isabelle: doc-src/TutorialI/IsarOverview/Isar/Logic.thy@ee898d32de21 (annotated)

13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	1	(<)theory Logic = Main:(>)
502f69ea6627 * empty log message * nipkow parents: diff changeset	2
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	3	section{Logic \label{sec:Logic}}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	4
502f69ea6627 * empty log message * nipkow parents: diff changeset	5	subsection{Propositional logic}
502f69ea6627 * empty log message * nipkow parents: diff changeset	6
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	7	subsubsection{Introduction rules}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	8
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	9	text{* We start with a really trivial toy proof to introduce the basic
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	10	features of structured proofs. *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	11	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	12	proof (rule impI)
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	13	assume a: "A"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	14	show "A" by(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	15	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	16	text{*\noindent
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	17	The operational reading: the \isakeyword{assume}-\isakeyword{show} block
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	18	proves @{prop"A \<Longrightarrow> A"},
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	19	which rule @{thm[source]impI} (@{thm impI})
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	20	turns into the desired @{prop"A \<longrightarrow> A"}.
13330 c9e9b6add754 * empty log message * nipkow parents: 13329 diff changeset	21	However, this text is much too detailed for comfort. Therefore Isar
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	22	implements the following principle:
502f69ea6627 * empty log message * nipkow parents: diff changeset	23	\begin{quote}\em
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	24	Command \isakeyword{proof} automatically tries to select an introduction rule
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	25	based on the goal and a predefined list of rules.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	26	\end{quote}
502f69ea6627 * empty log message * nipkow parents: diff changeset	27	Here @{thm[source]impI} is applied automatically:
502f69ea6627 * empty log message * nipkow parents: diff changeset	28	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	29
502f69ea6627 * empty log message * nipkow parents: diff changeset	30	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	31	proof
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	32	assume a: "A"
cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	33	show "A" by(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	34	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	35
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	36	text{* Trivial proofs, in particular those by assumption, should be trivial
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	37	to perform. Proof ``.'' does just that (and a bit more). Thus
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	38	naming of assumptions is often superfluous: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	39	lemma "A \<longrightarrow> A"
502f69ea6627 * empty log message * nipkow parents: diff changeset	40	proof
502f69ea6627 * empty log message * nipkow parents: diff changeset	41	assume "A"
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	42	show "A" .
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	43	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	44
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	45	text{* To hide proofs by assumption further, \isakeyword{by}@{text"(method)"}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	46	first applies @{text method} and then tries to solve all remaining subgoals
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	47	by assumption: *}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	48	lemma "A \<longrightarrow> A \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	49	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	50	assume "A"
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	51	show "A \<and> A" by(rule conjI)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	52	qed
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	53	text{*\noindent Rule @{thm[source]conjI} is of course @{thm conjI}.
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	54	A drawback of these implicit proofs by assumption is that it
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	55	is no longer obvious where an assumption is used.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	56
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	57	Proofs of the form \isakeyword{by}@{text"(rule"}~\emph{name}@{text")"} can be
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	58	abbreviated to ``..''
