isabelle: doc-src/TutorialI/IsarOverview/Isar/document/intro.tex@fb78ee03c391 (annotated)

13619 584291949c23 * empty log message * nipkow parents: diff changeset	1	\section{Introduction}
584291949c23 * empty log message * nipkow parents: diff changeset	2
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	3	Isabelle is a generic proof assistant. Isar is an extension of
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	4	Isabelle with structured proofs in a stylised language of mathematics.
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	5	These proofs are readable for both a human and a machine.
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	6	Isabelle/HOL~\cite{LNCS2283} is a specialisation of Isabelle with
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	7	higher-order logic (HOL). This paper is a compact introduction to
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	8	structured proofs in Isar/HOL, an extension of Isabelle/HOL. We
13765 e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	9	intentionally do not present the full language but concentrate on the
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	10	essentials. Neither do we give a formal semantics of Isar. Instead we
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	11	introduce Isar by example. We believe that the language ``speaks for
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	12	itself'' in the same way that traditional mathematical proofs do,
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	13	which are also introduced by example rather than by teaching students
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	14	logic first. A detailed exposition of Isar can be found in Markus
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	15	Wenzel's PhD thesis~\cite{Wenzel-PhD} (which also discusses related
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	16	work) and the Isar reference manual~\cite{Isar-Ref-Man}.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	17
584291949c23 * empty log message * nipkow parents: diff changeset	18	\subsection{Background}
584291949c23 * empty log message * nipkow parents: diff changeset	19
584291949c23 * empty log message * nipkow parents: diff changeset	20	Interactive theorem proving has been dominated by a model of proof
584291949c23 * empty log message * nipkow parents: diff changeset	21	that goes back to the LCF system~\cite{LCF}: a proof is a more or less
584291949c23 * empty log message * nipkow parents: diff changeset	22	structured sequence of commands that manipulate an implicit proof
584291949c23 * empty log message * nipkow parents: diff changeset	23	state. Thus the proof text is only suitable for the machine; for a
584291949c23 * empty log message * nipkow parents: diff changeset	24	human, the proof only comes alive when he can see the state changes
584291949c23 * empty log message * nipkow parents: diff changeset	25	caused by the stepwise execution of the commands. Such proofs are like
584291949c23 * empty log message * nipkow parents: diff changeset	26	uncommented assembly language programs. We call them
584291949c23 * empty log message * nipkow parents: diff changeset	27	\emph{tactic-style} proofs because LCF proof commands were called
584291949c23 * empty log message * nipkow parents: diff changeset	28	tactics.
584291949c23 * empty log message * nipkow parents: diff changeset	29
584291949c23 * empty log message * nipkow parents: diff changeset	30	A radically different approach was taken by the Mizar
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	31	system~\cite{Rudnicki92} where proofs are written in a stylised language akin
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	32	to that used in ordinary mathematics texts. The most important argument in
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	33	favour of a mathematics-like proof language is communication: as soon as not
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	34	just the theorem but also the proof becomes an object of interest, it should
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	35	be readable. From a system development point of view there is a second
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	36	important argument against tactic-style proofs: they are much harder to
13765 e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	37	maintain when the system is modified.
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	38	%The reason is as follows. Since it is
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	39	%usually quite unclear what exactly is proved at some point in the middle of a
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	40	%command sequence, updating a failed proof often requires executing the proof
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	41	%up to the point of failure using the old version of the system. In contrast,
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	42	%mathematics-like proofs contain enough information to tell you what is proved
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	43	%at any point.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	44
584291949c23 * empty log message * nipkow parents: diff changeset	45	For these reasons the Isabelle system, originally firmly in the
584291949c23 * empty log message * nipkow parents: diff changeset	46	LCF-tradition, was extended with a language for writing structured
584291949c23 * empty log message * nipkow parents: diff changeset	47	proofs in a mathematics-like style. As the name already indicates,
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	48	Isar was certainly inspired by Mizar. However, there are many
13619 584291949c23 * empty log message * nipkow parents: diff changeset	49	differences. For a start, Isar is generic: only a few of the language
584291949c23 * empty log message * nipkow parents: diff changeset	50	constructs described below are specific to HOL; many are generic and
584291949c23 * empty log message * nipkow parents: diff changeset	51	thus available for any logic defined in Isabelle, e.g.\ ZF.
584291949c23 * empty log message * nipkow parents: diff changeset	52	Furthermore, we have Isabelle's powerful automatic proof procedures at
584291949c23 * empty log message * nipkow parents: diff changeset	53	our disposal. A closer comparison of Isar and Mizar can be found
584291949c23 * empty log message * nipkow parents: diff changeset	54	elsewhere~\cite{WenzelW-JAR}.
584291949c23 * empty log message * nipkow parents: diff changeset	55
584291949c23 * empty log message * nipkow parents: diff changeset	56	\subsection{A first glimpse of Isar}
584291949c23 * empty log message * nipkow parents: diff changeset	57	Below you find a simplified grammar for Isar proofs.
