|
1 |
|
2 (*<*) |
|
3 theory Tutorial = Main: |
|
4 (*>*) |
|
5 |
|
6 chapter {* Introduction *} |
|
7 |
|
8 chapter {* Interaction and debugging *} |
|
9 |
|
10 chapter {* Calculational reasoning *} |
|
11 |
|
12 chapter {* Proof by cases and induction *} |
|
13 |
|
14 chapter {* General natural deduction *} |
|
15 |
|
16 chapter {* Example: FIXME *} |
|
17 |
|
18 |
|
19 chapter FIXME |
|
20 |
|
21 |
|
22 section {* Formal document preparation *} |
|
23 |
|
24 subsection {* Example *} |
|
25 |
|
26 text {* |
|
27 See this very document itself. |
|
28 *} |
|
29 |
|
30 subsection {* Getting started *} |
|
31 |
|
32 text {* |
|
33 \verb"isatool mkdir Test && isatool make" |
|
34 *} |
|
35 |
|
36 section {* Human-readable proof composition in Isar *} |
|
37 |
|
38 subsection {* Getting started *} |
|
39 |
|
40 text {* Claim a trivial goal in order to enter proof mode @{text \<dots>} *} |
|
41 |
|
42 lemma True |
|
43 proof |
|
44 |
|
45 txt {* After the canonical initial refinement step we are left |
|
46 within an \emph{proof body}. *} |
|
47 |
|
48 txt {* Here we may augment the present local {proof context} as we |
|
49 please. *} |
|
50 |
|
51 fix something |
|
52 assume a: "anything something" |
|
53 |
|
54 txt {* Note that the present configuration may be inspected by |
|
55 several \emph{diagnostic commands}. *} |
|
56 |
|
57 term something -- "@{term [show_types] something}" |
|
58 term anything -- "@{term [show_types] anything}" |
|
59 thm a -- {* @{thm a} *} |
|
60 |
|
61 txt {* We may state local (auxiliary) results as well. *} |
|
62 |
|
63 have True proof qed |
|
64 |
|
65 txt {* We are now satisfied. *} |
|
66 qed |
|
67 |
|
68 |
|
69 subsection {* Calculational Reasoning *} |
|
70 |
|
71 text {* |
|
72 Isar is mainly about Natural Deduction, but Calculational Reasoning |
|
73 turns out as a simplified instance of that, so we demonstrate it |
|
74 first. |
|
75 *} |
|
76 |
|
77 subsubsection {* Transitive chains *} |
|
78 |
|
79 text {* |
|
80 Technique: establish a chain of local facts, separated by \cmd{also} |
|
81 and terminated by \cmd{finally}; another goal has to follow to point |
|
82 out the final result. |
|
83 *} |
|
84 |
|
85 lemma "x1 = x4" |
|
86 proof - -- "do nothing yet" |
|
87 have "x1 = x2" sorry |
|
88 also |
|
89 have "x2 = x3" sorry |
|
90 also |
|
91 have "x3 = x4" sorry |
|
92 finally |
|
93 show "x1 = x4" . |
|
94 qed |
|
95 |
|
96 text {* |
|
97 This may be written more succinctly, using the special term binds |
|
98 ``@{text \<dots>}'' (for the right-hand side of the last statement) and |
|
99 ``@{text ?thesis}'' (for the original claim at the head of the |
|
100 proof). |
|
101 *} |
|
102 |
|
103 lemma "x1 = x4" |
|
104 proof - |
|
105 have "x1 = x2" sorry |
|
106 also have "\<dots> = x3" sorry |
|
107 also have "\<dots> = x4" sorry |
|
108 finally show ?thesis . |
|
109 qed |
|
110 |
|
111 text {* |
|
112 The (implicit) forward-chaining steps involved in \cmd{also} and |
|
113 \cmd{finally} are declared in the current context. The main library |
|
114 of Isabelle/HOL already knows about (mixed) transitivities of @{text |
|
115 "="}, @{text "<"}, @{text "\<le>"} etc. |
|
116 *} |
|
117 |
|
118 lemma "(x1::nat) < x6" |
|
119 -- {* restriction to type @{typ nat} ensures that @{text "<"} is really transitive *} |
|
120 proof - |
|
121 have "x1 < x2" sorry |
|
122 also have "\<dots> \<le> x3" sorry |
|
123 also have "\<dots> = x4" sorry |
|
124 also have "\<dots> < x5" sorry |
|
125 also have "\<dots> = x6" sorry |
|
126 finally show ?thesis . |
|
127 qed |
|
128 |
|
129 text {* |
|
130 We may also calculate on propositions. |
|
131 *} |
|
132 |
|
133 lemma True |
|
134 proof |
|
135 have "A \<longrightarrow> B \<longrightarrow> C" sorry |
|
136 also have A sorry |
|
137 also have B sorry |
|
138 finally have C . |
|
139 qed |
|
140 |
|
141 text {* |
|
142 This is getting pretty close to Dijkstra's preferred proof style. |
|
143 *} |
|
144 |
|
145 lemma True |
|
146 proof |
|
