779 \item [@{text "name = value"}] as an attribute expression modifies |
779 \item [@{text "name = value"}] as an attribute expression modifies |
780 the named option, with the syntax of the value depending on the |
780 the named option, with the syntax of the value depending on the |
781 option's type. For @{ML_type bool} the default value is @{text |
781 option's type. For @{ML_type bool} the default value is @{text |
782 true}. Any attempt to change a global option in a local context is |
782 true}. Any attempt to change a global option in a local context is |
783 ignored. |
783 ignored. |
784 |
|
785 \end{descr} |
|
786 *} |
|
787 |
|
788 |
|
789 section {* Derived proof schemes *} |
|
790 |
|
791 subsection {* Generalized elimination \label{sec:obtain} *} |
|
792 |
|
793 text {* |
|
794 \begin{matharray}{rcl} |
|
795 @{command_def "obtain"} & : & \isartrans{proof(state)}{proof(prove)} \\ |
|
796 @{command_def "guess"}@{text "\<^sup>*"} & : & \isartrans{proof(state)}{proof(prove)} \\ |
|
797 \end{matharray} |
|
798 |
|
799 Generalized elimination means that additional elements with certain |
|
800 properties may be introduced in the current context, by virtue of a |
|
801 locally proven ``soundness statement''. Technically speaking, the |
|
802 @{command "obtain"} language element is like a declaration of |
|
803 @{command "fix"} and @{command "assume"} (see also see |
|
804 \secref{sec:proof-context}), together with a soundness proof of its |
|
805 additional claim. According to the nature of existential reasoning, |
|
806 assumptions get eliminated from any result exported from the context |
|
807 later, provided that the corresponding parameters do \emph{not} |
|
808 occur in the conclusion. |
|
809 |
|
810 \begin{rail} |
|
811 'obtain' parname? (vars + 'and') 'where' (props + 'and') |
|
812 ; |
|
813 'guess' (vars + 'and') |
|
814 ; |
|
815 \end{rail} |
|
816 |
|
817 The derived Isar command @{command "obtain"} is defined as follows |
|
818 (where @{text "b\<^sub>1, \<dots>, b\<^sub>k"} shall refer to (optional) |
|
819 facts indicated for forward chaining). |
|
820 \begin{matharray}{l} |
|
821 @{text "\<langle>using b\<^sub>1 \<dots> b\<^sub>k\<rangle>"}~~@{command "obtain"}~@{text "x\<^sub>1 \<dots> x\<^sub>m \<WHERE> a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n \<langle>proof\<rangle> \<equiv>"} \\[1ex] |
|
822 \quad @{command "have"}~@{text "\<And>thesis. (\<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots> \<phi>\<^sub>n \<Longrightarrow> thesis) \<Longrightarrow> thesis"} \\ |
|
823 \quad @{command "proof"}~@{text succeed} \\ |
|
824 \qquad @{command "fix"}~@{text thesis} \\ |
|
825 \qquad @{command "assume"}~@{text "that [Pure.intro?]: \<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots> \<phi>\<^sub>n \<Longrightarrow> thesis"} \\ |
|
826 \qquad @{command "then"}~@{command "show"}~@{text thesis} \\ |
|
827 \quad\qquad @{command "apply"}~@{text -} \\ |
|
828 \quad\qquad @{command "using"}~@{text "b\<^sub>1 \<dots> b\<^sub>k \<langle>proof\<rangle>"} \\ |
|
829 \quad @{command "qed"} \\ |
|
830 \quad @{command "fix"}~@{text "x\<^sub>1 \<dots> x\<^sub>m"}~@{command "assume"}@{text "\<^sup>* a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"} \\ |
|
831 \end{matharray} |
|
832 |
|
833 Typically, the soundness proof is relatively straight-forward, often |
|
834 just by canonical automated tools such as ``@{command "by"}~@{text |
|
835 simp}'' or ``@{command "by"}~@{text blast}''. Accordingly, the |
|
836 ``@{text that}'' reduction above is declared as simplification and |
|
837 introduction rule. |
|
838 |
|
839 In a sense, @{command "obtain"} represents at the level of Isar |
|
840 proofs what would be meta-logical existential quantifiers and |
|
841 conjunctions. This concept has a broad range of useful |
|
842 applications, ranging from plain elimination (or introduction) of |
