src/Doc/Intro/document/advanced.tex

merge

\part{Advanced Methods}
Before continuing, it might be wise to try some of your own examples in
Isabelle, reinforcing your knowledge of the basic functions.

Look through {\em Isabelle's Object-Logics\/} and try proving some
simple theorems.  You probably should begin with first-order logic
(\texttt{FOL} or~\texttt{LK}).  Try working some of the examples provided,
and others from the literature.  Set theory~(\texttt{ZF}) and
Constructive Type Theory~(\texttt{CTT}) form a richer world for
mathematical reasoning and, again, many examples are in the
literature.  Higher-order logic~(\texttt{HOL}) is Isabelle's most
elaborate logic.  Its types and functions are identified with those of
the meta-logic.

Choose a logic that you already understand.  Isabelle is a proof
tool, not a teaching tool; if you do not know how to do a particular proof
on paper, then you certainly will not be able to do it on the machine.
Even experienced users plan large proofs on paper.

We have covered only the bare essentials of Isabelle, but enough to perform
substantial proofs.  By occasionally dipping into the {\em Reference
Manual}, you can learn additional tactics, subgoal commands and tacticals.


\section{Deriving rules in Isabelle}
\index{rules!derived}
A mathematical development goes through a progression of stages.  Each
stage defines some concepts and derives rules about them.  We shall see how
to derive rules, perhaps involving definitions, using Isabelle.  The
following section will explain how to declare types, constants, rules and
definitions.


\subsection{Deriving a rule using tactics and meta-level assumptions} 
\label{deriving-example}
\index{examples!of deriving rules}\index{assumptions!of main goal}

The subgoal module supports the derivation of rules, as discussed in
\S\ref{deriving}.  When the \ttindex{Goal} command is supplied a formula of
the form $\List{\theta@1; \ldots; \theta@k} \Imp \phi$, there are two
possibilities:
\begin{itemize}
\item If all of the premises $\theta@1$, \ldots, $\theta@k$ are simple
  formulae{} (they do not involve the meta-connectives $\Forall$ or
  $\Imp$) then the command sets the goal to be 
  $\List{\theta@1; \ldots; \theta@k} \Imp \phi$ and returns the empty list.
\item If one or more premises involves the meta-connectives $\Forall$ or
  $\Imp$, then the command sets the goal to be $\phi$ and returns a list
  consisting of the theorems ${\theta@i\;[\theta@i]}$, for $i=1$, \ldots,~$k$.
  These meta-level assumptions are also recorded internally, allowing
  \texttt{result} (which is called by \texttt{qed}) to discharge them in the
  original order.
\end{itemize}
Rules that discharge assumptions or introduce eigenvariables have complex
premises, and the second case applies.  In this section, many of the
theorems are subject to meta-level assumptions, so we make them visible by by setting the 
\ttindex{show_hyps} flag:
\begin{ttbox} 
set show_hyps;
{\out val it = true : bool}
\end{ttbox}

Now, we are ready to derive $\conj$ elimination.  Until now, calling \texttt{Goal} has
returned an empty list, which we have ignored.  In this example, the list
contains the two premises of the rule, since one of them involves the $\Imp$
connective.  We bind them to the \ML\ identifiers \texttt{major} and {\tt
  minor}:\footnote{Some ML compilers will print a message such as {\em binding
    not exhaustive}.  This warns that \texttt{Goal} must return a 2-element
  list.  Otherwise, the pattern-match will fail; ML will raise exception
  \xdx{Match}.}
\begin{ttbox}
val [major,minor] = Goal
    "[| P&Q;  [| P; Q |] ==> R |] ==> R";
{\out Level 0}
{\out R}
{\out  1. R}
{\out val major = "P & Q  [P & Q]" : thm}
{\out val minor = "[| P; Q |] ==> R  [[| P; Q |] ==> R]" : thm}
\end{ttbox}
Look at the minor premise, recalling that meta-level assumptions are
shown in brackets.  Using \texttt{minor}, we reduce $R$ to the subgoals
$P$ and~$Q$:
\begin{ttbox}
by (resolve_tac [minor] 1);
{\out Level 1}
{\out R}
{\out  1. P}
{\out  2. Q}
\end{ttbox}
Deviating from~\S\ref{deriving}, we apply $({\conj}E1)$ forwards from the
assumption $P\conj Q$ to obtain the theorem~$P\;[P\conj Q]$.
\begin{ttbox}
major RS conjunct1;
{\out val it = "P  [P & Q]" : thm}
\ttbreak
by (resolve_tac [major RS conjunct1] 1);
{\out Level 2}
{\out R}
{\out  1. Q}
\end{ttbox}
Similarly, we solve the subgoal involving~$Q$.
\begin{ttbox}
major RS conjunct2;
{\out val it = "Q  [P & Q]" : thm}
by (resolve_tac [major RS conjunct2] 1);
{\out Level 3}
{\out R}
{\out No subgoals!}
\end{ttbox}
Calling \ttindex{topthm} returns the current proof state as a theorem.
Note that it contains assumptions.  Calling \ttindex{qed} discharges
the assumptions --- both occurrences of $P\conj Q$ are discharged as
one --- and makes the variables schematic.
\begin{ttbox}
topthm();
{\out val it = "R  [P & Q, P & Q, [| P; Q |] ==> R]" : thm}
qed "conjE";
{\out val conjE = "[| ?P & ?Q; [| ?P; ?Q |] ==> ?R |] ==> ?R" : thm}
\end{ttbox}


\subsection{Definitions and derived rules} \label{definitions}
\index{rules!derived}\index{definitions!and derived rules|(}

Definitions are expressed as meta-level equalities.  Let us define negation
and the if-and-only-if connective:
\begin{eqnarray*}
  \neg \Var{P}          & \equiv & \Var{P}\imp\bot \\
  \Var{P}\bimp \Var{Q}  & \equiv & 
                (\Var{P}\imp \Var{Q}) \conj (\Var{Q}\imp \Var{P})
\end{eqnarray*}
\index{meta-rewriting}%
Isabelle permits {\bf meta-level rewriting} using definitions such as
these.  {\bf Unfolding} replaces every instance
of $\neg \Var{P}$ by the corresponding instance of ${\Var{P}\imp\bot}$.  For
example, $\forall x.\neg (P(x)\conj \neg R(x,0))$ unfolds to
\[ \forall x.(P(x)\conj R(x,0)\imp\bot)\imp\bot.  \]
{\bf Folding} a definition replaces occurrences of the right-hand side by
the left.  The occurrences need not be free in the entire formula.

When you define new concepts, you should derive rules asserting their
abstract properties, and then forget their definitions.  This supports
modularity: if you later change the definitions without affecting their
abstract properties, then most of your proofs will carry through without
change.  Indiscriminate unfolding makes a subgoal grow exponentially,
becoming unreadable.

Taking this point of view, Isabelle does not unfold definitions
automatically during proofs.  Rewriting must be explicit and selective.
Isabelle provides tactics and meta-rules for rewriting, and a version of
the \texttt{Goal} command that unfolds the conclusion and premises of the rule
being derived.