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	59	if \emph{name} refers to one of the predefined introduction rules:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	60	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	61
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	62	lemma "A \<longrightarrow> A \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	63	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	64	assume "A"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	65	show "A \<and> A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	66	qed
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	67	text{*\noindent
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	68	This is what happens: first the matching introduction rule @{thm[source]conjI}
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	69	is applied (first ``.''), then the two subgoals are solved by assumption
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	70	(second ``.''). *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	71
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	72	subsubsection{Elimination rules}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	73
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	74	text{*A typical elimination rule is @{thm[source]conjE}, $\land$-elimination:
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	75	@{thm[display,indent=5]conjE} In the following proof it is applied
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	76	by hand, after its first (\emph{major}) premise has been eliminated via
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	77	@{text"[OF AB]"}: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	78	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	79	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	80	assume AB: "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	81	show "B \<and> A"
13347 867f876589e7 * empty log message * nipkow parents: 13338 diff changeset	82	proof (rule conjE[OF AB]) -- {@{text"conjE[OF AB]"}: @{thm conjE[OF AB]} }
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	83	assume "A" "B"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	84	show ?thesis ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	85	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	86	qed
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	87	text{*\noindent Note that the term @{text"?thesis"} always stands for the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	88	``current goal'', i.e.\ the enclosing \isakeyword{show} (or
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	89	\isakeyword{have}) statement.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	90
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	91	This is too much proof text. Elimination rules should be selected
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	92	automatically based on their major premise, the formula or rather connective
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	93	to be eliminated. In Isar they are triggered by propositions being fed
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	94	\emph{into} a proof. Syntax:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	95	\begin{center}
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	96	\isakeyword{from} \emph{fact} \isakeyword{show} \emph{proposition} \emph{proof}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	97	\end{center}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	98	where \emph{fact} stands for the name of a previously proved
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	99	proposition, e.g.\ an assumption, an intermediate result or some global
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	100	theorem, which may also be modified with @{text OF} etc.
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	101	The \emph{fact} is ``piped'' into the \emph{proof}, which can deal with it
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	102	how it chooses. If the \emph{proof} starts with a plain \isakeyword{proof},
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	103	an elimination rule (from a predefined list) is applied
36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	104	whose first premise is solved by the \emph{fact}. Thus the proof above
36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	105	is equivalent to the following one: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	106
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	107	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	108	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	109	assume AB: "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	110	from AB show "B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	111	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	112	assume "A" "B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	113	show ?thesis ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	114	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	115	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	116
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	117	text{* Now we come a second important principle:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	118	\begin{quote}\em
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	119	Try to arrange the sequence of propositions in a UNIX-like pipe,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	120	such that the proof of each proposition builds on the previous proposition.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	121	\end{quote}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	122	The previous proposition can be referred to via the fact @{text this}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	123	This greatly reduces the need for explicit naming of propositions:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	124	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	125	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	126	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	127	assume "A \<and> B"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	128	from this show "B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	129	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	130	assume "A" "B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	131	show ?thesis ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	132	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	133	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	134
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	135	text{*\noindent Because of the frequency of \isakeyword{from}~@{text
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	136	this} Isar provides two abbreviations:
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	137	\begin{center}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	138	\begin{tabular}{rcl}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	139	\isakeyword{then} &=& \isakeyword{from} @{text this} \\
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	140	\isakeyword{thus} &=& \isakeyword{then} \isakeyword{show}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	141	\end{tabular}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	142	\end{center}
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	143	\medskip
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	144
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	145	Here is an alternative proof that operates purely by forward reasoning: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	146	lemma "A \<and> B \<longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	147	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	148	assume ab: "A \<and> B"
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	149	from ab have a: "A" ..
531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	150	from ab have b: "B" ..
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	151	from b a show "B \<and> A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	152	qed
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	153	text{*\noindent
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	154	It is worth examining this text in detail because it exhibits a number of new concepts.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	155
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	156	For a start, this is the first time we have proved intermediate propositions
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	157	(\isakeyword{have}) on the way to the final \isakeyword{show}. This is the
13330 c9e9b6add754 * empty log message * nipkow parents: 13329 diff changeset	158	norm in any nontrivial proof where one cannot bridge the gap between the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	159	assumptions and the conclusion in one step. Both \isakeyword{have}s above are
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	160	proved automatically via @{thm[source]conjE} triggered by
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	161	\isakeyword{from}~@{text ab}.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	162
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	163	The \isakeyword{show} command illustrates two things:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	164	\begin{itemize}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	165	\item \isakeyword{from} can be followed by any number of facts.
