12 text {* |
12 text {* |
13 Cantor's Theorem states that every set has more subsets than it has |
13 Cantor's Theorem states that every set has more subsets than it has |
14 elements. It has become a favorite basic example in pure |
14 elements. It has become a favorite basic example in pure |
15 higher-order logic since it is so easily expressed: \[\all{f::\alpha |
15 higher-order logic since it is so easily expressed: \[\all{f::\alpha |
16 \To \alpha \To \idt{bool}} \ex{S::\alpha \To \idt{bool}} |
16 \To \alpha \To \idt{bool}} \ex{S::\alpha \To \idt{bool}} |
17 \all{x::\alpha}. f \ap x \not= S\] |
17 \all{x::\alpha} f \ap x \not= S\] |
18 |
18 |
19 Viewing types as sets, $\alpha \To \idt{bool}$ represents the |
19 Viewing types as sets, $\alpha \To \idt{bool}$ represents the |
20 powerset of $\alpha$. This version of the theorem states that for |
20 powerset of $\alpha$. This version of the theorem states that for |
21 every function from $\alpha$ to its powerset, some subset is outside |
21 every function from $\alpha$ to its powerset, some subset is outside |
22 its range. The Isabelle/Isar proofs below uses HOL's set theory, |
22 its range. The Isabelle/Isar proofs below uses HOL's set theory, |
23 with the type $\alpha \ap \idt{set}$ and the operator $\idt{range}$. |
23 with the type $\alpha \ap \idt{set}$ and the operator |
|
24 $\idt{range}::(\alpha \To \beta) \To \beta \ap \idt{set}$. |
24 |
25 |
25 \bigskip We first consider a slightly awkward version of the proof, |
26 \bigskip We first consider a slightly awkward version of the proof, |
26 with the reasoning expressed quite naively. |
27 with the innermost reasoning expressed quite naively. |
27 *}; |
28 *}; |
28 |
29 |
29 theorem "EX S. S ~: range(f :: 'a => 'a set)"; |
30 theorem "EX S. S ~: range(f :: 'a => 'a set)"; |
30 proof; |
31 proof; |
31 let ?S = "{x. x ~: f x}"; |
32 let ?S = "{x. x ~: f x}"; |
56 The following version of the proof essentially does the same |
57 The following version of the proof essentially does the same |
57 reasoning, only that it is expressed more neatly. In particular, we |
58 reasoning, only that it is expressed more neatly. In particular, we |
58 change the order of assumptions introduced in the two cases of rule |
59 change the order of assumptions introduced in the two cases of rule |
59 \name{equalityCE}, streamlining the flow of intermediate facts and |
60 \name{equalityCE}, streamlining the flow of intermediate facts and |
60 avoiding explicit naming.\footnote{In general, neither the order of |
61 avoiding explicit naming.\footnote{In general, neither the order of |
61 assumptions as introduced \isacommand{assume}, nor the order of goals |
62 assumptions as introduced by \isacommand{assume}, nor the order of |
62 as solved by \isacommand{show} matters. The basic logical structure |
63 goals as solved by \isacommand{show} is of any significance. The |
63 has to be left intact, though. In particular, assumptions |
64 basic logical structure has to be left intact, though. In |
64 ``belonging'' to some goal have to be introduced \emph{before} its |
65 particular, assumptions ``belonging'' to some goal have to be |
65 corresponding \isacommand{show}.} |
66 introduced \emph{before} its corresponding \isacommand{show}.} |
66 *}; |
67 *}; |
67 |
68 |
68 theorem "EX S. S ~: range(f :: 'a => 'a set)"; |
69 theorem "EX S. S ~: range(f :: 'a => 'a set)"; |
69 proof; |
70 proof; |
70 let ?S = "{x. x ~: f x}"; |
71 let ?S = "{x. x ~: f x}"; |
89 qed; |
90 qed; |
90 qed; |
91 qed; |
91 |
92 |
92 text {* |
93 text {* |
93 How much creativity is required? As it happens, Isabelle can prove |
94 How much creativity is required? As it happens, Isabelle can prove |
94 this theorem automatically. The default context of the classical |
95 this theorem automatically. The default context of the Isabelle's |
95 proof tools contains rules for most of the constructs of HOL's set |
96 classical prover contains rules for most of the constructs of HOL's |
96 theory. We must augment it with \name{equalityCE} to break up set |
97 set theory. We must augment it with \name{equalityCE} to break up |
97 equalities, and then apply best-first search. Depth-first search |
98 set equalities, and then apply best-first search. Depth-first search |
98 would diverge, but best-first search successfully navigates through |
99 would diverge, but best-first search successfully navigates through |
99 the large search space. |
100 the large search space. |
100 *}; |
101 *}; |
101 |
102 |
102 theorem "EX S. S ~: range(f :: 'a => 'a set)"; |
103 theorem "EX S. S ~: range(f :: 'a => 'a set)"; |
104 |
105 |
105 text {* |
106 text {* |
106 While this establishes the same theorem internally, we do not get any |
107 While this establishes the same theorem internally, we do not get any |
107 idea of how the proof actually works. There is currently no way to |
108 idea of how the proof actually works. There is currently no way to |
108 transform internal system-level representations of Isabelle proofs |
109 transform internal system-level representations of Isabelle proofs |
109 back into Isar documents. Writing proof documents really is a |
110 back into Isar documents. Writing intelligible proof documents |
110 creative process, after all. |
111 really is a creative process, after all. |
111 *}; |
112 *}; |
112 |
113 |
113 end; |
114 end; |