584291949c23 * empty log message * nipkow parents: diff changeset	58	Parentheses are used for grouping and $^?$ indicates an optional item:
584291949c23 * empty log message * nipkow parents: diff changeset	59	\begin{center}
584291949c23 * empty log message * nipkow parents: diff changeset	60	\begin{tabular}{lrl}
584291949c23 * empty log message * nipkow parents: diff changeset	61	\emph{proof} & ::= & \isakeyword{proof} \emph{method}$^?$
584291949c23 * empty log message * nipkow parents: diff changeset	62	\emph{statement}*
584291949c23 * empty log message * nipkow parents: diff changeset	63	\isakeyword{qed} \\
584291949c23 * empty log message * nipkow parents: diff changeset	64	&$\mid$& \isakeyword{by} \emph{method}\\[1ex]
584291949c23 * empty log message * nipkow parents: diff changeset	65	\emph{statement} &::= & \isakeyword{fix} \emph{variables} \\
584291949c23 * empty log message * nipkow parents: diff changeset	66	&$\mid$& \isakeyword{assume} \emph{propositions} \\
584291949c23 * empty log message * nipkow parents: diff changeset	67	&$\mid$& (\isakeyword{from} \emph{facts})$^?$
584291949c23 * empty log message * nipkow parents: diff changeset	68	(\isakeyword{show} $\mid$ \isakeyword{have})
584291949c23 * empty log message * nipkow parents: diff changeset	69	\emph{propositions} \emph{proof} \\[1ex]
584291949c23 * empty log message * nipkow parents: diff changeset	70	\emph{proposition} &::=& (\emph{label}{\bf:})$^?$ \emph{string} \\[1ex]
584291949c23 * empty log message * nipkow parents: diff changeset	71	\emph{fact} &::=& \emph{label}
584291949c23 * empty log message * nipkow parents: diff changeset	72	\end{tabular}
584291949c23 * empty log message * nipkow parents: diff changeset	73	\end{center}
584291949c23 * empty log message * nipkow parents: diff changeset	74	A proof can be either compound (\isakeyword{proof} --
584291949c23 * empty log message * nipkow parents: diff changeset	75	\isakeyword{qed}) or atomic (\isakeyword{by}). A \emph{method} is a
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	76	proof method (tactic) offered by the underlying theorem prover.
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	77	Thus this grammar is generic both w.r.t.\ the logic and the theorem prover.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	78
584291949c23 * empty log message * nipkow parents: diff changeset	79	This is a typical proof skeleton:
584291949c23 * empty log message * nipkow parents: diff changeset	80	\begin{center}
584291949c23 * empty log message * nipkow parents: diff changeset	81	\begin{tabular}{@{}ll}
584291949c23 * empty log message * nipkow parents: diff changeset	82	\isakeyword{proof}\\
584291949c23 * empty log message * nipkow parents: diff changeset	83	\hspace*{3ex}\isakeyword{assume} \isa{"}\emph{the-assm}\isa{"}\\
584291949c23 * empty log message * nipkow parents: diff changeset	84	\hspace*{3ex}\isakeyword{have} \isa{"}\dots\isa{"} & --- intermediate result\\
584291949c23 * empty log message * nipkow parents: diff changeset	85	\hspace*{3ex}\vdots\\
584291949c23 * empty log message * nipkow parents: diff changeset	86	\hspace*{3ex}\isakeyword{have} \isa{"}\dots\isa{"} & --- intermediate result\\
584291949c23 * empty log message * nipkow parents: diff changeset	87	\hspace*{3ex}\isakeyword{show} \isa{"}\emph{the-concl}\isa{"}\\
584291949c23 * empty log message * nipkow parents: diff changeset	88	\isakeyword{qed}
584291949c23 * empty log message * nipkow parents: diff changeset	89	\end{tabular}
584291949c23 * empty log message * nipkow parents: diff changeset	90	\end{center}
584291949c23 * empty log message * nipkow parents: diff changeset	91	It proves \emph{the-assm}~$\Longrightarrow$~\emph{the-concl}. Text starting with
584291949c23 * empty log message * nipkow parents: diff changeset	92	``---'' is a comment. The intermediate \isakeyword{have}s are only
584291949c23 * empty log message * nipkow parents: diff changeset	93	there to bridge the gap between the assumption and the conclusion and
584291949c23 * empty log message * nipkow parents: diff changeset	94	do not contribute to the theorem being proved. In contrast,
584291949c23 * empty log message * nipkow parents: diff changeset	95	\isakeyword{show} establishes the conclusion of the theorem.
584291949c23 * empty log message * nipkow parents: diff changeset	96
584291949c23 * empty log message * nipkow parents: diff changeset	97	\subsection{Bits of Isabelle}
584291949c23 * empty log message * nipkow parents: diff changeset	98
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	99	We recall some basic notions and notation from Isabelle. For more
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	100	details and for instructions how to run examples see
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	101	elsewhere~\cite{LNCS2283}.
