src/Doc/Tutorial/document/rules.tex
author wenzelm
Sun, 15 Nov 2020 17:42:35 +0100
changeset 72614 ffed574c65c3
parent 64242 93c6f0da5c70
permissions -rw-r--r--
tuned;
%!TEX root = root.tex
\chapter{The Rules of the Game}
\label{chap:rules}

This chapter outlines the concepts and techniques that underlie reasoning
in Isabelle.  Until now, we have proved everything using only induction and
simplification, but any serious verification project requires more elaborate
forms of inference.  The chapter also introduces the fundamentals of
predicate logic.  The first examples in this chapter will consist of
detailed, low-level proof steps.  Later, we shall see how to automate such
reasoning using the methods
\isa{blast},
\isa{auto} and others.  Backward or goal-directed proof is our usual style,
but the chapter also introduces forward reasoning, where one theorem is
transformed to yield another.

\section{Natural Deduction}

\index{natural deduction|(}%
In Isabelle, proofs are constructed using inference rules. The
most familiar inference rule is probably \emph{modus ponens}:%
\index{modus ponens@\emph{modus ponens}}
\[ \infer{Q}{P\imp Q & P} \]
This rule says that from $P\imp Q$ and $P$ we may infer~$Q$.

\textbf{Natural deduction} is an attempt to formalize logic in a way
that mirrors human reasoning patterns.
For each logical symbol (say, $\conj$), there
are two kinds of rules: \textbf{introduction} and \textbf{elimination} rules.
The introduction rules allow us to infer this symbol (say, to
infer conjunctions). The elimination rules allow us to deduce
consequences from this symbol. Ideally each rule should mention
one symbol only.  For predicate logic this can be
done, but when users define their own concepts they typically
have to refer to other symbols as well.  It is best not to be dogmatic.
Our system is not based on pure natural deduction, but includes elements from the sequent calculus
and free-variable tableaux.

Natural deduction generally deserves its name.  It is easy to use.  Each
proof step consists of identifying the outermost symbol of a formula and
applying the corresponding rule.  It creates new subgoals in
an obvious way from parts of the chosen formula.  Expanding the
definitions of constants can blow up the goal enormously.  Deriving natural
deduction rules for such constants lets us reason in terms of their key
properties, which might otherwise be obscured by the technicalities of their
definitions.  Natural deduction rules also lend themselves to automation.
Isabelle's
\textbf{classical reasoner} accepts any suitable collection of natural deduction
rules and uses them to search for proofs automatically.  Isabelle is designed around
natural deduction and many of its tools use the terminology of introduction
and elimination rules.%
\index{natural deduction|)}


\section{Introduction Rules}

\index{introduction rules|(}%
An introduction rule tells us when we can infer a formula
containing a specific logical symbol. For example, the conjunction
introduction rule says that if we have $P$ and if we have $Q$ then
we have $P\conj Q$. In a mathematics text, it is typically shown
like this:
\[  \infer{P\conj Q}{P & Q} \]
The rule introduces the conjunction
symbol~($\conj$) in its conclusion.  In Isabelle proofs we
mainly reason backwards.  When we apply this rule, the subgoal already has
the form of a conjunction; the proof step makes this conjunction symbol
disappear.

In Isabelle notation, the rule looks like this:
\begin{isabelle}
\isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P\ \isasymand\ ?Q\rulenamedx{conjI}
\end{isabelle}
Carefully examine the syntax.  The premises appear to the
left of the arrow and the conclusion to the right.  The premises (if
more than one) are grouped using the fat brackets.  The question marks
indicate \textbf{schematic variables} (also called
\textbf{unknowns}):\index{unknowns|bold} they may
be replaced by arbitrary formulas.  If we use the rule backwards, Isabelle
tries to unify the current subgoal with the conclusion of the rule, which
has the form \isa{?P\ \isasymand\ ?Q}.  (Unification is discussed below,
{\S}\ref{sec:unification}.)  If successful,
it yields new subgoals given by the formulas assigned to
\isa{?P} and \isa{?Q}.

The following trivial proof illustrates how rules work.  It also introduces a
style of indentation.  If a command adds a new subgoal, then the next
command's indentation is increased by one space; if it proves a subgoal, then
the indentation is reduced.  This provides the reader with hints about the
subgoal structure.
\begin{isabelle}
\isacommand{lemma}\ conj_rule:\ "\isasymlbrakk P;\
Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\
(Q\ \isasymand\ P)"\isanewline
\isacommand{apply}\ (rule\ conjI)\isanewline
\ \isacommand{apply}\ assumption\isanewline
\isacommand{apply}\ (rule\ conjI)\isanewline
\ \isacommand{apply}\ assumption\isanewline
\isacommand{apply}\ assumption
\end{isabelle}
At the start, Isabelle presents
us with the assumptions (\isa{P} and~\isa{Q}) and with the goal to be proved,
\isa{P\ \isasymand\
(Q\ \isasymand\ P)}.  We are working backwards, so when we
apply conjunction introduction, the rule removes the outermost occurrence
of the \isa{\isasymand} symbol.  To apply a rule to a subgoal, we apply
the proof method \isa{rule} --- here with \isa{conjI}, the conjunction
introduction rule.
\begin{isabelle}
%\isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\ Q\
%\isasymand\ P\isanewline
\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\ \isasymand\ P
\end{isabelle}
Isabelle leaves two new subgoals: the two halves of the original conjunction.
The first is simply \isa{P}, which is trivial, since \isa{P} is among
the assumptions.  We can apply the \methdx{assumption}
method, which proves a subgoal by finding a matching assumption.
\begin{isabelle}
\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\
Q\ \isasymand\ P
\end{isabelle}
We are left with the subgoal of proving
\isa{Q\ \isasymand\ P} from the assumptions \isa{P} and~\isa{Q}.  We apply
\isa{rule conjI} again.
\begin{isabelle}
\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\isanewline
\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P
\end{isabelle}
We are left with two new subgoals, \isa{Q} and~\isa{P}, each of which can be proved
using the \isa{assumption} method.%
\index{introduction rules|)}


\section{Elimination Rules}

\index{elimination rules|(}%
Elimination rules work in the opposite direction from introduction
rules. In the case of conjunction, there are two such rules.
From $P\conj Q$ we infer $P$.  Also, from $P\conj Q$
we infer $Q$:
\[ \infer{P}{P\conj Q} \qquad \infer{Q}{P\conj Q}  \]

Now consider disjunction. There are two introduction rules, which resemble inverted forms of the
conjunction elimination rules:
\[ \infer{P\disj Q}{P} \qquad \infer{P\disj Q}{Q}  \]

What is the disjunction elimination rule?  The situation is rather different from
conjunction.  From $P\disj Q$ we cannot conclude that $P$ is true and we
cannot conclude that $Q$ is true; there are no direct
elimination rules of the sort that we have seen for conjunction.  Instead,
there is an elimination rule that works indirectly.  If we are trying to prove
something else, say $R$, and we know that $P\disj Q$ holds, then we have to consider
two cases.  We can assume that $P$ is true and prove $R$ and then assume that $Q$ is
true and prove $R$ a second time.  Here we see a fundamental concept used in natural
deduction: that of the \textbf{assumptions}. We have to prove $R$ twice, under
different assumptions.  The assumptions are local to these subproofs and are visible
nowhere else.

In a logic text, the disjunction elimination rule might be shown
like this:
\[ \infer{R}{P\disj Q & \infer*{R}{[P]} & \infer*{R}{[Q]}} \]
The assumptions $[P]$ and $[Q]$ are bracketed
to emphasize that they are local to their subproofs.  In Isabelle
notation, the already-familiar \isa{\isasymLongrightarrow} syntax serves the
same purpose:
\begin{isabelle}
\isasymlbrakk?P\ \isasymor\ ?Q;\ ?P\ \isasymLongrightarrow\ ?R;\ ?Q\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{disjE}
\end{isabelle}
When we use this sort of elimination rule backwards, it produces
a case split.  (We have seen this before, in proofs by induction.)  The following proof
illustrates the use of disjunction elimination.
\begin{isabelle}
\isacommand{lemma}\ disj_swap:\ "P\ \isasymor\ Q\
\isasymLongrightarrow\ Q\ \isasymor\ P"\isanewline
\isacommand{apply}\ (erule\ disjE)\isanewline
\ \isacommand{apply}\ (rule\ disjI2)\isanewline
\ \isacommand{apply}\ assumption\isanewline
\isacommand{apply}\ (rule\ disjI1)\isanewline
\isacommand{apply}\ assumption
\end{isabelle}
We assume \isa{P\ \isasymor\ Q} and
must prove \isa{Q\ \isasymor\ P}\@.  Our first step uses the disjunction
elimination rule, \isa{disjE}\@.  We invoke it using \methdx{erule}, a
method designed to work with elimination rules.  It looks for an assumption that
matches the rule's first premise.  It deletes the matching assumption,
regards the first premise as proved and returns subgoals corresponding to
the remaining premises.  When we apply \isa{erule} to \isa{disjE}, only two
subgoals result.  This is better than applying it using \isa{rule}
to get three subgoals, then proving the first by assumption: the other
subgoals would have the redundant assumption
\hbox{\isa{P\ \isasymor\ Q}}.
Most of the time, \isa{erule} is the best way to use elimination rules, since it
replaces an assumption by its subformulas; only rarely does the original
assumption remain useful.

\begin{isabelle}
%P\ \isasymor\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
\ 1.\ P\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
\end{isabelle}
These are the two subgoals returned by \isa{erule}.  The first assumes
\isa{P} and the second assumes \isa{Q}.  Tackling the first subgoal, we
need to show \isa{Q\ \isasymor\ P}\@.  The second introduction rule
(\isa{disjI2}) can reduce this to \isa{P}, which matches the assumption.
So, we apply the
\isa{rule} method with \isa{disjI2} \ldots
\begin{isabelle}
\ 1.\ P\ \isasymLongrightarrow\ P\isanewline
\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
\end{isabelle}
\ldots and finish off with the \isa{assumption}
method.  We are left with the other subgoal, which
assumes \isa{Q}.
\begin{isabelle}
\ 1.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
\end{isabelle}
Its proof is similar, using the introduction
rule \isa{disjI1}.

The result of this proof is a new inference rule \isa{disj_swap}, which is neither
an introduction nor an elimination rule, but which might
be useful.  We can use it to replace any goal of the form $Q\disj P$
by one of the form $P\disj Q$.%
\index{elimination rules|)}
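
To make the comparison between \isa{erule} and \isa{rule} concrete, here is the
same lemma proved with \isa{rule disjE} instead of \isa{erule disjE}, as an
added example that is not part of the tutorial's own text or theories (the
theory name \isa{Disj_Rule_Demo} is an assumption).  It lets the reader inspect
the three subgoals and the redundant assumption \isa{P\ \isasymor\ Q} that
\isa{erule} avoids.

```isabelle
theory Disj_Rule_Demo   (* added example; the theory name is an assumption *)
  imports Main
begin

(* The lemma disj_swap of the tutorial, but applying disjE with rule.
   rule unifies only the rule's conclusion ?R with the goal Q \<or> P and
   ignores the assumption, so the first premise ?P \<or> ?Q is left as a
   subgoal and the unknowns ?P, ?Q are not yet instantiated.  Three
   subgoals result (the schematic names may carry numeric suffixes):
     1. P \<or> Q \<Longrightarrow> ?P \<or> ?Q
     2. \<lbrakk>P \<or> Q; ?P\<rbrakk> \<Longrightarrow> Q \<or> P
     3. \<lbrakk>P \<or> Q; ?Q\<rbrakk> \<Longrightarrow> Q \<or> P *)
lemma disj_swap_via_rule: "P \<or> Q \<Longrightarrow> Q \<or> P"
apply (rule disjE)
  (* Proving subgoal 1 by assumption instantiates ?P := P and ?Q := Q,
     but P \<or> Q stays behind in the two case subgoals:
     1. \<lbrakk>P \<or> Q; P\<rbrakk> \<Longrightarrow> Q \<or> P
     2. \<lbrakk>P \<or> Q; Q\<rbrakk> \<Longrightarrow> Q \<or> P
     erule would have deleted it and gone straight to P \<Longrightarrow> Q \<or> P
     and Q \<Longrightarrow> Q \<or> P. *)
  apply assumption
 (* Case P: reduce Q \<or> P to P with the second introduction rule. *)
 apply (rule disjI2)
 apply assumption
(* Case Q: reduce Q \<or> P to Q with the first introduction rule. *)
apply (rule disjI1)
apply assumption
done

end
```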


\section{Destruction Rules: Some Examples}

\index{destruction rules|(}%
Now let us examine the analogous proof for conjunction.
\begin{isabelle}
\isacommand{lemma}\ conj_swap:\ "P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P"\isanewline
\isacommand{apply}\ (rule\ conjI)\isanewline
\ \isacommand{apply}\ (drule\ conjunct2)\isanewline
\ \isacommand{apply}\ assumption\isanewline
\isacommand{apply}\ (drule\ conjunct1)\isanewline
\isacommand{apply}\ assumption
\end{isabelle}
Recall that the conjunction elimination rules --- whose Isabelle names are
\isa{conjunct1} and \isa{conjunct2} --- simply return the first or second half
of a conjunction.  Rules of this sort (where the conclusion is a subformula of a
premise) are called \textbf{destruction} rules because they take apart and destroy
a premise.%
\footnote{This Isabelle terminology is not used in standard logic texts,
although the distinction between the two forms of elimination rule is well known.
Girard \cite[page 74]{girard89},\index{Girard, Jean-Yves|fnote}
for example, writes ``The elimination rules
[for $\disj$ and $\exists$] are very
bad.  What is catastrophic about them is the parasitic presence of a formula [$R$]
which has no structural link with the formula which is eliminated.''
These Isabelle rules are inspired by the sequent calculus.}

The first proof step applies conjunction introduction, leaving
two subgoals: 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   256
\begin{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   257
%P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P\isanewline
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   258
\ 1.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\isanewline
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   259
\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   260
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   261
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   262
To invoke the elimination rule, we apply a new method, \isa{drule}. 
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
   263
Think of the \isa{d} as standing for \textbf{destruction} (or \textbf{direct}, if
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   264
you prefer).   Applying the 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   265
second conjunction rule using \isa{drule} replaces the assumption 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   266
\isa{P\ \isasymand\ Q} by \isa{Q}. 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   267
\begin{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   268
\ 1.\ Q\ \isasymLongrightarrow\ Q\isanewline
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   269
\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   270
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   271
The resulting subgoal can be proved by applying \isa{assumption}.
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   272
The other subgoal is similarly proved, using the \isa{conjunct1} rule and the 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   273
\isa{assumption} method.
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   274
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   275
Choosing among the methods \isa{rule}, \isa{erule} and \isa{drule} is up to 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   276
you.  Isabelle does not attempt to work out whether a rule 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   277
is an introduction rule or an elimination rule.  The 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   278
method determines how the rule will be interpreted. Many rules 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   279
can be used in more than one way.  For example, \isa{disj_swap} can 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   280
be applied to assumptions as well as to goals; it replaces any
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   281
assumption of the form
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   282
$P\disj Q$ by one of the form $Q\disj P$.

Destruction rules are simpler in form than indirect rules such as \isa{disjE},
but they can be inconvenient.  Each of the conjunction rules discards half
of the formula, when usually we want to take both parts of the conjunction as new
assumptions.  The easiest way to do so is by using an
alternative conjunction elimination rule that resembles \isa{disjE}\@.  It is
seldom, if ever, seen in logic books.  In Isabelle syntax it looks like this:
\begin{isabelle}
\isasymlbrakk?P\ \isasymand\ ?Q;\ \isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{conjE}
\end{isabelle}
\index{destruction rules|)}

\begin{exercise}
Use the rule \isa{conjE} to shorten the proof above.
\end{exercise}


\section{Implication}

\index{implication|(}%
At the start of this chapter, we saw the rule \emph{modus ponens}.  It is, in fact,
a destruction rule. The matching introduction rule looks like this
in Isabelle:
\begin{isabelle}
(?P\ \isasymLongrightarrow\ ?Q)\ \isasymLongrightarrow\ ?P\
\isasymlongrightarrow\ ?Q\rulenamedx{impI}
\end{isabelle}
And this is \emph{modus ponens}\index{modus ponens@\emph{modus ponens}}:
\begin{isabelle}
\isasymlbrakk?P\ \isasymlongrightarrow\ ?Q;\ ?P\isasymrbrakk\
\isasymLongrightarrow\ ?Q
\rulenamedx{mp}
\end{isabelle}

Here is a proof using the implication rules.  This
lemma performs a sort of uncurrying, replacing the two antecedents
of a nested implication by a conjunction.  The proof illustrates
how assumptions work.  At each proof step, the subgoals inherit the previous
assumptions, perhaps with additions or deletions.  Rules such as
\isa{impI} and \isa{disjE} add assumptions, while applying \isa{erule} or
\isa{drule} deletes the matching assumption.
\begin{isabelle}
\isacommand{lemma}\ imp_uncurry:\
"P\ \isasymlongrightarrow\ (Q\
\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
\isasymand\ Q\ \isasymlongrightarrow\
R"\isanewline
\isacommand{apply}\ (rule\ impI)\isanewline
\isacommand{apply}\ (erule\ conjE)\isanewline
\isacommand{apply}\ (drule\ mp)\isanewline
\ \isacommand{apply}\ assumption\isanewline
\isacommand{apply}\ (drule\ mp)\isanewline
\ \ \isacommand{apply}\ assumption\isanewline
\ \isacommand{apply}\ assumption
\end{isabelle}
First, we state the lemma and apply implication introduction (\isa{rule impI}),
which moves the conjunction to the assumptions.
\begin{isabelle}
%P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R\ \isasymLongrightarrow\ P\
%\isasymand\ Q\ \isasymlongrightarrow\ R\isanewline
\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P\ \isasymand\ Q\isasymrbrakk\ \isasymLongrightarrow\ R
\end{isabelle}
Next, we apply conjunction elimination (\isa{erule conjE}), which splits this
conjunction into two parts.
\begin{isabelle}
\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P;\
Q\isasymrbrakk\ \isasymLongrightarrow\ R
\end{isabelle}
Now, we work on the assumption \isa{P\ \isasymlongrightarrow\ (Q\
\isasymlongrightarrow\ R)}, where the parentheses have been inserted for
clarity.  The nested implication requires two applications of
\textit{modus ponens}: \isa{drule mp}.  The first use yields the
implication \isa{Q\
\isasymlongrightarrow\ R}, but first we must prove the extra subgoal
\isa{P}, which we do by assumption.
\begin{isabelle}
\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
\ 2.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\ \isasymLongrightarrow\ R
\end{isabelle}
Repeating these steps for \isa{Q\
\isasymlongrightarrow\ R} yields the conclusion we seek, namely~\isa{R}.
\begin{isabelle}
\ 1.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\
\isasymLongrightarrow\ R
\end{isabelle}

The symbols \isa{\isasymLongrightarrow} and \isa{\isasymlongrightarrow}
both stand for implication, but they differ in many respects.  Isabelle
uses \isa{\isasymLongrightarrow} to express inference rules; the symbol is
built-in and Isabelle's inference mechanisms treat it specially.  On the
other hand, \isa{\isasymlongrightarrow} is just one of the many connectives
available in higher-order logic.  We reason about it using inference rules
such as \isa{impI} and \isa{mp}, just as we reason about the other
connectives.  You will have to use \isa{\isasymlongrightarrow} in any
context that requires a formula of higher-order logic.  Use
\isa{\isasymLongrightarrow} to separate a theorem's preconditions from its
conclusion.%
\index{implication|)}

\medskip
\index{by@\isacommand{by} (command)|(}%
The \isacommand{by} command is useful for proofs like these that use
\isa{assumption} heavily.  It executes an
\isacommand{apply} command, then tries to prove all remaining subgoals using
\isa{assumption}.  Since (if successful) it ends the proof, it also replaces the
\isacommand{done} symbol.  For example, the proof above can be shortened:
\begin{isabelle}
\isacommand{lemma}\ imp_uncurry:\
"P\ \isasymlongrightarrow\ (Q\
\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
\isasymand\ Q\ \isasymlongrightarrow\
R"\isanewline
\isacommand{apply}\ (rule\ impI)\isanewline
\isacommand{apply}\ (erule\ conjE)\isanewline
\isacommand{apply}\ (drule\ mp)\isanewline
\ \isacommand{apply}\ assumption\isanewline
\isacommand{by}\ (drule\ mp)
\end{isabelle}
We could use \isacommand{by} to replace the final \isacommand{apply} and
\isacommand{done} in any proof, but typically we use it
to eliminate calls to \isa{assumption}.  It is also a nice way of expressing a
one-line proof.%
\index{by@\isacommand{by} (command)|)}



\section{Negation}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   410
 
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
   411
\index{negation|(}%
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   412
Negation causes surprising complexity in proofs.  Its natural 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   413
deduction rules are straightforward, but additional rules seem 
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
   414
necessary in order to handle negated assumptions gracefully.  This section
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
   415
also illustrates the \isa{intro} method: a convenient way of
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
   416
applying introduction rules.
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   417
11428
332347b9b942 tidying the index
paulson
parents: 11417
diff changeset
   418
Negation introduction deduces $\lnot P$ if assuming $P$ leads to a 
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   419
contradiction. Negation elimination deduces any formula in the 
11428
332347b9b942 tidying the index
paulson
parents: 11417
diff changeset
   420
presence of $\lnot P$ together with~$P$: 
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   421
\begin{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   422
(?P\ \isasymLongrightarrow\ False)\ \isasymLongrightarrow\ \isasymnot\ ?P%
11417
499435b4084e less indexing of theorem names
paulson
parents: 11411
diff changeset
   423
\rulenamedx{notI}\isanewline
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   424
\isasymlbrakk{\isasymnot}\ ?P;\ ?P\isasymrbrakk\ \isasymLongrightarrow\ ?R%
11417
499435b4084e less indexing of theorem names
paulson
parents: 11411
diff changeset
   425
\rulenamedx{notE}
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   426
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   427
%
11428
332347b9b942 tidying the index
paulson
parents: 11417
diff changeset
   428
Classical logic allows us to assume $\lnot P$ 
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   429
when attempting to prove~$P$: 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   430
\begin{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   431
(\isasymnot\ ?P\ \isasymLongrightarrow\ ?P)\ \isasymLongrightarrow\ ?P%
11417
499435b4084e less indexing of theorem names
paulson
parents: 11411
diff changeset
   432
\rulenamedx{classical}
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   433
\end{isabelle}
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
   434
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
   435
\index{contrapositives|(}%
11428
332347b9b942 tidying the index
paulson
parents: 11417
diff changeset
   436
The implications $P\imp Q$ and $\lnot Q\imp\lnot P$ are logically
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
   437
equivalent, and each is called the
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
   438
\textbf{contrapositive} of the other.  Four further rules support
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
   439
reasoning about contrapositives.  They differ in the placement of the
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
   440
negation symbols: 
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   441
\begin{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   442
\isasymlbrakk?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   443
\rulename{contrapos_pp}\isanewline
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
   444
\isasymlbrakk?Q;\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
   445
\isasymnot\ ?P%
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
   446
\rulename{contrapos_pn}\isanewline
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   447
\isasymlbrakk{\isasymnot}\ ?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   448
\rulename{contrapos_np}\isanewline
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   449
\isasymlbrakk{\isasymnot}\ ?Q;\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ \isasymnot\ ?P%
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   450
\rulename{contrapos_nn}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   451
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   452
%
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
   453
These rules are typically applied using the \isa{erule} method, where 
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   454
their effect is to form a contrapositive from an 
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
   455
assumption and the goal's conclusion.%
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
   456
\index{contrapositives|)}
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   457
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   458
The most important of these is \isa{contrapos_np}.  It is useful
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   459
for applying introduction rules to negated assumptions.  For instance, 
11428
332347b9b942 tidying the index
paulson
parents: 11417
diff changeset
   460
the assumption $\lnot(P\imp Q)$ is equivalent to the conclusion $P\imp Q$ and we 
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   461
might want to use conjunction introduction on it. 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   462
Before we can do so, we must move that assumption so that it 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   463
becomes the conclusion. The following proof demonstrates this 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   464
technique: 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   465
\begin{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   466
\isacommand{lemma}\ "\isasymlbrakk{\isasymnot}(P{\isasymlongrightarrow}Q);\
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   467
\isasymnot(R{\isasymlongrightarrow}Q)\isasymrbrakk\ \isasymLongrightarrow\
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   468
R"\isanewline
10971
6852682eaf16 *** empty log message ***
nipkow
parents: 10967
diff changeset
   469
\isacommand{apply}\ (erule_tac\ Q = "R{\isasymlongrightarrow}Q"\ \isakeyword{in}\
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   470
contrapos_np)\isanewline
12408
2884148a9fe9 intro and elim now require arguments
paulson
parents: 12333
diff changeset
   471
\isacommand{apply}\ (intro\ impI)\isanewline
10848
7b3ee4695fe6 various changes including the SOME examples, rule_format and "by"
paulson
parents: 10792
diff changeset
   472
\isacommand{by}\ (erule\ notE)
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   473
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   474
%
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   475
There are two negated assumptions and we need to exchange the conclusion with the
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   476
second one.  The method \isa{erule contrapos_np} would select the first assumption,
11179
bee6673b020a subst method and a new section on rule, rule_tac, etc
paulson
parents: 11159
diff changeset
   477
which we do not want.  So we specify the desired assumption explicitly
bee6673b020a subst method and a new section on rule, rule_tac, etc
paulson
parents: 11159
diff changeset
   478
using a new method, \isa{erule_tac}.  This is the resulting subgoal: 
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   479
\begin{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
   480
\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\
R\isasymrbrakk\ \isasymLongrightarrow\ R\ \isasymlongrightarrow\ Q%
\end{isabelle}
The former conclusion, namely \isa{R}, now appears negated among the assumptions,
while the negated formula \isa{R\ \isasymlongrightarrow\ Q} becomes the new
conclusion.

We can now apply introduction rules.  We use the \methdx{intro} method, which
repeatedly applies the given introduction rules.  Here its effect is equivalent
to \isa{rule impI}.
\begin{isabelle}
\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\ R;\
R\isasymrbrakk\ \isasymLongrightarrow\ Q%
\end{isabelle}
We can see a contradiction in the form of assumptions \isa{\isasymnot\ R}
and~\isa{R}, which suggests using negation elimination.  If applied on its own,
\isa{notE} will select the first negated assumption, which is useless.  
Instead, we invoke the rule using the
\isa{by} command.
Now when Isabelle selects the first assumption, it tries to prove \isa{P\
\isasymlongrightarrow\ Q} and fails; it then backtracks, finds the 
assumption \isa{\isasymnot~R} and finally proves \isa{R} by assumption.  That
concludes the proof.

\medskip

The following example may be skipped on a first reading.  It involves a
peculiar but important rule, a form of disjunction introduction:
\begin{isabelle}
(\isasymnot \ ?Q\ \isasymLongrightarrow \ ?P)\ \isasymLongrightarrow \ ?P\ \isasymor \ ?Q%
\rulenamedx{disjCI}
\end{isabelle}
This rule combines the effects of \isa{disjI1} and \isa{disjI2}.  Its great
advantage is that we can remove the disjunction symbol without deciding
which disjunction to prove.  This treatment of disjunction is standard in sequent
and tableau calculi.

\begin{isabelle}
\isacommand{lemma}\ "(P\ \isasymor\ Q)\ \isasymand\ R\
\isasymLongrightarrow\ P\ \isasymor\ (Q\ \isasymand\ R)"\isanewline
\isacommand{apply}\ (rule\ disjCI)\isanewline
\isacommand{apply}\ (elim\ conjE\ disjE)\isanewline
\ \isacommand{apply}\ assumption
\isanewline
\isacommand{by}\ (erule\ contrapos_np,\ rule\ conjI)
\end{isabelle}
%
The first proof step applies the introduction rule \isa{disjCI}.
The resulting subgoal has the negative assumption 
\hbox{\isa{\isasymnot(Q\ \isasymand\ R)}}.

\begin{isabelle}
\ 1.\ \isasymlbrakk(P\ \isasymor\ Q)\ \isasymand\ R;\ \isasymnot\ (Q\ \isasymand\
R)\isasymrbrakk\ \isasymLongrightarrow\ P%
\end{isabelle}
Next we apply the \isa{elim} method, which repeatedly applies 
elimination rules; here, the elimination rules given 
in the command.  One of the subgoals is trivial (\isa{\isacommand{apply} assumption}),
leaving us with one other:
\begin{isabelle}
\ 1.\ \isasymlbrakk{\isasymnot}\ (Q\ \isasymand\ R);\ R;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P%
\end{isabelle}
%
Now we must move the formula \isa{Q\ \isasymand\ R} to be the conclusion.  The
combination 
\begin{isabelle}
\ \ \ \ \ (erule\ contrapos_np,\ rule\ conjI)
\end{isabelle}
is robust: the \isa{conjI} forces the \isa{erule} to select a
conjunction.  The two subgoals are the ones we would expect from applying
conjunction introduction to
\isa{Q~\isasymand~R}:  
\begin{isabelle}
\ 1.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\
Q\isanewline
\ 2.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\ R%
\end{isabelle}
They are proved by assumption, which is implicit in the \isacommand{by}
command.%
\index{negation|)}


\section{Interlude: the Basic Methods for Rules}

We have seen examples of many tactics that operate on individual rules.  It
may be helpful to review how they work given an arbitrary rule such as this:
\[ \infer{Q}{P@1 & \ldots & P@n} \]
Below, we refer to $P@1$ as the \bfindex{major premise}.  This concept
applies only to elimination and destruction rules.  These rules act upon an
instance of their major premise, typically to replace it by subformulas of itself.

Suppose that the rule above is called~\isa{R}\@.  Here are the basic rule
methods, most of which we have already seen:
\begin{itemize}
\item 
Method \isa{rule\ R} unifies~$Q$ with the current subgoal, replacing it
by $n$ new subgoals: instances of $P@1$, \ldots,~$P@n$. 
This is backward reasoning and is appropriate for introduction rules.
\item 
Method \isa{erule\ R} unifies~$Q$ with the current subgoal and
simultaneously unifies $P@1$ with some assumption.  The subgoal is 
replaced by the $n-1$ new subgoals of proving
instances of $P@2$,
\ldots,~$P@n$, with the matching assumption deleted.  It is appropriate for
elimination rules.  The method
\isa{(rule\ R,\ assumption)} is similar, but it does not delete an
assumption.
\item 
Method \isa{drule\ R} unifies $P@1$ with some assumption, which it
then deletes.  The subgoal is 
replaced by the $n-1$ new subgoals of proving $P@2$, \ldots,~$P@n$; an
$n$th subgoal is like the original one but has an additional assumption: an
instance of~$Q$.  It is appropriate for destruction rules. 
\item 
Method \isa{frule\ R} is like \isa{drule\ R} except that the matching
assumption is not deleted.  (See {\S}\ref{sec:frule} below.)
\end{itemize}

Other methods apply a rule while constraining some of its
variables.  The typical form is
\begin{isabelle}
\ \ \ \ \ \methdx{rule_tac}\ $v@1$ = $t@1$ \isakeyword{and} \ldots \isakeyword{and}
$v@k$ =
$t@k$ \isakeyword{in} R
\end{isabelle}
This method behaves like \isa{rule R}, while instantiating the variables
$v@1$, \ldots,
$v@k$ as specified.  We similarly have \methdx{erule_tac}, \methdx{drule_tac} and
\methdx{frule_tac}.  These methods also let us specify which subgoal to
operate on.  By default it is the first subgoal, as with nearly all
methods, but we can specify that rule \isa{R} should be applied to subgoal
number~$i$:
\begin{isabelle}
\ \ \ \ \ rule_tac\ [$i$] R
\end{isabelle}


\section{Unification and Substitution}\label{sec:unification}

\index{unification|(}%
As we have seen, Isabelle rules involve schematic variables, which begin with
a question mark and act as
placeholders for terms.  \textbf{Unification} --- well known to Prolog programmers --- is the act of
making two terms identical, possibly replacing their schematic variables by
terms.  The simplest case is when the two terms are already the same. Next
simplest is \textbf{pattern-matching}, which replaces variables in only one of the
terms.  The
\isa{rule} method typically  matches the rule's conclusion
against the current subgoal.  The
\isa{assumption} method matches the current subgoal's conclusion
against each of its assumptions.   Unification can instantiate variables in both terms; the \isa{rule} method can do this if the goal
itself contains schematic variables.  Other occurrences of the variables in
the rule or proof state are updated at the same time.

Schematic variables in goals represent unknown terms.  Given a goal such
as $\exists x.\,P$, they let us proceed with a proof.  They can be 
filled in later, sometimes in stages and often automatically.

\begin{pgnote}
If unification fails when you think it should succeed, try setting the Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$
\pgmenu{Trace Unification},
which makes Isabelle show the cause of unification failures (in Proof
General's \pgmenu{Trace} buffer).
\end{pgnote}
\noindent
For example, suppose we are trying to prove this subgoal by assumption:
\begin{isabelle}
\ 1.\ P\ (a,\ f\ (b,\ g\ (e,\ a),\ b),\ a)\ \isasymLongrightarrow \ P\ (a,\ f\ (b,\ g\ (c,\ a),\ b),\ a)
\end{isabelle}
The \isa{assumption} method having failed, we try again with the flag set:
\begin{isabelle}
\isacommand{apply} assumption
\end{isabelle}
In this trivial case, the output clearly shows that \isa{e} clashes with \isa{c}:
\begin{isabelle}
Clash: e =/= c
\end{isabelle}
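
The unifier behind this trace, together with the rule methods of the interlude above, as an added worked example that is not part of the tutorial.  It is a first-order unifier (Isabelle's is higher-order) with toy versions of \isa{rule}, \isa{erule}, \isa{drule} and \isa{frule}, run on this clashing subgoal and on the \isa{notE} step of the negation proof; the term representation and the backtracking order are assumptions of the example.

```python
# Added example, not code from the Isabelle tutorial: a first-order unifier
# reporting failures in the style of Isabelle's unification trace, plus toy
# versions of the rule, erule, drule and frule methods of the interlude.
# Representation (assumed here): a str beginning with "?" is a schematic
# variable, any other str is a constant, a tuple (head, arg1, ..., argn) is an
# application; a rule is (premises P1..Pn, Q), its variables fresh for the
# goal, and a subgoal is (assumptions, conclusion).
class UnifyError(Exception): pass
is_var = lambda t: isinstance(t, str) and t.startswith("?")

def walk(t, s):
    while is_var(t) and t in s:     # chase the bindings of t through s
        t = s[t]
    return t

def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, a, s) for a in t))

def show(t):
    return f"{t[0]}({', '.join(map(show, t[1:]))})" if isinstance(t, tuple) else t

def unify(a, b, s=None):
    """Most general unifier of a and b extending s, or raise UnifyError."""
    s = dict(s or {})
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        if occurs(v, t, s):         # ?x against f(?x) has no finite unifier
            raise UnifyError(f"Occurs check: {v} in {show(t)}")
        return {**s, v: t}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):      # head first, then the arguments
            s = unify(x, y, s)
        return s
    raise UnifyError(f"Clash: {show(a)} =/= {show(b)}")

def unify_failure(a, b):
    """The failure message for a and b, or None when they unify."""
    try:
        unify(a, b)
        return None
    except UnifyError as e:
        return str(e)

def inst(t, s):
    t = walk(t, s)                  # apply substitution s throughout t
    return tuple(inst(a, s) for a in t) if isinstance(t, tuple) else t

def rule(R, goal):
    """rule R: unify Q with the conclusion; one new subgoal per premise."""
    (prems, Q), (asms, concl) = R, goal
    s = unify(Q, concl)
    return [(asms, inst(p, s)) for p in prems]

def erule(R, goal):
    """erule R: as rule R, but P1 must also unify with a (deleted) assumption;
    one alternative of n-1 subgoals per matching assumption, in backtracking order."""
    (prems, Q), (asms, concl) = R, goal
    s = unify(Q, concl)
    alternatives = []
    for i, h in enumerate(asms):
        try:
            s2 = unify(prems[0], h, s)
        except UnifyError:
            continue
        rest = tuple(inst(a, s2) for a in asms[:i] + asms[i + 1:])
        alternatives.append([(rest, inst(p, s2)) for p in prems[1:]])
    return alternatives

def drule(R, goal, delete=True):
    """drule R: unify P1 with an assumption (deleted, unless delete=False as in
    frule); subgoals P2..Pn plus the original one with an instance of Q assumed."""
    (prems, Q), (asms, concl) = R, goal
    for i, h in enumerate(asms):
        try:
            s = unify(prems[0], h)
        except UnifyError:
            continue
        kept = asms if not delete else asms[:i] + asms[i + 1:]
        rest = tuple(inst(a, s) for a in kept)
        new = [(rest, inst(p, s)) for p in prems[1:]]
        return new + [(rest + (inst(Q, s),), inst(concl, s))]
    raise UnifyError("drule: no assumption unifies with the major premise")

def frule(R, goal): return drule(R, goal, delete=False)

def by_assumption(goal):
    """The assumption method: does the conclusion unify with an assumption?"""
    asms, concl = goal
    return any(unify_failure(concl, h) is None for h in asms)

# The tutorial's failing subgoal; the trace reports the clash of e with c.
LHS = ("P", "a", ("f", "b", ("g", "e", "a"), "b"), "a")
RHS = ("P", "a", ("f", "b", ("g", "c", "a"), "b"), "a")

# The notE step on ⟦¬(P ⟶ Q); ¬R; R⟧ ⟹ Q from the negation proof above.
NOT_E = ([("not", "?P"), "?P"], "?R")
NOT_E_GOAL = ((("not", ("imp", "P", "Q")), ("not", "R"), "R"), "Q")
```

The first alternative of \isa{erule(NOT_E, NOT_E_GOAL)} is the useless subgoal with conclusion \isa{P\ \isasymlongrightarrow\ Q}; the second is closed by \isa{by_assumption}, which is the backtracking the text describes.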

Isabelle uses
\textbf{higher-order} unification, which works in the
typed $\lambda$-calculus.  The procedure requires search and is potentially
undecidable.  For our purposes, however, the differences from ordinary
unification are straightforward.  It handles bound variables
correctly, avoiding capture.  The two terms
\isa{{\isasymlambda}x.\ f(x,z)} and \isa{{\isasymlambda}y.\ f(y,z)} are
trivially unifiable because they differ only by a bound variable renaming.  The two terms \isa{{\isasymlambda}x.\ ?P} and
\isa{{\isasymlambda}x.\ t x}  are not unifiable; replacing \isa{?P} by
\isa{t x} is forbidden because the free occurrence of~\isa{x} would become
bound.  Unfortunately, even if \isa{trace_unify_fail} is set, Isabelle displays no information about this type of failure.

\begin{warn}
Higher-order unification sometimes must invent
$\lambda$-terms to replace function  variables,
which can lead to a combinatorial explosion. However,  Isabelle proofs tend
to involve easy cases where there are few possibilities for the
$\lambda$-term being constructed. In the easiest case, the
function variable is applied only to bound variables, 
as when we try to unify \isa{{\isasymlambda}x\ y.\ f(?h x y)} and
\isa{{\isasymlambda}x\ y.\ f(x+y+a)}.  The only solution is to replace
\isa{?h} by \isa{{\isasymlambda}x\ y.\ x+y+a}.  Such cases admit at most
one unifier, like ordinary unification.  A harder case is
unifying \isa{?h a} with~\isa{a+b}; it admits two solutions for \isa{?h},
namely \isa{{\isasymlambda}x.~a+b} and \isa{{\isasymlambda}x.~x+b}. 
Unifying \isa{?h a} with~\isa{a+a+b} admits four solutions; their number is
exponential in the number of occurrences of~\isa{a} in the second term.
\end{warn}


\subsection{Substitution and the {\tt\slshape subst} Method}
\label{sec:subst}

\index{substitution|(}%
Isabelle also uses function variables to express \textbf{substitution}. 
A typical substitution rule allows us to replace one term by 
another if we know that two terms are equal. 
\[ \infer{P[t/x]}{s=t & P[s/x]} \]
The rule uses a notation for substitution: $P[t/x]$ is the result of
replacing $x$ by~$t$ in~$P$.  The rule only substitutes in the positions
designated by~$x$.  For example, it can
derive symmetry of equality from reflexivity.  Using $x=s$ for~$P$
replaces just the first $s$ in $s=s$ by~$t$:
\[ \infer{t=s}{s=t & \infer{s=s}{}} \]

The Isabelle version of the substitution rule looks like this:
\begin{isabelle}
\isasymlbrakk?t\ =\ ?s;\ ?P\ ?s\isasymrbrakk\ \isasymLongrightarrow\ ?P\
?t
\rulenamedx{ssubst}
\end{isabelle}
Crucially, \isa{?P} is a function 
variable.  It can be replaced by a $\lambda$-term 
with one bound variable, whose occurrences identify the places 
in which $s$ will be replaced by~$t$.  The proof above requires \isa{?P}
to be replaced by \isa{{\isasymlambda}x.~x=s}; the second premise will then
be \isa{s=s} and the conclusion will be \isa{t=s}.

The \isa{simp} method also replaces equals by equals, but the substitution
rule gives us more control.  Consider this proof: 
\begin{isabelle}
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   721
\isacommand{lemma}\
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   722
"\isasymlbrakk x\ =\ f\ x;\ odd(f\ x)\isasymrbrakk\ \isasymLongrightarrow\
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   723
odd\ x"\isanewline
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   724
\isacommand{by}\ (erule\ ssubst)
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   725
\end{isabelle}
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   726
%
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   727
The assumption \isa{x\ =\ f\ x}, if used for rewriting, would loop, 
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   728
replacing \isa{x} by \isa{f x} and then by
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   729
\isa{f(f x)} and so forth. (Here \isa{simp} 
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   730
would see the danger and would re-orient the equality, but in more complicated
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   731
cases it can be fooled.) When we apply the substitution rule,  
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   732
Isabelle replaces every
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   733
\isa{x} in the subgoal by \isa{f x} just once. It cannot loop.  The
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   734
resulting subgoal is trivial by assumption, so the \isacommand{by} command
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   735
proves it implicitly. 
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   736
ad9e27c1b2c8 documented new subst method
paulson
parents: 15617
diff changeset
   737
We are using the \isa{erule} method in a novel way. Hitherto, 
the conclusion of the rule was just a variable such as~\isa{?R}, but it may
be any term. The conclusion is unified with the subgoal just as 
it would be with the \isa{rule} method. At the same time \isa{erule} looks 
for an assumption that matches the rule's first premise, as usual.  With
\isa{ssubst} the effect is to find, use and delete an equality 
assumption.

The \methdx{subst} method performs individual substitutions. In simple cases,
it closely resembles a use of the substitution rule.  Suppose a
proof has reached this point:
\begin{isabelle}
\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \ \isasymLongrightarrow \ f\ z\ =\ x\ *\ y%
\end{isabelle}
Now we wish to apply a commutative law:
\begin{isabelle}
?m\ *\ ?n\ =\ ?n\ *\ ?m%
\rulename{mult.commute}
\end{isabelle}
Isabelle rejects our first attempt:
\begin{isabelle}
\isacommand{apply}\ (simp\ add:\ mult.commute)
\end{isabelle}
The simplifier notices the danger of looping and refuses to apply the
rule.%
\footnote{More precisely, it only applies such a rule if the new term is
smaller under a specified ordering; here, \isa{x\ *\ y}
is already smaller than
\isa{y\ *\ x}.}
%
The \isa{subst} method applies \isa{mult.commute} exactly once.  
\begin{isabelle}
\isacommand{apply}\ (subst\ mult.commute)\isanewline
\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \
\isasymLongrightarrow \ f\ z\ =\ y\ *\ x%
\end{isabelle}
As we wanted, \isa{x\ *\ y} has become \isa{y\ *\ x}.

\medskip
This use of the \methdx{subst} method has the same effect as the command
\begin{isabelle}
\isacommand{apply}\ (rule\ mult.commute [THEN ssubst])
\end{isabelle}
The attribute \isa{THEN}, which combines two rules, is described in 
{\S}\ref{sec:THEN} below. The \methdx{subst} method is more powerful than
applying the substitution rule. It can perform substitutions in a subgoal's
assumptions. Moreover, if the subgoal contains more than one occurrence of
the left-hand side of the equality, the \methdx{subst} method lets us specify which occurrence should be replaced.
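The following is an added example, not part of the original tutorial text,
showing the two forms of \isa{subst} just described.  The first lemma rewrites
the conclusion once; the second uses \isa{subst\ (asm)} to rewrite an
assumption instead.  The variables are declared to be natural numbers so that
\isa{mult.commute} is applicable, and the rule \isa{sym}
(\isa{?s\ =\ ?t\ \isasymLongrightarrow\ ?t\ =\ ?s}) closes each proof:

```isabelle
(* Added example: one application of mult.commute in the conclusion.
   x, y, z :: nat are free variables; the type annotation is an assumption
   of this example, made so that mult.commute applies. *)
lemma "x * y = z ⟹ z = y * (x::nat)"
  apply (subst mult.commute)   (* the conclusion becomes  z = x * y  *)
  apply (erule sym)            (* sym turns the assumption x * y = z around *)
  done

(* The same lemma, but rewriting inside the assumption instead of the
   conclusion: subst (asm) applies mult.commute exactly once there. *)
lemma "x * y = z ⟹ z = y * (x::nat)"
  apply (subst (asm) mult.commute)   (* the assumption becomes  y * x = z  *)
  apply (erule sym)                  (* goal z = y * x now follows by sym *)
  done
```

In both proofs \isa{subst} rewrites a single occurrence of the pattern
\isa{?m\ *\ ?n}; nothing loops, because the method never re-examines the term it
has just produced.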


\subsection{Unification and Its Pitfalls}

Higher-order unification can be tricky.  Here is an example, which you may
want to skip on your first reading:
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk x\ =\
f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
\isacommand{apply}\ (erule\ ssubst)\isanewline
\isacommand{back}\isanewline
\isacommand{back}\isanewline
\isacommand{back}\isanewline
\isacommand{back}\isanewline
\isacommand{apply}\ assumption\isanewline
\isacommand{done}
\end{isabelle}
%
By default, Isabelle tries to substitute for all the 
occurrences.  Applying \isa{erule\ ssubst} yields this subgoal:
\begin{isabelle}
\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ (f\ x)
\end{isabelle}
The substitution should have been done in the first two occurrences 
of~\isa{x} only. Isabelle has gone too far. The \commdx{back}
command allows us to reject this possibility and demand a new one: 
\begin{isabelle}
\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ (f\ x)\ (f\ x)
\end{isabelle}
%
Now Isabelle has left the first occurrence of~\isa{x} alone. That is 
promising but it is not the desired combination. So we use \isacommand{back} 
again:
\begin{isabelle}
\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ x\ (f\ x)
\end{isabelle}
%
This also is wrong, so we use \isacommand{back} again: 
\begin{isabelle}
\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ x\ (f\ x)
\end{isabelle}
%
And this one is wrong too. Looking carefully at the series 
of alternatives, we see a binary countdown with reversed bits: 111,
011, 101, 001.  Each bit records whether the corresponding occurrence of
\isa{x} was abstracted in the unifier chosen for \isa{?P}, and hence replaced
by \isa{f\ x}.  Invoke \isacommand{back} again: 
\begin{isabelle}
\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ x%
\end{isabelle}
At last, we have the right combination!  This goal follows by assumption.%
\index{unification|)}

\medskip
This example shows that unification can do strange things with
function variables.  We were forced to select the right unifier using the
\isacommand{back} command.  That is all right during exploration, but \isacommand{back}
should never appear in the final version of a proof.  You can eliminate the
need for \isacommand{back} by giving Isabelle less freedom when you apply a rule.

One way to constrain the inference is by joining two methods in an
\isacommand{apply} command. Isabelle applies the first method and then the
second. If the second method fails then Isabelle automatically backtracks.
This process continues until the first method produces an output that the
second method can use. We get a one-line proof of our example: 
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
\isacommand{apply}\ (erule\ ssubst,\ assumption)\isanewline
\isacommand{done}
\end{isabelle}

\noindent
The \isacommand{by} command works too, since it backtracks when
proving subgoals by assumption:
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
\isacommand{by}\ (erule\ ssubst)
\end{isabelle}


The most general way to constrain unification is 
by instantiating variables in the rule.  The method \isa{rule_tac} is
similar to \isa{rule}, but it
makes some of the rule's variables denote specified terms.  
Also available are \isa{drule_tac} and \isa{erule_tac}.  Here we need
\isa{erule_tac} since above we used \isa{erule}.
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\ \isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
\isacommand{by}\ (erule_tac\ P = "\isasymlambda u.\ triple\ u\ u\ x"\ 
\isakeyword{in}\ ssubst)
\end{isabelle}
%
To specify a desired substitution 
requires instantiating the variable \isa{?P} with a $\lambda$-expression. 
The bound variable occurrences in \isa{{\isasymlambda}u.\ triple\ u\
u\ x} indicate that the first two arguments have to be substituted, leaving
the third unchanged.  With this instantiation, backtracking is neither necessary
nor possible.

An alternative to \isa{rule_tac} is to use \isa{rule} with a theorem
modified using~\isa{of}, described in
{\S}\ref{sec:forward} below.   But \isa{rule_tac}, unlike \isa{of}, can 
express instantiations that refer to 
\isasymAnd-bound variables in the current subgoal.%
\index{substitution|)}


\section{Quantifiers}

\index{quantifiers!universal|(}%
Quantifiers require formalizing syntactic substitution and the notion of 
arbitrary value.  Consider the universal quantifier.  In a logic
book, its introduction rule looks like this: 
\[ \infer{\forall x.\,P}{P} \]
Typically, a proviso written in English says that $x$ must not
occur in the assumptions.  This proviso guarantees that $x$ can be regarded as
arbitrary, since it has not been assumed to satisfy any special conditions. 
Isabelle's underlying formalism, called the
\bfindex{meta-logic}, eliminates the need for English.  It provides its own
universal quantifier (\isasymAnd) to express the notion of an arbitrary value.
We have already seen another operator of the meta-logic, namely
\isa{\isasymLongrightarrow}, which expresses inference rules and the treatment
of assumptions. The only other operator in the meta-logic is \isa{\isasymequiv},
which can be used to define constants.

\subsection{The Universal Introduction Rule}

Returning to the universal quantifier, we find that having a similar quantifier
as part of the meta-logic makes the introduction rule trivial to express:
\begin{isabelle}
(\isasymAnd x.\ ?P\ x)\ \isasymLongrightarrow\ {\isasymforall}x.\ ?P\ x\rulenamedx{allI}
\end{isabelle}


The following trivial proof demonstrates how the universal introduction 
rule works. 
\begin{isabelle}
\isacommand{lemma}\ "{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ x"\isanewline
\isacommand{apply}\ (rule\ allI)\isanewline
\isacommand{by}\ (rule\ impI)
\end{isabelle}
The first step invokes the rule by applying the method \isa{rule allI}. 
\begin{isabelle}
\ 1.\ \isasymAnd x.\ P\ x\ \isasymlongrightarrow\ P\ x
\end{isabelle}
Note that the resulting proof state has a bound variable,
namely~\isa{x}.  The rule has replaced the universal quantifier of
higher-order logic by Isabelle's meta-level quantifier.  Our goal is to
prove
\isa{P\ x\ \isasymlongrightarrow\ P\ x} for arbitrary~\isa{x}; it is 
an implication, so we apply the corresponding introduction rule (\isa{impI}). 
\begin{isabelle}
\ 1.\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow\ P\ x
\end{isabelle}
This last subgoal is implicitly proved by assumption. 

\subsection{The Universal Elimination Rule}

Now consider universal elimination. In a logic text, 
the rule looks like this: 
\[ \infer{P[t/x]}{\forall x.\,P} \]
The conclusion is $P$ with $t$ substituted for the variable~$x$.  
Isabelle expresses substitution using a function variable: 
\begin{isabelle}
{\isasymforall}x.\ ?P\ x\ \isasymLongrightarrow\ ?P\ ?x\rulenamedx{spec}
\end{isabelle}
This destruction rule takes a 
universally quantified formula and removes the quantifier, replacing 
the bound variable \isa{x} by the schematic variable \isa{?x}.  Recall that a
schematic variable starts with a question mark and acts as a
placeholder: it can be replaced by any term.  

The universal elimination rule is also
available in the standard elimination format.  Like \isa{conjE}, it never
appears in logic books:
\begin{isabelle}
\isasymlbrakk \isasymforall x.\ ?P\ x;\ ?P\ ?x\ \isasymLongrightarrow \ ?R\isasymrbrakk \ \isasymLongrightarrow \ ?R%
\rulenamedx{allE}
\end{isabelle}
The methods \isa{drule~spec} and \isa{erule~allE} do precisely the
same inference.

To see how $\forall$-elimination works, let us derive a rule about reducing
the scope of a universal quantifier.  In mathematical notation we write
\[ \infer{P\imp\forall x.\,Q}{\forall x.\,P\imp Q} \]
with the proviso ``$x$ not free in~$P$.''  Isabelle's treatment of
substitution makes the proviso unnecessary.  The conclusion is expressed as
\isa{P\
\isasymlongrightarrow\ ({\isasymforall}x.\ Q\ x)}. No substitution for the
variable \isa{P} can introduce a dependence upon~\isa{x}: that would be a
bound variable capture.  Let us walk through the proof.
\begin{isabelle}
\isacommand{lemma}\ "(\isasymforall x.\ P\ \isasymlongrightarrow \ Q\ x)\
\isasymLongrightarrow \ P\ \isasymlongrightarrow \ (\isasymforall x.\ Q\
x)"
\end{isabelle}
First we apply implies introduction (\isa{impI}),
which moves the \isa{P} from the conclusion to the assumptions. Then
we apply universal introduction (\isa{allI}).
\begin{isabelle}
\isacommand{apply}\ (rule\ impI,\ rule\ allI)\isanewline
\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymforall}x.\ P\ \isasymlongrightarrow\ Q\
x;\ P\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
\end{isabelle}
As before, it replaces the HOL
quantifier by a meta-level quantifier, producing a subgoal that
binds the variable~\isa{x}.  The leading bound variables
(here \isa{x}) and the assumptions (here \isa{{\isasymforall}x.\ P\
\isasymlongrightarrow\ Q\ x} and \isa{P}) form the \textbf{context} for the
conclusion, here \isa{Q\ x}.  Subgoals inherit the context,
although assumptions can be added or deleted (as we saw
earlier), while rules such as \isa{allI} add bound variables.

Now, to reason from the universally quantified
assumption, we apply the elimination rule using the \isa{drule}
method.  This rule is called \isa{spec} because it specializes a universal formula
to a particular term.
\begin{isabelle}
\isacommand{apply}\ (drule\ spec)\isanewline
\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ P\ \isasymlongrightarrow\ Q\ (?x2\
x)\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
\end{isabelle}
Observe how the context has changed.  The quantified formula is gone,
replaced by a new assumption derived from its body.  We have
removed the quantifier and replaced the bound variable
by the curious term
\isa{?x2~x}.  This term is a placeholder: it may become any term that can be
built from~\isa{x}.  (Formally, \isa{?x2} is an unknown of function type, applied
to the argument~\isa{x}.)  This new assumption is an implication, so we can use
\emph{modus ponens} on it, which concludes the proof.
\begin{isabelle}
\isacommand{by}\ (drule\ mp)
\end{isabelle}
Let us take a closer look at this last step.  \emph{Modus ponens} yields
two subgoals: one where we prove the antecedent (in this case \isa{P}) and
one where we may assume the consequent.  Both of these subgoals are proved
by the
\isa{assumption} method, which is implicit in the
\isacommand{by} command.  Replacing the \isacommand{by} command by
\isa{\isacommand{apply} (drule\ mp, assumption)} would have left one last
subgoal:
\begin{isabelle}
\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ Q\ (?x2\ x)\isasymrbrakk\
\isasymLongrightarrow\ Q\ x
\end{isabelle}
The consequent is \isa{Q} applied to that placeholder.  It may be replaced by any
term built from~\isa{x}, and here
it should simply be~\isa{x}.  The assumption need not
be identical to the conclusion, provided the two formulas are unifiable.%
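
The same scope-reduction lemma can also be closed with \isa{erule~allE} in
place of \isa{drule~spec}, which makes the claim that the two methods perform
the same inference concrete.  The script below is an added example and not part
of the tutorial's own text; the goal states in its comments are what each step
produces, and the number attached to the unknown (written \isa{?x2} here)
depends on the proof state.

```isabelle
(* Added example (not from the tutorial): the scope-reduction lemma above,
   proved with erule allE instead of drule spec.  The goal states in the
   comments are what each step produces; the numbering of the unknown
   (?x2) may differ in an actual session. *)
lemma "(∀x. P ⟶ Q x) ⟹ P ⟶ (∀x. Q x)"
  apply (rule impI, rule allI)
  (* 1. ⋀x. ⟦∀x. P ⟶ Q x; P⟧ ⟹ Q x *)
  apply (erule allE)
  (* The quantified assumption is consumed and replaced by an instance of
     its body, exactly the state that drule spec produced:
     1. ⋀x. ⟦P; P ⟶ Q (?x2 x)⟧ ⟹ Q x *)
  apply (erule mp)
  (* erule mp consumes the implication, unifying Q (?x2 x) with the
     conclusion Q x, and leaves only the antecedent to prove:
     1. ⋀x. P ⟹ P *)
  apply assumption
  done
```

Because \isa{erule} deletes the assumption it eliminates, the final subgoal
carries nothing but \isa{P}; the \isa{drule~mp} version reached the same point
with the consequent still present, which is why the page's \isacommand{by}
command needed \isa{assumption} twice.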
\index{quantifiers!universal|)}  
\subsection{The Existential Quantifier}

\index{quantifiers!existential|(}%
The concepts just presented also apply
to the existential quantifier, whose introduction rule looks like this in
Isabelle:
\begin{isabelle}
?P\ ?x\ \isasymLongrightarrow\ {\isasymexists}x.\ ?P\ x\rulenamedx{exI}
\end{isabelle}
If we can exhibit some $x$ such that $P(x)$ is true, then $\exists x.
P(x)$ is also true.  It is a dual of the universal elimination rule, and
logic texts present it using the same notation for substitution.

The existential
elimination rule looks like this
in a logic text:
\[ \infer{Q}{\exists x.\,P & \infer*{Q}{[P]}} \]
%
It looks like this in Isabelle:
\begin{isabelle}
\isasymlbrakk{\isasymexists}x.\ ?P\ x;\ \isasymAnd x.\ ?P\ x\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?Q\rulenamedx{exE}
\end{isabelle}
%
Given an existentially quantified theorem and some
formula $Q$ to prove, it creates a new assumption by removing the quantifier.  As with
the universal introduction rule, the textbook version imposes a proviso on the
quantified variable, which Isabelle expresses using its meta-logic.  It is
enough to have a universal quantifier in the meta-logic; we do not need an existential
quantifier to be built in as well.

\begin{exercise}
Prove the lemma
\[ \exists x.\, P\conj Q(x)\Imp P\conj(\exists x.\, Q(x)). \]
\emph{Hint}: the proof is similar
to the one just above for the universal quantifier.
\end{exercise}
\index{quantifiers!existential|)}
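
To show \isa{exE} and \isa{exI} at work without giving away the exercise, here
is an added example on a neighbouring lemma; it is not part of the tutorial's
own text.  The goal states in the comments are what each step produces, and the
name of the witness unknown (written \isa{?x2} here) depends on the proof state.

```isabelle
(* Added example (not from the tutorial): the existential rules exE and
   exI on a lemma that differs from the exercise.  Goal states in the
   comments are what each step produces; the unknown's number may differ. *)
lemma "(∃x. P x ∧ Q x) ⟹ (∃x. P x) ∧ (∃x. Q x)"
  apply (erule exE)
  (* exE turns the HOL quantifier into a meta-level bound variable, the dual
     of what allI did for the universal quantifier:
     1. ⋀x. P x ∧ Q x ⟹ (∃x. P x) ∧ (∃x. Q x) *)
  apply (erule conjE)
  (* 1. ⋀x. ⟦P x; Q x⟧ ⟹ (∃x. P x) ∧ (∃x. Q x) *)
  apply (rule conjI)
  (* 1. ⋀x. ⟦P x; Q x⟧ ⟹ ∃x. P x
     2. ⋀x. ⟦P x; Q x⟧ ⟹ ∃x. Q x *)
   apply (rule exI)
   (* exI leaves a placeholder for the witness, a function of the bound x:
      1. ⋀x. ⟦P x; Q x⟧ ⟹ P (?x2 x) *)
   apply assumption
  (* assumption unifies ?x2 x with x, so the witness is the x obtained from exE *)
  apply (rule exI)
  apply assumption
  done
```

Note the order: \isa{exE} must come before \isa{exI}, so that the bound
variable introduced by elimination is available when the witness is chosen;
the placeholder \isa{?x2~x} can only be filled with terms built from variables
already in the context.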

\subsection{Renaming a Bound Variable: {\tt\slshape rename_tac}}

\index{assumptions!renaming|(}\index{*rename_tac (method)|(}%
When you apply a rule such as \isa{allI}, the quantified variable
becomes a new bound variable of the new subgoal.  Isabelle tries to avoid
changing its name, but sometimes it has to choose a new name in order to
avoid a clash.  The result may not be ideal:
\begin{isabelle}
\isacommand{lemma}\ "x\ <\ y\ \isasymLongrightarrow \ \isasymforall x\ y.\ P\ x\
(f\ y)"\isanewline
\isacommand{apply}\ (intro allI)\isanewline
\ 1.\ \isasymAnd xa\ ya.\ x\ <\ y\ \isasymLongrightarrow \ P\ xa\ (f\ ya)
\end{isabelle}
%
The names \isa{x} and \isa{y} were already in use, so the new bound variables are
called \isa{xa} and~\isa{ya}.  You can rename them by invoking \isa{rename_tac}:

\begin{isabelle}
\isacommand{apply}\ (rename_tac\ v\ w)\isanewline
\ 1.\ \isasymAnd v\ w.\ x\ <\ y\ \isasymLongrightarrow \ P\ v\ (f\ w)
\end{isabelle}
Recall that \isa{rule_tac}\index{*rule_tac (method)!and renaming}
instantiates a
theorem with specified terms.  These terms may involve the goal's bound
variables, but beware of referring to variables
like~\isa{xa}.  A future change to your theories could change the set of names
produced at top level, so that \isa{xa} changes to~\isa{xb} or reverts to~\isa{x}.
It is safer to rename automatically-generated variables before mentioning them.

If the subgoal has more bound variables than there are names given to
\isa{rename_tac}, the rightmost ones are renamed.%
\index{assumptions!renaming|)}\index{*rename_tac (method)|)}
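
The rule that \isa{rename_tac} renames the rightmost bound variables when given
fewer names than there are variables is easy to see on the same lemma.  The
script below is an added example, not part of the tutorial's own text; the
lemma is the naming example from above and is not meant to be provable, so the
script ends with \isacommand{oops}.

```isabelle
(* Added example (not from the tutorial): rename_tac with fewer names than
   bound variables renames only the rightmost ones.  The lemma is the
   tutorial's naming example and is not provable, hence the closing oops. *)
lemma "x < y ⟹ ∀x y. P x (f y)"
  apply (intro allI)
  (* 1. ⋀xa ya. x < y ⟹ P xa (f ya) *)
  apply (rename_tac w)
  (* One name: only the rightmost bound variable changes.
     1. ⋀xa w. x < y ⟹ P xa (f w) *)
  apply (rename_tac v w)
  (* Two names: both bound variables change, matched left to right.
     1. ⋀v w. x < y ⟹ P v (f w) *)
  oops
```

A script that later refers to \isa{xa} in a \isa{rule_tac} instantiation is
fragile in exactly the way the text warns about; renaming first, as here,
pins the names the script depends on.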

\subsection{Reusing an Assumption: {\tt\slshape frule}}
\label{sec:frule}
\label{sec:frule}
10848
7b3ee4695fe6 various changes including the SOME examples, rule_format and "by"
paulson
parents: 10792
diff changeset
  1114
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1115
\index{assumptions!reusing|(}\index{*frule (method)|(}%
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1116
Note that \isa{drule spec} removes the universal quantifier and --- as
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1117
usual with elimination rules --- discards the original formula.  Sometimes, a
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1118
universal formula has to be kept so that it can be used again.  Then we use a new
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1119
method: \isa{frule}.  It acts like \isa{drule} but copies rather than replaces
10848
7b3ee4695fe6 various changes including the SOME examples, rule_format and "by"
paulson
parents: 10792
diff changeset
  1120
the selected assumption.  The \isa{f} is for \emph{forward}.
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1121
10848
7b3ee4695fe6 various changes including the SOME examples, rule_format and "by"
paulson
parents: 10792
diff changeset
  1122
In this example, going from \isa{P\ a} to \isa{P(h(h~a))}
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1123
requires two uses of the quantified assumption, one for each~\isa{h}
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1124
in~\isa{h(h~a)}.
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1125
\begin{isabelle}
10848
7b3ee4695fe6 various changes including the SOME examples, rule_format and "by"
paulson
parents: 10792
diff changeset
  1126
\isacommand{lemma}\ "\isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1127
\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P(h\ (h\ a))"
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1128
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1129
%
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1130
Examine the subgoal left by \isa{frule}:
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1131
\begin{isabelle}
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1132
\isacommand{apply}\ (frule\ spec)\isanewline
10848
7b3ee4695fe6 various changes including the SOME examples, rule_format and "by"
paulson
parents: 10792
diff changeset
  1133
\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ ?x\ \isasymlongrightarrow\ P\ (h\ ?x)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1134
\end{isabelle}
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1135
It is what \isa{drule} would have left except that the quantified
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1136
assumption is still present.  Next we apply \isa{mp} to the
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1137
implication and the assumption~\isa{P\ a}:
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1138
\begin{isabelle}
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1139
\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
10848
7b3ee4695fe6 various changes including the SOME examples, rule_format and "by"
paulson
parents: 10792
diff changeset
  1140
\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1141
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1142
%
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1143
We have created the assumption \isa{P(h\ a)}, which is progress.  To
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1144
continue the proof, we apply \isa{spec} again.  We shall not need it
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1145
again, so we can use
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1146
\isa{drule}.
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1147
\begin{isabelle}
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1148
\isacommand{apply}\ (drule\ spec)\isanewline
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1149
\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ ?x2\ 
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1150
\isasymlongrightarrow \ P\ (h\ ?x2)\isasymrbrakk \ \isasymLongrightarrow \
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1151
P\ (h\ (h\ a))
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1152
\end{isabelle}
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1153
%
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1154
The new assumption bridges the gap between \isa{P(h\ a)} and \isa{P(h(h\ a))}.
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1155
\begin{isabelle}
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1156
\isacommand{by}\ (drule\ mp)
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1157
\end{isabelle}
10854
d1ff1ff5c5ad case_tac on bools
paulson
parents: 10848
diff changeset
  1158
d1ff1ff5c5ad case_tac on bools
paulson
parents: 10848
diff changeset
  1159
\medskip
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1160
\emph{A final remark}.  Replacing this \isacommand{by} command with
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1161
\begin{isabelle}
10848
7b3ee4695fe6 various changes including the SOME examples, rule_format and "by"
paulson
parents: 10792
diff changeset
  1162
\isacommand{apply}\ (drule\ mp,\ assumption)
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1163
\end{isabelle}
11077
8f4fa58e6fba snapshot of a new version
paulson
parents: 10983
diff changeset
  1164
would not work: it would add a second copy of \isa{P(h~a)} instead
10854
d1ff1ff5c5ad case_tac on bools
paulson
parents: 10848
diff changeset
  1165
of the desired assumption, \isa{P(h(h~a))}.  The \isacommand{by}
d1ff1ff5c5ad case_tac on bools
paulson
parents: 10848
diff changeset
  1166
command forces Isabelle to backtrack until it finds the correct one.
d1ff1ff5c5ad case_tac on bools
paulson
parents: 10848
diff changeset
  1167
Alternatively, we could have used the \isacommand{apply} command and bundled the
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1168
\isa{drule mp} with \emph{two} calls of \isa{assumption}.  Or, of course,
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1169
we could have given the entire proof to \isa{auto}.%
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1170
\index{assumptions!reusing|)}\index{*frule (method)|)}
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1171
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1172
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1173
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1174
\subsection{Instantiating a Quantifier Explicitly}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1175
\index{quantifiers!instantiating}
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1176
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1177
We can prove a theorem of the form $\exists x.\,P\, x$ by exhibiting a
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1178
suitable term~$t$ such that $P\,t$ is true.  Dually, we can use an
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1179
assumption of the form $\forall x.\,P\, x$ to generate a new assumption $P\,t$ for
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1180
a suitable term~$t$.  In many cases, 
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1181
Isabelle makes the correct choice automatically, constructing the term by
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1182
unification.  In other cases, the required term is not obvious and we must
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1183
specify it ourselves.  Suitable methods are \isa{rule_tac}, \isa{drule_tac}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1184
and \isa{erule_tac}.
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1185
11428
332347b9b942 tidying the index
paulson
parents: 11417
diff changeset
  1186
We have seen (just above, {\S}\ref{sec:frule}) a proof of this lemma:
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1187
\begin{isabelle}
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1188
\isacommand{lemma}\ "\isasymlbrakk \isasymforall x.\ P\ x\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1189
\isasymlongrightarrow \ P\ (h\ x);\ P\ a\isasymrbrakk \
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1190
\isasymLongrightarrow \ P(h\ (h\ a))"
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1191
\end{isabelle}
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1192
We had reached this subgoal:
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1193
\begin{isabelle}
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1194
\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1195
x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1196
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1197
%
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1198
The proof requires instantiating the quantified assumption with the
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1199
term~\isa{h~a}.
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1200
\begin{isabelle}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1201
\isacommand{apply}\ (drule_tac\ x\ =\ "h\ a"\ \isakeyword{in}\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1202
spec)\isanewline
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1203
\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ (h\ a)\ \isasymlongrightarrow \
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1204
P\ (h\ (h\ a))\isasymrbrakk \ \isasymLongrightarrow \ P\ (h\ (h\ a))
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1205
\end{isabelle}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1206
We have forced the desired instantiation.
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1207
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1208
\medskip
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1209
Existential formulas can be instantiated too.  The next example uses the 
11417
499435b4084e less indexing of theorem names
paulson
parents: 11411
diff changeset
  1210
\textbf{divides} relation\index{divides relation}
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1211
of number theory: 
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1212
\begin{isabelle}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1213
?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1214
\rulename{dvd_def}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1215
\end{isabelle}
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1216
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1217
Let us prove that multiplication of natural numbers is monotone with
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1218
respect to the divides relation:
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1219
\begin{isabelle}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1220
\isacommand{lemma}\ mult_dvd_mono:\ "{\isasymlbrakk}i\ dvd\ m;\ j\ dvd\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1221
n\isasymrbrakk\ \isasymLongrightarrow\ i*j\ dvd\ (m*n\ ::\ nat)"\isanewline
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1222
\isacommand{apply}\ (simp\ add:\ dvd_def)
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1223
\end{isabelle}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1224
%
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1225
Unfolding the definition of divides has left this subgoal:
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1226
\begin{isabelle}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1227
\ 1.\ \isasymlbrakk \isasymexists k.\ m\ =\ i\ *\ k;\ \isasymexists k.\ n\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1228
=\ j\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1229
n\ =\ i\ *\ j\ *\ k
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1230
\end{isabelle}
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1231
%
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1232
Next, we eliminate the two existential quantifiers in the assumptions:
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1233
\begin{isabelle}
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1234
\isacommand{apply}\ (erule\ exE)\isanewline
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1235
\ 1.\ \isasymAnd k.\ \isasymlbrakk \isasymexists k.\ n\ =\ j\ *\ k;\ m\ =\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1236
i\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1237
=\ i\ *\ j\ *\ k%
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1238
\isanewline
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1239
\isacommand{apply}\ (erule\ exE)
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1240
\isanewline
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1241
\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1242
ka\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1243
*\ j\ *\ k
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1244
\end{isabelle}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1245
%
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1246
The term needed to instantiate the remaining quantifier is~\isa{k*ka}.  But
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1247
\isa{ka} is an automatically-generated name.  As noted above, references to
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1248
such variable names makes a proof less resilient to future changes.  So,
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1249
first we rename the most recent variable to~\isa{l}:
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1250
\begin{isabelle}
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1251
\isacommand{apply}\ (rename_tac\ l)\isanewline
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1252
\ 1.\ \isasymAnd k\ l.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\ l\isasymrbrakk \
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1253
\isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\ *\ j\ *\ k%
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1254
\end{isabelle}
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1255
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1256
We instantiate the quantifier with~\isa{k*l}:
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1257
\begin{isabelle}
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1258
\isacommand{apply}\ (rule_tac\ x="k*l"\ \isakeyword{in}\ exI)\ \isanewline
11234
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1259
\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1260
ka\isasymrbrakk \ \isasymLongrightarrow \ m\ *\ n\ =\ i\
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1261
*\ j\ *\ (k\ *\ ka)
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1262
\end{isabelle}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1263
%
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1264
The rest is automatic, by arithmetic.
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1265
\begin{isabelle}
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1266
\isacommand{apply}\ simp\isanewline
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1267
\isacommand{done}\isanewline
6902638af59e quantifier instantiation
paulson
parents: 11179
diff changeset
  1268
\end{isabelle}
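The same lemma in structured Isar style, added here as an example (it is not part of the tutorial's own text): naming the witnesses with \isa{obtain} removes the need for \isa{rename_tac}, because the proof never mentions an automatically-generated name.  The lemma name \isa{mult_dvd_mono_isar} and the theory name are ours; \isa{algebra_simps} is the standard HOL collection of associativity and commutativity rules.

```isabelle
theory Dvd_Mono_Isar
  imports Main
begin

(* Added example: the lemma proved above, restated in structured Isar.
   The witnesses k and l are introduced by name with obtain, so the proof
   never refers to an automatically generated name such as ka and no
   rename_tac is needed.  Lemma and theory names are ours, not the
   tutorial's. *)
lemma mult_dvd_mono_isar:
  "⟦i dvd m; j dvd n⟧ ⟹ i * j dvd (m * n :: nat)"
proof -
  assume "i dvd m" and "j dvd n"
  (* eliminate both existentials at once, naming the witnesses *)
  then obtain k l where "m = i * k" and "n = j * l"
    unfolding dvd_def by blast
  (* the arithmetic step; algebra_simps normalises both products *)
  hence "m * n = i * j * (k * l)"
    by (simp add: algebra_simps)
  (* introduce the existential with the explicit witness k * l *)
  thus "i * j dvd m * n"
    unfolding dvd_def by blast
qed

end
```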


\section{Description Operators}
\label{sec:SOME}

\index{description operators|(}%
HOL provides two description operators.
A \textbf{definite description} formalizes the word ``the,'' as in
``the greatest divisor of~$n$.''
It returns an arbitrary value unless the formula has a unique solution.
An \textbf{indefinite description} formalizes the word ``some,'' as in
``some member of~$S$.''  It differs from a definite description in not
requiring the solution to be unique: it uses the axiom of choice to pick any
solution.

\begin{warn}
Description operators can be hard to reason about.  Novices
should try to avoid them.  Fortunately, descriptions are seldom required.
\end{warn}

\subsection{Definite Descriptions}

\index{descriptions!definite}%
A definite description is traditionally written $\iota x.  P(x)$.  It denotes
the $x$ such that $P(x)$ is true, provided there exists a unique such~$x$;
otherwise, it returns an arbitrary value of the expected type.
Isabelle uses \sdx{THE} for the Greek letter~$\iota$.

%(The traditional notation could be provided, but it is not legible on screen.)

We reason using this rule, where \isa{a} is the unique solution:
\begin{isabelle}
\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \
\isasymLongrightarrow \ (THE\ x.\ P\ x)\ =\ a%
\rulenamedx{the_equality}
\end{isabelle}
For instance, we can define the
cardinality of a finite set~$A$ to be that
$n$ such that $A$ is in one-to-one correspondence with $\{1,\ldots,n\}$.  We can then
prove that the cardinality of the empty set is zero (since $n=0$ satisfies the
description) and proceed to prove other facts.
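That definition can be carried out literally, as an added example that is not part of the tutorial: \isa{card'} is our own name for the description (chosen so as not to clash with HOL's \isa{card}), and the proof of \isa{card'_empty} discharges exactly the existence and uniqueness obligations that \isa{the_equality} generates.  \isa{bij_betw} is HOL's standard bijection-between-sets predicate.

```isabelle
theory Card_THE
  imports Main
begin

(* Added example: the cardinality of a set as a definite description,
   exactly as the text describes it.  card' is our own name (HOL already
   has card); bij_betw f A B says that f maps A bijectively onto B. *)
definition card' :: "'a set ⇒ nat" where
  "card' A = (THE n. ∃f. bij_betw f A {1..n})"

(* the_equality leaves the two obligations the text mentions:
   n = 0 satisfies the description, and nothing else does *)
lemma card'_empty: "card' {} = 0"
  unfolding card'_def
proof (rule the_equality)
  (* existence: {1..0} is empty, and any f is a bijection from {} to {} *)
  show "∃f. bij_betw f {} {1..0::nat}"
    by (simp add: bij_betw_def)
next
  (* uniqueness: the image of {} is {}, so {1..n} must be empty,
     which forces n = 0 *)
  fix n :: nat
  assume "∃f. bij_betw f {} {1..n}"
  then obtain f where "bij_betw f {} {1..n}" ..
  hence "{1..n} = {}" by (simp add: bij_betw_def)
  thus "n = 0" by simp
qed

end
```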

A more challenging example illustrates how Isabelle/HOL defines the least number
operator, which denotes the least \isa{x} satisfying~\isa{P}:%
\index{least number operator|see{\protect\isa{LEAST}}}
\begin{isabelle}
(LEAST\ x.\ P\ x)\ = (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\
P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))
\end{isabelle}
%
Let us prove the analogue of \isa{the_equality} for \sdx{LEAST}\@.
\begin{isabelle}
\isacommand{theorem}\ Least_equality:\isanewline
\ \ \ \ \ "\isasymlbrakk P\ (k::nat);\ \ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ (LEAST\ x.\ P\ x)\ =\ k"\isanewline
\isacommand{apply}\ (simp\ add:\ Least_def)\isanewline
\isanewline
\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \isanewline
\isaindent{\ 1.\ }\isasymLongrightarrow \ (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))\ =\ k%
\end{isabelle}
The first step has merely unfolded the definition.
\begin{isabelle}
\isacommand{apply}\ (rule\ the_equality)\isanewline
\isanewline
\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\
\isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ P\ k\ \isasymand \
(\isasymforall y.\ P\ y\ \isasymlongrightarrow \ k\ \isasymle \ y)\isanewline
\ 2.\ \isasymAnd x.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x;\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y)\isasymrbrakk \isanewline
\ \ \ \ \ \ \ \ \isasymLongrightarrow \ x\ =\ k%
\end{isabelle}
As always with \isa{the_equality}, we must show existence and
uniqueness of the claimed solution,~\isa{k}.  Existence, the first
subgoal, is trivial.  Uniqueness, the second subgoal, follows by antisymmetry:
\begin{isabelle}
\isasymlbrakk x\ \isasymle \ y;\ y\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ x\ =\ y%
\rulename{order_antisym}
\end{isabelle}
The assumptions imply both \isa{k~\isasymle~x} and \isa{x~\isasymle~k}.  One
call to \isa{auto} does it all:
\begin{isabelle}
\isacommand{by}\ (auto\ intro:\ order_antisym)
\end{isabelle}


\subsection{Indefinite Descriptions}

\index{Hilbert's $\varepsilon$-operator}%
\index{descriptions!indefinite}%
An indefinite description is traditionally written $\varepsilon x. P(x)$ and is
known as Hilbert's $\varepsilon$-operator.  It denotes
some $x$ such that $P(x)$ is true, provided one exists.
Isabelle uses \sdx{SOME} for the Greek letter~$\varepsilon$.

Here is the definition of~\cdx{inv},\footnote{In fact, \isa{inv} is defined via a second constant \isa{inv_into}, which we ignore here.} which expresses inverses of
functions:
\begin{isabelle}
inv\ f\ \isasymequiv \ \isasymlambda y.\ SOME\ x.\ f\ x\ =\ y%
\rulename{inv_def}
\end{isabelle}
Using \isa{SOME} rather than \isa{THE} makes \isa{inv~f} behave well
even if \isa{f} is not injective.  As it happens, most useful theorems about
\isa{inv} do assume the function to be injective.

The inverse of \isa{f}, when applied to \isa{y}, returns some~\isa{x} such that
\isa{f~x~=~y}.  For example, we can prove that \isa{inv~Suc} really is the inverse
of the \isa{Suc} function:
\begin{isabelle}
\isacommand{lemma}\ "inv\ Suc\ (Suc\ n)\ =\ n"\isanewline
\isacommand{by}\ (simp\ add:\ inv_def)
\end{isabelle}

\noindent
The proof is a one-liner: the subgoal simplifies to a degenerate application of
\isa{SOME}, which is then erased.  In detail, the left-hand side simplifies
to \isa{SOME\ x.\ Suc\ x\ =\ Suc\ n}, then to \isa{SOME\ x.\ x\ =\ n} and
finally to~\isa{n}.

We know nothing about what
\isa{inv~Suc} returns when applied to zero.  The proof above still treats
\isa{SOME} as a definite description, since it only reasons about
situations in which the value is described uniquely.  Indeed, \isa{SOME}
satisfies this rule:
\begin{isabelle}
\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \
\isasymLongrightarrow \ (SOME\ x.\ P\ x)\ =\ a%
\rulenamedx{some_equality}
\end{isabelle}
To go further is
tricky and requires rules such as these:
\begin{isabelle}
P\ x\ \isasymLongrightarrow \ P\ (SOME\ x.\ P\ x)
\rulenamedx{someI}\isanewline
\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ Q\
x\isasymrbrakk \ \isasymLongrightarrow \ Q\ (SOME\ x.\ P\ x)
\rulenamedx{someI2}
\end{isabelle}
Rule \isa{someI} is basic: if anything satisfies \isa{P} then so does
\hbox{\isa{SOME\ x.\ P\ x}}.  The repetition of~\isa{P} in the conclusion makes it
difficult to apply in a backward proof, so the derived rule \isa{someI2} is
also provided.

\medskip
For example, let us prove the \rmindex{axiom of choice}:
\begin{isabelle}
\isacommand{theorem}\ axiom_of_choice:
\ "(\isasymforall x.\ \isasymexists y.\ P\ x\ y)\ \isasymLongrightarrow \
\isasymexists f.\ \isasymforall x.\ P\ x\ (f\ x)"\isanewline
\isacommand{apply}\ (rule\ exI,\ rule\ allI)\isanewline

\ 1.\ \isasymAnd x.\ \isasymforall x.\ \isasymexists y.\ P\ x\ y\
\isasymLongrightarrow \ P\ x\ (?f\ x)
\end{isabelle}
%
We have applied the introduction rules; now it is time to apply the elimination
rules.

\begin{isabelle}
\isacommand{apply}\ (drule\ spec,\ erule\ exE)\isanewline

\ 1.\ \isasymAnd x\ y.\ P\ (?x2\ x)\ y\ \isasymLongrightarrow \ P\ x\ (?f\ x)
\end{isabelle}

\noindent
The rule \isa{someI} automatically instantiates
\isa{f} to \hbox{\isa{\isasymlambda x.\ SOME y.\ P\ x\ y}}, which is the choice
function.  It also instantiates \isa{?x2\ x} to \isa{x}.
\begin{isabelle}
\isacommand{by}\ (rule\ someI)\isanewline
\end{isabelle}

\subsubsection{Historical Note}
The original purpose of Hilbert's $\varepsilon$-operator was to express an
existential destruction rule:
\[ \infer{P[(\varepsilon x. P) / \, x]}{\exists x.\,P} \]
This rule is seldom used for that purpose --- it can cause exponential
blow-up --- but it is occasionally used as an introduction rule
for the~$\varepsilon$-operator.  Its name in HOL is \tdxbold{someI_ex}.%%
\index{description operators|)}


\section{Some Proofs That Fail}

\index{proofs!examples of failing|(}%
Most of the examples in this tutorial involve proving theorems.  But not every
conjecture is true, and it can be instructive to see how
proofs fail. Here we attempt to prove a distributive law involving
the existential quantifier and conjunction.
\begin{isabelle}
\isacommand{lemma}\ "({\isasymexists}x.\ P\ x)\ \isasymand\ 
({\isasymexists}x.\ Q\ x)\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\
\isasymand\ Q\ x"
\end{isabelle}
The first steps are routine.  We apply conjunction elimination to break
the assumption into two existentially quantified assumptions.
Applying existential elimination removes one of the quantifiers.
\begin{isabelle}
\isacommand{apply}\ (erule\ conjE)\isanewline
\isacommand{apply}\ (erule\ exE)\isanewline
\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymexists}x.\ Q\ x;\ P\ x\isasymrbrakk\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
\end{isabelle}
%
When we remove the other quantifier, we get a different bound
variable in the subgoal.  (The name \isa{xa} is generated automatically.)
\begin{isabelle}
\isacommand{apply}\ (erule\ exE)\isanewline
\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
\isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
\end{isabelle}
The proviso of the existential elimination rule has forced the variables to
differ: we can hardly expect two arbitrary values to be equal!  There is
no way to prove this subgoal.  Removing the
conclusion's existential quantifier yields two
identical placeholders, which can become any term involving the variables \isa{x}
and~\isa{xa}.  We need one to become \isa{x}
and the other to become~\isa{xa}, but Isabelle requires all instances of a
placeholder to be identical.
\begin{isabelle}
\isacommand{apply}\ (rule\ exI)\isanewline
\isacommand{apply}\ (rule\ conjI)\isanewline
\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
\isasymLongrightarrow\ P\ (?x3\ x\ xa)\isanewline
\ 2.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\ \isasymLongrightarrow\ Q\ (?x3\ x\ xa)
\end{isabelle}
We can prove either subgoal
using the \isa{assumption} method.  If we prove the first one, the placeholder
changes into~\isa{x}.
\begin{isabelle}
\ \isacommand{apply}\ assumption\isanewline
\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
\isasymLongrightarrow\ Q\ x
\end{isabelle}
We are left with a subgoal that cannot be proved.  Applying the \isa{assumption}
method results in an error message:
\begin{isabelle}
*** empty result sequence -- proof command failed
\end{isabelle}
When interacting with Isabelle via the shell interface,
you can abandon a proof using the \isacommand{oops} command.

\medskip

Here is another abortive proof, illustrating the interaction between
bound variables and unknowns.
If $R$ is a reflexive relation,
is there an $x$ such that $R\,x\,y$ holds for all $y$?  Let us see what happens when
we attempt to prove it.
\begin{isabelle}
\isacommand{lemma}\ "\isasymforall y.\ R\ y\ y\ \isasymLongrightarrow 
\ \isasymexists x.\ \isasymforall y.\ R\ x\ y"
\end{isabelle}
First, we remove the existential quantifier. The new proof state has an
unknown, namely~\isa{?x}.
\begin{isabelle}
\isacommand{apply}\ (rule\ exI)\isanewline
\ 1.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ \isasymforall y.\ R\ ?x\ y%
\end{isabelle}
It looks like we can just apply \isa{assumption}, but it fails.  Isabelle
refuses to substitute \isa{y}, a bound variable, for~\isa{?x}; that would be
a bound variable capture.  We can still try to finish the proof in some
other way. We remove the universal quantifier from the conclusion, moving
the bound variable~\isa{y} into the subgoal.  But note that it is still
bound!
\begin{isabelle}
\isacommand{apply}\ (rule\ allI)\isanewline
\ 1.\ \isasymAnd y.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ R\ ?x\ y%
\end{isabelle}
Finally, we try to apply our reflexivity assumption.  We obtain a
new assumption whose identical placeholders may be replaced by
any term involving~\isa{y}.
\begin{isabelle}
\isacommand{apply}\ (drule\ spec)\isanewline
\ 1.\ \isasymAnd y.\ R\ (?z2\ y)\ (?z2\ y)\ \isasymLongrightarrow\ R\ ?x\ y
\end{isabelle}
This subgoal can only be proved by putting \isa{y} for all the placeholders,
making the assumption and conclusion become \isa{R\ y\ y}.  Isabelle can
replace \isa{?z2~y} by \isa{y}; this involves instantiating
\isa{?z2} to the identity function.  But, just as two steps earlier,
Isabelle refuses to substitute~\isa{y} for~\isa{?x}.
This example is typical of how Isabelle enforces sound quantifier reasoning.
\index{proofs!examples of failing|)}
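Both abortive proofs above fail for a reason of scope: in the first, one placeholder is shared by two subgoals that need different values; in the second, the unknown is created outside the scope of the bound variable it would have to mention. The following script is an added example, not part of the original tutorial, showing that the very same rules succeed on the provable variants: the converse of the distributive law, which needs only a single witness, and the reflexivity problem with the quantifiers exchanged, where \isa{exI} is applied inside the scope of \isa{y}. It assumes a theory importing \isa{Main}; the theory name is made up.

```isabelle
theory SoundQuantifierReasoning
  imports Main
begin

(* Constructed example: the converse of the distributive law attempted in
   the tutorial.  exE is applied only once and yields a single bound
   variable x, so the placeholders that exI creates later can both be
   instantiated to x without any conflict. *)
lemma "∃x. P x ∧ Q x ⟹ (∃x. P x) ∧ (∃x. Q x)"
  apply (erule exE)
  apply (erule conjE)
  apply (rule conjI)
   apply (rule exI)
   apply assumption
  apply (rule exI)
  apply assumption
  done

(* Constructed example: the reflexivity problem with the quantifiers
   exchanged.  Applying allI first makes y a parameter of the subgoal, so
   the unknown that exI then creates has the form ?x y and may legally be
   instantiated to y (?x becomes the identity function); erule spec does
   exactly that while instantiating the assumption to R y y. *)
lemma "∀y. R y y ⟹ ∀y. ∃x. R x y"
  apply (rule allI)
  apply (rule exI)
  apply (erule spec)
  done

end
```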


\section{Proving Theorems Using the {\tt\slshape blast} Method}

\index{*blast (method)|(}%
It is hard to prove many theorems using the methods
described above. A proof may be hundreds of steps long.  You
may need to search among different ways of proving certain
subgoals. Often a choice that proves one subgoal renders another
impossible to prove.  There are further complications that we have not
discussed, concerning negation and disjunction.  Isabelle's
\textbf{classical reasoner} is a family of tools that perform such
proofs automatically.  The most important of these is the
\isa{blast} method.

In this section, we shall first see how to use the classical
reasoner in its default mode and then how to insert additional
rules, enabling it to work in new problem domains.

We begin with examples from pure predicate logic. The following
example is known as Andrews' challenge. Peter Andrews designed
it to be hard to prove by automatic means.
It is particularly hard for a resolution prover, where
converting the nested biconditionals to
clause form produces a combinatorial
explosion~\cite{pelletier86}. However, the
\isa{blast} method proves it in a fraction of a second.
\begin{isabelle}
\isacommand{lemma}\
"(({\isasymexists}x.\
{\isasymforall}y.\
p(x){=}p(y))\
=\
(({\isasymexists}x.\
q(x))=({\isasymforall}y.\
p(y))))\
\ \ =\ \ \ \ \isanewline
\ \ \ \ \ \ \ \
(({\isasymexists}x.\
{\isasymforall}y.\
q(x){=}q(y))\ =\ (({\isasymexists}x.\ p(x))=({\isasymforall}y.\ q(y))))"\isanewline
\isacommand{by}\ blast
\end{isabelle}
The next example is a logic problem composed by Lewis Carroll.
The \isa{blast} method finds it trivial. Moreover, it turns out
that not all of the assumptions are necessary. We can
experiment with variations of this formula and see which ones
can be proved.
\begin{isabelle}
\isacommand{lemma}\
"({\isasymforall}x.\
honest(x)\ \isasymand\
industrious(x)\ \isasymlongrightarrow\
healthy(x))\
\isasymand\ \ \isanewline
\ \ \ \ \ \ \ \ \isasymnot\ ({\isasymexists}x.\
grocer(x)\ \isasymand\
healthy(x))\
\isasymand\ \isanewline
\ \ \ \ \ \ \ \ ({\isasymforall}x.\
industrious(x)\ \isasymand\
grocer(x)\ \isasymlongrightarrow\
honest(x))\
\isasymand\ \isanewline
\ \ \ \ \ \ \ \ ({\isasymforall}x.\
cyclist(x)\ \isasymlongrightarrow\
industrious(x))\
\isasymand\ \isanewline
\ \ \ \ \ \ \ \ ({\isasymforall}x.\
{\isasymnot}healthy(x)\ \isasymand\
cyclist(x)\ \isasymlongrightarrow\
{\isasymnot}honest(x))\
\ \isanewline
\ \ \ \ \ \ \ \ \isasymlongrightarrow\
({\isasymforall}x.\
grocer(x)\ \isasymlongrightarrow\
{\isasymnot}cyclist(x))"\isanewline
\isacommand{by}\ blast
\end{isabelle}
The \isa{blast} method is also effective for set theory, which is
described in the next chapter.  The formula below may look horrible, but
the \isa{blast} method proves it in milliseconds.
\begin{isabelle}
\isacommand{lemma}\ "({\isasymUnion}i{\isasymin}I.\ A(i))\ \isasyminter\ ({\isasymUnion}j{\isasymin}J.\ B(j))\ =\isanewline
\ \ \ \ \ \ \ \ ({\isasymUnion}i{\isasymin}I.\ {\isasymUnion}j{\isasymin}J.\ A(i)\ \isasyminter\ B(j))"\isanewline
\isacommand{by}\ blast
\end{isabelle}

Few subgoals are couched purely in predicate logic and set theory.
We can extend the scope of the classical reasoner by giving it new rules.
Extending it effectively requires understanding the notions of
introduction, elimination and destruction rules.  Moreover, there is a
distinction between safe and unsafe rules. A
\textbf{safe}\indexbold{safe rules} rule is one that can be applied
backwards without losing information; an
\textbf{unsafe}\indexbold{unsafe rules} rule loses information, perhaps
transforming the subgoal into one that cannot be proved.  The safe/unsafe
distinction affects the proof search: if a proof attempt fails, the
classical reasoner backtracks to the most recent unsafe rule application
and makes another choice.

An important special case avoids all these complications.  A logical
equivalence, which in higher-order logic is an equality between
formulas, can be given to the classical
reasoner and simplifier by using the attribute \attrdx{iff}.  You
should do so if the right-hand side of the equivalence is
simpler than the left-hand side.

For example, here is a simple fact about list concatenation.
The result of appending two lists is empty if and only if both
of the lists are themselves empty. Obviously, applying this equivalence
will result in a simpler goal. When stating this lemma, we include
the \attrdx{iff} attribute. Once we have proved the lemma, Isabelle
will make it known to the classical reasoner (and to the simplifier).
\begin{isabelle}
\isacommand{lemma}\
[iff]:\ "(xs{\isacharat}ys\ =\ [])\ =\
(xs=[]\ \isasymand\ ys=[])"\isanewline
\isacommand{apply}\ (induct_tac\ xs)\isanewline
\isacommand{apply}\ (simp_all)\isanewline
\isacommand{done}
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1670
%
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1671
This fact about multiplication is also appropriate for 
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  1672
the \attrdx{iff} attribute:
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1673
\begin{isabelle}
10596
77951eaeb5b0 tidying
paulson
parents: 10578
diff changeset
  1674
(\mbox{?m}\ *\ \mbox{?n}\ =\ 0)\ =\ (\mbox{?m}\ =\ 0\ \isasymor\ \mbox{?n}\ =\ 0)
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1675
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1676
A product is zero if and only if one of the factors is zero.  The
10971
6852682eaf16 *** empty log message ***
nipkow
parents: 10967
diff changeset
  1677
reasoning  involves a disjunction.  Proving new rules for
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1678
disjunctive reasoning  is hard, but translating to an actual disjunction
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1679
works:  the classical reasoner handles disjunction properly.
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  1680
In more detail, this is how the \attrdx{iff} attribute works.  It converts
the equivalence $P=Q$ to a pair of rules: the introduction
rule $Q\Imp P$ and the destruction rule $P\Imp Q$.  It gives both to the
classical reasoner as safe rules, ensuring that all occurrences of $P$ in
a subgoal are replaced by~$Q$.  The simplifier performs the same
replacement, since \isa{iff} gives $P=Q$ to the
simplifier.

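The two rules that \isa{iff} derives from an equivalence can be inspected
directly.  What follows is an added example, not part of the tutorial: it
repeats the append lemma from above under a name of our own choosing,
\isa{append_Nil_iff}, extracts the destruction and introduction rules with
the \isa{THEN} attribute (described in {\S}\ref{sec:THEN}) and the library
rules \isa{iffD1} and \isa{iffD2}, and states the expected output of each
\isa{thm} command in a comment.

```isabelle
(* Added example, not from the tutorial.  The lemma is the one proved
   above; the name append_Nil_iff is ours, so that it can be referred to. *)
lemma append_Nil_iff [iff]: "(xs @ ys = []) = (xs = [] \<and> ys = [])"
  apply (induct_tac xs)
  apply simp_all
  done

(* iff hands the classical reasoner both directions of the equivalence.
   The same two rules can be derived explicitly with THEN: *)
thm append_Nil_iff [THEN iffD1]
  (* expected:  ?xs @ ?ys = [] \<Longrightarrow> ?xs = [] \<and> ?ys = []
     (the destruction rule P \<Longrightarrow> Q) *)
thm append_Nil_iff [THEN iffD2]
  (* expected:  ?xs = [] \<and> ?ys = [] \<Longrightarrow> ?xs @ ?ys = []
     (the introduction rule Q \<Longrightarrow> P) *)

(* Both rules are safe, so blast replaces every occurrence of the
   left-hand side by the right-hand side and closes the goal. *)
lemma "xs @ ys = [] \<Longrightarrow> ys @ xs = []"
  by blast
```

The destruction rule rewrites the assumption \isa{xs\ @\ ys\ =\ []} and the
introduction rule rewrites the conclusion \isa{ys\ @\ xs\ =\ []}; what remains is
a goal about the equations \isa{xs\ =\ []} and \isa{ys\ =\ []}, which the
classical reasoner closes by assumption.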
Classical reasoning is different from
simplification.  Simplification is deterministic.  It applies rewrite rules
repeatedly, as long as possible, transforming a goal into another goal.  Classical
reasoning uses search and backtracking in order to prove a goal outright.%
\index{*blast (method)|)}%


\section{Other Classical Reasoning Methods}

The \isa{blast} method is our main workhorse for proving theorems
automatically. Other components of the classical reasoner interact
with the simplifier. Still others perform classical reasoning
to a limited extent, giving the user fine control over the proof.

Of the latter methods, the most useful is
\methdx{clarify}.
It performs
all obvious reasoning steps without splitting the goal into multiple
parts. It does not apply unsafe rules that could render the
goal unprovable. By performing the obvious
steps, \isa{clarify} lays bare the difficult parts of the problem,
where human intervention is necessary.

For example, the following conjecture is false:
\begin{isabelle}
\isacommand{lemma}\ "({\isasymforall}x.\ P\ x)\ \isasymand\
({\isasymexists}x.\ Q\ x)\ \isasymlongrightarrow\ ({\isasymforall}x.\ P\ x\
\isasymand\ Q\ x)"\isanewline
\isacommand{apply}\ clarify
\end{isabelle}
The \isa{blast} method would simply fail, but \isa{clarify} presents
a subgoal that helps us see why we cannot continue the proof.
\begin{isabelle}
\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk{\isasymforall}x.\ P\ x;\ Q\
xa\isasymrbrakk\ \isasymLongrightarrow\ P\ x\ \isasymand\ Q\ x
\end{isabelle}
The proof must fail because the assumption \isa{Q\ xa} and conclusion \isa{Q\ x}
refer to distinct bound variables.  To reach this state, \isa{clarify} applied
the introduction rules for \isa{\isasymlongrightarrow} and \isa{\isasymforall}
and the elimination rule for \isa{\isasymand}.  It did not apply the introduction
rule for \isa{\isasymand} because of its policy never to split goals.

Also available is \methdx{clarsimp}, a method
that interleaves \isa{clarify} and \isa{simp}.  Also there is \methdx{safe},
which like \isa{clarify} performs obvious steps but even applies those that
split goals.

The \methdx{force} method applies the classical
reasoner and simplifier to one goal.
Unless it can prove the goal, it fails. Contrast
that with the \isa{auto} method, which also combines classical reasoning
with simplification. The latter's purpose is to prove all the
easy subgoals and parts of subgoals. Unfortunately, it can produce
large numbers of new subgoals; also, since it proves some subgoals
and splits others, it obscures the structure of the proof tree.
The \isa{force} method does not have these drawbacks. Another
difference: \isa{force} tries harder than {\isa{auto}} to prove
its goal, so it can take much longer to terminate.

Older components of the classical reasoner have largely been
superseded by \isa{blast}, but they still have niche applications.
Most important among these are \isa{fast} and \isa{best}. While \isa{blast}
searches for proofs using a built-in first-order reasoner, these
earlier methods search for proofs using standard Isabelle inference.
That makes them slower but enables them to work in the
presence of the more unusual features of Isabelle rules, such
as type classes and function unknowns. For example, recall the introduction rule
for Hilbert's $\varepsilon$-operator:
\begin{isabelle}
?P\ ?x\ \isasymLongrightarrow\ ?P\ (SOME\ x.\ ?P x)
\rulename{someI}
\end{isabelle}
%
The repeated occurrence of the variable \isa{?P} makes this rule tricky
to apply. Consider this contrived example:
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\isanewline
\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ P\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)\
\isasymand\ Q\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)"\isanewline
\isacommand{apply}\ (rule\ someI)
\end{isabelle}
%
We can apply rule \isa{someI} explicitly.  It yields the
following subgoal:
\begin{isabelle}
\ 1.\ \isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P\ ?x\
\isasymand\ Q\ ?x%
\end{isabelle}
The proof from this point is trivial.  Could we have
proved the theorem with a single command? Not using \isa{blast}: it
cannot perform the higher-order unification needed here.  The
\methdx{fast} method succeeds:
\begin{isabelle}
\isacommand{apply}\ (fast\ intro!:\ someI)
\end{isabelle}

The \methdx{best} method is similar to
\isa{fast} but it uses a best-first search instead of depth-first search.
Accordingly, it is slower but is less susceptible to divergence.
Transitivity rules usually cause \isa{fast} to loop where \isa{best}
can often manage.

Here is a summary of the classical reasoning methods:
\begin{itemize}
\item \methdx{blast} works automatically and is the fastest

\item \methdx{clarify} and \methdx{clarsimp} perform obvious steps without
splitting the goal; \methdx{safe} even splits goals

\item \methdx{force} uses classical reasoning and simplification to prove a goal;
\methdx{auto} is similar but leaves what it cannot prove

\item \methdx{fast} and \methdx{best} are legacy methods that work well with rules
involving unusual features
\end{itemize}
A table illustrates the relationships among four of these methods.
\begin{center}
\begin{tabular}{r|l|l|}
           & no split   & split \\ \hline
  no simp  & \methdx{clarify}    & \methdx{safe} \\ \hline
     simp  & \methdx{clarsimp}   & \methdx{auto} \\ \hline
\end{tabular}
\end{center}
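The ``no split'' versus ``split'' distinction in the table can be seen on a
single goal.  The following theory text is an added example, not part of
the tutorial: the conjecture is the true counterpart of the false one above,
with a conjunction in the conclusion so that the splitting policy matters.
The subgoals written in the comments are what we expect the methods to
produce under the default safe rules of HOL (\isa{impI}, \isa{conjI},
\isa{conjE}, \isa{exE}); \isa{exI} and \isa{allE} are unsafe and so are
never applied by either method.

```isabelle
(* Added example, not from the tutorial.  Same shape as the false conjecture
   above, but provable, and with a conjunction in the conclusion. *)
lemma "(\<forall>x. P x) \<and> (\<exists>x. Q x) \<longrightarrow> (\<exists>x. P x) \<and> (\<exists>x. Q x)"
  apply clarify
  (* clarify applies impI, conjE and exE but not conjI, which would split
     the goal.  Expected state:
       1. \<And>x. \<lbrakk>\<forall>x. P x; Q x\<rbrakk> \<Longrightarrow> (\<exists>x. P x) \<and> (\<exists>x. Q x) *)
  apply (rule conjI)
   (* first conjunct: instantiate the universal assumption, then exI *)
   apply (erule allE)
   apply (erule exI)
  (* second conjunct: the witness is the x introduced by exE *)
  apply (erule exI)
  done

(* safe applies the same rules and conjI as well, so the split happens
   immediately.  Expected state after safe:
     1. \<And>x. \<lbrakk>\<forall>x. P x; Q x\<rbrakk> \<Longrightarrow> \<exists>x. P x
     2. \<And>x. \<lbrakk>\<forall>x. P x; Q x\<rbrakk> \<Longrightarrow> \<exists>x. Q x *)
lemma "(\<forall>x. P x) \<and> (\<exists>x. Q x) \<longrightarrow> (\<exists>x. P x) \<and> (\<exists>x. Q x)"
  apply safe
   apply (erule allE)
   apply (erule exI)
  apply (erule exI)
  done
```

Neither method touches the existential in the conclusion, because choosing
a witness is an unsafe step; that is left to the user (here \isa{erule\ exI},
which takes the witness from an assumption) or to a search method such as
\isa{blast}, which proves both versions of the goal in one step.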

\section{Finding More Theorems}
\label{sec:find2}
\input{find2.tex}


\section{Forward Proof: Transforming Theorems}\label{sec:forward}

\index{forward proof|(}%
Forward proof means deriving new facts from old ones.  It is the
most fundamental type of proof.  Backward proof, by working from goals to
subgoals, can help us find a difficult proof.  But it is
not always the best way of presenting the proof thus found.  Forward
proof is particularly good for reasoning from the general
to the specific.  For example, consider this distributive law for
the greatest common divisor:
\[ k\times\gcd(m,n) = \gcd(k\times m,k\times n)\]

Putting $m=1$ we get (since $\gcd(1,n)=1$ and $k\times1=k$)
\[ k = \gcd(k,k\times n)\]
We have derived a new fact; if re-oriented, it might be
useful for simplification.  After re-orienting it and putting $n=1$, we
derive another useful law:
\[ \gcd(k,k)=k \]
Substituting values for variables --- instantiation --- is a forward step.
Re-orientation works by applying the symmetry of equality to
an equation, so it too is a forward step.

\subsection{Modifying a Theorem using {\tt\slshape of}, {\tt\slshape where}
 and {\tt\slshape THEN}}

\label{sec:THEN}

Let us reproduce our examples in Isabelle.  Recall that in
{\S}\ref{sec:fun-simplification} we declared the recursive function
\isa{gcd}:\index{*gcd (constant)|(}
\begin{isabelle}
\isacommand{fun}\ gcd\ ::\ "nat\ \isasymRightarrow \ nat\ \isasymRightarrow \ nat"\ \isakeyword{where}\isanewline
\ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
\end{isabelle}
%
From this definition, it is possible to prove the distributive law.
That takes us to the starting point for our example.
\begin{isabelle}
?k\ *\ gcd\ ?m\ ?n\ =\ gcd\ (?k\ *\ ?m)\ (?k\ *\ ?n)
\rulename{gcd_mult_distrib2}
\end{isabelle}
%
The first step in our derivation is to replace \isa{?m} by~1.  We instantiate the
theorem using~\attrdx{of}, which identifies variables in order of their
appearance from left to right.  In this case, the variables are \isa{?k}, \isa{?m}
and~\isa{?n}. So, the expression
\hbox{\texttt{[of k 1]}} replaces \isa{?k} by~\isa{k} and \isa{?m}
by~\isa{1}.
\begin{isabelle}
\isacommand{lemmas}\ gcd_mult_0\ =\ gcd_mult_distrib2\ [of\ k\ 1]
\end{isabelle}
%
The keyword \commdx{lemmas} declares a new theorem, which can be derived
from an existing one using attributes such as \isa{[of~k~1]}.
The command
\isa{thm gcd_mult_0}
displays the result:
\begin{isabelle}
\ \ \ \ \ k\ *\ gcd\ 1\ ?n\ =\ gcd\ (k\ *\ 1)\ (k\ *\ ?n)
\end{isabelle}
Something is odd: \isa{k} is an ordinary variable, while \isa{?n}
is schematic.  We did not specify an instantiation
for \isa{?n}.  In its present form, the theorem does not allow
substitution for \isa{k}.  One solution is to avoid giving an instantiation for
\isa{?k}: instead of a term we can put an underscore~(\isa{_}).  For example,
\begin{isabelle}
\ \ \ \ \ gcd_mult_distrib2\ [of\ _\ 1]
\end{isabelle}
replaces \isa{?m} by~\isa{1} but leaves \isa{?k} unchanged.

An equivalent solution is to use the attribute \isa{where}.
\begin{isabelle}
\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1]
\end{isabelle}
While \isa{of} refers to
variables by their position, \isa{where} refers to variables by name. Multiple
instantiations are separated by~\isa{and}, as in this example:
\begin{isabelle}
\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1\ and\ k=1]
\end{isabelle}

We now continue the present example with the version of \isa{gcd_mult_0}
shown above, which has \isa{k} instead of \isa{?k}.
Once we have replaced \isa{?m} by~1, we must next simplify
the theorem \isa{gcd_mult_0}, performing the steps
$\gcd(1,n)=1$ and $k\times1=k$.  The \attrdx{simplified}
attribute takes a theorem
and returns the result of simplifying it, with respect to the default
simplification rules:
\begin{isabelle}
\isacommand{lemmas}\ gcd_mult_1\ =\ gcd_mult_0\
[simplified]%
\end{isabelle}
%
Again, we display the resulting theorem:
\begin{isabelle}
\ \ \ \ \ k\ =\ gcd\ k\ (k\ *\ ?n)
\end{isabelle}
%
To re-orient the equation requires the symmetry rule:
\begin{isabelle}
?s\ =\ ?t\
\isasymLongrightarrow\ ?t\ =\
?s%
\rulenamedx{sym}
\end{isabelle}
The following declaration gives our equation to \isa{sym}:
\begin{isabelle}
\ \ \ \isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_1\ [THEN\ sym]
\end{isabelle}
%
Here is the result:
\begin{isabelle}
\ \ \ \ \ gcd\ k\ (k\ *\ ?n)\ =\ k%
\end{isabelle}
\isa{THEN~sym}\indexbold{*THEN (attribute)} gives the current theorem to the
rule \isa{sym} and returns the resulting conclusion.  The effect is to
exchange the two operands of the equality. Typically \isa{THEN} is used
with destruction rules.  Also useful is \isa{THEN~spec}, which removes the
quantifier from a theorem of the form $\forall x.\,P$, and \isa{THEN~mp},
which converts the implication $P\imp Q$ into the rule
$\vcenter{\infer{Q}{P}}$. Similar to \isa{mp} are the following two rules,
which extract  the two directions of reasoning about a boolean equivalence:
\begin{isabelle}
\isasymlbrakk?Q\ =\ ?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
\rulenamedx{iffD1}%
\isanewline
\isasymlbrakk?P\ =\ ?Q;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
\rulenamedx{iffD2}
\end{isabelle}
%
Normally we would never name the intermediate theorems
such as \isa{gcd_mult_0} and \isa{gcd_mult_1} but would combine
the three forward steps: 
\begin{isabelle}
\isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym]%
\end{isabelle}
The directives, or attributes, are processed from left to right.  This
declaration of \isa{gcd_mult} is equivalent to the
previous one.

Such declarations can make the proof script hard to read.  Better   
is to state the new lemma explicitly and to prove it using a single
\isa{rule} method whose operand is expressed using forward reasoning:
\begin{isabelle}
\isacommand{lemma}\ gcd\_mult\ [simp]:\ "gcd\ k\ (k*n)\ =\ k"\isanewline
\isacommand{by}\ (rule\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym])
\end{isabelle}
Compared with the previous proof of \isa{gcd_mult}, this
version shows the reader what has been proved.  Also, the result will be processed
in the normal way.  In particular, Isabelle generalizes over all variables: the
resulting theorem will have {\isa{?k}} instead of {\isa{k}}.

At the start  of this section, we also saw a proof of $\gcd(k,k)=k$.  Here
is the Isabelle version:\index{*gcd (constant)|)}
\begin{isabelle}
\isacommand{lemma}\ gcd\_self\ [simp]:\ "gcd\ k\ k\ =\ k"\isanewline
\isacommand{by}\ (rule\ gcd_mult\ [of\ k\ 1,\ simplified])
\end{isabelle}

\begin{warn}
To give~\isa{of} a nonatomic term, enclose it in quotation marks, as in
\isa{[of "k*m"]}.  The term must not contain unknowns: an
attribute such as 
\isa{[of "?k*m"]} will be rejected.
\end{warn}

%Answer is now included in that section! Is a modified version of this
%  exercise worth including? E.g. find a difference between the two ways
%  of substituting.
%\begin{exercise}
%In {\S}\ref{sec:subst} the method \isa{subst\ mult.commute} was applied.  How
%can we achieve the same effect using \isa{THEN} with the rule \isa{ssubst}?
%% answer  rule (mult.commute [THEN ssubst])
%\end{exercise}

\subsection{Modifying a Theorem using {\tt\slshape OF}}

\index{*OF (attribute)|(}%
Recall that \isa{of} generates an instance of a
rule by specifying values for its variables.  Analogous is \isa{OF}, which
generates an instance of a rule by specifying facts for its premises.  

We again need the divides relation\index{divides relation} of number theory, which
as we recall is defined by 
\begin{isabelle}
?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
\rulename{dvd_def}
\end{isabelle}
%
Suppose, for example, that we have proved the following rule.  
It states that if $k$ and $n$ are relatively prime
and if $k$ divides $m\times n$ then $k$ divides $m$.
\begin{isabelle}
\isasymlbrakk gcd ?k ?n {=} 1;\ ?k\ dvd\ ?m * ?n\isasymrbrakk\ 
\isasymLongrightarrow\ ?k\ dvd\ ?m
\rulename{relprime_dvd_mult}
\end{isabelle}
We can use \isa{OF} to create an instance of this rule.
First, we
prove an instance of its first premise:
\begin{isabelle}
\isacommand{lemma}\ relprime\_20\_81:\ "gcd\ 20\ 81\ =\ 1"\isanewline
\isacommand{by}\ (simp\ add:\ gcd.simps)
\end{isabelle}
We have evaluated an application of the \isa{gcd} function by
simplification.  Expression evaluation involving recursive functions is not
guaranteed to terminate, and it can be slow; Isabelle
performs arithmetic by  rewriting symbolic bit strings.  Here,
however, the simplification takes less than one second.  We can
give this new lemma to \isa{OF}.  The expression
\begin{isabelle}
\ \ \ \ \ relprime_dvd_mult [OF relprime_20_81]
\end{isabelle}
yields the theorem
\begin{isabelle}
\ \ \ \ \ 20\ dvd\ (?m\ *\ 81)\ \isasymLongrightarrow\ 20\ dvd\ ?m%
\end{isabelle}
%
\isa{OF} takes any number of operands.  Consider 
the following facts about the divides relation: 
\begin{isabelle}
\isasymlbrakk?k\ dvd\ ?m;\ 
?k\ dvd\ ?n\isasymrbrakk\ 
\isasymLongrightarrow\ ?k\ dvd\ 
?m\ +\ ?n
\rulename{dvd_add}\isanewline
?m\ dvd\ ?m%
\rulename{dvd_refl}
\end{isabelle}
Let us supply \isa{dvd_refl} for each of the premises of \isa{dvd_add}:
\begin{isabelle}
\ \ \ \ \ dvd_add [OF dvd_refl dvd_refl]
\end{isabelle}
Here is the theorem that we have expressed: 
\begin{isabelle}
\ \ \ \ \ ?k\ dvd\ (?k\ +\ ?k)
\end{isabelle}
As with \isa{of}, we can use the \isa{_} symbol to leave some positions
unspecified:
\begin{isabelle}
\ \ \ \ \ dvd_add [OF _ dvd_refl]
\end{isabelle}
The result is 
\begin{isabelle}
\ \ \ \ \ ?k\ dvd\ ?m\ \isasymLongrightarrow\ ?k\ dvd\ ?m\ +\ ?k
\end{isabelle}

You may have noticed that \isa{THEN} and \isa{OF} are based on 
the same idea, namely to combine two rules.  They differ in the
order of the combination and thus in their effect.  We use \isa{THEN}
typically with a destruction rule to extract a subformula of the current
theorem.  We use \isa{OF} with a list of facts to generate an instance of
the current theorem.%
\index{*OF (attribute)|)}

Here is a summary of some primitives for forward reasoning:
\begin{itemize}
\item \attrdx{of} instantiates the variables of a rule to a list of terms
\item \attrdx{OF} applies a rule to a list of theorems
\item \attrdx{THEN} gives a theorem to a named rule and returns the
conclusion 
%\item \attrdx{rule_format} puts a theorem into standard form
%  by removing \isa{\isasymlongrightarrow} and~\isa{\isasymforall}
\item \attrdx{simplified} applies the simplifier to a theorem
\item \isacommand{lemmas} assigns a name to the theorem produced by the
attributes above
\end{itemize}


\section{Forward Reasoning in a Backward Proof}

We have seen that the forward proof directives work well within a backward 
proof.  There are many ways to achieve a forward style using our existing
proof methods.  We shall also meet some new methods that perform forward
reasoning.  

The methods \isa{drule}, \isa{frule}, \isa{drule_tac}, etc.,
reason forward from a subgoal.  We have seen them already, using rules such as
\isa{mp} and
\isa{spec} to operate on formulae.  They can also operate on terms, using rules
such as these:
\begin{isabelle}
x\ =\ y\ \isasymLongrightarrow \ f\ x\ =\ f\ y%
\rulenamedx{arg_cong}\isanewline
i\ \isasymle \ j\ \isasymLongrightarrow \ i\ *\ k\ \isasymle \ j\ *\ k%
\rulename{mult_le_mono1}
\end{isabelle}

For example, let us prove a fact about divisibility in the natural numbers:
\begin{isabelle}
\isacommand{lemma}\ "2\ \isasymle \ u\ \isasymLongrightarrow \ u*m\ \isasymnoteq
\ Suc(u*n)"\isanewline
\isacommand{apply}\ (intro\ notI)\isanewline
\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ =\ Suc\ (u\ *\ n)\isasymrbrakk \ \isasymLongrightarrow \ False%
\end{isabelle}
%
The key step is to apply the function \ldots\isa{mod\ u} to both sides of the
equation
\isa{u*m\ =\ Suc(u*n)}:\index{*drule_tac (method)}
\begin{isabelle}
\isacommand{apply}\ (drule_tac\ f="\isasymlambda x.\ x\ mod\ u"\ \isakeyword{in}\ 
arg_cong)\isanewline
\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ mod\ u\ =\ Suc\ (u\ *\ n)\ mod\ 
u\isasymrbrakk \ \isasymLongrightarrow \ False
\end{isabelle}
%
Simplification reduces the left side to 0 and the right side to~1, yielding the
required contradiction.
\begin{isabelle}
\isacommand{apply}\ (simp\ add:\ mod_Suc)\isanewline
\isacommand{done}
\end{isabelle}

Our proof has used a fact about remainder:
\begin{isabelle}
Suc\ m\ mod\ n\ =\isanewline
(if\ Suc\ (m\ mod\ n)\ =\ n\ then\ 0\ else\ Suc\ (m\ mod\ n))
\rulename{mod_Suc}
\end{isabelle}

\subsection{The Method {\tt\slshape insert}}

\index{*insert (method)|(}%
The \isa{insert} method
inserts a given theorem as a new assumption of all subgoals.  This
already is a forward step; moreover, we may (as always when using a
theorem) apply
\isa{of}, \isa{THEN} and other directives.  The new assumption can then
be used to help prove the subgoals.

For example, consider this theorem about the divides relation.  The first
proof step inserts the distributive law for
\isa{gcd}.  We specify its variables as shown. 
\begin{isabelle}
\isacommand{lemma}\ relprime\_dvd\_mult:\ \isanewline
\ \ \ \ \ \ "\isasymlbrakk \ gcd\ k\ n\ =\ 1;\ k\ dvd\ m*n\ \isasymrbrakk \ \isasymLongrightarrow \ k\ dvd\ m"\isanewline
\isacommand{apply}\ (insert\ gcd_mult_distrib2\ [of\ m\ k\ n])
\end{isabelle}
In the resulting subgoal, note how the equation has been 
inserted: 
\begin{isabelle}
\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ 1;\ k\ dvd\ m\ *\ n;\ m\ *\ gcd\ k\ n\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
\end{isabelle}
The next proof step utilizes the assumption \isa{gcd\ k\ n\ =\ 1}
(note that \isa{Suc\ 0} is another expression for 1):
\begin{isabelle}
\isacommand{apply}(simp)\isanewline
\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ Suc\ 0;\ k\ dvd\ m\ *\ n;\ m\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
\end{isabelle}
Simplification has yielded an equation for~\isa{m}.  The rest of the proof
is omitted.
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2172
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2173
\medskip
11417
499435b4084e less indexing of theorem names
paulson
parents: 11411
diff changeset
  2174
Here is another demonstration of \isa{insert}.  Division and
499435b4084e less indexing of theorem names
paulson
parents: 11411
diff changeset
  2175
remainder obey a well-known law: 
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2176
\begin{isabelle}
10596
77951eaeb5b0 tidying
paulson
parents: 10578
diff changeset
  2177
(?m\ div\ ?n)\ *\ ?n\ +\ ?m\ mod\ ?n\ =\ ?m
64242
93c6f0da5c70 more standardized theorem names for facts involving the div and mod identity
haftmann
parents: 57512
diff changeset
  2178
\rulename{div_mult_mod_eq}
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2179
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2180
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2181
We refer to this law explicitly in the following proof: 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2182
\begin{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2183
\isacommand{lemma}\ div_mult_self_is_m:\ \isanewline
10596
77951eaeb5b0 tidying
paulson
parents: 10578
diff changeset
  2184
\ \ \ \ \ \ "0{\isacharless}n\ \isasymLongrightarrow\ (m*n)\ div\ n\ =\
77951eaeb5b0 tidying
paulson
parents: 10578
diff changeset
  2185
(m::nat)"\isanewline
64242
93c6f0da5c70 more standardized theorem names for facts involving the div and mod identity
haftmann
parents: 57512
diff changeset
  2186
\isacommand{apply}\ (insert\ div_mult_mod_eq\ [of\ "m*n"\ n])\isanewline
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2187
\isacommand{apply}\ (simp)\isanewline
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2188
\isacommand{done}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2189
\end{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2190
The first step inserts the law, specifying \isa{m*n} and
10301
paulson
parents: 10295
diff changeset
  2191
\isa{n} for its variables.  Notice that non-trivial expressions must be
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2192
enclosed in quotation marks.  Here is the resulting 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2193
subgoal, with its new assumption: 
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2194
\begin{isabelle}
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2195
%0\ \isacharless\ n\ \isasymLongrightarrow\ (m\
10596
77951eaeb5b0 tidying
paulson
parents: 10578
diff changeset
  2196
%*\ n)\ div\ n\ =\ m\isanewline
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2197
\ 1.\ \isasymlbrakk0\ \isacharless\
10596
77951eaeb5b0 tidying
paulson
parents: 10578
diff changeset
  2198
n;\ \ (m\ *\ n)\ div\ n\ *\ n\ +\ (m\ *\ n)\ mod\ n\
77951eaeb5b0 tidying
paulson
parents: 10578
diff changeset
  2199
=\ m\ *\ n\isasymrbrakk\isanewline
77951eaeb5b0 tidying
paulson
parents: 10578
diff changeset
  2200
\ \ \ \ \isasymLongrightarrow\ (m\ *\ n)\ div\ n\
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2201
=\ m
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2202
\end{isabelle}
10596
77951eaeb5b0 tidying
paulson
parents: 10578
diff changeset
  2203
Simplification reduces \isa{(m\ *\ n)\ mod\ n} to zero.
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2204
Then it cancels the factor~\isa{n} on both
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  2205
sides of the equation \isa{(m\ *\ n)\ div\ n\ *\ n\ =\ m\ *\ n}, proving the
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  2206
theorem.
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  2207
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  2208
\begin{warn}
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  2209
Any unknowns in the theorem given to \methdx{insert} will be universally
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  2210
quantified in the new assumption.
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  2211
\end{warn}%
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  2212
\index{*insert (method)|)}
10295
8eb12693cead the Rules chapter and theories
paulson
parents:
diff changeset
  2213
11080
22855d091249 various revisions in response to comments from Tobias
paulson
parents: 11077
diff changeset
  2214
\subsection{The Method {\tt\slshape subgoal_tac}}

\index{*subgoal_tac (method)}%
A related method is \isa{subgoal_tac}, but instead
of inserting a theorem as an assumption, it inserts an arbitrary formula.
This formula must be proved later as a separate subgoal. The
idea is to claim that the formula holds on the basis of the current
assumptions, to use this claim to complete the proof, and finally
to justify the claim. It gives the proof
some structure.  If you find yourself generating a complex assumption by a
long series of forward steps, consider using \isa{subgoal_tac} instead: you can
state the formula you are aiming for, and perhaps prove it automatically.

Look at the following example.
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk(z::int)\ <\ 37;\ 66\ <\ 2*z;\ z*z\
\isasymnoteq\ 1225;\ Q(34);\ Q(36)\isasymrbrakk\isanewline
\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ Q(z)"\isanewline
\isacommand{apply}\ (subgoal_tac\ "z\ =\ 34\ \isasymor\ z\ =\
36")\isanewline
\isacommand{apply}\ blast\isanewline
\isacommand{apply}\ (subgoal_tac\ "z\ \isasymnoteq\ 35")\isanewline
\isacommand{apply}\ arith\isanewline
\isacommand{apply}\ force\isanewline
\isacommand{done}
\end{isabelle}
The first assumption tells us
that \isa{z} is no greater than~36. The second tells us that \isa{z}
is at least~34. The third assumption tells us that \isa{z} cannot be 35, since
$35\times35=1225$.  So \isa{z} is either 34 or~36, and since \isa{Q} holds for
both of those values, we have the conclusion.

The Isabelle proof closely follows this reasoning. The first
step is to claim that \isa{z} is either 34 or 36. The resulting proof
state gives us two subgoals:
\begin{isabelle}
%\isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\
%Q\ 34;\ Q\ 36\isasymrbrakk\ \isasymLongrightarrow\ Q\ z\isanewline
\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36;\isanewline
\ \ \ \ \ z\ =\ 34\ \isasymor\ z\ =\ 36\isasymrbrakk\isanewline
\ \ \ \ \isasymLongrightarrow\ Q\ z\isanewline
\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36
\end{isabelle}
The first subgoal is trivial (\isa{blast}), but for the second Isabelle needs help to eliminate
the case
\isa{z}=35.  The second invocation of {\isa{subgoal_tac}} leaves two
subgoals:
\begin{isabelle}
\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\
1225;\ Q\ 34;\ Q\ 36;\isanewline
\ \ \ \ \ z\ \isasymnoteq\ 35\isasymrbrakk\isanewline
\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36\isanewline
\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
\ \ \ \ \isasymLongrightarrow\ z\ \isasymnoteq\ 35
\end{isabelle}

Assuming that \isa{z} is not 35, the first subgoal follows by linear arithmetic
(\isa{arith}). For the second subgoal we apply the method \isa{force},
which proceeds by assuming that \isa{z}=35 and arriving at a contradiction.


\medskip
Summary of these methods:
\begin{itemize}
\item \methdx{insert} adds a theorem as a new assumption
\item \methdx{subgoal_tac} adds a formula as a new assumption and leaves the
subgoal of proving that formula
\end{itemize}
\index{forward proof|)}


\section{Managing Large Proofs}

Naturally you should try to divide proofs into manageable parts.  Look for lemmas
that can be proved separately.  Sometimes you will observe that they are
instances of much simpler facts.  On other occasions, no lemmas suggest themselves
and you are forced to cope with a long proof involving many subgoals.

\subsection{Tacticals, or Control Structures}

\index{tacticals|(}%
If the proof is long, perhaps it at least has some regularity.  Then you can
express it more concisely using \textbf{tacticals}, which provide control
structures.  Here is a proof (it would be a one-liner using
\isa{blast}, but forget that) that contains a series of repeated
commands:
%
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\
Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \
\isasymLongrightarrow \ S"\isanewline
\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
\isacommand{apply}\ (assumption)\isanewline
\isacommand{done}
\end{isabelle}
%
Each of the three identical commands finds an implication and proves its
antecedent by assumption.  The first one finds \isa{P\isasymlongrightarrow Q} and
\isa{P}, concluding~\isa{Q}; the second one concludes~\isa{R} and the third one
concludes~\isa{S}.  The final step matches the assumption \isa{S} with the goal to
be proved.

Suffixing a method with a plus sign~(\isa+)\index{*"+ (tactical)}
expresses one or more repetitions:
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\ Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \ \isasymLongrightarrow \ S"\isanewline
\isacommand{by}\ (drule\ mp,\ assumption)+
\end{isabelle}
%
Using \isacommand{by} takes care of the final use of \isa{assumption}.  The new
proof is more concise.  It is also more general: the repetitive method works
for a chain of implications having any length, not just three.

Choice is another control structure.  Separating two methods by a vertical
% we must use ?? rather than "| as the sorting item because somehow the presence
% of | (even quoted) stops hyperref from putting |hyperpage at the end of the index
% entry.
bar~(\isa|)\index{??@\texttt{"|} (tactical)} gives the effect of applying the
first method, and if that fails, trying the second.  It can be combined with
repetition, when the choice must be made over and over again.  Here is a chain of
implications in which most of the antecedents are proved by assumption, but one is
proved by arithmetic:
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ x<5\isasymlongrightarrow P;\
Suc\ x\ <\ 5\isasymrbrakk \ \isasymLongrightarrow \ R"\ \isanewline
\isacommand{by}\ (drule\ mp,\ (assumption|arith))+
\end{isabelle}
The \isa{arith}
method can prove $x<5$ from $x+1<5$, but it cannot duplicate the effect of
\isa{assumption}.  Therefore, we combine these methods using the choice
operator.

A postfixed question mark~(\isa?)\index{*"? (tactical)} expresses zero or one
repetitions of a method.  It can also be viewed as the choice between executing a
method and doing nothing.  It is useless at top level but can be valuable
within other control structures; for example,
\isa{($m$+)?} performs zero or more repetitions of method~$m$.%
\index{tacticals|)}


\subsection{Subgoal Numbering}
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2358
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2359
Another problem in large proofs is contending with huge
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2360
subgoals or many subgoals.  Induction can produce a proof state that looks
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2361
like this:
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2362
\begin{isabelle}
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2363
\ 1.\ bigsubgoal1\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2364
\ 2.\ bigsubgoal2\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2365
\ 3.\ bigsubgoal3\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2366
\ 4.\ bigsubgoal4\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2367
\ 5.\ bigsubgoal5\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2368
\ 6.\ bigsubgoal6
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2369
\end{isabelle}
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2370
If each \isa{bigsubgoal} is 15 lines or so, the proof state will be too big to
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2371
scroll through.  By default, Isabelle displays at most 10 subgoals.  The 
11406
2b17622e1929 indexing and tweaks
paulson
parents: 11300
diff changeset
  2372
\commdx{pr} command lets you change this limit:
10967
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2373
\begin{isabelle}
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2374
\isacommand{pr}\ 2\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2375
\ 1.\ bigsubgoal1\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2376
\ 2.\ bigsubgoal2\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2377
A total of 6 subgoals...
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2378
\end{isabelle}
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2379
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2380
\medskip
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2381
All methods apply to the first subgoal.
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2382
Sometimes, not only in a large proof, you may want to focus on some other
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2383
subgoal.  Then you should try the commands \isacommand{defer} or \isacommand{prefer}.
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2384
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2385
In the following example, the first subgoal looks hard, while the others
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2386
look as if \isa{blast} alone could prove them:
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2387
\begin{isabelle}
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2388
\ 1.\ hard\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2389
\ 2.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2390
\ 3.\ Q\ \isasymLongrightarrow \ Q%
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2391
\end{isabelle}
69937e62a28e arg_cong, tacticals, pr, defer, prefer
paulson
parents: 10887
diff changeset
  2392
%
The \commdx{defer} command moves the first subgoal into the last position.
\begin{isabelle}
\isacommand{defer}\ 1\isanewline
\ 1.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
\ 2.\ Q\ \isasymLongrightarrow \ Q\isanewline
\ 3.\ hard%
\end{isabelle}
%
Now we apply \isa{blast} repeatedly to the easy subgoals:
\begin{isabelle}
\isacommand{apply}\ blast+\isanewline
\ 1.\ hard%
\end{isabelle}
Using \isacommand{defer}, we have cleared away the trivial parts of the proof so
that we can devote attention to the difficult part.

\medskip
The \commdx{prefer} command moves the specified subgoal into the
first position.  For example, if you suspect that one of your subgoals is
invalid (not a theorem), then you should investigate that subgoal first.  If it
cannot be proved, then there is no point in proving the other subgoals.
\begin{isabelle}
\ 1.\ ok1\isanewline
\ 2.\ ok2\isanewline
\ 3.\ doubtful%
\end{isabelle}
%
We decide to work on the third subgoal.
\begin{isabelle}
\isacommand{prefer}\ 3\isanewline
\ 1.\ doubtful\isanewline
\ 2.\ ok1\isanewline
\ 3.\ ok2
\end{isabelle}
If we manage to prove \isa{doubtful}, then we can work on the other
subgoals, confident that we are not wasting our time.  Finally we revise the
proof script to remove the \isacommand{prefer} command, since we needed it only to
focus our exploration.  The previous example is different: its use of
\isacommand{defer} stops trivial subgoals from cluttering the rest of the
proof.  Even there, we should consider proving \isa{hard} as a preliminary
lemma.  Always seek ways to streamline your proofs.

\medskip
Summary:
\begin{itemize}
\item the control structures \isa+, \isa? and \isa| help express complicated proofs
\item the \isacommand{pr} command can limit the number of subgoals to display
\item the \isacommand{defer} and \isacommand{prefer} commands move a
subgoal to the last or first position
\end{itemize}

\begin{exercise}
Explain the use of \isa? and \isa+ in this proof.
\begin{isabelle}
\isacommand{lemma}\ "\isasymlbrakk P\isasymand Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ P\isasymrbrakk \ \isasymLongrightarrow \ R"\isanewline
\isacommand{by}\ (drule\ mp,\ (intro conjI)?,\ assumption+)+
\end{isabelle}
\end{exercise}



\section{Proving the Correctness of Euclid's Algorithm}
\label{sec:proving-euclid}

\index{Euclid's algorithm|(}\index{*gcd (constant)|(}\index{divides relation|(}%
A brief development will demonstrate the techniques of this chapter,
including \isa{blast} applied with additional rules.  We shall also see
\isa{case_tac} used to perform a Boolean case split.

Let us prove that \isa{gcd} computes the greatest common
divisor of its two arguments.
%
We use induction: \isa{gcd.induct} is the
induction rule returned by \isa{fun}.  We simplify using
rules proved in {\S}\ref{sec:fun-simplification}, since rewriting by the
definition of \isa{gcd} can loop.
\begin{isabelle}
\isacommand{lemma}\ gcd\_dvd\_both:\ "(gcd\ m\ n\ dvd\ m)\ \isasymand \ (gcd\ m\ n\ dvd\ n)"
\end{isabelle}
The induction formula must be a conjunction.  In the
inductive step, each conjunct establishes the other.
\begin{isabelle}
\ 1.\ \isasymAnd m\ n.\ (n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n)\ \isasymLongrightarrow \isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ }gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
\end{isabelle}

The conditional induction hypothesis suggests doing a case
analysis on \isa{n=0}.  We apply \methdx{case_tac} with type
\isa{bool} --- and not with a datatype, as we have done until now.  Since
\isa{nat} is a datatype, we could have written
\isa{case_tac~n} instead of \isa{case_tac~"n=0"}.  However, the definition
of \isa{gcd} makes a Boolean decision:
\begin{isabelle}
\ \ \ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
\end{isabelle}
Proofs about a function frequently follow the function's definition, so we perform
case analysis over the same formula.
\begin{isabelle}
\isacommand{apply}\ (case_tac\ "n=0")\isanewline
\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n\isanewline
\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
\end{isabelle}
%
Simplification leaves one subgoal:
\begin{isabelle}
\isacommand{apply}\ (simp_all)\isanewline
\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }0\ <\ n\isasymrbrakk \isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ n\ (m\ mod\ n)\ dvd\ m%
\end{isabelle}
%
Here, we can use \isa{blast}.
One of the assumptions, the induction hypothesis, is a conjunction.
The two divides relationships it asserts are enough to prove
the conclusion, for we have the following theorem at our disposal:
\begin{isabelle}
\isasymlbrakk?k\ dvd\ (?m\ mod\ ?n){;}\ ?k\ dvd\ ?n\isasymrbrakk\ \isasymLongrightarrow\ ?k\ dvd\ ?m%
\rulename{dvd_mod_imp_dvd}
\end{isabelle}
%
This theorem can be applied in various ways.  As an introduction rule, it
would cause backward chaining from the conclusion (namely
\isa{?k~dvd~?m}) to the two premises, which
also involve the divides relation. This process does not look promising
and could easily loop.  More sensible is to apply the rule in the forward
direction; each step would eliminate an occurrence of the \isa{mod} symbol, so the
process must terminate.
\begin{isabelle}
\isacommand{apply}\ (blast\ dest:\ dvd_mod_imp_dvd)\isanewline
\isacommand{done}
\end{isabelle}
Attaching the \attrdx{dest} attribute to \isa{dvd_mod_imp_dvd} tells
\isa{blast} to use it as a destruction rule; that is, in the forward direction.

\medskip
We have proved a conjunction.  Now, let us give names to each of the
two halves:
\begin{isabelle}
\isacommand{lemmas}\ gcd_dvd1\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct1]\isanewline
\isacommand{lemmas}\ gcd_dvd2\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct2]%
\end{isabelle}
Here we see \commdx{lemmas}
used with the \attrdx{iff} attribute, which supplies the new theorems to the
classical reasoner and the simplifier.  Recall that \attrdx{THEN} is
frequently used with destruction rules; \isa{THEN conjunct1} extracts the
first half of a conjunctive theorem.  Given \isa{gcd_dvd_both} it yields
\begin{isabelle}
\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?m1
\end{isabelle}
The variable names \isa{?m1} and \isa{?n1} arise because
Isabelle renames schematic variables to prevent
clashes.  The second \isacommand{lemmas} declaration yields
\begin{isabelle}
\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?n1
\end{isabelle}

\medskip
To complete the verification of the \isa{gcd} function, we must
prove that it returns the greatest of all the common divisors
of its arguments.  The proof is by induction, case analysis and simplification.
\begin{isabelle}
\isacommand{lemma}\ gcd\_greatest\ [rule\_format]:\isanewline
\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
\end{isabelle}
%
The goal is expressed using HOL implication,
\isa{\isasymlongrightarrow}, because the induction affects the two
preconditions.  The directive \isa{rule_format} tells Isabelle to replace
each \isa{\isasymlongrightarrow} by \isa{\isasymLongrightarrow} before
storing the eventual theorem.  This directive can also remove outer
universal quantifiers, converting the theorem into the usual format for
inference rules.  It can replace any series of applications of
\isa{THEN} to the rules \isa{mp} and \isa{spec}.  We did not have to
write this:
\begin{isabelle}
\isacommand{lemma}\ gcd_greatest\
[THEN mp, THEN mp]:\isanewline
\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
\end{isabelle}

Because we are again reasoning about \isa{gcd}, we perform the same
induction and case analysis as in the previous proof:
\begingroup\samepage
\begin{isabelle}
\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n\isanewline
\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n%
\end{isabelle}
\endgroup

\noindent Simplification proves both subgoals.
\begin{isabelle}
\isacommand{apply}\ (simp_all\ add:\ dvd_mod)\isanewline
\isacommand{done}
\end{isabelle}
In the first, where \isa{n=0}, the implication becomes trivial: \isa{k\ dvd\
gcd\ m\ n} goes to~\isa{k\ dvd\ m}.  The second subgoal is proved by
an unfolding of \isa{gcd}, using this rule about divides:
\begin{isabelle}
\isasymlbrakk ?f\ dvd\ ?m;\ ?f\ dvd\ ?n\isasymrbrakk \
\isasymLongrightarrow \ ?f\ dvd\ ?m\ mod\ ?n%
\rulename{dvd_mod}
\end{isabelle}
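For reference, here is the whole development up to \isa{gcd_greatest} assembled as a single theory; this is an added reconstruction, not the tutorial's own theory file. It assumes a theory name (\isa{Euclid_GCD}), that the \isa{gcd} constant already present in \isa{Main} is hidden with \isa{hide_const} so that the definition above can reuse the name, and that the two simplification rules from {\S}\ref{sec:fun-simplification} are restated here under the names \isa{gcd_0} and \isa{gcd_non_0}; the closing \isa{eval} check is likewise an addition.

```isabelle
theory Euclid_GCD
  imports Main
begin

(* Added example, not the tutorial's own theory file.  Main already provides
   a constant called gcd, so we hide it (assumption: this mirrors what the
   tutorial's theory does) before defining Euclid's algorithm under that name. *)
hide_const (open) gcd

fun gcd :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
  "gcd m n = (if n = 0 then m else gcd n (m mod n))"

(* Rewriting with the raw equation gcd.simps can loop, because its right-hand
   side contains another call of gcd.  As in the section on simplification
   with fun, we retire gcd.simps and install two conditional rules instead. *)
declare gcd.simps [simp del]

lemma gcd_0 [simp]: "gcd m 0 = m"
  by (simp add: gcd.simps)

lemma gcd_non_0 [simp]: "n \<noteq> 0 \<Longrightarrow> gcd m n = gcd n (m mod n)"
  by (simp add: gcd.simps)

(* gcd m n divides both arguments.  The statement is a conjunction because,
   in the step case, the induction hypothesis for gcd n (m mod n) must supply
   both divisibility facts; dvd_mod_imp_dvd then lifts "divides m mod n" and
   "divides n" to "divides m", used by blast in the forward direction. *)
lemma gcd_dvd_both: "(gcd m n dvd m) \<and> (gcd m n dvd n)"
  apply (induct_tac m n rule: gcd.induct)
  apply (case_tac "n = 0")
   apply (simp_all)
  apply (blast dest: dvd_mod_imp_dvd)
  done

(* Name the two halves; [iff] hands them to both the simplifier and blast. *)
lemmas gcd_dvd1 [iff] = gcd_dvd_both [THEN conjunct1]
lemmas gcd_dvd2 [iff] = gcd_dvd_both [THEN conjunct2]

(* Every common divisor of m and n divides gcd m n.  HOL implication keeps
   the two preconditions inside the induction formula; rule_format turns them
   back into meta-level premises when the theorem is stored. *)
lemma gcd_greatest [rule_format]:
  "k dvd m \<longrightarrow> k dvd n \<longrightarrow> k dvd gcd m n"
  apply (induct_tac m n rule: gcd.induct)
  apply (case_tac "n = 0")
   apply (simp_all add: dvd_mod)
  done

(* A concrete sanity check of the executable definition via code generation. *)
lemma "gcd 12 18 = 6"
  by eval

end
```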
22855d091249 various revisions in response to comments from Tobias
paulson
parents: 11077
diff changeset
  2610
22855d091249 various revisions in response to comments from Tobias
paulson
parents: 11077
diff changeset
  2611
22855d091249 various revisions in response to comments from Tobias
paulson
parents: 11077
diff changeset
  2612
\medskip
22855d091249 various revisions in response to comments from Tobias
paulson
parents: 11077
diff changeset
  2613
The facts proved above can be summarized as a single logical 
22855d091249 various revisions in response to comments from Tobias
paulson
parents: 11077
diff changeset
  2614
equivalence.  This step gives us a chance to see another application
22855d091249 various revisions in response to comments from Tobias
paulson
parents: 11077
diff changeset
  2615
of \isa{blast}.
22855d091249 various revisions in response to comments from Tobias
paulson
parents: 11077
diff changeset
  2616
\begin{isabelle}
\isacommand{theorem}\ gcd\_greatest\_iff\ [iff]:\ \isanewline
\ \ \ \ \ \ \ \ "(k\ dvd\ gcd\ m\ n)\ =\ (k\ dvd\ m\ \isasymand \ k\ dvd\ n)"\isanewline
\isacommand{by}\ (blast\ intro!:\ gcd_greatest\ intro:\ dvd_trans)
\end{isabelle}
This theorem concisely expresses the correctness of the \isa{gcd} 
function. 
We state it with the \isa{iff} attribute so that 
Isabelle can use it to remove some occurrences of \isa{gcd}. 
The theorem has a one-line 
proof using \isa{blast} supplied with two additional introduction 
rules. The exclamation mark 
({\isa{intro}}{\isa{!}})\ signifies safe rules, which are 
applied aggressively.  Rules given without the exclamation mark 
are applied reluctantly and their uses can be undone if 
the search backtracks.  Here the unsafe rule expresses transitivity  
of the divides relation:
\begin{isabelle}
\isasymlbrakk?m\ dvd\ ?n;\ ?n\ dvd\ ?p\isasymrbrakk\ \isasymLongrightarrow\ ?m\ dvd\ ?p%
\rulename{dvd_trans}
\end{isabelle}
Applying \isa{dvd_trans} as 
an introduction rule entails a risk of looping, for it multiplies 
occurrences of the divides symbol. However, this proof relies 
on transitivity reasoning.  The rule {\isa{gcd\_greatest}} is safe to apply 
aggressively because it yields simpler subgoals.  The proof implicitly
uses \isa{gcd_dvd1} and \isa{gcd_dvd2} as safe rules, because they were
declared using \isa{iff}.%
\index{Euclid's algorithm|)}\index{*gcd (constant)|)}\index{divides relation|)}
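
\medskip
To see how the safe and unsafe rules cooperate, here is the reasoning behind
the one-line proof of \isa{gcd\_greatest\_iff}, written out by hand as an
added illustration; it is not part of the original tutorial text, and it
only spells out the rule instances named above.  The equivalence splits into
two implications.  From right to left, the safe rule \isa{gcd\_greatest}
reduces the goal to its two premises, both of which are assumptions, so the
search can commit to it without ever needing to backtrack:
\begin{isabelle}
\isasymlbrakk k\ dvd\ m;\ k\ dvd\ n\isasymrbrakk\ \isasymLongrightarrow\ k\ dvd\ gcd\ m\ n
\end{isabelle}
From left to right, the assumption \isa{k\ dvd\ gcd\ m\ n} has to be combined
with the safe facts \isa{gcd_dvd1} and \isa{gcd_dvd2}, and only the unsafe
rule \isa{dvd_trans} can join them.  Instantiating its middle term
\isa{?n} to \isa{gcd\ m\ n} gives the two instances that close the two
conjuncts:
\begin{isabelle}
\isasymlbrakk k\ dvd\ gcd\ m\ n;\ gcd\ m\ n\ dvd\ m\isasymrbrakk\ \isasymLongrightarrow\ k\ dvd\ m\isanewline
\isasymlbrakk k\ dvd\ gcd\ m\ n;\ gcd\ m\ n\ dvd\ n\isasymrbrakk\ \isasymLongrightarrow\ k\ dvd\ n
\end{isabelle}
Each use of \isa{dvd_trans} introduces a fresh intermediate term in place
of \isa{?n}, so a goal of the form \isa{?a\ dvd\ ?b} could be expanded
again and again without progress; that is why the rule is supplied to
\isa{blast} with a plain \isa{intro:} and its uses remain undoable, whereas
\isa{gcd\_greatest} strictly simplifies the goal and is safe to apply
aggressively.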