	540	case Nil thus ?thesis by simp
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	541	next
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	542	case (Cons y ys)
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	543	hence "length(tl xs) = length ys \<and> length xs = length ys + 1"
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	544	by simp
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	545	thus ?thesis by simp
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	546	qed
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	547
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	548	text{* New case distincion rules can be declared any time, even with
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	549	named cases. *}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	550
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	551
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	552	subsection{Induction}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	553
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	554
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	555	subsubsection{Structural induction}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	556
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	557	text{* We start with a simple inductive proof where both cases are proved automatically: *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	558
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	559	lemma "2 * (\<Sum>i<n+1. i) = n*(n+1)"
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	560	by (induct n, simp_all)
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	561
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	562	text{*\noindent If we want to expose more of the structure of the
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	563	proof, we can use pattern matching to avoid having to repeat the goal
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	564	statement: *}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	565
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	566	lemma "2 * (\<Sum>i<n+1. i) = n*(n+1)" (is "?P n")
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	567	proof (induct n)
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	568	show "?P 0" by simp
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	569	next
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	570	fix n assume "?P n"
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	571	thus "?P(Suc n)" by simp
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	572	qed
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	573
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	574	text{* \noindent We could refine this further to show more of the equational
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	575	proof. Instead we explore the same avenue as for case distinctions:
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	576	introducing context via the \isakeyword{case} command: *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	577
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	578	lemma "2 * (\<Sum>i<n+1. i) = n*(n+1)"
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	579	proof (induct n)
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	580	case 0 show ?case by simp
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	581	next
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	582	case Suc thus ?case by simp
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	583	qed
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	584
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	585	text{* \noindent The implicitly defined @{text ?case} refers to the
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	586	corresponding case to be proved, i.e.\ @{text"?P 0"} in the first case and
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	587	@{text"?P(Suc n)"} in the second case. Context \isakeyword{case}~@{text 0} is
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	588	empty whereas \isakeyword{case}~@{text Suc} assumes @{text"?P n"}. Again we
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	589	have the same problem as with case distinctions: we cannot refer to @{term n}
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	590	in the induction step because it has not been introduced via \isakeyword{fix}
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	591	(in contrast to the previous proof). The solution is the same as above:
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	592	replace @{term Suc} by @{text"(Suc i)"}: *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	593
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	594	lemma fixes n::nat shows "n < n*n + 1"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	595	proof (induct n)
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	596	case 0 show ?case by simp
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	597	next
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	598	case (Suc i) thus "Suc i < Suc i * Suc i + 1" by simp
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	599	qed
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	600
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	601	text{* \noindent Of course we could again have written
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	602	\isakeyword{thus}~@{text ?case} instead of giving the term explicitly
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	603	but we wanted to use @{term i} somewehere.
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	604
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	605	Let us now tackle a more ambitious lemma: proving complete induction
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	606	@{prop[display,indent=5]"(\<And>n. (\<And>m. m < n \<Longrightarrow> P m) \<Longrightarrow> P n) \<Longrightarrow> P n"}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	607	via structural induction. It is well known that one needs to prove
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	608	something more general first: *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	609
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	610	lemma cind_lemma:
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	611	assumes A: "(\<And>n. (\<And>m. m < n \<Longrightarrow> P m) \<Longrightarrow> P n)"
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	612	shows "\<And>m. m < n \<Longrightarrow> P(m::nat)"
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	613	proof (induct n)
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	614	case 0 thus ?case by simp
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	615	next
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	616	case (Suc n m)
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	617	show ?case
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	618	proof cases
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	619	assume eq: "m = n"
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	620	from Suc A have "P n" by blast
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	621	with eq show "P m" by simp
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	622	next
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	623	assume neq: "m \<noteq> n"
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	624	with Suc have "m < n" by simp
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	625	with Suc show "P m" by blast
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	626	qed
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	627	qed
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	628
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	629	text{* \noindent Let us first examine the statement of the lemma.