For example, the intuitionistic definition of negation given above may seem
peculiar.  Using Isabelle, we shall derive pleasanter negation rules:
\[  \infer[({\neg}I)]{\neg P}{\infer*{\bot}{[P]}}   \qquad
    \infer[({\neg}E)]{Q}{\neg P & P}  \]
This requires proving the following meta-formulae:
$$ (P\Imp\bot)    \Imp \neg P   \eqno(\neg I) $$
$$ \List{\neg P; P} \Imp Q.       \eqno(\neg E) $$


\subsection{Deriving the $\neg$ introduction rule}
To derive $(\neg I)$, we may call \texttt{Goal} with the appropriate formula.
Again, the rule's premises involve a meta-connective, and \texttt{Goal}
returns one-element list.  We bind this list to the \ML\ identifier \texttt{prems}.
\begin{ttbox}
val prems = Goal "(P ==> False) ==> ~P";
{\out Level 0}
{\out ~P}
{\out  1. ~P}
{\out val prems = ["P ==> False  [P ==> False]"] : thm list}
\end{ttbox}
Calling \ttindex{rewrite_goals_tac} with \tdx{not_def}, which is the
definition of negation, unfolds that definition in the subgoals.  It leaves
the main goal alone.
\begin{ttbox}
not_def;
{\out val it = "~?P == ?P --> False" : thm}
by (rewrite_goals_tac [not_def]);
{\out Level 1}
{\out ~P}
{\out  1. P --> False}
\end{ttbox}
Using \tdx{impI} and the premise, we reduce subgoal~1 to a triviality:
\begin{ttbox}
by (resolve_tac [impI] 1);
{\out Level 2}
{\out ~P}
{\out  1. P ==> False}
\ttbreak
by (resolve_tac prems 1);
{\out Level 3}
{\out ~P}
{\out  1. P ==> P}
\end{ttbox}
The rest of the proof is routine.  Note the form of the final result.
\begin{ttbox}
by (assume_tac 1);
{\out Level 4}
{\out ~P}
{\out No subgoals!}
\ttbreak
qed "notI";
{\out val notI = "(?P ==> False) ==> ~?P" : thm}
\end{ttbox}
\indexbold{*notI theorem}

There is a simpler way of conducting this proof.  The \ttindex{Goalw}
command starts a backward proof, as does \texttt{Goal}, but it also
unfolds definitions.  Thus there is no need to call
\ttindex{rewrite_goals_tac}:
\begin{ttbox}
val prems = Goalw [not_def]
    "(P ==> False) ==> ~P";
{\out Level 0}
{\out ~P}
{\out  1. P --> False}
{\out val prems = ["P ==> False  [P ==> False]"] : thm list}
\end{ttbox}


\subsection{Deriving the $\neg$ elimination rule}
Let us derive the rule $(\neg E)$.  The proof follows that of~\texttt{conjE}
above, with an additional step to unfold negation in the major premise.
The \texttt{Goalw} command is best for this: it unfolds definitions not only
in the conclusion but the premises.
\begin{ttbox}
Goalw [not_def] "[| ~P;  P |] ==> R";
{\out Level 0}
{\out [| ~ P; P |] ==> R}
{\out  1. [| P --> False; P |] ==> R}
\end{ttbox}
As the first step, we apply \tdx{FalseE}:
\begin{ttbox}
by (resolve_tac [FalseE] 1);
{\out Level 1}
{\out [| ~ P; P |] ==> R}
{\out  1. [| P --> False; P |] ==> False}
\end{ttbox}
%
Everything follows from falsity.  And we can prove falsity using the
premises and Modus Ponens:
\begin{ttbox}
by (eresolve_tac [mp] 1);
{\out Level 2}
{\out [| ~ P; P |] ==> R}
{\out  1. P ==> P}
\ttbreak
by (assume_tac 1);
{\out Level 3}
{\out [| ~ P; P |] ==> R}
{\out No subgoals!}
\ttbreak
qed "notE";
{\out val notE = "[| ~?P; ?P |] ==> ?R" : thm}
\end{ttbox}


\medskip
\texttt{Goalw} unfolds definitions in the premises even when it has to return
them as a list.  Another way of unfolding definitions in a theorem is by
applying the function \ttindex{rewrite_rule}.

\index{definitions!and derived rules|)}


\section{Defining theories}\label{sec:defining-theories}
\index{theories!defining|(}

Isabelle makes no distinction between simple extensions of a logic ---
like specifying a type~$bool$ with constants~$true$ and~$false$ ---
and defining an entire logic.  A theory definition has a form like
\begin{ttbox}
\(T\) = \(S@1\) + \(\cdots\) + \(S@n\) +
classes      {\it class declarations}
default      {\it sort}
types        {\it type declarations and synonyms}
arities      {\it type arity declarations}
consts       {\it constant declarations}
syntax       {\it syntactic constant declarations}
translations {\it ast translation rules}
defs         {\it meta-logical definitions}
rules        {\it rule declarations}
end
ML           {\it ML code}
\end{ttbox}
This declares the theory $T$ to extend the existing theories
$S@1$,~\ldots,~$S@n$.  It may introduce new classes, types, arities
(of existing types), constants and rules; it can specify the default
sort for type variables.  A constant declaration can specify an
associated concrete syntax.  The translations section specifies
rewrite rules on abstract syntax trees, handling notations and
abbreviations.  \index{*ML section} The \texttt{ML} section may contain
code to perform arbitrary syntactic transformations.  The main
declaration forms are discussed below.  There are some more sections
not presented here, the full syntax can be found in
\iflabelundefined{app:TheorySyntax}{an appendix of the {\it Reference
    Manual}}{App.\ts\ref{app:TheorySyntax}}.  Also note that
object-logics may add further theory sections, for example
\texttt{typedef}, \texttt{datatype} in HOL.

All the declaration parts can be omitted or repeated and may appear in
any order, except that the {\ML} section must be last (after the {\tt
  end} keyword).  In the simplest case, $T$ is just the union of
$S@1$,~\ldots,~$S@n$.  New theories always extend one or more other
theories, inheriting their types, constants, syntax, etc.  The theory
\thydx{Pure} contains nothing but Isabelle's meta-logic.  The variant
\thydx{CPure} offers the more usual higher-order function application
syntax $t\,u@1\ldots\,u@n$ instead of $t(u@1,\ldots,u@n)$ in Pure.

Each theory definition must reside in a separate file, whose name is
the theory's with {\tt.thy} appended.  Calling
\ttindexbold{use_thy}~{\tt"{\it T\/}"} reads the definition from {\it
  T}{\tt.thy}, writes a corresponding file of {\ML} code {\tt.{\it
    T}.thy.ML}, reads the latter file, and deletes it if no errors
occurred.  This declares the {\ML} structure~$T$, which contains a
component \texttt{thy} denoting the new theory, a component for each
rule, and everything declared in {\it ML code}.

