16 text {* In order to get a first idea of how Isabelle/Isar proof |
16 text {* In order to get a first idea of how Isabelle/Isar proof |
17 documents may look like, we consider the propositions @{text I}, |
17 documents may look like, we consider the propositions @{text I}, |
18 @{text K}, and @{text S}. The following (rather explicit) proofs |
18 @{text K}, and @{text S}. The following (rather explicit) proofs |
19 should require little extra explanations. *} |
19 should require little extra explanations. *} |
20 |
20 |
21 lemma I: "A --> A" |
21 lemma I: "A \<longrightarrow> A" |
22 proof |
22 proof |
23 assume A |
23 assume A |
24 show A by fact |
24 show A by fact |
25 qed |
25 qed |
26 |
26 |
27 lemma K: "A --> B --> A" |
27 lemma K: "A \<longrightarrow> B \<longrightarrow> A" |
28 proof |
28 proof |
29 assume A |
29 assume A |
30 show "B --> A" |
30 show "B \<longrightarrow> A" |
31 proof |
31 proof |
32 show A by fact |
32 show A by fact |
33 qed |
33 qed |
34 qed |
34 qed |
35 |
35 |
36 lemma S: "(A --> B --> C) --> (A --> B) --> A --> C" |
36 lemma S: "(A \<longrightarrow> B \<longrightarrow> C) \<longrightarrow> (A \<longrightarrow> B) \<longrightarrow> A \<longrightarrow> C" |
37 proof |
37 proof |
38 assume "A --> B --> C" |
38 assume "A \<longrightarrow> B \<longrightarrow> C" |
39 show "(A --> B) --> A --> C" |
39 show "(A \<longrightarrow> B) \<longrightarrow> A \<longrightarrow> C" |
40 proof |
40 proof |
41 assume "A --> B" |
41 assume "A \<longrightarrow> B" |
42 show "A --> C" |
42 show "A \<longrightarrow> C" |
43 proof |
43 proof |
44 assume A |
44 assume A |
45 show C |
45 show C |
46 proof (rule mp) |
46 proof (rule mp) |
47 show "B --> C" by (rule mp) fact+ |
47 show "B \<longrightarrow> C" by (rule mp) fact+ |
48 show B by (rule mp) fact+ |
48 show B by (rule mp) fact+ |
49 qed |
49 qed |
50 qed |
50 qed |
51 qed |
51 qed |
52 qed |
52 qed |
70 any remaining goals by assumption\footnote{This is not a completely |
70 any remaining goals by assumption\footnote{This is not a completely |
71 trivial operation, as proof by assumption may involve full |
71 trivial operation, as proof by assumption may involve full |
72 higher-order unification.}. Thus we may skip the rather vacuous |
72 higher-order unification.}. Thus we may skip the rather vacuous |
73 body of the above proof as well. *} |
73 body of the above proof as well. *} |
74 |
74 |
75 lemma "A --> A" |
75 lemma "A \<longrightarrow> A" |
76 proof |
76 proof |
77 qed |
77 qed |
78 |
78 |
79 text {* Note that the \isacommand{proof} command refers to the @{text |
79 text {* Note that the \isacommand{proof} command refers to the @{text |
80 rule} method (without arguments) by default. Thus it implicitly |
80 rule} method (without arguments) by default. Thus it implicitly |
81 applies a single rule, as determined from the syntactic form of the |
81 applies a single rule, as determined from the syntactic form of the |
82 statements involved. The \isacommand{by} command abbreviates any |
82 statements involved. The \isacommand{by} command abbreviates any |
83 proof with empty body, so the proof may be further pruned. *} |
83 proof with empty body, so the proof may be further pruned. *} |
84 |
84 |
85 lemma "A --> A" |
85 lemma "A \<longrightarrow> A" |
86 by rule |
86 by rule |
87 |
87 |
88 text {* Proof by a single rule may be abbreviated as double-dot. *} |
88 text {* Proof by a single rule may be abbreviated as double-dot. *} |
89 |
89 |
90 lemma "A --> A" .. |
90 lemma "A \<longrightarrow> A" .. |
91 |
91 |
92 text {* Thus we have arrived at an adequate representation of the |
92 text {* Thus we have arrived at an adequate representation of the |
93 proof of a tautology that holds by a single standard |
93 proof of a tautology that holds by a single standard |
94 rule.\footnote{Apparently, the rule here is implication |
94 rule.\footnote{Apparently, the rule here is implication |
95 introduction.} *} |
95 introduction.} *} |
101 |
101 |
102 The @{text intro} proof method repeatedly decomposes a goal's |
102 The @{text intro} proof method repeatedly decomposes a goal's |
103 conclusion.\footnote{The dual method is @{text elim}, acting on a |