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	166	Given \isakeyword{from}~@{text f}$_1$~\dots~@{text f}$_n$, the
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	167	\isakeyword{proof} step after \isakeyword{show}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	168	tries to find an elimination rule whose first $n$ premises can be proved
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	169	by the given facts in the given order.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	170	\item If there is no matching elimination rule, introduction rules are tried,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	171	again using the facts to prove the premises.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	172	\end{itemize}
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	173	In this case, the proof succeeds with @{thm[source]conjI}. Note that the proof
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	174	would fail had we written \isakeyword{from}~@{text"a b"}
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	175	instead of \isakeyword{from}~@{text"b a"}.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	176
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	177	This treatment of facts fed into a proof is not restricted to implicit
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	178	application of introduction and elimination rules but applies to explicit
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	179	application of rules as well. Thus you could replace the final ``..'' above
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	180	with \isakeyword{by}@{text"(rule conjI)"}.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	181	*}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	182
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	183	subsection{More constructs}
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	184
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	185	text{* In the previous proof of @{prop"A \<and> B \<longrightarrow> B \<and> A"} we needed to feed
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	186	more than one fact into a proof step, a frequent situation. Then the
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	187	UNIX-pipe model appears to break down and we need to name the different
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	188	facts to refer to them. But this can be avoided:
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	189	*}
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	190	lemma "A \<and> B \<longrightarrow> B \<and> A"
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	191	proof
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	192	assume ab: "A \<and> B"
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	193	from ab have "B" ..
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	194	moreover
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	195	from ab have "A" ..
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	196	ultimately show "B \<and> A" ..
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	197	qed
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	198	text{*\noindent You can combine any number of facts @{term A1} \dots\ @{term
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	199	An} into a sequence by separating their proofs with
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	200	\isakeyword{moreover}. After the final fact, \isakeyword{ultimately} stands
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	201	for \isakeyword{from}~@{term A1}~\dots~@{term An}. This avoids having to
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	202	introduce names for all of the sequence elements. *}
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	203
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	204	text{* Although we have only seen a few introduction and elimination rules so
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	205	far, Isar's predefined rules include all the usual natural deduction
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	206	rules. We conclude our exposition of propositional logic with an extended
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	207	example --- which rules are used implicitly where? *}
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	208	lemma "\<not> (A \<and> B) \<longrightarrow> \<not> A \<or> \<not> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	209	proof
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	210	assume n: "\<not> (A \<and> B)"
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	211	show "\<not> A \<or> \<not> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	212	proof (rule ccontr)
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	213	assume nn: "\<not> (\<not> A \<or> \<not> B)"
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	214	have "\<not> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	215	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	216	assume "A"
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	217	have "\<not> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	218	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	219	assume "B"
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	220	have "A \<and> B" ..
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	221	with n show False ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	222	qed
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	223	hence "\<not> A \<or> \<not> B" ..
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	224	with nn show False ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	225	qed
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	226	hence "\<not> A \<or> \<not> B" ..
900f220c800d * empty log message * nipkow parents: 13322 diff changeset	227	with nn show False ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	228	qed
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	229	qed
13555 fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	230	text{*\noindent
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	231	Rule @{thm[source]ccontr} (``classical contradiction'') is
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	232	@{thm ccontr[no_vars]}.
fc529625b494 * empty log message * nipkow parents: 13519 diff changeset	233	Apart from demonstrating the strangeness of classical
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	234	arguments by contradiction, this example also introduces two new
13330 c9e9b6add754 * empty log message * nipkow parents: 13329 diff changeset	235	abbreviations:
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	236	\begin{center}
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	237	\begin{tabular}{lcl}
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	238	\isakeyword{hence} &=& \isakeyword{then} \isakeyword{have} \\
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	239	\isakeyword{with}~\emph{facts} &=&
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	240	\isakeyword{from}~\emph{facts} @{text this}
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	241	\end{tabular}
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	242	\end{center}
13326 900f220c800d * empty log message * nipkow parents: 13322 diff changeset	243	*}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	244
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	245	subsection{Avoiding duplication}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	246
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	247	text{* So far our examples have been a bit unnatural: normally we want to
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	248	prove rules expressed with @{text"\<Longrightarrow>"}, not @{text"\<longrightarrow>"}. Here is an example:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	249	*}
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	250	lemma "A \<and> B \<Longrightarrow> B \<and> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	251	proof
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	252	assume "A \<and> B" thus "B" ..