Errors may arise during the translation to {\ML} (say, a misspelled
keyword) or during creation of the new theory (say, a type error in a
rule).  But if all goes well, \texttt{use_thy} will finally read the file
{\it T}{\tt.ML} (if it exists).  This file typically contains proofs
that refer to the components of~$T$.  The structure is automatically
opened, so its components may be referred to by unqualified names,
e.g.\ just \texttt{thy} instead of $T$\texttt{.thy}.

\ttindexbold{use_thy} automatically loads a theory's parents before
loading the theory itself.  When a theory file is modified, many
theories may have to be reloaded.  Isabelle records the modification
times and dependencies of theory files.  See
\iflabelundefined{sec:reloading-theories}{the {\em Reference Manual\/}}%
                 {\S\ref{sec:reloading-theories}}
for more details.


\subsection{Declaring constants, definitions and rules}
\indexbold{constants!declaring}\index{rules!declaring}

Most theories simply declare constants, definitions and rules.  The {\bf
  constant declaration part} has the form
\begin{ttbox}
consts  \(c@1\) :: \(\tau@1\)
        \vdots
        \(c@n\) :: \(\tau@n\)
\end{ttbox}
where $c@1$, \ldots, $c@n$ are constants and $\tau@1$, \ldots, $\tau@n$ are
types.  The types must be enclosed in quotation marks if they contain
user-declared infix type constructors like \texttt{*}.  Each
constant must be enclosed in quotation marks unless it is a valid
identifier.  To declare $c@1$, \ldots, $c@n$ as constants of type $\tau$,
the $n$ declarations may be abbreviated to a single line:
\begin{ttbox}
        \(c@1\), \ldots, \(c@n\) :: \(\tau\)
\end{ttbox}
The {\bf rule declaration part} has the form
\begin{ttbox}
rules   \(id@1\) "\(rule@1\)"
        \vdots
        \(id@n\) "\(rule@n\)"
\end{ttbox}
where $id@1$, \ldots, $id@n$ are \ML{} identifiers and $rule@1$, \ldots,
$rule@n$ are expressions of type~$prop$.  Each rule {\em must\/} be
enclosed in quotation marks.  Rules are simply axioms; they are 
called \emph{rules} because they are mainly used to specify the inference
rules when defining a new logic.

\indexbold{definitions} The {\bf definition part} is similar, but with
the keyword \texttt{defs} instead of \texttt{rules}.  {\bf Definitions} are
rules of the form $s \equiv t$, and should serve only as
abbreviations.  The simplest form of a definition is $f \equiv t$,
where $f$ is a constant.  Also allowed are $\eta$-equivalent forms of
this, where the arguments of~$f$ appear applied on the left-hand side
of the equation instead of abstracted on the right-hand side.

Isabelle checks for common errors in definitions, such as extra
variables on the right-hand side and cyclic dependencies, that could
least to inconsistency.  It is still essential to take care:
theorems proved on the basis of incorrect definitions are useless,
your system can be consistent and yet still wrong.

\index{examples!of theories} This example theory extends first-order
logic by declaring and defining two constants, {\em nand} and {\em
  xor}:
\begin{ttbox}
Gate = FOL +
consts  nand,xor :: [o,o] => o
defs    nand_def "nand(P,Q) == ~(P & Q)"
        xor_def  "xor(P,Q)  == P & ~Q | ~P & Q"
end
\end{ttbox}

Declaring and defining constants can be combined:
\begin{ttbox}
Gate = FOL +
constdefs  nand :: [o,o] => o
           "nand(P,Q) == ~(P & Q)"
           xor  :: [o,o] => o
           "xor(P,Q)  == P & ~Q | ~P & Q"
end
\end{ttbox}
\texttt{constdefs} generates the names \texttt{nand_def} and \texttt{xor_def}
automatically, which is why it is restricted to alphanumeric identifiers.  In
general it has the form
\begin{ttbox}
constdefs  \(id@1\) :: \(\tau@1\)
           "\(id@1 \equiv \dots\)"
           \vdots
           \(id@n\) :: \(\tau@n\)
           "\(id@n \equiv \dots\)"
\end{ttbox}


\begin{warn}
A common mistake when writing definitions is to introduce extra free variables
on the right-hand side as in the following fictitious definition:
\begin{ttbox}
defs  prime_def "prime(p) == (m divides p) --> (m=1 | m=p)"
\end{ttbox}
Isabelle rejects this ``definition'' because of the extra \texttt{m} on the
right-hand side, which would introduce an inconsistency.  What you should have
written is
\begin{ttbox}
defs  prime_def "prime(p) == ALL m. (m divides p) --> (m=1 | m=p)"
\end{ttbox}
\end{warn}

\subsection{Declaring type constructors}
\indexbold{types!declaring}\indexbold{arities!declaring}
%
Types are composed of type variables and {\bf type constructors}.  Each
type constructor takes a fixed number of arguments.  They are declared
with an \ML-like syntax.  If $list$ takes one type argument, $tree$ takes
two arguments and $nat$ takes no arguments, then these type constructors
can be declared by
\begin{ttbox}
types 'a list
      ('a,'b) tree
      nat
\end{ttbox}

The {\bf type declaration part} has the general form
\begin{ttbox}
types   \(tids@1\) \(id@1\)
        \vdots
        \(tids@n\) \(id@n\)
\end{ttbox}
where $id@1$, \ldots, $id@n$ are identifiers and $tids@1$, \ldots, $tids@n$
are type argument lists as shown in the example above.  It declares each
$id@i$ as a type constructor with the specified number of argument places.

The {\bf arity declaration part} has the form
\begin{ttbox}
arities \(tycon@1\) :: \(arity@1\)
        \vdots
        \(tycon@n\) :: \(arity@n\)
\end{ttbox}
where $tycon@1$, \ldots, $tycon@n$ are identifiers and $arity@1$, \ldots,
$arity@n$ are arities.  Arity declarations add arities to existing
types; they do not declare the types themselves.
In the simplest case, for an 0-place type constructor, an arity is simply
the type's class.  Let us declare a type~$bool$ of class $term$, with
constants $tt$ and~$ff$.  (In first-order logic, booleans are
distinct from formulae, which have type $o::logic$.)
\index{examples!of theories}
\begin{ttbox}
Bool = FOL +
types   bool
arities bool    :: term
consts  tt,ff   :: bool
end
\end{ttbox}
A $k$-place type constructor may have arities of the form
$(s@1,\ldots,s@k)c$, where $s@1,\ldots,s@n$ are sorts and $c$ is a class.
Each sort specifies a type argument; it has the form $\{c@1,\ldots,c@m\}$,
where $c@1$, \dots,~$c@m$ are classes.  Mostly we deal with singleton
sorts, and may abbreviate them by dropping the braces.  The arity
$(term)term$ is short for $(\{term\})term$.  Recall the discussion in
\S\ref{polymorphic}.