103 conclusion.\footnote{The dual method is @{text elim}, acting on a |
104 goal's premises.} *} |
104 goal's premises.} *} |
105 |
105 |
106 lemma "A --> B --> A" |
106 lemma "A \<longrightarrow> B \<longrightarrow> A" |
107 proof (intro impI) |
107 proof (intro impI) |
108 assume A |
108 assume A |
109 show A by fact |
109 show A by fact |
110 qed |
110 qed |
111 |
111 |
112 text {* Again, the body may be collapsed. *} |
112 text {* Again, the body may be collapsed. *} |
113 |
113 |
114 lemma "A --> B --> A" |
114 lemma "A \<longrightarrow> B \<longrightarrow> A" |
115 by (intro impI) |
115 by (intro impI) |
116 |
116 |
117 text {* Just like @{text rule}, the @{text intro} and @{text elim} |
117 text {* Just like @{text rule}, the @{text intro} and @{text elim} |
118 proof methods pick standard structural rules, in case no explicit |
118 proof methods pick standard structural rules, in case no explicit |
119 arguments are given. While implicit rules are usually just fine for |
119 arguments are given. While implicit rules are usually just fine for |
138 reasoning as a first-class concept. In order to demonstrate the |
138 reasoning as a first-class concept. In order to demonstrate the |
139 difference, we consider several proofs of @{text "A \<and> B \<longrightarrow> B \<and> A"}. |
139 difference, we consider several proofs of @{text "A \<and> B \<longrightarrow> B \<and> A"}. |
140 |
140 |
141 The first version is purely backward. *} |
141 The first version is purely backward. *} |
142 |
142 |
143 lemma "A & B --> B & A" |
143 lemma "A \<and> B \<longrightarrow> B \<and> A" |
144 proof |
144 proof |
145 assume "A & B" |
145 assume "A \<and> B" |
146 show "B & A" |
146 show "B \<and> A" |
147 proof |
147 proof |
148 show B by (rule conjunct2) fact |
148 show B by (rule conjunct2) fact |
149 show A by (rule conjunct1) fact |
149 show A by (rule conjunct1) fact |
150 qed |
150 qed |
151 qed |
151 qed |
156 \isacommand{from} to focus on the @{text "A \<and> B"} assumption as the |
156 \isacommand{from} to focus on the @{text "A \<and> B"} assumption as the |
157 current facts, enabling the use of double-dot proofs. Note that |
157 current facts, enabling the use of double-dot proofs. Note that |
158 \isacommand{from} already does forward-chaining, involving the |
158 \isacommand{from} already does forward-chaining, involving the |
159 @{text conjE} rule here. *} |
159 @{text conjE} rule here. *} |
160 |
160 |
161 lemma "A & B --> B & A" |
161 lemma "A \<and> B \<longrightarrow> B \<and> A" |
162 proof |
162 proof |
163 assume "A & B" |
163 assume "A \<and> B" |
164 show "B & A" |
164 show "B \<and> A" |
165 proof |
165 proof |
166 from `A & B` show B .. |
166 from `A \<and> B` show B .. |
167 from `A & B` show A .. |
167 from `A \<and> B` show A .. |
168 qed |
168 qed |
169 qed |
169 qed |
170 |
170 |
171 text {* In the next version, we move the forward step one level |
171 text {* In the next version, we move the forward step one level |
172 upwards. Forward-chaining from the most recent facts is indicated |
172 upwards. Forward-chaining from the most recent facts is indicated |
174 from @{text "A \<and> B"} actually becomes an elimination, rather than an |
174 from @{text "A \<and> B"} actually becomes an elimination, rather than an |
175 introduction. The resulting proof structure directly corresponds to |
175 introduction. The resulting proof structure directly corresponds to |
176 that of the @{text conjE} rule, including the repeated goal |
176 that of the @{text conjE} rule, including the repeated goal |
177 proposition that is abbreviated as @{text ?thesis} below. *} |
177 proposition that is abbreviated as @{text ?thesis} below. *} |
178 |
178 |
179 lemma "A & B --> B & A" |
179 lemma "A \<and> B \<longrightarrow> B \<and> A" |
180 proof |
180 proof |
181 assume "A & B" |
181 assume "A \<and> B" |
182 then show "B & A" |
182 then show "B \<and> A" |
183 proof -- {* rule @{text conjE} of @{text "A \<and> B"} *} |
183 proof -- {* rule @{text conjE} of @{text "A \<and> B"} *} |
184 assume B A |
184 assume B A |
185 then show ?thesis .. -- {* rule @{text conjI} of @{text "B \<and> A"} *} |
