239 \begin{isamarkuptext}% |
248 \begin{isamarkuptext}% |
240 FIXME% |
249 FIXME% |
241 \end{isamarkuptext}% |
250 \end{isamarkuptext}% |
242 \isamarkuptrue% |
251 \isamarkuptrue% |
243 % |
252 % |
244 \isamarkupsection{Context \label{sec:context}% |
253 \isamarkupsection{Contexts \label{sec:context}% |
245 } |
254 } |
246 \isamarkuptrue% |
255 \isamarkuptrue% |
247 % |
256 % |
248 \isadelimFIXME |
257 \begin{isamarkuptext}% |
249 % |
258 A logical context represents the background that is taken for |
250 \endisadelimFIXME |
259 granted when formulating statements and composing proofs. It acts |
251 % |
260 as a medium to produce formal content, depending on earlier material |
252 \isatagFIXME |
261 (declarations, results etc.). |
253 % |
262 |
254 \begin{isamarkuptext}% |
263 In particular, derivations within the primitive Pure logic can be |
255 What is a context anyway? A highly advanced |
264 described as a judgment \isa{{\isasymGamma}\ {\isasymturnstile}\isactrlsub {\isasymTheta}\ {\isasymphi}}, meaning that a |
256 technological and cultural achievement, which took humanity several |
265 proposition \isa{{\isasymphi}} is derivable from hypotheses \isa{{\isasymGamma}} |
257 thousands of years to be develop, is writing with pen-and-paper. Here |
266 within the theory \isa{{\isasymTheta}}. There are logical reasons for |
258 the paper is the context, or medium. It accommodates a certain range |
267 keeping \isa{{\isasymTheta}} and \isa{{\isasymGamma}} separate: theories support type |
259 of different kinds of pens, but also has some inherent limitations. |
268 constructors and schematic polymorphism of constants and axioms, |
260 For example, carved inscriptions are better done on solid material |
269 while the inner calculus of \isa{{\isasymGamma}\ {\isasymturnstile}\ {\isasymphi}} is limited to Simple |
261 like wood or stone. |
270 Type Theory (with fixed type variables in the assumptions). |
262 |
271 |
263 Isabelle/Isar distinguishes two key notions of context: \emph{theory |
272 \medskip Contexts and derivations are linked by the following key |
264 context} and \emph{proof context}. To motivate this fundamental |
273 principles: |
265 division consider the very idea of logical reasoning which is about |
274 |
266 judgments $\Gamma \Drv{\Theta} \phi$, where $\Theta$ is the background |
275 \begin{itemize} |
267 theory with declarations of operators and axioms stating their |
276 |
268 properties, and $\Gamma$ a collection of hypotheses emerging |
277 \item Transfer: monotonicity of derivations admits results to be |
269 temporarily during proof. For example, the rule of |
278 transferred into a larger context, i.e.\ \isa{{\isasymGamma}\ {\isasymturnstile}\isactrlsub {\isasymTheta}\ {\isasymphi}} |
270 implication-introduction \[ \infer{\Gamma \Drv{\Theta} A \Imp |
279 implies \isa{{\isasymGamma}{\isacharprime}\ {\isasymturnstile}\isactrlsub {\isasymTheta}\isactrlsub {\isacharprime}\ {\isasymphi}} for contexts \isa{{\isasymTheta}{\isacharprime}\ {\isasymsupseteq}\ {\isasymTheta}} and \isa{{\isasymGamma}{\isacharprime}\ {\isasymsupseteq}\ {\isasymGamma}}. |
271 B}{\Gamma, A \Drv{\Theta} B} \] can be read as ``to show $A \Imp B$ we |
280 |
272 may assume $A$ as hypothesis and need to show $B$''. It is |
281 \item Export: discharge of hypotheses admits results to be exported |
273 characteristic that $\Theta$ is unchanged and $\Gamma$ is only |
282 into a smaller context, i.e.\ \isa{{\isasymGamma}{\isacharprime}\ {\isasymturnstile}\isactrlsub {\isasymTheta}\ {\isasymphi}} implies |
274 modified according to some general patterns of ``assuming'' and |
283 \isa{{\isasymGamma}\ {\isasymturnstile}\isactrlsub {\isasymTheta}\ {\isasymDelta}\ {\isasymLongrightarrow}\ {\isasymphi}} where \isa{{\isasymGamma}{\isacharprime}\ {\isasymsupseteq}\ {\isasymGamma}} and \isa{{\isasymDelta}\ {\isacharequal}\ {\isasymGamma}{\isacharprime}\ {\isacharminus}\ {\isasymGamma}}. Note that \isa{{\isasymTheta}} remains unchanged here, only the |
275 ``discharging'' hypotheses. This admits the following abbreviated |
284 \isa{{\isasymGamma}} part is affected. |
276 notation, where the fixed $\Theta$ and locally changed $\Gamma$ are |
285 |
277 left implicit: \[ \infer{A \Imp B}{\infer*{B}{[A]}} \] |
286 \end{itemize} |
278 |
287 |
279 In some logical traditions (e.g.\ Type Theory) there is a tendency to |