A type constructor may be overloaded (subject to certain conditions) by
appearing in several arity declarations.  For instance, the function type
constructor~$fun$ has the arity $(logic,logic)logic$; in higher-order
logic, it is declared also to have arity $(term,term)term$.

Theory \texttt{List} declares the 1-place type constructor $list$, gives
it the arity $(term)term$, and declares constants $Nil$ and $Cons$ with
polymorphic types:%
\footnote{In the \texttt{consts} part, type variable {\tt'a} has the default
  sort, which is \texttt{term}.  See the {\em Reference Manual\/}
\iflabelundefined{sec:ref-defining-theories}{}%
{(\S\ref{sec:ref-defining-theories})} for more information.}
\index{examples!of theories}
\begin{ttbox}
List = FOL +
types   'a list
arities list    :: (term)term
consts  Nil     :: 'a list
        Cons    :: ['a, 'a list] => 'a list
end
\end{ttbox}
Multiple arity declarations may be abbreviated to a single line:
\begin{ttbox}
arities \(tycon@1\), \ldots, \(tycon@n\) :: \(arity\)
\end{ttbox}

%\begin{warn}
%Arity declarations resemble constant declarations, but there are {\it no\/}
%quotation marks!  Types and rules must be quoted because the theory
%translator passes them verbatim to the {\ML} output file.
%\end{warn}

\subsection{Type synonyms}\indexbold{type synonyms}
Isabelle supports {\bf type synonyms} ({\bf abbreviations}) which are similar
to those found in \ML.  Such synonyms are defined in the type declaration part
and are fairly self explanatory:
\begin{ttbox}
types gate       = [o,o] => o
      'a pred    = 'a => o
      ('a,'b)nuf = 'b => 'a
\end{ttbox}
Type declarations and synonyms can be mixed arbitrarily:
\begin{ttbox}
types nat
      'a stream = nat => 'a
      signal    = nat stream
      'a list
\end{ttbox}
A synonym is merely an abbreviation for some existing type expression.
Hence synonyms may not be recursive!  Internally all synonyms are
fully expanded.  As a consequence Isabelle output never contains
synonyms.  Their main purpose is to improve the readability of theory
definitions.  Synonyms can be used just like any other type:
\begin{ttbox}
consts and,or :: gate
       negate :: signal => signal
\end{ttbox}

\subsection{Infix and mixfix operators}
\index{infixes}\index{examples!of theories}

Infix or mixfix syntax may be attached to constants.  Consider the
following theory:
\begin{ttbox}
Gate2 = FOL +
consts  "~&"     :: [o,o] => o         (infixl 35)
        "#"      :: [o,o] => o         (infixl 30)
defs    nand_def "P ~& Q == ~(P & Q)"    
        xor_def  "P # Q  == P & ~Q | ~P & Q"
end
\end{ttbox}
The constant declaration part declares two left-associating infix operators
with their priorities, or precedences; they are $\nand$ of priority~35 and
$\xor$ of priority~30.  Hence $P \xor Q \xor R$ is parsed as $(P\xor Q)
\xor R$ and $P \xor Q \nand R$ as $P \xor (Q \nand R)$.  Note the quotation
marks in \verb|"~&"| and \verb|"#"|.

The constants \hbox{\verb|op ~&|} and \hbox{\verb|op #|} are declared
automatically, just as in \ML.  Hence you may write propositions like
\verb|op #(True) == op ~&(True)|, which asserts that the functions $\lambda
Q.True \xor Q$ and $\lambda Q.True \nand Q$ are identical.

\medskip Infix syntax and constant names may be also specified
independently.  For example, consider this version of $\nand$:
\begin{ttbox}
consts  nand     :: [o,o] => o         (infixl "~&" 35)
\end{ttbox}

\bigskip\index{mixfix declarations}
{\bf Mixfix} operators may have arbitrary context-free syntaxes.  Let us
add a line to the constant declaration part:
\begin{ttbox}
        If :: [o,o,o] => o       ("if _ then _ else _")
\end{ttbox}
This declares a constant $If$ of type $[o,o,o] \To o$ with concrete syntax {\tt
  if~$P$ then~$Q$ else~$R$} as well as \texttt{If($P$,$Q$,$R$)}.  Underscores
denote argument positions.  

The declaration above does not allow the \texttt{if}-\texttt{then}-{\tt
  else} construct to be printed split across several lines, even if it
is too long to fit on one line.  Pretty-printing information can be
added to specify the layout of mixfix operators.  For details, see
\iflabelundefined{Defining-Logics}%
    {the {\it Reference Manual}, chapter `Defining Logics'}%
    {Chap.\ts\ref{Defining-Logics}}.

Mixfix declarations can be annotated with priorities, just like
infixes.  The example above is just a shorthand for
\begin{ttbox}
        If :: [o,o,o] => o       ("if _ then _ else _" [0,0,0] 1000)
\end{ttbox}
The numeric components determine priorities.  The list of integers
defines, for each argument position, the minimal priority an expression
at that position must have.  The final integer is the priority of the
construct itself.  In the example above, any argument expression is
acceptable because priorities are non-negative, and conditionals may
appear everywhere because 1000 is the highest priority.  On the other
hand, the declaration
\begin{ttbox}
        If :: [o,o,o] => o       ("if _ then _ else _" [100,0,0] 99)
\end{ttbox}
defines concrete syntax for a conditional whose first argument cannot have
the form \texttt{if~$P$ then~$Q$ else~$R$} because it must have a priority
of at least~100.  We may of course write
\begin{quote}\tt
if (if $P$ then $Q$ else $R$) then $S$ else $T$
\end{quote}
because expressions in parentheses have maximal priority.  

Binary type constructors, like products and sums, may also be declared as
infixes.  The type declaration below introduces a type constructor~$*$ with
infix notation $\alpha*\beta$, together with the mixfix notation
${<}\_,\_{>}$ for pairs.  We also see a rule declaration part.
\index{examples!of theories}\index{mixfix declarations}
\begin{ttbox}
Prod = FOL +
types   ('a,'b) "*"                           (infixl 20)
arities "*"     :: (term,term)term
consts  fst     :: "'a * 'b => 'a"
        snd     :: "'a * 'b => 'b"
        Pair    :: "['a,'b] => 'a * 'b"       ("(1<_,/_>)")
rules   fst     "fst(<a,b>) = a"
        snd     "snd(<a,b>) = b"
end
\end{ttbox}

\begin{warn}
  The name of the type constructor is~\texttt{*} and not \texttt{op~*}, as
  it would be in the case of an infix constant.  Only infix type
  constructors can have symbolic names like~\texttt{*}.  General mixfix
  syntax for types may be introduced via appropriate \texttt{syntax}
  declarations.
\end{warn}