147 have [trans]: "\<And>X Y Z. X \<longrightarrow> Y \<Longrightarrow> Y \<longrightarrow> Z \<Longrightarrow> X \<longrightarrow> Z" by rules |
|
148 have "A \<longrightarrow> B" sorry |
|
149 also have "\<dots> \<longrightarrow> C" sorry |
|
150 also have "\<dots> \<longrightarrow> D" sorry |
|
151 finally have "A \<longrightarrow> D" . |
|
152 qed |
|
153 |
|
154 |
|
155 subsubsection {* Degenerate calculations and bigstep reasoning *} |
|
156 |
|
157 text {* |
|
158 Instead of \cmd{also}/\cmd{finally} we may use degenerative steps |
|
159 \cmd{moreover}/\cmd{ultimately} to accumulate facts, without |
|
160 applying any forward rules yet. |
|
161 *} |
|
162 |
|
163 lemma True |
|
164 proof |
|
165 have A sorry |
|
166 moreover have B sorry |
|
167 moreover have C sorry |
|
168 ultimately have A and B and C . -- "Pretty obvious, right?" |
|
169 qed |
|
170 |
|
171 text {* |
|
172 Both kinds of calculational elements may be used together. |
|
173 *} |
|
174 |
|
175 lemma True |
|
176 proof |
|
177 assume reasoning_pattern [trans]: "A \<Longrightarrow> B \<Longrightarrow> C \<Longrightarrow> D" |
|
178 have A sorry |
|
179 moreover have B sorry |
|
180 moreover have C sorry |
|
181 finally have D . |
|
182 qed |
|
183 |
|
184 |
|
185 subsection {* Natural deduction *} |
|
186 |
|
187 subsubsection {* Primitive patterns *} |
|
188 |
|
189 text {* |
|
190 The default theory context admits to perform canonical single-step |
|
191 reasoning (similar to Gentzen) without further ado. |
|
192 *} |
|
193 |
|
194 lemma True |
|
195 proof |
|
196 |
|
197 have True .. |
|
198 |
|
199 { assume False |
|
200 then have C .. } |
|
201 |
|
202 have "\<not> A" |
|
203 proof |
|
204 assume A |
|
205 show False sorry |
|
206 qed |
|
207 |
|
208 { assume "\<not> A" and A |
|
209 then have C .. } |
|
210 |
|
211 have "A \<longrightarrow> B" |
|
212 proof |
|
213 assume A |
|
214 show B sorry |
|
215 qed |
|
216 |
|
217 { assume "A \<longrightarrow> B" and A |
|
218 then have B .. } |
|
219 |
|
220 have "A \<and> B" |
|
221 proof |
|
222 show A sorry |
|
223 show B sorry |
|
224 qed |
|
225 |
|
226 { assume "A \<and> B" |
|
227 then have A .. } |
|
228 |
|
229 { assume "A \<and> B" |
|
230 then have B .. } |
|
231 |
|
232 { assume A |
|
233 then have "A \<or> B" .. } |
|
234 |
|
235 { assume B |
|
236 then have "A \<or> B" .. } |
|
237 |
|
238 { assume "A \<or> B" |
|
239 then have C |
|
240 proof |
|
241 assume A |
|
242 then show ?thesis sorry |
|
243 next |
|
244 assume B |
|
245 then show ?thesis sorry |
|
246 qed } |
|
247 |
|
248 have "\<forall>x. P x" |
|
249 proof |
|
250 fix x |
|
251 show "P x" sorry |
|
252 qed |
|
253 |
|
254 { assume "\<forall>x. P x" |
|
255 then have "P t" .. } |
|
256 |
|
257 have "\<exists>x. P x" |
|
258 proof |
|
259 show "P t" sorry |
|
260 qed |
|
261 |
|
262 { assume "\<exists>x. P x" |
|
263 then obtain x where "P x" .. |
|
264 note nothing -- "relax" } |
|
265 qed |
|
266 |
|
267 text {* |
|
268 Certainly, this works with derived rules for defined concepts in the |
|
269 same manner. E.g.\ use the simple-typed set-theory of Isabelle/HOL. *} |
|
270 |
|
271 lemma True |
|
272 proof |
|
273 have "y \<in> (\<Inter>x \<in> A. B x)" |
|
274 proof |
|
275 fix x |
|
276 assume "x \<in> A" |
|
277 show "y \<in> B x" sorry |
|
278 qed |
|
279 |
|
280 have "y \<in> (\<Union>x \<in> A. B x)" |
|
281 proof |
|
282 show "a \<in> A" sorry |
|
283 show "y \<in> B a" sorry |
|
284 qed |
|
285 qed |
|
286 |
|
287 |
|
288 subsubsection {* Variations in structure *} |
|
289 |
|
290 text {* |
|
291 The design of the Isar language takes the user seriously |
|
292 *} |
|
293 |
|
294 subsubsection {* Generalized elimination *} |
|
295 |
|
296 subsubsection {* Scalable cases and induction *} |
|
297 |
|
298 section {* Assimilating the old tactical style *} |
|
299 |
|
300 text {* |
|
301 Improper commands: |
|
302 Observation: every Isar subproof may start with a ``script'' of |
|
303 *} |
|
304 |
|
305 (*<*) |
|
306 end |
|
307 (*>*) |