|
843 object-level existential and conjunctions, to elimination over |
|
844 results of symbolic evaluation of recursive definitions, for |
|
845 example. Also note that @{command "obtain"} without parameters acts |
|
846 much like @{command "have"}, where the result is treated as a |
|
847 genuine assumption. |
|
848 |
|
849 An alternative name to be used instead of ``@{text that}'' above may |
|
850 be given in parentheses. |
|
851 |
|
852 \medskip The improper variant @{command "guess"} is similar to |
|
853 @{command "obtain"}, but derives the obtained statement from the |
|
854 course of reasoning! The proof starts with a fixed goal @{text |
|
855 thesis}. The subsequent proof may refine this to anything of the |
|
856 form like @{text "\<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots> |
|
857 \<phi>\<^sub>n \<Longrightarrow> thesis"}, but must not introduce new subgoals. The |
|
858 final goal state is then used as reduction rule for the obtain |
|
859 scheme described above. Obtained parameters @{text "x\<^sub>1, \<dots>, |
|
860 x\<^sub>m"} are marked as internal by default, which prevents the |
|
861 proof context from being polluted by ad-hoc variables. The variable |
|
862 names and type constraints given as arguments for @{command "guess"} |
|
863 specify a prefix of obtained parameters explicitly in the text. |
|
864 |
|
865 It is important to note that the facts introduced by @{command |
|
866 "obtain"} and @{command "guess"} may not be polymorphic: any |
|
867 type-variables occurring here are fixed in the present context! |
|
868 *} |
|
869 |
|
870 |
|
871 subsection {* Calculational reasoning \label{sec:calculation} *} |
|
872 |
|
873 text {* |
|
874 \begin{matharray}{rcl} |
|
875 @{command_def "also"} & : & \isartrans{proof(state)}{proof(state)} \\ |
|
876 @{command_def "finally"} & : & \isartrans{proof(state)}{proof(chain)} \\ |
|
877 @{command_def "moreover"} & : & \isartrans{proof(state)}{proof(state)} \\ |
|
878 @{command_def "ultimately"} & : & \isartrans{proof(state)}{proof(chain)} \\ |
|
879 @{command_def "print_trans_rules"}@{text "\<^sup>*"} & : & \isarkeep{theory~|~proof} \\ |
|
880 @{attribute trans} & : & \isaratt \\ |
|
881 @{attribute sym} & : & \isaratt \\ |
|
882 @{attribute symmetric} & : & \isaratt \\ |
|
883 \end{matharray} |
|
884 |
|
885 Calculational proof is forward reasoning with implicit application |
|
886 of transitivity rules (such those of @{text "="}, @{text "\<le>"}, |
|
887 @{text "<"}). Isabelle/Isar maintains an auxiliary fact register |
|
888 @{fact_ref calculation} for accumulating results obtained by |
|
889 transitivity composed with the current result. Command @{command |
|
890 "also"} updates @{fact calculation} involving @{fact this}, while |
|
891 @{command "finally"} exhibits the final @{fact calculation} by |
|
892 forward chaining towards the next goal statement. Both commands |
|
893 require valid current facts, i.e.\ may occur only after commands |
|
894 that produce theorems such as @{command "assume"}, @{command |
|
895 "note"}, or some finished proof of @{command "have"}, @{command |
|
896 "show"} etc. The @{command "moreover"} and @{command "ultimately"} |
|
897 commands are similar to @{command "also"} and @{command "finally"}, |
|
898 but only collect further results in @{fact calculation} without |
|
899 applying any rules yet. |
|
900 |
|
901 Also note that the implicit term abbreviation ``@{text "\<dots>"}'' has |
|
902 its canonical application with calculational proofs. It refers to |
|
903 the argument of the preceding statement. (The argument of a curried |
|
904 infix expression happens to be its right-hand side.) |
|
905 |
|
906 Isabelle/Isar calculations are implicitly subject to block structure |
|
907 in the sense that new threads of calculational reasoning are |
|