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	253	next
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	254	assume "A \<and> B" thus "A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	255	qed
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	256	text{*\noindent The \isakeyword{proof} always works on the conclusion,
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	257	@{prop"B \<and> A"} in our case, thus selecting $\land$-introduction. Hence
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	258	we must show @{prop B} and @{prop A}; both are proved by
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	259	$\land$-elimination and the proofs are separated by \isakeyword{next}:
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	260	\begin{description}
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	261	\item[\isakeyword{next}] deals with multiple subgoals. For example,
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	262	when showing @{term"A \<and> B"} we need to show both @{term A} and @{term
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	263	B}. Each subgoal is proved separately, in \emph{any} order. The
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	264	individual proofs are separated by \isakeyword{next}.
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	265	\end{description}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	266
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	267	This is all very well as long as formulae are small. Let us now look at some
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	268	devices to avoid repeating (possibly large) formulae. A very general method
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	269	is pattern matching: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	270
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	271	lemma "large_A \<and> large_B \<Longrightarrow> large_B \<and> large_A"
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	272	(is "?AB \<Longrightarrow> ?B \<and> ?A")
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	273	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	274	assume "?AB" thus "?B" ..
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	275	next
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	276	assume "?AB" thus "?A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	277	qed
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	278	text{*\noindent Any formula may be followed by
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	279	@{text"("}\isakeyword{is}~\emph{pattern}@{text")"} which causes the pattern
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	280	to be matched against the formula, instantiating the @{text"?"}-variables in
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	281	the pattern. Subsequent uses of these variables in other terms causes
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	282	them to be replaced by the terms they stand for.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	283
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	284	We can simplify things even more by stating the theorem by means of the
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	285	\isakeyword{assumes} and \isakeyword{shows} elements which allow direct
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	286	naming of assumptions: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	287
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	288	lemma assumes AB: "large_A \<and> large_B"
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	289	shows "large_B \<and> large_A" (is "?B \<and> ?A")
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	290	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	291	from AB show "?B" ..
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	292	next
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	293	from AB show "?A" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	294	qed
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	295	text{*\noindent Note the difference between @{text ?AB}, a term, and
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	296	@{text AB}, a fact.
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	297
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	298	Finally we want to start the proof with $\land$-elimination so we
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	299	don't have to perform it twice, as above. Here is a slick way to
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	300	achieve this: *}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	301
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	302	lemma assumes AB: "large_A \<and> large_B"
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	303	shows "large_B \<and> large_A" (is "?B \<and> ?A")
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	304	using AB
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	305	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	306	assume "?A" "?B" show ?thesis ..