\subsection{Overloading}
\index{overloading}\index{examples!of theories}
The {\bf class declaration part} has the form
\begin{ttbox}
classes \(id@1\) < \(c@1\)
        \vdots
        \(id@n\) < \(c@n\)
\end{ttbox}
where $id@1$, \ldots, $id@n$ are identifiers and $c@1$, \ldots, $c@n$ are
existing classes.  It declares each $id@i$ as a new class, a subclass
of~$c@i$.  In the general case, an identifier may be declared to be a
subclass of $k$ existing classes:
\begin{ttbox}
        \(id\) < \(c@1\), \ldots, \(c@k\)
\end{ttbox}
Type classes allow constants to be overloaded.  As suggested in
\S\ref{polymorphic}, let us define the class $arith$ of arithmetic
types with the constants ${+} :: [\alpha,\alpha]\To \alpha$ and $0,1 {::}
\alpha$, for $\alpha{::}arith$.  We introduce $arith$ as a subclass of
$term$ and add the three polymorphic constants of this class.
\index{examples!of theories}\index{constants!overloaded}
\begin{ttbox}
Arith = FOL +
classes arith < term
consts  "0"     :: 'a::arith                  ("0")
        "1"     :: 'a::arith                  ("1")
        "+"     :: ['a::arith,'a] => 'a       (infixl 60)
end
\end{ttbox}
No rules are declared for these constants: we merely introduce their
names without specifying properties.  On the other hand, classes
with rules make it possible to prove {\bf generic} theorems.  Such
theorems hold for all instances, all types in that class.

We can now obtain distinct versions of the constants of $arith$ by
declaring certain types to be of class $arith$.  For example, let us
declare the 0-place type constructors $bool$ and $nat$:
\index{examples!of theories}
\begin{ttbox}
BoolNat = Arith +
types   bool  nat
arities bool, nat   :: arith
consts  Suc         :: nat=>nat
\ttbreak
rules   add0        "0 + n = n::nat"
        addS        "Suc(m)+n = Suc(m+n)"
        nat1        "1 = Suc(0)"
        or0l        "0 + x = x::bool"
        or0r        "x + 0 = x::bool"
        or1l        "1 + x = 1::bool"
        or1r        "x + 1 = 1::bool"
end
\end{ttbox}
Because $nat$ and $bool$ have class $arith$, we can use $0$, $1$ and $+$ at
either type.  The type constraints in the axioms are vital.  Without
constraints, the $x$ in $1+x = 1$ (axiom \texttt{or1l})
would have type $\alpha{::}arith$
and the axiom would hold for any type of class $arith$.  This would
collapse $nat$ to a trivial type:
\[ Suc(1) = Suc(0+1) = Suc(0)+1 = 1+1 = 1! \]


\section{Theory example: the natural numbers}

We shall now work through a small example of formalized mathematics
demonstrating many of the theory extension features.


\subsection{Extending first-order logic with the natural numbers}
\index{examples!of theories}

Section\ts\ref{sec:logical-syntax} has formalized a first-order logic,
including a type~$nat$ and the constants $0::nat$ and $Suc::nat\To nat$.
Let us introduce the Peano axioms for mathematical induction and the
freeness of $0$ and~$Suc$:\index{axioms!Peano}
\[ \vcenter{\infer[(induct)]{P[n/x]}{P[0/x] & \infer*{P[Suc(x)/x]}{[P]}}}
 \qquad \parbox{4.5cm}{provided $x$ is not free in any assumption except~$P$}
\]
\[ \infer[(Suc\_inject)]{m=n}{Suc(m)=Suc(n)} \qquad
   \infer[(Suc\_neq\_0)]{R}{Suc(m)=0}
\]
Mathematical induction asserts that $P(n)$ is true, for any $n::nat$,
provided $P(0)$ holds and that $P(x)$ implies $P(Suc(x))$ for all~$x$.
Some authors express the induction step as $\forall x. P(x)\imp P(Suc(x))$.
To avoid making induction require the presence of other connectives, we
formalize mathematical induction as
$$ \List{P(0); \Forall x. P(x)\Imp P(Suc(x))} \Imp P(n). \eqno(induct) $$

\noindent
Similarly, to avoid expressing the other rules using~$\forall$, $\imp$
and~$\neg$, we take advantage of the meta-logic;\footnote
{On the other hand, the axioms $Suc(m)=Suc(n) \bimp m=n$
and $\neg(Suc(m)=0)$ are logically equivalent to those given, and work
better with Isabelle's simplifier.} 
$(Suc\_neq\_0)$ is
an elimination rule for $Suc(m)=0$:
$$ Suc(m)=Suc(n) \Imp m=n  \eqno(Suc\_inject) $$
$$ Suc(m)=0      \Imp R    \eqno(Suc\_neq\_0) $$

\noindent
We shall also define a primitive recursion operator, $rec$.  Traditionally,
primitive recursion takes a natural number~$a$ and a 2-place function~$f$,
and obeys the equations
\begin{eqnarray*}
  rec(0,a,f)            & = & a \\
  rec(Suc(m),a,f)       & = & f(m, rec(m,a,f))
\end{eqnarray*}
Addition, defined by $m+n \equiv rec(m,n,\lambda x\,y.Suc(y))$,
should satisfy
\begin{eqnarray*}
  0+n      & = & n \\
  Suc(m)+n & = & Suc(m+n)
\end{eqnarray*}
Primitive recursion appears to pose difficulties: first-order logic has no
function-valued expressions.  We again take advantage of the meta-logic,
which does have functions.  We also generalise primitive recursion to be
polymorphic over any type of class~$term$, and declare the addition
function:
\begin{eqnarray*}
  rec   & :: & [nat, \alpha{::}term, [nat,\alpha]\To\alpha] \To\alpha \\
  +     & :: & [nat,nat]\To nat 
\end{eqnarray*}


\subsection{Declaring the theory to Isabelle}
\index{examples!of theories}
Let us create the theory \thydx{Nat} starting from theory~\verb$FOL$,
which contains only classical logic with no natural numbers.  We declare
the 0-place type constructor $nat$ and the associated constants.  Note that
the constant~0 requires a mixfix annotation because~0 is not a legal
identifier, and could not otherwise be written in terms:
\begin{ttbox}\index{mixfix declarations}
Nat = FOL +
types   nat
arities nat         :: term
consts  "0"         :: nat                              ("0")
        Suc         :: nat=>nat
        rec         :: [nat, 'a, [nat,'a]=>'a] => 'a
        "+"         :: [nat, nat] => nat                (infixl 60)
rules   Suc_inject  "Suc(m)=Suc(n) ==> m=n"
        Suc_neq_0   "Suc(m)=0      ==> R"
        induct      "[| P(0);  !!x. P(x) ==> P(Suc(x)) |]  ==> P(n)"
        rec_0       "rec(0,a,f) = a"
        rec_Suc     "rec(Suc(m), a, f) = f(m, rec(m,a,f))"
        add_def     "m+n == rec(m, n, \%x y. Suc(y))"
end
\end{ttbox}
In axiom \texttt{add_def}, recall that \verb|%| stands for~$\lambda$.
Loading this theory file creates the \ML\ structure \texttt{Nat}, which
contains the theory and axioms.

