11 begin |
11 begin |
12 |
12 |
13 |
13 |
14 subsection \<open>Pure backward reasoning\<close> |
14 subsection \<open>Pure backward reasoning\<close> |
15 |
15 |
16 text \<open>In order to get a first idea of how Isabelle/Isar proof documents may |
16 text \<open> |
17 look like, we consider the propositions \<open>I\<close>, \<open>K\<close>, and \<open>S\<close>. The following |
17 In order to get a first idea of how Isabelle/Isar proof documents may look |
18 (rather explicit) proofs should require little extra explanations.\<close> |
18 like, we consider the propositions \<open>I\<close>, \<open>K\<close>, and \<open>S\<close>. The following (rather |
|
19 explicit) proofs should require little extra explanations. |
|
20 \<close> |
19 |
21 |
20 lemma I: "A \<longrightarrow> A" |
22 lemma I: "A \<longrightarrow> A" |
21 proof |
23 proof |
22 assume A |
24 assume A |
23 show A by fact |
25 show A by fact |
48 qed |
50 qed |
49 qed |
51 qed |
50 qed |
52 qed |
51 qed |
53 qed |
52 |
54 |
53 text \<open>Isar provides several ways to fine-tune the reasoning, avoiding |
55 text \<open> |
54 excessive detail. Several abbreviated language elements are available, |
56 Isar provides several ways to fine-tune the reasoning, avoiding excessive |
55 enabling the writer to express proofs in a more concise way, even without |
57 detail. Several abbreviated language elements are available, enabling the |
56 referring to any automated proof tools yet. |
58 writer to express proofs in a more concise way, even without referring to |
57 |
59 any automated proof tools yet. |
58 First of all, proof by assumption may be abbreviated as a single dot.\<close> |
60 |
|
61 Concluding any (sub-)proof already involves solving any remaining goals by |
|
62 assumption\<^footnote>\<open>This is not a completely trivial operation, as proof by |
|
63 assumption may involve full higher-order unification.\<close>. Thus we may skip the |
|
64 rather vacuous body of the above proof. |
|
65 \<close> |
59 |
66 |
60 lemma "A \<longrightarrow> A" |
67 lemma "A \<longrightarrow> A" |
61 proof |
68 proof |
62 assume A |
69 qed |
63 show A by fact+ |
70 |
64 qed |
71 text \<open> |
65 |
72 Note that the \<^theory_text>\<open>proof\<close> command refers to the \<open>rule\<close> method (without |
66 text \<open>In fact, concluding any (sub-)proof already involves solving any |
73 arguments) by default. Thus it implicitly applies a single rule, as |
67 remaining goals by assumption\footnote{This is not a completely trivial |
74 determined from the syntactic form of the statements involved. The \<^theory_text>\<open>by\<close> |
68 operation, as proof by assumption may involve full higher-order |
75 command abbreviates any proof with empty body, so the proof may be further |
69 unification.}. Thus we may skip the rather vacuous body of the above proof |
76 pruned. |
70 as well.\<close> |
77 \<close> |
71 |
|
72 lemma "A \<longrightarrow> A" |
|
73 proof |
|
74 qed |
|
75 |
|
76 text \<open>Note that the \isacommand{proof} command refers to the \<open>rule\<close> method |
|
77 (without arguments) by default. Thus it implicitly applies a single rule, |
|
78 as determined from the syntactic form of the statements involved. The |
|
79 \isacommand{by} command abbreviates any proof with empty body, so the |
|
80 proof may be further pruned.\<close> |
|
81 |
78 |
82 lemma "A \<longrightarrow> A" |
79 lemma "A \<longrightarrow> A" |
83 by rule |
80 by rule |
84 |
81 |
85 text \<open>Proof by a single rule may be abbreviated as double-dot.\<close> |
82 text \<open> |
|
83 Proof by a single rule may be abbreviated as double-dot. |
|
84 \<close> |
86 |
85 |
87 lemma "A \<longrightarrow> A" .. |
86 lemma "A \<longrightarrow> A" .. |
88 |
87 |
89 text \<open>Thus we have arrived at an adequate representation of the proof of a |
88 text \<open> |
90 tautology that holds by a single standard rule.\footnote{Apparently, the |