288 \medskip Isabelle/Isar provides two different notions of abstract |
280 unify all kinds of declarations within a single notion of context. |
289 containers called \emph{theory context} and \emph{proof context}, |
281 This is theoretically very nice, but also more demanding, because |
290 respectively. These model the main characteristics of the primitive |
282 everything is internalized into the logical calculus itself. |
291 \isa{{\isasymTheta}} and \isa{{\isasymGamma}} above, without subscribing to any |
283 Isabelle/Pure is a very simple logic, but achieves many practically |
292 particular kind of content yet. Instead, contexts merely impose a |
284 useful concepts by differentiating various basic elements. |
293 certain policy of managing arbitrary \emph{context data}. The |
285 |
294 system provides strongly typed mechanisms to declare new kinds of |
286 Take polymorphism, for example. Instead of embarking on the |
295 data at compile time. |
287 adventurous enterprise of full higher-order logic with full |
296 |
288 type-quantification and polymorphic entities, Isabelle/Pure merely |
297 Thus the internal bootstrap process of Isabelle/Pure eventually |
289 takes a stripped-down version of Church's Simple Type Theory |
298 reaches a stage where certain data slots provide the logical content |
290 \cite{church40}. Then after the tradition of Gordon's HOL |
299 of \isa{{\isasymTheta}} and \isa{{\isasymGamma}} sketched above, but this does not |
291 \cite{mgordon-hol} it is fairly easy to introduce syntactic notions of |
300 stop there! Various additional data slots support all kinds of |
292 type variables and type-constructors, and require every theory |
301 mechanisms that are not necessarily part of the core logic. |
293 $\Theta$ being closed by type instantiation. Whenever we wish to |
302 |
294 reason with a polymorphic constant or axiom scheme at a particular |
303 For example, there would be data for canonical introduction and |
295 type, we may assume that it has been referenced initially at that very |
304 elimination rules for arbitrary operators (depending on the |
296 instance (due to the Deduction Theorem). Thus we achieve the |
305 object-logic and application), which enables users to perform |
297 following \emph{admissible |
306 standard proof steps implicitly (cf.\ the \isa{rule} method). |
298 rule}\glossary{Admissible rule}{FIXME} of schematic type-instantiation: |
307 |
299 |
308 Isabelle is able to bring forth more and more concepts successively. |
300 \[ |
309 In particular, an object-logic like Isabelle/HOL continues the |
301 \infer{\phi(\tau)}{\infer*{\phi(\alpha)}{[\alpha]}} |
310 Isabelle/Pure setup by adding specific components for automated |
302 \] |
311 reasoning (classical reasoner, tableau prover, structured induction |
303 |
312 etc.) and derived specification mechanisms (inductive predicates, |
304 Using this approach, the structured Isar proof language offers |
313 recursive functions etc.). All of this is based on the generic data |
305 schematic polymorphism within nested sub-proofs -- similar to that of |
314 management by theory and proof contexts.% |
306 polymorphic let-bindings according to Hindley-Milner.\ |
315 \end{isamarkuptext}% |
307 \cite{milner78}. All of this is achieved without disintegrating the |
316 \isamarkuptrue% |
308 rather simplistic logical core. On the other hand, the succinct rule |
|
309 presented above already involves rather delicate interaction of the |
|
310 theory and proof context (with side-conditions not mentioned here), |
|
311 and unwinding an admissible rule involves induction over derivations. |
|
312 All of this diversity needs to be accomodated by the system |
|
313 architecture and actual implementation. |
|
314 |
|
315 \medskip Despite these important observations, Isabelle/Isar is not just a |
|
316 logical calculus, there are further extra-logical aspects to be considered. |
|
317 Practical experience over the years suggests two context data structures which |
|
318 are used in rather dissimilar manners, even though there is a considerable |
|
319 overlap of underlying ideas. |
|
320 |
|
321 From the system's perspective the mode of use of theory vs.\ proof context is |
|
322 the key distinction. The actual content is merely a generic slot for |
|
323 \emph{theory data} and \emph{proof data}, respectively. There are generic |
|