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	307	qed
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	308	text{*\noindent Command \isakeyword{using} can appear before a proof
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	309	and adds further facts to those piped into the proof. Here @{text AB}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	310	is the only such fact and it triggers $\land$-elimination. Another
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	311	frequent idiom is as follows:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	312	\begin{center}
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	313	\isakeyword{from} \emph{major-facts}~
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	314	\isakeyword{show} \emph{proposition}~
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	315	\isakeyword{using} \emph{minor-facts}~
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	316	\emph{proof}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	317	\end{center}
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	318	\medskip
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	319
13330 c9e9b6add754 * empty log message * nipkow parents: 13329 diff changeset	320	Sometimes it is necessary to suppress the implicit application of rules in a
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	321	\isakeyword{proof}. For example \isakeyword{show}~@{prop"A \<or> B"} would
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	322	trigger $\lor$-introduction, requiring us to prove @{prop A}. A simple
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	323	``@{text"-"}'' prevents this \emph{faux pas}: *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	324
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	325	lemma assumes AB: "A \<or> B" shows "B \<or> A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	326	proof -
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	327	from AB show ?thesis
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	328	proof
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	329	assume A show ?thesis ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	330	next
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	331	assume B show ?thesis ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	332	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	333	qed
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	334	text{\noindent Could \isakeyword{using} help to eliminate this ``@{text"-"}''? }
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	335
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	336	subsection{Predicate calculus}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	337
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	338	text{* Command \isakeyword{fix} introduces new local variables into a
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	339	proof. The pair \isakeyword{fix}-\isakeyword{show} corresponds to @{text"\<And>"}
3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	340	(the universal quantifier at the
13307 cf076cdcfbf3 * empty log message * nipkow parents: 13305 diff changeset	341	meta-level) just like \isakeyword{assume}-\isakeyword{show} corresponds to
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	342	@{text"\<Longrightarrow>"}. Here is a sample proof, annotated with the rules that are
13330 c9e9b6add754 * empty log message * nipkow parents: 13329 diff changeset	343	applied implicitly: *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	344	lemma assumes P: "\<forall>x. P x" shows "\<forall>x. P(f x)"
13351 bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	345	proof --"@{thm[source]allI}: @{thm allI}"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	346	fix a
13351 bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	347	from P show "P(f a)" .. --"@{thm[source]allE}: @{thm allE}"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	348	qed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	349	text{*\noindent Note that in the proof we have chosen to call the bound
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	350	variable @{term a} instead of @{term x} merely to show that the choice of
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	351	local names is irrelevant.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	352
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	353	Next we look at @{text"\<exists>"} which is a bit more tricky.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	354	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	355
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	356	lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	357	proof -
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	358	from Pf show ?thesis
13351 bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	359	proof -- "@{thm[source]exE}: @{thm exE}"
bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	360	fix x
bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	361	assume "P(f x)"
bc1fb6941b54 * empty log message * nipkow parents: 13347 diff changeset	362	show ?thesis .. -- "@{thm[source]exI}: @{thm exI}"
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	363	qed
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	364	qed
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	365	text{*\noindent Explicit $\exists$-elimination as seen above can become
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	366	cumbersome in practice. The derived Isar language element
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	367	\isakeyword{obtain} provides a more appealing form of generalized
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	368	existence reasoning: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	369
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	370	lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	371	proof -
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	372	from Pf obtain x where "P(f x)" ..
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	373	thus "\<exists>y. P y" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	374	qed
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	375	text{*\noindent Note how the proof text follows the usual mathematical style
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	376	of concluding $P(x)$ from $\exists x. P(x)$, while carefully introducing $x$
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	377	as a new local variable. Technically, \isakeyword{obtain} is similar to
d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	378	\isakeyword{fix} and \isakeyword{assume} together with a soundness proof of
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	379	the elimination involved.
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	380
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	381	Here is a proof of a well known tautology.
53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	382	Figure out which rule is used where! *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	383
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	384	lemma assumes ex: "\<exists>x. \<forall>y. P x y" shows "\<forall>y. \<exists>x. P x y"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	385	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	386	fix y
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	387	from ex obtain x where "\<forall>y. P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	388	hence "P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	389	thus "\<exists>x. P x y" ..
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	390	qed
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	391
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	392	subsection{Making bigger steps}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	393
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	394	text{* So far we have confined ourselves to single step proofs. Of course
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	395	powerful automatic methods can be used just as well. Here is an example,
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	396	Cantor's theorem that there is no surjective function from a set to its
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	397	powerset: *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	398	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	399	proof
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	400	let ?S = "{x. x \<notin> f x}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	401	show "?S \<notin> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	402	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	403	assume "?S \<in> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	404	then obtain y where fy: "?S = f y" ..