89 Thus we have arrived at an adequate representation of the proof of a |
91 rule here is implication introduction.} |
90 tautology that holds by a single standard rule.\<^footnote>\<open>Apparently, the |
|
91 rule here is implication introduction.\<close> |
92 |
92 |
93 \<^medskip> |
93 \<^medskip> |
94 Let us also reconsider \<open>K\<close>. Its statement is composed of iterated |
94 Let us also reconsider \<open>K\<close>. Its statement is composed of iterated |
95 connectives. Basic decomposition is by a single rule at a time, which is |
95 connectives. Basic decomposition is by a single rule at a time, which is why |
96 why our first version above was by nesting two proofs. |
96 our first version above was by nesting two proofs. |
97 |
97 |
98 The \<open>intro\<close> proof method repeatedly decomposes a goal's |
98 The \<open>intro\<close> proof method repeatedly decomposes a goal's conclusion.\<^footnote>\<open>The |
99 conclusion.\footnote{The dual method is \<open>elim\<close>, acting on a goal's |
99 dual method is \<open>elim\<close>, acting on a goal's premises.\<close> |
100 premises.}\<close> |
100 \<close> |
101 |
101 |
102 lemma "A \<longrightarrow> B \<longrightarrow> A" |
102 lemma "A \<longrightarrow> B \<longrightarrow> A" |
103 proof (intro impI) |
103 proof (intro impI) |
104 assume A |
104 assume A |
105 show A by fact |
105 show A by fact |
108 text \<open>Again, the body may be collapsed.\<close> |
108 text \<open>Again, the body may be collapsed.\<close> |
109 |
109 |
110 lemma "A \<longrightarrow> B \<longrightarrow> A" |
110 lemma "A \<longrightarrow> B \<longrightarrow> A" |
111 by (intro impI) |
111 by (intro impI) |
112 |
112 |
113 text \<open>Just like \<open>rule\<close>, the \<open>intro\<close> and \<open>elim\<close> proof methods pick standard |
113 text \<open> |
|
114 Just like \<open>rule\<close>, the \<open>intro\<close> and \<open>elim\<close> proof methods pick standard |
114 structural rules, in case no explicit arguments are given. While implicit |
115 structural rules, in case no explicit arguments are given. While implicit |
115 rules are usually just fine for single rule application, this may go too |
116 rules are usually just fine for single rule application, this may go too far |
116 far with iteration. Thus in practice, \<open>intro\<close> and \<open>elim\<close> would be |
117 with iteration. Thus in practice, \<open>intro\<close> and \<open>elim\<close> would be typically |
117 typically restricted to certain structures by giving a few rules only, |
118 restricted to certain structures by giving a few rules only, e.g.\ \<^theory_text>\<open>proof |
118 e.g.\ \isacommand{proof}~\<open>(intro impI allI)\<close> to strip implications and |
119 (intro impI allI)\<close> to strip implications and universal quantifiers. |
119 universal quantifiers. |
|
120 |
120 |
121 Such well-tuned iterated decomposition of certain structures is the prime |
121 Such well-tuned iterated decomposition of certain structures is the prime |
122 application of \<open>intro\<close> and \<open>elim\<close>. In contrast, terminal steps that solve |
122 application of \<open>intro\<close> and \<open>elim\<close>. In contrast, terminal steps that solve a |
123 a goal completely are usually performed by actual automated proof methods |
123 goal completely are usually performed by actual automated proof methods |
124 (such as \isacommand{by}~\<open>blast\<close>.\<close> |
124 (such as \<^theory_text>\<open>by blast\<close>. |
|
125 \<close> |
125 |
126 |
126 |
127 |
127 subsection \<open>Variations of backward vs.\ forward reasoning\<close> |
128 subsection \<open>Variations of backward vs.\ forward reasoning\<close> |
128 |
129 |
129 text \<open>Certainly, any proof may be performed in backward-style only. On the |
130 text \<open> |
130 other hand, small steps of reasoning are often more naturally expressed in |