\subsection{Proving some recursion equations}
Theory \texttt{FOL/ex/Nat} contains proofs involving this theory of the
natural numbers.  As a trivial example, let us derive recursion equations
for \verb$+$.  Here is the zero case:
\begin{ttbox}
Goalw [add_def] "0+n = n";
{\out Level 0}
{\out 0 + n = n}
{\out  1. rec(0,n,\%x y. Suc(y)) = n}
\ttbreak
by (resolve_tac [rec_0] 1);
{\out Level 1}
{\out 0 + n = n}
{\out No subgoals!}
qed "add_0";
\end{ttbox}
And here is the successor case:
\begin{ttbox}
Goalw [add_def] "Suc(m)+n = Suc(m+n)";
{\out Level 0}
{\out Suc(m) + n = Suc(m + n)}
{\out  1. rec(Suc(m),n,\%x y. Suc(y)) = Suc(rec(m,n,\%x y. Suc(y)))}
\ttbreak
by (resolve_tac [rec_Suc] 1);
{\out Level 1}
{\out Suc(m) + n = Suc(m + n)}
{\out No subgoals!}
qed "add_Suc";
\end{ttbox}
The induction rule raises some complications, which are discussed next.
\index{theories!defining|)}


\section{Refinement with explicit instantiation}
\index{resolution!with instantiation}
\index{instantiation|(}

In order to employ mathematical induction, we need to refine a subgoal by
the rule~$(induct)$.  The conclusion of this rule is $\Var{P}(\Var{n})$,
which is highly ambiguous in higher-order unification.  It matches every
way that a formula can be regarded as depending on a subterm of type~$nat$.
To get round this problem, we could make the induction rule conclude
$\forall n.\Var{P}(n)$ --- but putting a subgoal into this form requires
refinement by~$(\forall E)$, which is equally hard!

The tactic \texttt{res_inst_tac}, like \texttt{resolve_tac}, refines a subgoal by
a rule.  But it also accepts explicit instantiations for the rule's
schematic variables.  
\begin{description}
\item[\ttindex{res_inst_tac} {\it insts} {\it thm} {\it i}]
instantiates the rule {\it thm} with the instantiations {\it insts}, and
then performs resolution on subgoal~$i$.

\item[\ttindex{eres_inst_tac}] 
and \ttindex{dres_inst_tac} are similar, but perform elim-resolution
and destruct-resolution, respectively.
\end{description}
The list {\it insts} consists of pairs $[(v@1,e@1), \ldots, (v@n,e@n)]$,
where $v@1$, \ldots, $v@n$ are names of schematic variables in the rule ---
with no leading question marks! --- and $e@1$, \ldots, $e@n$ are
expressions giving their instantiations.  The expressions are type-checked
in the context of a particular subgoal: free variables receive the same
types as they have in the subgoal, and parameters may appear.  Type
variable instantiations may appear in~{\it insts}, but they are seldom
required: \texttt{res_inst_tac} instantiates type variables automatically
whenever the type of~$e@i$ is an instance of the type of~$\Var{v@i}$.

\subsection{A simple proof by induction}
\index{examples!of induction}
Let us prove that no natural number~$k$ equals its own successor.  To
use~$(induct)$, we instantiate~$\Var{n}$ to~$k$; Isabelle finds a good
instantiation for~$\Var{P}$.
\begin{ttbox}
Goal "~ (Suc(k) = k)";
{\out Level 0}
{\out Suc(k) ~= k}
{\out  1. Suc(k) ~= k}
\ttbreak
by (res_inst_tac [("n","k")] induct 1);
{\out Level 1}
{\out Suc(k) ~= k}
{\out  1. Suc(0) ~= 0}
{\out  2. !!x. Suc(x) ~= x ==> Suc(Suc(x)) ~= Suc(x)}
\end{ttbox}
We should check that Isabelle has correctly applied induction.  Subgoal~1
is the base case, with $k$ replaced by~0.  Subgoal~2 is the inductive step,
with $k$ replaced by~$Suc(x)$ and with an induction hypothesis for~$x$.
The rest of the proof demonstrates~\tdx{notI}, \tdx{notE} and the
other rules of theory \texttt{Nat}.  The base case holds by~\ttindex{Suc_neq_0}:
\begin{ttbox}
by (resolve_tac [notI] 1);
{\out Level 2}
{\out Suc(k) ~= k}
{\out  1. Suc(0) = 0 ==> False}
{\out  2. !!x. Suc(x) ~= x ==> Suc(Suc(x)) ~= Suc(x)}
\ttbreak
by (eresolve_tac [Suc_neq_0] 1);
{\out Level 3}
{\out Suc(k) ~= k}
{\out  1. !!x. Suc(x) ~= x ==> Suc(Suc(x)) ~= Suc(x)}
\end{ttbox}
The inductive step holds by the contrapositive of~\ttindex{Suc_inject}.
Negation rules transform the subgoal into that of proving $Suc(x)=x$ from
$Suc(Suc(x)) = Suc(x)$:
\begin{ttbox}
by (resolve_tac [notI] 1);
{\out Level 4}
{\out Suc(k) ~= k}
{\out  1. !!x. [| Suc(x) ~= x; Suc(Suc(x)) = Suc(x) |] ==> False}
\ttbreak
by (eresolve_tac [notE] 1);
{\out Level 5}
{\out Suc(k) ~= k}
{\out  1. !!x. Suc(Suc(x)) = Suc(x) ==> Suc(x) = x}
\ttbreak
by (eresolve_tac [Suc_inject] 1);
{\out Level 6}
{\out Suc(k) ~= k}
{\out No subgoals!}
\end{ttbox}


\subsection{An example of ambiguity in \texttt{resolve_tac}}
\index{examples!of induction}\index{unification!higher-order}
If you try the example above, you may observe that \texttt{res_inst_tac} is
not actually needed.  Almost by chance, \ttindex{resolve_tac} finds the right
instantiation for~$(induct)$ to yield the desired next state.  With more
complex formulae, our luck fails.  
\begin{ttbox}
Goal "(k+m)+n = k+(m+n)";
{\out Level 0}
{\out k + m + n = k + (m + n)}
{\out  1. k + m + n = k + (m + n)}
\ttbreak
by (resolve_tac [induct] 1);
{\out Level 1}
{\out k + m + n = k + (m + n)}
{\out  1. k + m + n = 0}
{\out  2. !!x. k + m + n = x ==> k + m + n = Suc(x)}
\end{ttbox}
This proof requires induction on~$k$.  The occurrence of~0 in subgoal~1
indicates that induction has been applied to the term~$k+(m+n)$; this
application is sound but will not lead to a proof here.  Fortunately,
Isabelle can (lazily!) generate all the valid applications of induction.
The \ttindex{back} command causes backtracking to an alternative outcome of
the tactic.
\begin{ttbox}
back();
{\out Level 1}
{\out k + m + n = k + (m + n)}
{\out  1. k + m + n = k + 0}
{\out  2. !!x. k + m + n = k + x ==> k + m + n = k + Suc(x)}
\end{ttbox}
Now induction has been applied to~$m+n$.  This is equally useless.  Let us
call \ttindex{back} again.
\begin{ttbox}
back();
{\out Level 1}
{\out k + m + n = k + (m + n)}
{\out  1. k + m + 0 = k + (m + 0)}
{\out  2. !!x. k + m + x = k + (m + x) ==>}
{\out          k + m + Suc(x) = k + (m + Suc(x))}
\end{ttbox}
Now induction has been applied to~$n$.  What is the next alternative?
\begin{ttbox}
back();
{\out Level 1}
{\out k + m + n = k + (m + n)}
{\out  1. k + m + n = k + (m + 0)}
{\out  2. !!x. k + m + n = k + (m + x) ==> k + m + n = k + (m + Suc(x))}
\end{ttbox}
Inspecting subgoal~1 reveals that induction has been applied to just the
second occurrence of~$n$.  This perfectly legitimate induction is useless
here.  