502f69ea6627 * empty log message * nipkow parents: diff changeset	405	show False
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	406	proof cases
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	407	assume "y \<in> ?S"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	408	with fy show False by blast
502f69ea6627 * empty log message * nipkow parents: diff changeset	409	next
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	410	assume "y \<notin> ?S"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	411	with fy show False by blast
502f69ea6627 * empty log message * nipkow parents: diff changeset	412	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	413	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	414	qed
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	415	text{*\noindent
13329 53c4ec15cae0 * empty log message * nipkow parents: 13326 diff changeset	416	For a start, the example demonstrates two new constructs:
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	417	\begin{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	418	\item \isakeyword{let} introduces an abbreviation for a term, in our case
13580 a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	419	the witness for the claim.
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	420	\item Proof by @{text"cases"} starts a proof by cases. Note that it remains
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	421	implicit what the two cases are: it is merely expected that the two subproofs
13580 a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	422	prove @{text"P \<Longrightarrow> ?thesis"} and @{text"\<not>P \<Longrightarrow> ?thesis"} (in that order)
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	423	for some @{term P}.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	424	\end{itemize}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	425	If you wonder how to \isakeyword{obtain} @{term y}:
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	426	via the predefined elimination rule @{thm rangeE[no_vars]}.
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	427
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	428	Method @{text blast} is used because the contradiction does not follow easily
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	429	by just a single rule. If you find the proof too cryptic for human
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	430	consumption, here is a more detailed version; the beginning up to
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	431	\isakeyword{obtain} stays unchanged. *}
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	432
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	433	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	434	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	435	let ?S = "{x. x \<notin> f x}"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	436	show "?S \<notin> range f"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	437	proof
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	438	assume "?S \<in> range f"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	439	then obtain y where fy: "?S = f y" ..
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	440	show False
13310 d694e65127ba * empty log message * nipkow parents: 13307 diff changeset	441	proof cases
13580 a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	442	assume "y \<in> ?S"
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	443	hence "y \<notin> f y" by simp
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	444	hence "y \<notin> ?S" by(simp add:fy)
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	445	thus False by contradiction
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	446	next
13580 a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	447	assume "y \<notin> ?S"
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	448	hence "y \<in> f y" by simp
a0febf6b0e9f * empty log message * nipkow parents: 13555 diff changeset	449	hence "y \<in> ?S" by(simp add:fy)
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	450	thus False by contradiction
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	451	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	452	qed
502f69ea6627 * empty log message * nipkow parents: diff changeset	453	qed
13317 bb74918cc0dd * empty log message * nipkow parents: 13313 diff changeset	454	text{*\noindent Method @{text contradiction} succeeds if both $P$ and
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	455	$\neg P$ are among the assumptions and the facts fed into that step, in any order.
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	456
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	457	As it happens, Cantor's theorem can be proved automatically by best-first
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	458	search. Depth-first search would diverge, but best-first search successfully
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	459	navigates through the large search space:
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	460	*}
502f69ea6627 * empty log message * nipkow parents: diff changeset	461
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	462	theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)"
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	463	by best
5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	464	text{*\noindent Of course this only works in the context of HOL's carefully
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	465	constructed introduction and elimination rules for set theory.*}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	466
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	467	subsection{Raw proof blocks}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	468
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	469	text{* Although we have shown how to employ powerful automatic methods like
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	470	@{text blast} to achieve bigger proof steps, there may still be the
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	471	tendency to use the default introduction and elimination rules to
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	472	decompose goals and facts. This can lead to very tedious proofs:
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	473	*}
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	474	(<)ML"set quick_and_dirty"(>)
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	475	lemma "\<forall>x y. A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	476	proof
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	477	fix x show "\<forall>y. A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	478	proof
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	479	fix y show "A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	480	proof
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	481	assume "A x y \<and> B x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	482	show "C x y" sorry
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	483	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	484	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	485	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	486	text{*\noindent Since we are only interested in the decomposition and not the
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	487	actual proof, the latter has been replaced by
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	488	\isakeyword{sorry}. Command \isakeyword{sorry} proves anything but is
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	489	only allowed in quick and dirty mode, the default interactive mode. It
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	490	is very convenient for top down proof development.