131 Certainly, any proof may be performed in backward-style only. On the other |
|
132 hand, small steps of reasoning are often more naturally expressed in |
131 forward-style. Isar supports both backward and forward reasoning as a |
133 forward-style. Isar supports both backward and forward reasoning as a |
132 first-class concept. In order to demonstrate the difference, we consider |
134 first-class concept. In order to demonstrate the difference, we consider |
133 several proofs of \<open>A \<and> B \<longrightarrow> B \<and> A\<close>. |
135 several proofs of \<open>A \<and> B \<longrightarrow> B \<and> A\<close>. |
134 |
136 |
135 The first version is purely backward.\<close> |
137 The first version is purely backward. |
|
138 \<close> |
136 |
139 |
137 lemma "A \<and> B \<longrightarrow> B \<and> A" |
140 lemma "A \<and> B \<longrightarrow> B \<and> A" |
138 proof |
141 proof |
139 assume "A \<and> B" |
142 assume "A \<and> B" |
140 show "B \<and> A" |
143 show "B \<and> A" |
142 show B by (rule conjunct2) fact |
145 show B by (rule conjunct2) fact |
143 show A by (rule conjunct1) fact |
146 show A by (rule conjunct1) fact |
144 qed |
147 qed |
145 qed |
148 qed |
146 |
149 |
147 text \<open>Above, the projection rules \<open>conjunct1\<close> / \<open>conjunct2\<close> had to be named |
150 text \<open> |
148 explicitly, since the goals \<open>B\<close> and \<open>A\<close> did not provide any structural |
151 Above, the projection rules \<open>conjunct1\<close> / \<open>conjunct2\<close> had to be named |
149 clue. This may be avoided using \isacommand{from} to focus on the \<open>A \<and> B\<close> |
152 explicitly, since the goals \<open>B\<close> and \<open>A\<close> did not provide any structural clue. |
150 assumption as the current facts, enabling the use of double-dot proofs. |
153 This may be avoided using \<^theory_text>\<open>from\<close> to focus on the \<open>A \<and> B\<close> assumption as the |
151 Note that \isacommand{from} already does forward-chaining, involving the |
154 current facts, enabling the use of double-dot proofs. Note that \<^theory_text>\<open>from\<close> |
152 \<open>conjE\<close> rule here.\<close> |
155 already does forward-chaining, involving the \<open>conjE\<close> rule here. |
|
156 \<close> |
153 |
157 |
154 lemma "A \<and> B \<longrightarrow> B \<and> A" |
158 lemma "A \<and> B \<longrightarrow> B \<and> A" |
155 proof |
159 proof |
156 assume "A \<and> B" |
160 assume "A \<and> B" |
157 show "B \<and> A" |
161 show "B \<and> A" |
159 from \<open>A \<and> B\<close> show B .. |
163 from \<open>A \<and> B\<close> show B .. |
160 from \<open>A \<and> B\<close> show A .. |
164 from \<open>A \<and> B\<close> show A .. |
161 qed |
165 qed |
162 qed |
166 qed |
163 |
167 |
164 text \<open>In the next version, we move the forward step one level upwards. |
168 text \<open> |
165 Forward-chaining from the most recent facts is indicated by the |
169 In the next version, we move the forward step one level upwards. |
166 \isacommand{then} command. Thus the proof of \<open>B \<and> A\<close> from \<open>A \<and> B\<close> actually |
170 Forward-chaining from the most recent facts is indicated by the \<^theory_text>\<open>then\<close> |
167 becomes an elimination, rather than an introduction. The resulting proof |
171 command. Thus the proof of \<open>B \<and> A\<close> from \<open>A \<and> B\<close> actually becomes an |
168 structure directly corresponds to that of the \<open>conjE\<close> rule, including the |
172 elimination, rather than an introduction. The resulting proof structure |
169 repeated goal proposition that is abbreviated as \<open>?thesis\<close> below.\<close> |
173 directly corresponds to that of the \<open>conjE\<close> rule, including the repeated |
|
174 goal proposition that is abbreviated as \<open>?thesis\<close> below. |
|
175 \<close> |
170 |
176 |