185 then show ?thesis .. -- {* rule @{text conjI} of @{text "B \<and> A"} *} |
186 qed |
186 qed |
187 qed |
187 qed |
188 |
188 |
189 text {* In the subsequent version we flatten the structure of the main |
189 text {* In the subsequent version we flatten the structure of the main |
190 body by doing forward reasoning all the time. Only the outermost |
190 body by doing forward reasoning all the time. Only the outermost |
191 decomposition step is left as backward. *} |
191 decomposition step is left as backward. *} |
192 |
192 |
193 lemma "A & B --> B & A" |
193 lemma "A \<and> B \<longrightarrow> B \<and> A" |
194 proof |
194 proof |
195 assume "A & B" |
195 assume "A \<and> B" |
196 from `A & B` have A .. |
196 from `A \<and> B` have A .. |
197 from `A & B` have B .. |
197 from `A \<and> B` have B .. |
198 from `B` `A` show "B & A" .. |
198 from `B` `A` show "B \<and> A" .. |
199 qed |
199 qed |
200 |
200 |
201 text {* We can still push forward-reasoning a bit further, even at the |
201 text {* We can still push forward-reasoning a bit further, even at the |
202 risk of getting ridiculous. Note that we force the initial proof |
202 risk of getting ridiculous. Note that we force the initial proof |
203 step to do nothing here, by referring to the ``-'' proof method. *} |
203 step to do nothing here, by referring to the ``-'' proof method. *} |
204 |
204 |
205 lemma "A & B --> B & A" |
205 lemma "A \<and> B \<longrightarrow> B \<and> A" |
206 proof - |
206 proof - |
207 { |
207 { |
208 assume "A & B" |
208 assume "A \<and> B" |
209 from `A & B` have A .. |
209 from `A \<and> B` have A .. |
210 from `A & B` have B .. |
210 from `A \<and> B` have B .. |
211 from `B` `A` have "B & A" .. |
211 from `B` `A` have "B \<and> A" .. |
212 } |
212 } |
213 then show ?thesis .. -- {* rule @{text impI} *} |
213 then show ?thesis .. -- {* rule @{text impI} *} |
214 qed |
214 qed |
215 |
215 |
216 text {* \medskip With these examples we have shifted through a whole |
216 text {* \medskip With these examples we have shifted through a whole |
254 |
254 |
255 text {* We consider the proposition @{text "P \<or> P \<longrightarrow> P"}. The proof |
255 text {* We consider the proposition @{text "P \<or> P \<longrightarrow> P"}. The proof |
256 below involves forward-chaining from @{text "P \<or> P"}, followed by an |
256 below involves forward-chaining from @{text "P \<or> P"}, followed by an |
257 explicit case-analysis on the two \emph{identical} cases. *} |
257 explicit case-analysis on the two \emph{identical} cases. *} |
258 |
258 |
259 lemma "P | P --> P" |
259 lemma "P \<or> P \<longrightarrow> P" |
260 proof |
260 proof |
261 assume "P | P" |
261 assume "P \<or> P" |
262 then show P |
262 then show P |
263 proof -- {* |
263 proof -- {* |
264 rule @{text disjE}: \smash{$\infer{C}{A \disj B & \infer*{C}{[A]} & \infer*{C}{[B]}}$} |
264 rule @{text disjE}: \smash{$\infer{C}{A \disj B & \infer*{C}{[A]} & \infer*{C}{[B]}}$} |
265 *} |
265 *} |
266 assume P show P by fact |
266 assume P show P by fact |
305 text {* Again, the rather vacuous body of the proof may be collapsed. |
305 text {* Again, the rather vacuous body of the proof may be collapsed. |
306 Thus the case analysis degenerates into two assumption steps, which |
306 Thus the case analysis degenerates into two assumption steps, which |
307 are implicitly performed when concluding the single rule step of the |
307 are implicitly performed when concluding the single rule step of the |
308 double-dot proof as follows. *} |
308 double-dot proof as follows. *} |
309 |
309 |
310 lemma "P | P --> P" |
310 lemma "P \<or> P --> P" |
311 proof |
311 proof |
312 assume "P | P" |
312 assume "P \<or> P" |
313 then show P .. |
313 then show P .. |
314 qed |
314 qed |
315 |
315 |
316 |
316 |
317 subsubsection {* A quantifier proof *} |
317 subsubsection {* A quantifier proof *} |
326 instantiation. Furthermore, we encounter two new language elements: |
326 instantiation. Furthermore, we encounter two new language elements: |
327 the \isacommand{fix} command augments the context by some new |
327 the \isacommand{fix} command augments the context by some new |