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	102
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	103	Isabelle's meta-logic comes with a type of \emph{propositions} with
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	104	implication $\Longrightarrow$ and a universal quantifier $\bigwedge$ for expressing
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	105	inference rules and generality. Iterated implications $A_1 \Longrightarrow \dots
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	106	A_n \Longrightarrow A$ may be abbreviated to $[\![ A_1; \dots; A_n ]\!] \Longrightarrow A$.
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	107	Applying a theorem $A \Longrightarrow B$ (named \isa{T}) to a theorem $A$ (named
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	108	\isa{U}) is written \isa{T[OF U]} and yields theorem $B$.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	109
584291949c23 * empty log message * nipkow parents: diff changeset	110	Isabelle terms are simply typed. Function types are
584291949c23 * empty log message * nipkow parents: diff changeset	111	written $\tau_1 \Rightarrow \tau_2$.
584291949c23 * empty log message * nipkow parents: diff changeset	112
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	113	Free variables that may be instantiated (``logical variables'' in Prolog
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	114	parlance) are prefixed with a \isa{?}. Typically, theorems are stated with
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	115	ordinary free variables but after the proof those are automatically replaced
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	116	by \isa{?}-variables. Thus the theorem can be used with arbitrary instances
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	117	of its free variables.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	118
584291949c23 * empty log message * nipkow parents: diff changeset	119	Isabelle/HOL offers all the usual logical symbols like $\longrightarrow$, $\land$,
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	120	$\forall$ etc. HOL formulae are propositions, e.g.\ $\forall$ can appear below
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	121	$\Longrightarrow$, but not the other way around. Beware that $\longrightarrow$ binds more
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	122	tightly than $\Longrightarrow$: in $\forall x. P \longrightarrow Q$ the $\forall x$ covers $P \longrightarrow Q$, whereas
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	123	in $\forall x. P \Longrightarrow Q$ it covers only $P$.
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	124
fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	125	Proof methods include \isa{rule} (which performs a backwards
13619 584291949c23 * empty log message * nipkow parents: diff changeset	126	step with a given rule, unifying the conclusion of the rule with the
584291949c23 * empty log message * nipkow parents: diff changeset	127	current subgoal and replacing the subgoal by the premises of the
584291949c23 * empty log message * nipkow parents: diff changeset	128	rule), \isa{simp} (for simplification) and \isa{blast} (for predicate
584291949c23 * empty log message * nipkow parents: diff changeset	129	calculus reasoning).
584291949c23 * empty log message * nipkow parents: diff changeset	130
584291949c23 * empty log message * nipkow parents: diff changeset	131	\subsection{Overview of the paper}
584291949c23 * empty log message * nipkow parents: diff changeset	132
584291949c23 * empty log message * nipkow parents: diff changeset	133	The rest of the paper is divided into two parts.
584291949c23 * empty log message * nipkow parents: diff changeset	134	Section~\ref{sec:Logic} introduces proofs in pure logic based on
584291949c23 * empty log message * nipkow parents: diff changeset	135	natural deduction. Section~\ref{sec:Induct} is dedicated to induction,
584291949c23 * empty log message * nipkow parents: diff changeset	136	the key reasoning principle for computer science applications.
584291949c23 * empty log message * nipkow parents: diff changeset	137
13765 e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	138	There are two further areas where Isar provides specific support, but
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	139	which we do not document here. Reasoning by chains of (in)equations is
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	140	described elsewhere~\cite{BauerW-TPHOLs01}. Reasoning about
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	141	axiomatically defined structures by means of so called ``locales'' was
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	142	first described in \cite{KWP-TPHOLs99} but has evolved much since
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	143	then.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	144
13765 e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	145	Finally, a word of warning for potential writers of Isar proofs. It
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	146	has always been easier to write obscure rather than readable texts.
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	147	Similarly, tactic-style proofs are often (though by no means always!)
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	148	easier to write than readable ones: structure does not emerge
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	149	automatically but needs to be understood and imposed. If the precise
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	150	structure of the proof is unclear at beginning, it can be useful to
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	151	start in a tactic-based style for exploratory purposes until one has
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	152	found a proof which can be converted into a structured text in a
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	153	second step.
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	154	% Top down conversion is possible because Isar
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	155	%allows tactic-style proofs as components of structured ones.
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	156
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	157	%Do not be mislead by the simplicity of the formulae being proved,
e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	158	%especially in the beginning. Isar has been used very successfully in
13766 fb78ee03c391 * empty log message * nipkow parents: 13765 diff changeset	159	%large applications, for example the formalisation of Java, in
13765 e3c444e805c4 * empty log message * nipkow parents: 13620 diff changeset	160	%particular the verification of the bytecode verifier~\cite{KleinN-TCS}.

author	nipkow
	Sun, 29 Dec 2002 08:56:24 +0100
changeset 13766	fb78ee03c391
parent 13765	e3c444e805c4
permissions	-rw-r--r--