324 interfaces to declare data entries at any time. Even the core logic of |
|
325 Isabelle/Pure registers its very own notion of theory context data (types, |
|
326 constants, axioms etc.) like any other Isabelle tool out there. Likewise, the |
|
327 essentials of Isar proof contexts are one proof data slot among many others, |
|
328 notably those of derived Isar concepts (e.g.\ calculational reasoning rules). |
|
329 |
|
330 In that respect, a theory is more like a stone tablet to carve long-lasting |
|
331 inscriptions -- but take care not to break it! While a proof context is like |
|
332 a block of paper to scribble and dispose quickly. More recently Isabelle has |
|
333 started to cultivate the paper-based craftsmanship a bit further, by |
|
334 maintaining small collections of paper booklets, better known as locales. |
|
335 |
|
336 Thus we achive ``thick'' augmented versions of {\boldmath$\Theta$} and |
|
337 {\boldmath$\Gamma$} to support realistic structured reasoning within a |
|
338 practically usable system.% |
|
339 \end{isamarkuptext}% |
|
340 \isamarkuptrue% |
|
341 % |
|
342 \endisatagFIXME |
|
343 {\isafoldFIXME}% |
|
344 % |
|
345 \isadelimFIXME |
|
346 % |
|
347 \endisadelimFIXME |
|
348 % |
317 % |
349 \isamarkupsubsection{Theory context \label{sec:context-theory}% |
318 \isamarkupsubsection{Theory context \label{sec:context-theory}% |
350 } |
319 } |
351 \isamarkuptrue% |
320 \isamarkuptrue% |
352 % |
321 % |
353 \isadelimFIXME |
322 \begin{isamarkuptext}% |
354 % |
323 Each theory is explicitly named and holds a unique identifier. |
355 \endisadelimFIXME |
324 There is a separate \emph{theory reference} for pointing backwards |
356 % |
325 to the enclosing theory context of derived entities. Theories are |
357 \isatagFIXME |
326 related by a (nominal) sub-theory relation, which corresponds to the |
358 % |
327 canonical dependency graph: each theory is derived from a certain |
359 \begin{isamarkuptext}% |
328 sub-graph of ancestor theories. The \isa{merge} of two theories |
360 A theory context consists of management information plus the |
329 refers to the least upper bound, which actually degenerates into |
361 actual data, which may be declared by other software modules later on. |
330 absorption of one theory into the other, due to the nominal |
362 The management part is surprisingly complex, we illustrate it by the |
331 sub-theory relation this. |
363 following typical situation of incremental theory development. |
332 |
364 |
333 The \isa{begin} operation starts a new theory by importing |
365 \begin{tabular}{rcccl} |
334 several parent theories and entering a special \isa{draft} mode, |
|
335 which is sustained until the final \isa{end} operation. A draft |
|
336 mode theory acts like a linear type, where updates invalidate |
|
337 earlier drafts, but theory reference values will be propagated |
|
338 automatically. Thus derived entities that ``belong'' to a draft |
|
339 might be transferred spontaneously to a larger context. An |
|
340 invalidated draft is called ``stale''. The \isa{copy} operation |
|
341 produces an auxiliary version with the same data content, but is |
|
342 unrelated to the original: updates of the copy do not affect the |
|
343 original, neither does the sub-theory relation hold. |
|
344 |
|
345 The example below shows a theory graph derived from \isa{Pure}. |
|
346 Theory \isa{Length} imports \isa{Nat} and \isa{List}. |
|
347 The linear draft mode is enabled during the ``\isa{{\isasymdots}}'' stage of |
|
348 the theory body. |
|
349 |
|
350 \bigskip |
|
351 \begin{tabular}{rcccl} |
366 & & $Pure$ \\ |
352 & & $Pure$ \\ |
367 & & $\downarrow$ \\ |
353 & & $\downarrow$ \\ |
368 & & $FOL$ \\ |
354 & & $FOL$ \\ |
369 & $\swarrow$ & & $\searrow$ & \\ |
355 & $\swarrow$ & & $\searrow$ & \\ |
370 $Nat$ & & & & $List$ \\ |
356 $Nat$ & & & & $List$ \\ |
371 & $\searrow$ & & $\swarrow$ \\ |
357 & $\searrow$ & & $\swarrow$ \\ |
372 & & $Length$ \\ |
358 & & $Length$ \\ |
373 & & \multicolumn{3}{l}{~~$\isarkeyword{imports}$} \\ |
359 & & \multicolumn{3}{l}{~~$\isarkeyword{imports}$} \\ |
374 & & \multicolumn{3}{l}{~~$\isarkeyword{begin}$} \\ |
360 & & \multicolumn{3}{l}{~~$\isarkeyword{begin}$} \\ |
375 & & $\vdots$~~ \\ |
361 & & $\vdots$~~ \\ |
376 & & $\bullet$~~ \\ |
|
377 & & $\vdots$~~ \\ |
|
378 & & $\bullet$~~ \\ |
|
379 & & $\vdots$~~ \\ |
|
380 & & \multicolumn{3}{l}{~~$\isarkeyword{end}$} \\ |