328 ``arbitrary, but fixed'' element; the \isacommand{is} annotation |
328 ``arbitrary, but fixed'' element; the \isacommand{is} annotation |
329 binds term abbreviations by higher-order pattern matching. *} |
329 binds term abbreviations by higher-order pattern matching. *} |
330 |
330 |
331 lemma "(EX x. P (f x)) --> (EX y. P y)" |
331 lemma "(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)" |
332 proof |
332 proof |
333 assume "EX x. P (f x)" |
333 assume "\<exists>x. P (f x)" |
334 then show "EX y. P y" |
334 then show "\<exists>y. P y" |
335 proof (rule exE) -- {* |
335 proof (rule exE) -- {* |
336 rule @{text exE}: \smash{$\infer{B}{\ex x A(x) & \infer*{B}{[A(x)]_x}}$} |
336 rule @{text exE}: \smash{$\infer{B}{\ex x A(x) & \infer*{B}{[A(x)]_x}}$} |
337 *} |
337 *} |
338 fix a |
338 fix a |
339 assume "P (f a)" (is "P ?witness") |
339 assume "P (f a)" (is "P ?witness") |
346 redundant. Above, the basic proof outline gives already enough |
346 redundant. Above, the basic proof outline gives already enough |
347 structural clues for the system to infer both the rules and their |
347 structural clues for the system to infer both the rules and their |
348 instances (by higher-order unification). Thus we may as well prune |
348 instances (by higher-order unification). Thus we may as well prune |
349 the text as follows. *} |
349 the text as follows. *} |
350 |
350 |
351 lemma "(EX x. P (f x)) --> (EX y. P y)" |
351 lemma "(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)" |
352 proof |
352 proof |
353 assume "EX x. P (f x)" |
353 assume "\<exists>x. P (f x)" |
354 then show "EX y. P y" |
354 then show "\<exists>y. P y" |
355 proof |
355 proof |
356 fix a |
356 fix a |
357 assume "P (f a)" |
357 assume "P (f a)" |
358 then show ?thesis .. |
358 then show ?thesis .. |
359 qed |
359 qed |
362 text {* Explicit @{text \<exists>}-elimination as seen above can become quite |
362 text {* Explicit @{text \<exists>}-elimination as seen above can become quite |
363 cumbersome in practice. The derived Isar language element |
363 cumbersome in practice. The derived Isar language element |
364 ``\isakeyword{obtain}'' provides a more handsome way to do |
364 ``\isakeyword{obtain}'' provides a more handsome way to do |
365 generalized existence reasoning. *} |
365 generalized existence reasoning. *} |
366 |
366 |
367 lemma "(EX x. P (f x)) --> (EX y. P y)" |
367 lemma "(\<exists>x. P (f x)) \<longrightarrow> (\<exists>y. P y)" |
368 proof |
368 proof |
369 assume "EX x. P (f x)" |
369 assume "\<exists>x. P (f x)" |
370 then obtain a where "P (f a)" .. |
370 then obtain a where "P (f a)" .. |
371 then show "EX y. P y" .. |
371 then show "\<exists>y. P y" .. |
372 qed |
372 qed |
373 |
373 |
374 text {* Technically, \isakeyword{obtain} is similar to |
374 text {* Technically, \isakeyword{obtain} is similar to |
375 \isakeyword{fix} and \isakeyword{assume} together with a soundness |
375 \isakeyword{fix} and \isakeyword{assume} together with a soundness |
376 proof of the elimination involved. Thus it behaves similar to any |
376 proof of the elimination involved. Thus it behaves similar to any |
385 text {* We derive the conjunction elimination rule from the |
385 text {* We derive the conjunction elimination rule from the |
386 corresponding projections. The proof is quite straight-forward, |
386 corresponding projections. The proof is quite straight-forward, |
387 since Isabelle/Isar supports non-atomic goals and assumptions fully |
387 since Isabelle/Isar supports non-atomic goals and assumptions fully |
388 transparently. *} |
388 transparently. *} |
389 |
389 |
390 theorem conjE: "A & B ==> (A ==> B ==> C) ==> C" |
390 theorem conjE: "A \<and> B \<Longrightarrow> (A \<Longrightarrow> B \<Longrightarrow> C) \<Longrightarrow> C" |
391 proof - |
391 proof - |
392 assume "A & B" |
392 assume "A \<and> B" |
393 assume r: "A ==> B ==> C" |
393 assume r: "A \<Longrightarrow> B \<Longrightarrow> C" |
394 show C |
394 show C |
395 proof (rule r) |
395 proof (rule r) |
396 show A by (rule conjunct1) fact |
396 show A by (rule conjunct1) fact |
397 show B by (rule conjunct2) fact |
397 show B by (rule conjunct2) fact |
398 qed |
398 qed |