171 lemma "A \<and> B \<longrightarrow> B \<and> A" |
177 lemma "A \<and> B \<longrightarrow> B \<and> A" |
172 proof |
178 proof |
173 assume "A \<and> B" |
179 assume "A \<and> B" |
174 then show "B \<and> A" |
180 then show "B \<and> A" |
176 assume B A |
182 assume B A |
177 then show ?thesis .. \<comment> \<open>rule \<open>conjI\<close> of \<open>B \<and> A\<close>\<close> |
183 then show ?thesis .. \<comment> \<open>rule \<open>conjI\<close> of \<open>B \<and> A\<close>\<close> |
178 qed |
184 qed |
179 qed |
185 qed |
180 |
186 |
181 text \<open>In the subsequent version we flatten the structure of the main body by |
187 text \<open> |
182 doing forward reasoning all the time. Only the outermost decomposition |
188 In the subsequent version we flatten the structure of the main body by doing |
183 step is left as backward.\<close> |
189 forward reasoning all the time. Only the outermost decomposition step is |
|
190 left as backward. |
|
191 \<close> |
184 |
192 |
185 lemma "A \<and> B \<longrightarrow> B \<and> A" |
193 lemma "A \<and> B \<longrightarrow> B \<and> A" |
186 proof |
194 proof |
187 assume "A \<and> B" |
195 assume "A \<and> B" |
188 from \<open>A \<and> B\<close> have A .. |
196 from \<open>A \<and> B\<close> have A .. |
189 from \<open>A \<and> B\<close> have B .. |
197 from \<open>A \<and> B\<close> have B .. |
190 from \<open>B\<close> \<open>A\<close> show "B \<and> A" .. |
198 from \<open>B\<close> \<open>A\<close> show "B \<and> A" .. |
191 qed |
199 qed |
192 |
200 |
193 text \<open>We can still push forward-reasoning a bit further, even at the risk of |
201 text \<open> |
194 getting ridiculous. Note that we force the initial proof step to do |
202 We can still push forward-reasoning a bit further, even at the risk of |
195 nothing here, by referring to the \<open>-\<close> proof method.\<close> |
203 getting ridiculous. Note that we force the initial proof step to do nothing |
|
204 here, by referring to the \<open>-\<close> proof method. |
|
205 \<close> |
196 |
206 |
197 lemma "A \<and> B \<longrightarrow> B \<and> A" |
207 lemma "A \<and> B \<longrightarrow> B \<and> A" |
198 proof - |
208 proof - |
199 { |
209 { |
200 assume "A \<and> B" |
210 assume "A \<and> B" |
206 qed |
216 qed |
207 |
217 |
208 text \<open> |
218 text \<open> |
209 \<^medskip> |
219 \<^medskip> |
210 With these examples we have shifted through a whole range from purely |
220 With these examples we have shifted through a whole range from purely |
211 backward to purely forward reasoning. Apparently, in the extreme ends we |
221 backward to purely forward reasoning. Apparently, in the extreme ends we get |
212 get slightly ill-structured proofs, which also require much explicit |
222 slightly ill-structured proofs, which also require much explicit naming of |
213 naming of either rules (backward) or local facts (forward). |
223 either rules (backward) or local facts (forward). |
214 |
224 |
215 The general lesson learned here is that good proof style would achieve |
225 The general lesson learned here is that good proof style would achieve just |
216 just the \<^emph>\<open>right\<close> balance of top-down backward decomposition, and |
226 the \<^emph>\<open>right\<close> balance of top-down backward decomposition, and bottom-up |
217 bottom-up forward composition. In general, there is no single best way to |
227 forward composition. In general, there is no single best way to arrange some |
218 arrange some pieces of formal reasoning, of course. Depending on the |
228 pieces of formal reasoning, of course. Depending on the actual applications, |
219 actual applications, the intended audience etc., rules (and methods) on |
229 the intended audience etc., rules (and methods) on the one hand vs.\ facts |
220 the one hand vs.\ facts on the other hand have to be emphasized in an |
230 on the other hand have to be emphasized in an appropriate way. This requires |