908 commenced for any new block (as opened by a local goal, for |
|
909 example). This means that, apart from being able to nest |
|
910 calculations, there is no separate \emph{begin-calculation} command |
|
911 required. |
|
912 |
|
913 \medskip The Isar calculation proof commands may be defined as |
|
914 follows:\footnote{We suppress internal bookkeeping such as proper |
|
915 handling of block-structure.} |
|
916 |
|
917 \begin{matharray}{rcl} |
|
918 @{command "also"}@{text "\<^sub>0"} & \equiv & @{command "note"}~@{text "calculation = this"} \\ |
|
919 @{command "also"}@{text "\<^sub>n\<^sub>+\<^sub>1"} & \equiv & @{command "note"}~@{text "calculation = trans [OF calculation this]"} \\[0.5ex] |
|
920 @{command "finally"} & \equiv & @{command "also"}~@{command "from"}~@{text calculation} \\[0.5ex] |
|
921 @{command "moreover"} & \equiv & @{command "note"}~@{text "calculation = calculation this"} \\ |
|
922 @{command "ultimately"} & \equiv & @{command "moreover"}~@{command "from"}~@{text calculation} \\ |
|
923 \end{matharray} |
|
924 |
|
925 \begin{rail} |
|
926 ('also' | 'finally') ('(' thmrefs ')')? |
|
927 ; |
|
928 'trans' (() | 'add' | 'del') |
|
929 ; |
|
930 \end{rail} |
|
931 |
|
932 \begin{descr} |
|
933 |
|
934 \item [@{command "also"}~@{text "(a\<^sub>1 \<dots> a\<^sub>n)"}] |
|
935 maintains the auxiliary @{fact calculation} register as follows. |
|
936 The first occurrence of @{command "also"} in some calculational |
|
937 thread initializes @{fact calculation} by @{fact this}. Any |
|
938 subsequent @{command "also"} on the same level of block-structure |
|
939 updates @{fact calculation} by some transitivity rule applied to |
|
940 @{fact calculation} and @{fact this} (in that order). Transitivity |
|
941 rules are picked from the current context, unless alternative rules |
|
942 are given as explicit arguments. |
|
943 |
|
944 \item [@{command "finally"}~@{text "(a\<^sub>1 \<dots> a\<^sub>n)"}] |
|
945 maintaining @{fact calculation} in the same way as @{command |
|
946 "also"}, and concludes the current calculational thread. The final |
|
947 result is exhibited as fact for forward chaining towards the next |
|
948 goal. Basically, @{command "finally"} just abbreviates @{command |
|
949 "also"}~@{command "from"}~@{fact calculation}. Typical idioms for |
|
950 concluding calculational proofs are ``@{command "finally"}~@{command |
|
951 "show"}~@{text ?thesis}~@{command "."}'' and ``@{command |
|
952 "finally"}~@{command "have"}~@{text \<phi>}~@{command "."}''. |
|
953 |
|
954 \item [@{command "moreover"} and @{command "ultimately"}] are |
|
955 analogous to @{command "also"} and @{command "finally"}, but collect |
|
956 results only, without applying rules. |
|
957 |
|
958 \item [@{command "print_trans_rules"}] prints the list of |
|
959 transitivity rules (for calculational commands @{command "also"} and |
|
960 @{command "finally"}) and symmetry rules (for the @{attribute |
|
961 symmetric} operation and single step elimination patters) of the |
|
962 current context. |
|
963 |
|
964 \item [@{attribute trans}] declares theorems as transitivity rules. |
|
965 |
|
966 \item [@{attribute sym}] declares symmetry rules, as well as |
|
967 @{attribute "Pure.elim?"} rules. |
|
968 |
|
969 \item [@{attribute symmetric}] resolves a theorem with some rule |
|
970 declared as @{attribute sym} in the current context. For example, |
|
971 ``@{command "assume"}~@{text "[symmetric]: x = y"}'' produces a |
|
972 swapped fact derived from that assumption. |
|
973 |
|
974 In structured proof texts it is often more appropriate to use an |
|
975 explicit single-step elimination proof, such as ``@{command |
|
976 "assume"}~@{text "x = y"}~@{command "then"}~@{command "have"}~@{text |
|
977 "y = x"}~@{command ".."}''. |
|
978 |
784 |
979 \end{descr} |
785 \end{descr} |
980 *} |
786 *} |
981 |
787 |
982 |
788 |