244 achieve just the \emph{right} balance of top-down backward |
244 achieve just the \emph{right} balance of top-down backward |
245 decomposition, and bottom-up forward composition. In practice, there |
245 decomposition, and bottom-up forward composition. In practice, there |
246 is no single best way to arrange some pieces of formal reasoning, of |
246 is no single best way to arrange some pieces of formal reasoning, of |
247 course. Depending on the actual applications, the intended audience |
247 course. Depending on the actual applications, the intended audience |
248 etc., certain aspects such as rules~/ methods vs.\ facts have to be |
248 etc., certain aspects such as rules~/ methods vs.\ facts have to be |
249 emphasised in an appropriate way. This requires the proof writer to |
249 emphasized in an appropriate way. This requires the proof writer to |
250 develop good taste, and some practice, of course. |
250 develop good taste, and some practice, of course. |
251 *}; |
251 *}; |
252 |
252 |
253 text {* |
253 text {* |
254 For our example the most appropriate way of reasoning is probably the |
254 For our example the most appropriate way of reasoning is probably the |
273 |
273 |
274 subsection {* A few examples from ``Introduction to Isabelle'' *}; |
274 subsection {* A few examples from ``Introduction to Isabelle'' *}; |
275 |
275 |
276 text {* |
276 text {* |
277 We rephrase some of the basic reasoning examples of |
277 We rephrase some of the basic reasoning examples of |
278 \cite{isabelle-intro}. |
278 \cite{isabelle-intro} (using HOL rather than FOL). |
279 *}; |
279 *}; |
280 |
280 |
281 subsubsection {* Propositional proof *}; |
281 subsubsection {* A propositional proof *}; |
|
282 |
|
283 text {* |
|
284 We consider the proposition $P \disj P \impl P$. The proof below |
|
285 involves forward-chaining from $P \disj P$, followed by an explicit |
|
286 case-analysis on the two \emph{identical} cases. |
|
287 *}; |
282 |
288 |
283 lemma "P | P --> P"; |
289 lemma "P | P --> P"; |
284 proof; |
290 proof; |
285 assume "P | P"; |
291 assume "P | P"; |
286 then; show P; |
292 thus P; |
|
293 proof -- {* |
|
294 rule \name{disjE}: \smash{$\infer{C}{A \disj B & \infer*{C}{[A]} & \infer*{C}{[B]}}$} |
|
295 *}; |
|
296 assume P; show P; .; |
|
297 next; |
|
298 assume P; show P; .; |
|
299 qed; |
|
300 qed; |
|
301 |
|
302 text {* |
|
303 Case splits are \emph{not} hardwired into the Isar language as a |
|
304 special feature. The \isacommand{next} command used to separate the |
|
305 cases above is just a short form of managing block structure. |
|
306 |
|
307 \medskip In general, applying proof methods may split up a goal into |
|
308 separate ``cases'', i.e.\ new subgoals with individual local |
|
309 assumptions. The corresponding proof text typically mimics this by |
|
310 establishing results in appropriate contexts, separated by blocks. |
|
311 |
|
312 In order to avoid too much explicit bracketing, the Isar system |
|
313 implicitly opens an additional block for any new goal, the |
|
314 \isacommand{next} statement then closes one block level, opening a |
|
315 new one. The resulting behavior is what one might expect from |
|
316 separating cases, only that it is more flexible. E.g. an induction |
|
317 base case (which does not introduce local assumptions) would |
|
318 \emph{not} require \isacommand{next} to separate the subsequent step |
|
319 case. |
|
320 |
|
321 \medskip In our example the situation is even simpler, since the two |
|
322 ``cases'' actually coincide. Consequently the proof may be rephrased |
|
323 as follows. |
|
324 *}; |
|
325 |
|
326 lemma "P | P --> P"; |
|
327 proof; |
|
328 assume "P | P"; |
|
329 thus P; |
287 proof; |
330 proof; |
288 assume P; |
331 assume P; |
289 show P; .; |
332 show P; .; |
290 show P; .; |
333 show P; .; |
291 qed; |
334 qed; |
292 qed; |
335 qed; |
293 |
336 |
|
337 text {* |
|
338 Again, the rather vacuous body of the proof may be collapsed. Thus |
|
339 the case analysis degenerates into two assumption steps, which |
|
340 are implicitly performed when concluding the single rule step of the |
|
341 double-dot proof below. |
|
342 *}; |
|
343 |
294 lemma "P | P --> P"; |
344 lemma "P | P --> P"; |
295 proof; |
345 proof; |
296 assume "P | P"; |
346 assume "P | P"; |