221 appropriate way. This requires the proof writer to develop good taste, and |
231 the proof writer to develop good taste, and some practice, of course. |
222 some practice, of course. |
|
223 |
232 |
224 \<^medskip> |
233 \<^medskip> |
225 For our example the most appropriate way of reasoning is probably the |
234 For our example the most appropriate way of reasoning is probably the middle |
226 middle one, with conjunction introduction done after elimination.\<close> |
235 one, with conjunction introduction done after elimination. |
|
236 \<close> |
227 |
237 |
228 lemma "A \<and> B \<longrightarrow> B \<and> A" |
238 lemma "A \<and> B \<longrightarrow> B \<and> A" |
229 proof |
239 proof |
230 assume "A \<and> B" |
240 assume "A \<and> B" |
231 then show "B \<and> A" |
241 then show "B \<and> A" |
237 |
247 |
238 |
248 |
239 |
249 |
240 subsection \<open>A few examples from ``Introduction to Isabelle''\<close> |
250 subsection \<open>A few examples from ``Introduction to Isabelle''\<close> |
241 |
251 |
242 text \<open>We rephrase some of the basic reasoning examples of @{cite |
252 text \<open> |
243 "isabelle-intro"}, using HOL rather than FOL.\<close> |
253 We rephrase some of the basic reasoning examples of @{cite |
|
254 "isabelle-intro"}, using HOL rather than FOL. |
|
255 \<close> |
244 |
256 |
245 |
257 |
246 subsubsection \<open>A propositional proof\<close> |
258 subsubsection \<open>A propositional proof\<close> |
247 |
259 |
248 text \<open>We consider the proposition \<open>P \<or> P \<longrightarrow> P\<close>. The proof below involves |
260 text \<open> |
249 forward-chaining from \<open>P \<or> P\<close>, followed by an explicit case-analysis on |
261 We consider the proposition \<open>P \<or> P \<longrightarrow> P\<close>. The proof below involves |
250 the two \<^emph>\<open>identical\<close> cases.\<close> |
262 forward-chaining from \<open>P \<or> P\<close>, followed by an explicit case-analysis on the |
|
263 two \<^emph>\<open>identical\<close> cases. |
|
264 \<close> |
251 |
265 |
252 lemma "P \<or> P \<longrightarrow> P" |
266 lemma "P \<or> P \<longrightarrow> P" |
253 proof |
267 proof |
254 assume "P \<or> P" |
268 assume "P \<or> P" |
255 then show P |
269 then show P |
258 next |
272 next |
259 assume P show P by fact |
273 assume P show P by fact |
260 qed |
274 qed |
261 qed |
275 qed |
262 |
276 |
263 text \<open>Case splits are \<^emph>\<open>not\<close> hardwired into the Isar language as a |
277 text \<open> |
264 special feature. The \isacommand{next} command used to separate the cases |
278 Case splits are \<^emph>\<open>not\<close> hardwired into the Isar language as a special |
265 above is just a short form of managing block structure. |
279 feature. The \<^theory_text>\<open>next\<close> command used to separate the cases above is just a |
|
280 short form of managing block structure. |
266 |
281 |
267 \<^medskip> |
282 \<^medskip> |
268 In general, applying proof methods may split up a goal into separate |
283 In general, applying proof methods may split up a goal into separate |
269 ``cases'', i.e.\ new subgoals with individual local assumptions. The |
284 ``cases'', i.e.\ new subgoals with individual local assumptions. The |
270 corresponding proof text typically mimics this by establishing results in |
285 corresponding proof text typically mimics this by establishing results in |
271 appropriate contexts, separated by blocks. |
286 appropriate contexts, separated by blocks. |
272 |
287 |
273 In order to avoid too much explicit parentheses, the Isar system |
288 In order to avoid too much explicit parentheses, the Isar system implicitly |
274 implicitly opens an additional block for any new goal, the |
289 opens an additional block for any new goal, the \<^theory_text>\<open>next\<close> statement then |
275 \isacommand{next} statement then closes one block level, opening a new |