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	630	In contrast to the style advertized in the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	631	Tutorial~\cite{LNCS2283}, structured Isar proofs do not need to
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	632	introduce @{text"\<forall>"} or @{text"\<longrightarrow>"} into a theorem to strengthen it
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	633	for induction --- we use @{text"\<And>"} and @{text"\<Longrightarrow>"} instead. This
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	634	simplifies the proof and means we don't have to convert between the
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	635	two kinds of connectives. As usual, at the end of the proof
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	636	@{text"\<And>"} disappears and the bound variable is turned into a
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	637	@{text"?"}-variable. Thus @{thm[source]cind_lemma} becomes
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	638	@{thm[display,indent=5] cind_lemma} Complete induction is an easy
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	639	corollary: instantiation followed by
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	640	simplification, @{thm[source] cind_lemma[of _ n "Suc n", simplified]},
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	641	yields @{thm[display,indent=5] cind_lemma[of _ n "Suc n", simplified]}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	642
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	643	Now we examine the proof. So what is this funny case @{text"(Suc n m)"}? It
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	644	looks confusing at first and reveals that the very suggestive @{text"(Suc
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	645	n)"} used above is not the whole truth. The variable names after the case
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	646	name (here: @{term Suc}) are the names of the parameters of that subgoal. So
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	647	far the only parameters where the arguments to the constructor, but now we
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	648	have an additonal parameter coming from the @{text"\<And>m"} in the main
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	649	\isakeyword{shows} clause. Thus Thus @{text"(Suc n m)"} does not mean that
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	650	constructor @{term Suc} is applied to two arguments but that the two
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	651	parameters in the @{term Suc} case are to be named @{text n} and @{text
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	652	m}. *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	653
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	654	subsubsection{Rule induction}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	655
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	656	text{* We define our own version of reflexive transitive closure of a
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	657	relation *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	658
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	659	consts rtc :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set" ("_*" [1000] 999)
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	660	inductive "r*"
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	661	intros
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	662	refl: "(x,x) \<in> r*"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	663	step: "\<lbrakk> (x,y) \<in> r; (y,z) \<in> r* \<rbrakk> \<Longrightarrow> (x,z) \<in> r*"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	664
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	665	text{* \noindent and prove that @{term"r"} is indeed transitive: }
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	666
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	667	lemma assumes A: "(x,y) \<in> r*"
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	668	shows "(y,z) \<in> r* \<Longrightarrow> (x,z) \<in> r*" (is "PROP ?P x y")
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	669	proof -
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	670	from A show "PROP ?P x y"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	671	proof induct
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	672	fix x show "PROP ?P x x" .
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	673	next
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	674	fix x' x y
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	675	assume "(x',x) \<in> r" and
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	676	"PROP ?P x y" -- "The induction hypothesis"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	677	thus "PROP ?P x' y" by(blast intro: rtc.step)
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	678	qed
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	679	qed
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	680
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	681	text{*\noindent Rule induction is triggered by a fact $(x_1,\dots,x_n) \in R$
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	682	piped into the proof, here \isakeyword{from}~@{text A}. The proof itself
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	683	follows the two rules of the inductive definition very closely. The only
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	684	surprising thing should be the keyword @{text PROP}: because of certain
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	685	syntactic subleties it is required in front of terms of type @{typ prop} (the
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	686	type of meta-level propositions) which are not obviously of type @{typ prop}
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	687	(e.g.\ @{text"?P x y"}) because they do not contain a tell-tale constant such
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	688	as @{text"\<And>"} or @{text"\<Longrightarrow>"}.
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	689
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	690	However, the proof is rather terse. Here is a more readable version:
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	691	*}
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	692
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	693	lemma assumes A: "(x,y) \<in> r" and B: "(y,z) \<in> r"
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	694	shows "(x,z) \<in> r*"
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	695	proof -
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	696	from A B show ?thesis
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	697	proof induct
13312 ad91cf279f06 * empty log message * nipkow parents: 13311 diff changeset	698	fix x assume "(x,z) \<in> r" -- {@{text B}[@{text y} := @{text x}]*}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	699	thus "(x,z) \<in> r*" .
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	700	next
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	701	fix x' x y
13313 e4dc78f4e51e * empty log message * nipkow parents: 13312 diff changeset	702	assume 1: "(x',x) \<in> r" and
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	703	IH: "(y,z) \<in> r* \<Longrightarrow> (x,z) \<in> r*" and
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	704	B: "(y,z) \<in> r*"
13313 e4dc78f4e51e * empty log message * nipkow parents: 13312 diff changeset	705	from 1 IH[OF B] show "(x',z) \<in> r*" by(rule rtc.step)
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	706	qed
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	707	qed
f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	708
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	709	text{*\noindent We start the proof with \isakeyword{from}~@{text"A
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	710	B"}. Only @{text A} is ``consumed'' by the first proof step, here
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	711	induction. Since @{text B} is left over we don't just prove @{text
13311 50d821437370 * empty log message * nipkow parents: 13310 diff changeset	712	?thesis} but @{text"B \<Longrightarrow> ?thesis"}, just as in the previous
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	713	proof, only more elegantly. The base case is trivial. In the
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	714	assumptions for the induction step we can see very clearly how things
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	715	fit together and permit ourselves the obvious forward step
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	716	@{text"IH[OF B]"}. *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	717
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	718	(<)end(>)

author	nipkow
	Mon, 08 Jul 2002 15:03:04 +0200
changeset 13313	e4dc78f4e51e
parent 13312	ad91cf279f06
child 13317	bb74918cc0dd
permissions	-rw-r--r--