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	491
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	492	Luckily we can avoid this step by step decomposition very easily: *}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	493
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	494	lemma "\<forall>x y. A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	495	proof -
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	496	have "\<And>x y. \<lbrakk> A x y; B x y \<rbrakk> \<Longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	497	proof -
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	498	fix x y assume "A x y" "B x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	499	show "C x y" sorry
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	500	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	501	thus ?thesis by blast
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	502	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	503
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	504	text{*\noindent
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	505	This can be simplified further by \emph{raw proof blocks},
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	506	which are proofs enclosed in braces: *}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	507
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	508	lemma "\<forall>x y. A x y \<and> B x y \<longrightarrow> C x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	509	proof -
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	510	{ fix x y assume "A x y" "B x y"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	511	have "C x y" sorry }
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	512	thus ?thesis by blast
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	513	qed
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	514
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	515	text{*\noindent The result of the raw proof block is the same theorem
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	516	as above, namely @{prop"\<And>x y. \<lbrakk> A x y; B x y \<rbrakk> \<Longrightarrow> C x y"}. Raw
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	517	proof blocks are like ordinary proofs except that they do not prove
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	518	some explicitly stated property but that the property emerges directly
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	519	out of the \isakeyword{fixe}s, \isakeyword{assume}s and
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	520	\isakeyword{have} in the block. Thus they again serve to avoid
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	521	duplication. Note that the conclusion of a raw proof block is stated with
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	522	\isakeyword{have} rather than \isakeyword{show} because it is not the
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	523	conclusion of some pending goal but some independent claim. If you
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	524	would like to name the result of a raw proof block simply follow it
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	525	with *}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	526
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	527	(<)
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	528	lemma "P"
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	529	proof -
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	530	{ assume A hence A . }
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	531	(>)
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	532	note some_name = this
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	533	(<)oops(>)
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	534
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	535	text{* The general idea demonstrated in this subsection is very
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	536	important in Isar and distinguishes it from tactic-style proofs:
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	537	\begin{quote}\em
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	538	Do not manipulate the proof state into a particular form by applying
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	539	tactics but state the desired form explictly and let the tactic verify
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	540	that from this form the original goal follows.
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	541	\end{quote}
80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	542	This yields more readable and also more robust proofs. *}
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	543
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	544	subsection{Further refinements}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	545
13700 80010ca1310c added raw proof blocks nipkow parents: 13620 diff changeset	546	text{* This subsection discusses some further tricks that can make
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	547	life easier although they are not essential. We start with some small
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	548	syntactic items.*}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	549
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	550	subsubsection{\isakeyword{and}}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	551
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	552	text{* Propositions (following \isakeyword{assume} etc) may but need not be
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	553	separated by \isakeyword{and}. This is not just for readability
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	554	(\isakeyword{from} \isa{A} \isakeyword{and} \isa{B} looks nicer than
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	555	\isakeyword{from} \isa{A} \isa{B}) but for structuring lists of propositions
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	556	into possibly named blocks. For example in
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	557	\begin{center}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	558	\isakeyword{assume} \isa{A:} $A_1$ $A_2$ \isakeyword{and} \isa{B:} $A_3$
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	559	\isakeyword{and} $A_4$
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	560	\end{center}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	561	label \isa{A} refers to the list of propositions $A_1$ $A_2$ and
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	562	label \isa{B} to $A_3$. *}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	563
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	564	subsubsection{\isakeyword{fixes}}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	565
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	566	text{* Sometimes it is necessary to decorate a proposition with type
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	567	constraints, as in Cantor's theorem above. These type constraints tend
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	568	to make the theorem less readable. The situation can be improved a
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	569	little by combining the type constraint with an outer @{text"\<And>"}: *}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	570
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	571	theorem "\<And>f :: 'a \<Rightarrow> 'a set. \<exists>S. S \<notin> range f"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	572	(<)oops(>)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	573	text{*\noindent However, now @{term f} is bound and we need a
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	574	\isakeyword{fix}~\isa{f} in the proof before we can refer to @{term f}.