290 closes one block level, opening a new one. The resulting behaviour is what |
276 one. The resulting behaviour is what one would expect from separating |
291 one would expect from separating cases, only that it is more flexible. E.g.\ |
277 cases, only that it is more flexible. E.g.\ an induction base case (which |
292 an induction base case (which does not introduce local assumptions) would |
278 does not introduce local assumptions) would \<^emph>\<open>not\<close> require |
293 \<^emph>\<open>not\<close> require \<^theory_text>\<open>next\<close> to separate the subsequent step case. |
279 \isacommand{next} to separate the subsequent step case. |
|
280 |
294 |
281 \<^medskip> |
295 \<^medskip> |
282 In our example the situation is even simpler, since the two cases actually |
296 In our example the situation is even simpler, since the two cases actually |
283 coincide. Consequently the proof may be rephrased as follows.\<close> |
297 coincide. Consequently the proof may be rephrased as follows. |
|
298 \<close> |
284 |
299 |
285 lemma "P \<or> P \<longrightarrow> P" |
300 lemma "P \<or> P \<longrightarrow> P" |
286 proof |
301 proof |
287 assume "P \<or> P" |
302 assume "P \<or> P" |
288 then show P |
303 then show P |
305 qed |
320 qed |
306 |
321 |
307 |
322 |
308 subsubsection \<open>A quantifier proof\<close> |
323 subsubsection \<open>A quantifier proof\<close> |
309 |
324 |
310 text \<open>To illustrate quantifier reasoning, let us prove |
325 text \<open> |
|
326 To illustrate quantifier reasoning, let us prove |
311 \<open>(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)\<close>. Informally, this holds because any \<open>a\<close> with |
327 \<open>(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)\<close>. Informally, this holds because any \<open>a\<close> with |
312 \<open>P (f a)\<close> may be taken as a witness for the second existential statement. |
328 \<open>P (f a)\<close> may be taken as a witness for the second existential statement. |
313 |
329 |
314 The first proof is rather verbose, exhibiting quite a lot of (redundant) |
330 The first proof is rather verbose, exhibiting quite a lot of (redundant) |
315 detail. It gives explicit rules, even with some instantiation. |
331 detail. It gives explicit rules, even with some instantiation. Furthermore, |
316 Furthermore, we encounter two new language elements: the \isacommand{fix} |
332 we encounter two new language elements: the \<^theory_text>\<open>fix\<close> command augments the |
317 command augments the context by some new ``arbitrary, but fixed'' element; |
333 context by some new ``arbitrary, but fixed'' element; the \<^theory_text>\<open>is\<close> annotation |
318 the \isacommand{is} annotation binds term abbreviations by higher-order |
334 binds term abbreviations by higher-order pattern matching. |
319 pattern matching.\<close> |
335 \<close> |
320 |
336 |
321 lemma "(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)" |
337 lemma "(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)" |
322 proof |
338 proof |
323 assume "\<exists>x. P (f x)" |
339 assume "\<exists>x. P (f x)" |
324 then show "\<exists>y. P y" |
340 then show "\<exists>y. P y" |
327 assume "P (f a)" (is "P ?witness") |
343 assume "P (f a)" (is "P ?witness") |
328 then show ?thesis by (rule exI [of P ?witness]) |
344 then show ?thesis by (rule exI [of P ?witness]) |
329 qed |
345 qed |
330 qed |
346 qed |
331 |
347 |
332 text \<open>While explicit rule instantiation may occasionally improve readability |
348 text \<open> |
333 of certain aspects of reasoning, it is usually quite redundant. Above, the |
349 While explicit rule instantiation may occasionally improve readability of |
334 basic proof outline gives already enough structural clues for the system |
350 certain aspects of reasoning, it is usually quite redundant. Above, the |
335 to infer both the rules and their instances (by higher-order unification). |