362 & & \multicolumn{3}{l}{~~$\isarkeyword{end}$} \\ |
381 \end{tabular} |
363 \end{tabular} |
382 |
364 |
383 \begin{itemize} |
365 \medskip In practice, derived theory operations mostly operate |
384 \item \emph{name}, \emph{parents} and \emph{ancestors} |
366 drafts, namely the body of the current portion of theory that the |
385 \item \emph{identity} |
367 user happens to be composing. |
386 \item \emph{intermediate versions} |
368 |
387 \end{itemize} |
369 \medskip There is also a builtin theory history mechanism that amends for |
388 |
370 the destructive behaviour of theory drafts. The \isa{checkpoint} operation produces an intermediate stepping stone that |
389 \begin{description} |
371 survives the next update unscathed: both the original and the |
390 \item [draft] |
372 changed theory remain valid and are related by the sub-theory |
391 \item [intermediate] |
373 relation. This recovering of pure theory values comes at the cost |
392 \item [finished] |
374 of extra internal bookeeping. The cumulative effect of |
393 \end{description} |
375 checkpointing is purged by the \isa{finish} operation. |
394 |
376 |
395 \emph{theory reference}% |
377 History operations are usually managed by the system, e.g.\ notably |
396 \end{isamarkuptext}% |
378 in the Isar transaction loop. |
397 \isamarkuptrue% |
379 |
398 % |
380 \medskip |
399 \endisatagFIXME |
381 FIXME theory data% |
400 {\isafoldFIXME}% |
382 \end{isamarkuptext}% |
401 % |
383 \isamarkuptrue% |
402 \isadelimFIXME |
|
403 % |
|
404 \endisadelimFIXME |
|
405 % |
384 % |
406 \isamarkupsubsection{Proof context \label{sec:context-proof}% |
385 \isamarkupsubsection{Proof context \label{sec:context-proof}% |
407 } |
386 } |
408 \isamarkuptrue% |
387 \isamarkuptrue% |
409 % |
388 % |
410 \begin{isamarkuptext}% |
389 \begin{isamarkuptext}% |
411 FIXME |
390 A proof context is an arbitrary container that is initialized from a |
|
391 given theory. The result contains a back-reference to the theory it |
|
392 belongs to, together with pure data. No further bookkeeping is |
|
393 required here, thanks to the lack of destructive features. |
|
394 |
|
395 There is no restriction on producing proof contexts, although the |
|
396 usual discipline is to follow block structure as a mental model: a |
|
397 given context is extended consecutively, results are exported back |
|
398 into the original context. In particular, the concept of Isar proof |
|
399 state models block-structured reasoning explicitly, using a stack of |
|
400 proof contexts. |
|
401 |
|
402 Due to the lack of identification and back-referencing, entities |
|
403 derived in a proof context need to record inherent logical |
|
404 requirements explicitly. For example, hypotheses used in a |
|
405 derivation will be recorded separately within the sequent \isa{{\isasymGamma}\ {\isasymturnstile}\ {\isasymphi}}, just to make double sure. Results could leak into an alien |
|
406 proof context do to programming errors, but Isabelle/Isar |
|
407 occasionally includes extra validity checks at the end of a |
|
408 sub-proof. |
|
409 |
|
410 \medskip |
|
411 FIXME proof data |
412 |
412 |
413 \glossary{Proof context}{The static context of a structured proof, |
413 \glossary{Proof context}{The static context of a structured proof, |
414 acts like a local ``theory'' of the current portion of Isar proof |
414 acts like a local ``theory'' of the current portion of Isar proof |
415 text, generalizes the idea of local hypotheses \isa{{\isasymGamma}} in |
415 text, generalizes the idea of local hypotheses \isa{{\isasymGamma}} in |
416 judgments \isa{{\isasymGamma}\ {\isasymturnstile}\ {\isasymphi}} of natural deduction calculi. There is a |
416 judgments \isa{{\isasymGamma}\ {\isasymturnstile}\ {\isasymphi}} of natural deduction calculi. There is a |
417 generic notion of introducing and discharging hypotheses. Arbritrary |
417 generic notion of introducing and discharging hypotheses. Arbritrary |
418 auxiliary context data may be adjoined.}% |
418 auxiliary context data may be adjoined.}% |
419 \end{isamarkuptext}% |
419 \end{isamarkuptext}% |
|
420 \isamarkuptrue% |
|
421 % |
|
422 \isamarkupsubsection{Generic contexts% |
|
423 } |
420 \isamarkuptrue% |
424 \isamarkuptrue% |
421 % |
425 % |
422 \isadelimtheory |
426 \isadelimtheory |
423 % |
427 % |
424 \endisadelimtheory |
428 \endisadelimtheory |