The main goal admits fourteen different applications of induction.  The
number is exponential in the size of the formula.

\subsection{Proving that addition is associative}
Let us invoke the induction rule properly, using~{\tt
  res_inst_tac}.  At the same time, we shall have a glimpse at Isabelle's
simplification tactics, which are described in 
\iflabelundefined{simp-chap}%
    {the {\em Reference Manual}}{Chap.\ts\ref{simp-chap}}.

\index{simplification}\index{examples!of simplification} 

Isabelle's simplification tactics repeatedly apply equations to a subgoal,
perhaps proving it.  For efficiency, the rewrite rules must be packaged into a
{\bf simplification set},\index{simplification sets} or {\bf simpset}.  We
augment the implicit simpset of FOL with the equations proved in the previous
section, namely $0+n=n$ and $\texttt{Suc}(m)+n=\texttt{Suc}(m+n)$:
\begin{ttbox}
Addsimps [add_0, add_Suc];
\end{ttbox}
We state the goal for associativity of addition, and
use \ttindex{res_inst_tac} to invoke induction on~$k$:
\begin{ttbox}
Goal "(k+m)+n = k+(m+n)";
{\out Level 0}
{\out k + m + n = k + (m + n)}
{\out  1. k + m + n = k + (m + n)}
\ttbreak
by (res_inst_tac [("n","k")] induct 1);
{\out Level 1}
{\out k + m + n = k + (m + n)}
{\out  1. 0 + m + n = 0 + (m + n)}
{\out  2. !!x. x + m + n = x + (m + n) ==>}
{\out          Suc(x) + m + n = Suc(x) + (m + n)}
\end{ttbox}
The base case holds easily; both sides reduce to $m+n$.  The
tactic~\ttindex{Simp_tac} rewrites with respect to the current
simplification set, applying the rewrite rules for addition:
\begin{ttbox}
by (Simp_tac 1);
{\out Level 2}
{\out k + m + n = k + (m + n)}
{\out  1. !!x. x + m + n = x + (m + n) ==>}
{\out          Suc(x) + m + n = Suc(x) + (m + n)}
\end{ttbox}
The inductive step requires rewriting by the equations for addition
and with the induction hypothesis, which is also an equation.  The
tactic~\ttindex{Asm_simp_tac} rewrites using the implicit
simplification set and any useful assumptions:
\begin{ttbox}
by (Asm_simp_tac 1);
{\out Level 3}
{\out k + m + n = k + (m + n)}
{\out No subgoals!}
\end{ttbox}
\index{instantiation|)}


\section{A Prolog interpreter}
\index{Prolog interpreter|bold}
To demonstrate the power of tacticals, let us construct a Prolog
interpreter and execute programs involving lists.\footnote{To run these
examples, see the file \texttt{FOL/ex/Prolog.ML}.} The Prolog program
consists of a theory.  We declare a type constructor for lists, with an
arity declaration to say that $(\tau)list$ is of class~$term$
provided~$\tau$ is:
\begin{eqnarray*}
  list  & :: & (term)term
\end{eqnarray*}
We declare four constants: the empty list~$Nil$; the infix list
constructor~{:}; the list concatenation predicate~$app$; the list reverse
predicate~$rev$.  (In Prolog, functions on lists are expressed as
predicates.)
\begin{eqnarray*}
    Nil         & :: & \alpha list \\
    {:}         & :: & [\alpha,\alpha list] \To \alpha list \\
    app & :: & [\alpha list,\alpha list,\alpha list] \To o \\
    rev & :: & [\alpha list,\alpha list] \To o 
\end{eqnarray*}
The predicate $app$ should satisfy the Prolog-style rules
\[ {app(Nil,ys,ys)} \qquad
   {app(xs,ys,zs) \over app(x:xs, ys, x:zs)} \]
We define the naive version of $rev$, which calls~$app$:
\[ {rev(Nil,Nil)} \qquad
   {rev(xs,ys)\quad  app(ys, x:Nil, zs) \over
    rev(x:xs, zs)} 
\]

\index{examples!of theories}
Theory \thydx{Prolog} extends first-order logic in order to make use
of the class~$term$ and the type~$o$.  The interpreter does not use the
rules of~\texttt{FOL}.
\begin{ttbox}
Prolog = FOL +
types   'a list
arities list    :: (term)term
consts  Nil     :: 'a list
        ":"     :: ['a, 'a list]=> 'a list            (infixr 60)
        app     :: ['a list, 'a list, 'a list] => o
        rev     :: ['a list, 'a list] => o
rules   appNil  "app(Nil,ys,ys)"
        appCons "app(xs,ys,zs) ==> app(x:xs, ys, x:zs)"
        revNil  "rev(Nil,Nil)"
        revCons "[| rev(xs,ys); app(ys,x:Nil,zs) |] ==> rev(x:xs,zs)"
end
\end{ttbox}
\subsection{Simple executions}
Repeated application of the rules solves Prolog goals.  Let us
append the lists $[a,b,c]$ and~$[d,e]$.  As the rules are applied, the
answer builds up in~\texttt{?x}.
\begin{ttbox}
Goal "app(a:b:c:Nil, d:e:Nil, ?x)";
{\out Level 0}
{\out app(a : b : c : Nil, d : e : Nil, ?x)}
{\out  1. app(a : b : c : Nil, d : e : Nil, ?x)}
\ttbreak
by (resolve_tac [appNil,appCons] 1);
{\out Level 1}
{\out app(a : b : c : Nil, d : e : Nil, a : ?zs1)}
{\out  1. app(b : c : Nil, d : e : Nil, ?zs1)}
\ttbreak
by (resolve_tac [appNil,appCons] 1);
{\out Level 2}
{\out app(a : b : c : Nil, d : e : Nil, a : b : ?zs2)}
{\out  1. app(c : Nil, d : e : Nil, ?zs2)}
\end{ttbox}
At this point, the first two elements of the result are~$a$ and~$b$.
\begin{ttbox}
by (resolve_tac [appNil,appCons] 1);
{\out Level 3}
{\out app(a : b : c : Nil, d : e : Nil, a : b : c : ?zs3)}
{\out  1. app(Nil, d : e : Nil, ?zs3)}
\ttbreak
by (resolve_tac [appNil,appCons] 1);
{\out Level 4}
{\out app(a : b : c : Nil, d : e : Nil, a : b : c : d : e : Nil)}
{\out No subgoals!}
\end{ttbox}