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	575	This is avoided by \isakeyword{fixes}: *}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	576
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	577	theorem fixes f :: "'a \<Rightarrow> 'a set" shows "\<exists>S. S \<notin> range f"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	578	(<)oops(>)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	579	text{* \noindent
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	580	But the real strength of \isakeyword{fixes} lies in the possibility to
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	581	introduce concrete syntax locally:*}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	582
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	583	lemma comm_mono:
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	584	fixes r :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infix ">" 60) and
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	585	f :: "'a \<Rightarrow> 'a \<Rightarrow> 'a" (infixl "++" 70)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	586	assumes comm: "\<And>x y::'a. x ++ y = y ++ x" and
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	587	mono: "\<And>x y z::'a. x > y \<Longrightarrow> x ++ z > y ++ z"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	588	shows "x > y \<Longrightarrow> z ++ x > z ++ y"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	589	by(simp add: comm mono)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	590
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	591	text{*\noindent The concrete syntax is dropped at the end of the proof and the
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	592	theorem becomes @{thm[display,margin=50]comm_mono} *}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	593
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	594	subsubsection{\isakeyword{obtain}}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	595
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	596	text{* The \isakeyword{obtain} construct can introduce multiple
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	597	witnesses and propositions as in the following proof fragment:*}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	598
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	599	lemma assumes A: "\<exists>x y. P x y \<and> Q x y" shows "R"
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	600	proof -
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	601	from A obtain x y where P: "P x y" and Q: "Q x y" by blast
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	602	(<)oops(>)
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	603	text{* Remember also that one does not even need to start with a formula
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	604	containing @{text"\<exists>"} as we saw in the proof of Cantor's theorem.
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	605	*}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	606
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	607	subsubsection{Combining proof styles}
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	608
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	609	text{* Finally, whole ``scripts'' (tactic-based proofs in the style of
13519 36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	610	\cite{LNCS2283}) may appear in the leaves of the proof tree, although this is
36ee816b5ee3 * empty log message * nipkow parents: 13351 diff changeset	611	best avoided. Here is a contrived example: *}
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	612
13322 3323ecc0b97c * empty log message * nipkow parents: 13317 diff changeset	613	lemma "A \<longrightarrow> (A \<longrightarrow> B) \<longrightarrow> B"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	614	proof
13613 531f1f524848 * empty log message * nipkow parents: 13580 diff changeset	615	assume a: "A"
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	616	show "(A \<longrightarrow>B) \<longrightarrow> B"
502f69ea6627 * empty log message * nipkow parents: diff changeset	617	apply(rule impI)
502f69ea6627 * empty log message * nipkow parents: diff changeset	618	apply(erule impE)
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	619	apply(rule a)
13267 502f69ea6627 * empty log message * nipkow parents: diff changeset	620	apply assumption
502f69ea6627 * empty log message * nipkow parents: diff changeset	621	done
502f69ea6627 * empty log message * nipkow parents: diff changeset	622	qed
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	623
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	624	text{*\noindent You may need to resort to this technique if an
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	625	automatic step fails to prove the desired proposition.
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	626
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	627	When converting a proof from tactic-style into Isar you can proceed
13619 584291949c23 * empty log message * nipkow parents: 13613 diff changeset	628	in a top-down manner: parts of the proof can be left in script form
584291949c23 * empty log message * nipkow parents: 13613 diff changeset	629	while to outer structure is already expressed in Isar. *}
13305 f88d0c363582 * empty log message * nipkow parents: 13294 diff changeset	630
13294 5e2016d151bd * empty log message * nipkow parents: 13267 diff changeset	631	(<)end(>)

author	paulson
	Tue, 17 Dec 2002 11:05:41 +0100
changeset 13758	ee898d32de21
parent 13700	80010ca1310c
child 13765	e3c444e805c4
permissions	-rw-r--r--