297 then; show P; ..; |
347 thus P; ..; |
298 qed; |
348 qed; |
299 |
349 |
300 |
350 |
301 subsubsection {* Quantifier proof *}; |
351 subsubsection {* A quantifier proof *}; |
302 |
352 |
303 lemma "(EX x. P(f(x))) --> (EX x. P(x))"; |
353 text {* |
304 proof; |
354 To illustrate quantifier reasoning, let us prove $(\ex x P \ap (f \ap |
305 assume "EX x. P(f(x))"; |
355 x)) \impl (\ex x P \ap x)$. Informally, this holds because any $a$ |
306 then; show "EX x. P(x)"; |
356 with $P \ap (f \ap a)$ may be taken as a witness for the second |
307 proof (rule exE); |
357 existential statement. |
|
358 |
|
359 The first proof is rather verbose, exhibiting quite a lot of |
|
360 (redundant) detail. It gives explicit rules, even with some |
|
361 instantiation. Furthermore, we encounter two new language elements: |
|
362 the \isacommand{fix} command augments the context by some new |
|
363 ``arbitrary, but fixed'' element; the \isacommand{is} annotation |
|
364 binds term abbreviations by higher-order pattern matching. |
|
365 *}; |
|
366 |
|
367 lemma "(EX x. P (f x)) --> (EX x. P x)"; |
|
368 proof; |
|
369 assume "EX x. P (f x)"; |
|
370 thus "EX x. P x"; |
|
371 proof (rule exE) -- {* |
|
372 rule \name{exE}: \smash{$\infer{B}{\ex x A(x) & \infer*{B}{[A(x)]_x}}$} |
|
373 *}; |
308 fix a; |
374 fix a; |
309 assume "P(f(a))" (is "P(?witness)"); |
375 assume "P (f a)" (is "P ?witness"); |
310 show ?thesis; by (rule exI [of P ?witness]); |
376 show ?thesis; by (rule exI [of P ?witness]); |
311 qed; |
377 qed; |
312 qed; |
378 qed; |
313 |
379 |
314 lemma "(EX x. P(f(x))) --> (EX x. P(x))"; |
380 text {* |
315 proof; |
381 While explicit rule instantiation may occasionally help to improve |
316 assume "EX x. P(f(x))"; |
382 the readability of certain aspects of reasoning it is usually quite |
317 then; show "EX x. P(x)"; |
383 redundant. Above, the basic proof outline gives already enough |
|
384 structural clues for the system to infer both the rules and their |
|
385 instances (by higher-order unification). Thus we may as well prune |
|
386 the text as follows. |
|
387 *}; |
|
388 |
|
389 lemma "(EX x. P (f x)) --> (EX x. P x)"; |
|
390 proof; |
|
391 assume "EX x. P (f x)"; |
|
392 thus "EX x. P x"; |
318 proof; |
393 proof; |
319 fix a; |
394 fix a; |
320 assume "P(f(a))"; |
395 assume "P (f a)"; |
321 show ?thesis; ..; |
396 show ?thesis; ..; |
322 qed; |
397 qed; |
323 qed; |
398 qed; |
324 |
399 |
325 lemma "(EX x. P(f(x))) --> (EX x. P(x))"; |
|
326 by blast; |
|
327 |
|
328 |
400 |
329 subsubsection {* Deriving rules in Isabelle *}; |
401 subsubsection {* Deriving rules in Isabelle *}; |
330 |
402 |
331 text {* We derive the conjunction elimination rule from the |
403 text {* |
332 projections. The proof below follows the basic reasoning of the |
404 We derive the conjunction elimination rule from the projections. The |
333 script given in the Isabelle Intro Manual closely. Although, the |
405 proof below follows is quite straight-forward, since Isabelle/Isar |
334 actual underlying operations on rules and proof states are quite |
406 supports non-atomic goals and assumptions fully transparently. Note |
335 different: Isabelle/Isar supports non-atomic goals and assumptions |
407 that this is in contrast to classic Isabelle: the corresponding |
336 fully transparently, while the original Isabelle classic script |
408 tactic script given in \cite{isabelle-intro} depends on the primitive |
337 depends on the primitive goal command to decompose the rule into |
409 goal command to decompose the rule into premises and conclusion, with |
338 premises and conclusion, with the result emerging by discharging the |
410 the result emerging by discharging the context again later. |
339 context again later. *}; |
411 *}; |
340 |
412 |
341 theorem conjE: "A & B ==> (A ==> B ==> C) ==> C"; |
413 theorem conjE: "A & B ==> (A ==> B ==> C) ==> C"; |
342 proof -; |
414 proof -; |
343 assume ab: "A & B"; |
415 assume "A & B"; |
344 assume ab_c: "A ==> B ==> C"; |
416 assume ab_c: "A ==> B ==> C"; |
345 show C; |
417 show C; |
346 proof (rule ab_c); |
418 proof (rule ab_c); |
347 from ab; show A; ..; |
419 show A; by (rule conjunct1); |
348 from ab; show B; ..; |
420 show B; by (rule conjunct2); |
349 qed; |
421 qed; |
350 qed; |
422 qed; |
351 |
423 |
352 end; |
424 end; |