Prolog can run functions backwards.  Which list can be appended
with $[c,d]$ to produce $[a,b,c,d]$?
Using \ttindex{REPEAT}, we find the answer at once, $[a,b]$:
\begin{ttbox}
Goal "app(?x, c:d:Nil, a:b:c:d:Nil)";
{\out Level 0}
{\out app(?x, c : d : Nil, a : b : c : d : Nil)}
{\out  1. app(?x, c : d : Nil, a : b : c : d : Nil)}
\ttbreak
by (REPEAT (resolve_tac [appNil,appCons] 1));
{\out Level 1}
{\out app(a : b : Nil, c : d : Nil, a : b : c : d : Nil)}
{\out No subgoals!}
\end{ttbox}


\subsection{Backtracking}\index{backtracking!Prolog style}
Prolog backtracking can answer questions that have multiple solutions.
Which lists $x$ and $y$ can be appended to form the list $[a,b,c,d]$?  This
question has five solutions.  Using \ttindex{REPEAT} to apply the rules, we
quickly find the first solution, namely $x=[]$ and $y=[a,b,c,d]$:
\begin{ttbox}
Goal "app(?x, ?y, a:b:c:d:Nil)";
{\out Level 0}
{\out app(?x, ?y, a : b : c : d : Nil)}
{\out  1. app(?x, ?y, a : b : c : d : Nil)}
\ttbreak
by (REPEAT (resolve_tac [appNil,appCons] 1));
{\out Level 1}
{\out app(Nil, a : b : c : d : Nil, a : b : c : d : Nil)}
{\out No subgoals!}
\end{ttbox}
Isabelle can lazily generate all the possibilities.  The \ttindex{back}
command returns the tactic's next outcome, namely $x=[a]$ and $y=[b,c,d]$:
\begin{ttbox}
back();
{\out Level 1}
{\out app(a : Nil, b : c : d : Nil, a : b : c : d : Nil)}
{\out No subgoals!}
\end{ttbox}
The other solutions are generated similarly.
\begin{ttbox}
back();
{\out Level 1}
{\out app(a : b : Nil, c : d : Nil, a : b : c : d : Nil)}
{\out No subgoals!}
\ttbreak
back();
{\out Level 1}
{\out app(a : b : c : Nil, d : Nil, a : b : c : d : Nil)}
{\out No subgoals!}
\ttbreak
back();
{\out Level 1}
{\out app(a : b : c : d : Nil, Nil, a : b : c : d : Nil)}
{\out No subgoals!}
\end{ttbox}


\subsection{Depth-first search}
\index{search!depth-first}
Now let us try $rev$, reversing a list.
Bundle the rules together as the \ML{} identifier \texttt{rules}.  Naive
reverse requires 120 inferences for this 14-element list, but the tactic
terminates in a few seconds.
\begin{ttbox}
Goal "rev(a:b:c:d:e:f:g:h:i:j:k:l:m:n:Nil, ?w)";
{\out Level 0}
{\out rev(a : b : c : d : e : f : g : h : i : j : k : l : m : n : Nil, ?w)}
{\out  1. rev(a : b : c : d : e : f : g : h : i : j : k : l : m : n : Nil,}
{\out         ?w)}
\ttbreak
val rules = [appNil,appCons,revNil,revCons];
\ttbreak
by (REPEAT (resolve_tac rules 1));
{\out Level 1}
{\out rev(a : b : c : d : e : f : g : h : i : j : k : l : m : n : Nil,}
{\out     n : m : l : k : j : i : h : g : f : e : d : c : b : a : Nil)}
{\out No subgoals!}
\end{ttbox}
We may execute $rev$ backwards.  This, too, should reverse a list.  What
is the reverse of $[a,b,c]$?
\begin{ttbox}
Goal "rev(?x, a:b:c:Nil)";
{\out Level 0}
{\out rev(?x, a : b : c : Nil)}
{\out  1. rev(?x, a : b : c : Nil)}
\ttbreak
by (REPEAT (resolve_tac rules 1));
{\out Level 1}
{\out rev(?x1 : Nil, a : b : c : Nil)}
{\out  1. app(Nil, ?x1 : Nil, a : b : c : Nil)}
\end{ttbox}
The tactic has failed to find a solution!  It reached a dead end at
subgoal~1: there is no~$\Var{x@1}$ such that [] appended with~$[\Var{x@1}]$
equals~$[a,b,c]$.  Backtracking explores other outcomes.
\begin{ttbox}
back();
{\out Level 1}
{\out rev(?x1 : a : Nil, a : b : c : Nil)}
{\out  1. app(Nil, ?x1 : Nil, b : c : Nil)}
\end{ttbox}
This too is a dead end, but the next outcome is successful.
\begin{ttbox}
back();
{\out Level 1}
{\out rev(c : b : a : Nil, a : b : c : Nil)}
{\out No subgoals!}
\end{ttbox}
\ttindex{REPEAT} goes wrong because it is only a repetition tactical, not a
search tactical.  \texttt{REPEAT} stops when it cannot continue, regardless of
which state is reached.  The tactical \ttindex{DEPTH_FIRST} searches for a
satisfactory state, as specified by an \ML{} predicate.  Below,
\ttindex{has_fewer_prems} specifies that the proof state should have no
subgoals.
\begin{ttbox}
val prolog_tac = DEPTH_FIRST (has_fewer_prems 1) 
                             (resolve_tac rules 1);
\end{ttbox}
Since Prolog uses depth-first search, this tactic is a (slow!) 
Prolog interpreter.  We return to the start of the proof using
\ttindex{choplev}, and apply \texttt{prolog_tac}:
\begin{ttbox}
choplev 0;
{\out Level 0}
{\out rev(?x, a : b : c : Nil)}
{\out  1. rev(?x, a : b : c : Nil)}
\ttbreak
by prolog_tac;
{\out Level 1}
{\out rev(c : b : a : Nil, a : b : c : Nil)}
{\out No subgoals!}
\end{ttbox}
Let us try \texttt{prolog_tac} on one more example, containing four unknowns:
\begin{ttbox}
Goal "rev(a:?x:c:?y:Nil, d:?z:b:?u)";
{\out Level 0}
{\out rev(a : ?x : c : ?y : Nil, d : ?z : b : ?u)}
{\out  1. rev(a : ?x : c : ?y : Nil, d : ?z : b : ?u)}
\ttbreak
by prolog_tac;
{\out Level 1}
{\out rev(a : b : c : d : Nil, d : c : b : a : Nil)}
{\out No subgoals!}
\end{ttbox}
Although Isabelle is much slower than a Prolog system, Isabelle
tactics can exploit logic programming techniques.