351 basic proof outline gives already enough structural clues for the system to |
336 Thus we may as well prune the text as follows.\<close> |
352 infer both the rules and their instances (by higher-order unification). Thus |
|
353 we may as well prune the text as follows. |
|
354 \<close> |
337 |
355 |
338 lemma "(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)" |
356 lemma "(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)" |
339 proof |
357 proof |
340 assume "\<exists>x. P (f x)" |
358 assume "\<exists>x. P (f x)" |
341 then show "\<exists>y. P y" |
359 then show "\<exists>y. P y" |
344 assume "P (f a)" |
362 assume "P (f a)" |
345 then show ?thesis .. |
363 then show ?thesis .. |
346 qed |
364 qed |
347 qed |
365 qed |
348 |
366 |
349 text \<open>Explicit \<open>\<exists>\<close>-elimination as seen above can become quite cumbersome in |
367 text \<open> |
350 practice. The derived Isar language element ``\isakeyword{obtain}'' |
368 Explicit \<open>\<exists>\<close>-elimination as seen above can become quite cumbersome in |
351 provides a more handsome way to do generalized existence reasoning.\<close> |
369 practice. The derived Isar language element ``\<^theory_text>\<open>obtain\<close>'' provides a more |
|
370 handsome way to do generalized existence reasoning. |
|
371 \<close> |
352 |
372 |
353 lemma "(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)" |
373 lemma "(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)" |
354 proof |
374 proof |
355 assume "\<exists>x. P (f x)" |
375 assume "\<exists>x. P (f x)" |
356 then obtain a where "P (f a)" .. |
376 then obtain a where "P (f a)" .. |
357 then show "\<exists>y. P y" .. |
377 then show "\<exists>y. P y" .. |
358 qed |
378 qed |
359 |
379 |
360 text \<open>Technically, \isakeyword{obtain} is similar to \isakeyword{fix} and |
380 text \<open> |
361 \isakeyword{assume} together with a soundness proof of the elimination |
381 Technically, \<^theory_text>\<open>obtain\<close> is similar to \<^theory_text>\<open>fix\<close> and \<^theory_text>\<open>assume\<close> together with a |
362 involved. Thus it behaves similar to any other forward proof element. Also |
382 soundness proof of the elimination involved. Thus it behaves similar to any |
363 note that due to the nature of general existence reasoning involved here, |
383 other forward proof element. Also note that due to the nature of general |
364 any result exported from the context of an \isakeyword{obtain} statement |
384 existence reasoning involved here, any result exported from the context of |
365 may \<^emph>\<open>not\<close> refer to the parameters introduced there.\<close> |
385 an \<^theory_text>\<open>obtain\<close> statement may \<^emph>\<open>not\<close> refer to the parameters introduced there. |
|
386 \<close> |
366 |
387 |
367 |
388 |
368 subsubsection \<open>Deriving rules in Isabelle\<close> |
389 subsubsection \<open>Deriving rules in Isabelle\<close> |
369 |
390 |
370 text \<open>We derive the conjunction elimination rule from the corresponding |
391 text \<open> |
|
392 We derive the conjunction elimination rule from the corresponding |
371 projections. The proof is quite straight-forward, since Isabelle/Isar |
393 projections. The proof is quite straight-forward, since Isabelle/Isar |
372 supports non-atomic goals and assumptions fully transparently.\<close> |
394 supports non-atomic goals and assumptions fully transparently. |
|
395 \<close> |
373 |
396 |
374 theorem conjE: "A \<and> B \<Longrightarrow> (A \<Longrightarrow> B \<Longrightarrow> C) \<Longrightarrow> C" |
397 theorem conjE: "A \<and> B \<Longrightarrow> (A \<Longrightarrow> B \<Longrightarrow> C) \<Longrightarrow> C" |
375 proof - |
398 proof - |
376 assume "A \<and> B" |
399 assume "A \<and> B" |
377 assume r: "A \<Longrightarrow> B \<Longrightarrow> C" |
400 assume r: "A \<Longrightarrow> B \<Longrightarrow> C" |