wenzelm@29730: wenzelm@58889: section \Example: First-Order Logic\ wenzelm@29730: wenzelm@29730: theory %visible First_Order_Logic wenzelm@42651: imports Base (* FIXME Pure!? *) wenzelm@29730: begin wenzelm@29730: wenzelm@58618: text \ wenzelm@29732: \noindent In order to commence a new object-logic within wenzelm@29732: Isabelle/Pure we introduce abstract syntactic categories @{text "i"} wenzelm@29732: for individuals and @{text "o"} for object-propositions. The latter wenzelm@29732: is embedded into the language of Pure propositions by means of a wenzelm@29732: separate judgment. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: typedecl i wenzelm@29730: typedecl o wenzelm@29730: wenzelm@29730: judgment wenzelm@29730: Trueprop :: "o \ prop" ("_" 5) wenzelm@29730: wenzelm@58618: text \ wenzelm@56594: \noindent Note that the object-logic judgment is implicit in the wenzelm@29730: syntax: writing @{prop A} produces @{term "Trueprop A"} internally. wenzelm@29730: From the Pure perspective this means ``@{prop A} is derivable in the wenzelm@29730: object-logic''. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: wenzelm@58618: subsection \Equational reasoning \label{sec:framework-ex-equal}\ wenzelm@29730: wenzelm@58618: text \ wenzelm@29730: Equality is axiomatized as a binary predicate on individuals, with wenzelm@29730: reflexivity as introduction, and substitution as elimination wenzelm@29730: principle. Note that the latter is particularly convenient in a wenzelm@29730: framework like Isabelle, because syntactic congruences are wenzelm@29730: implicitly produced by unification of @{term "B x"} against wenzelm@29730: expressions containing occurrences of @{term x}. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: axiomatization wenzelm@29730: equal :: "i \ i \ o" (infix "=" 50) wenzelm@29730: where wenzelm@29730: refl [intro]: "x = x" and wenzelm@29730: subst [elim]: "x = y \ B x \ B y" wenzelm@29730: wenzelm@58618: text \ wenzelm@29730: \noindent Substitution is very powerful, but also hard to control in wenzelm@29730: full generality. We derive some common symmetry~/ transitivity wenzelm@45103: schemes of @{term equal} as particular consequences. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: theorem sym [sym]: wenzelm@29730: assumes "x = y" wenzelm@29730: shows "y = x" wenzelm@29730: proof - wenzelm@29730: have "x = x" .. wenzelm@58618: with \x = y\ show "y = x" .. wenzelm@29730: qed wenzelm@29730: wenzelm@29730: theorem forw_subst [trans]: wenzelm@29730: assumes "y = x" and "B x" wenzelm@29730: shows "B y" wenzelm@29730: proof - wenzelm@58618: from \y = x\ have "x = y" .. wenzelm@58618: from this and \B x\ show "B y" .. wenzelm@29730: qed wenzelm@29730: wenzelm@29730: theorem back_subst [trans]: wenzelm@29730: assumes "B x" and "x = y" wenzelm@29730: shows "B y" wenzelm@29730: proof - wenzelm@58618: from \x = y\ and \B x\ wenzelm@29730: show "B y" .. wenzelm@29730: qed wenzelm@29730: wenzelm@29730: theorem trans [trans]: wenzelm@29730: assumes "x = y" and "y = z" wenzelm@29730: shows "x = z" wenzelm@29730: proof - wenzelm@58618: from \y = z\ and \x = y\ wenzelm@29730: show "x = z" .. wenzelm@29730: qed wenzelm@29730: wenzelm@29730: wenzelm@58618: subsection \Basic group theory\ wenzelm@29730: wenzelm@58618: text \ wenzelm@29730: As an example for equational reasoning we consider some bits of wenzelm@29730: group theory. The subsequent locale definition postulates group wenzelm@29730: operations and axioms; we also derive some consequences of this wenzelm@29730: specification. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: locale group = wenzelm@29730: fixes prod :: "i \ i \ i" (infix "\" 70) wenzelm@29730: and inv :: "i \ i" ("(_\)" [1000] 999) wenzelm@29730: and unit :: i ("1") wenzelm@29730: assumes assoc: "(x \ y) \ z = x \ (y \ z)" wenzelm@29730: and left_unit: "1 \ x = x" wenzelm@29730: and left_inv: "x\ \ x = 1" wenzelm@29730: begin wenzelm@29730: wenzelm@29730: theorem right_inv: "x \ x\ = 1" wenzelm@29730: proof - wenzelm@29730: have "x \ x\ = 1 \ (x \ x\)" by (rule left_unit [symmetric]) wenzelm@29730: also have "\ = (1 \ x) \ x\" by (rule assoc [symmetric]) wenzelm@29730: also have "1 = (x\)\ \ x\" by (rule left_inv [symmetric]) wenzelm@29730: also have "\ \ x = (x\)\ \ (x\ \ x)" by (rule assoc) wenzelm@29730: also have "x\ \ x = 1" by (rule left_inv) wenzelm@29730: also have "((x\)\ \ \) \ x\ = (x\)\ \ (1 \ x\)" by (rule assoc) wenzelm@29730: also have "1 \ x\ = x\" by (rule left_unit) wenzelm@29730: also have "(x\)\ \ \ = 1" by (rule left_inv) wenzelm@29730: finally show "x \ x\ = 1" . wenzelm@29730: qed wenzelm@29730: wenzelm@29730: theorem right_unit: "x \ 1 = x" wenzelm@29730: proof - wenzelm@29730: have "1 = x\ \ x" by (rule left_inv [symmetric]) wenzelm@29730: also have "x \ \ = (x \ x\) \ x" by (rule assoc [symmetric]) wenzelm@29730: also have "x \ x\ = 1" by (rule right_inv) wenzelm@29730: also have "\ \ x = x" by (rule left_unit) wenzelm@29730: finally show "x \ 1 = x" . wenzelm@29730: qed wenzelm@29730: wenzelm@58618: text \ wenzelm@29732: \noindent Reasoning from basic axioms is often tedious. Our proofs wenzelm@29732: work by producing various instances of the given rules (potentially wenzelm@29732: the symmetric form) using the pattern ``@{command have}~@{text wenzelm@29730: eq}~@{command "by"}~@{text "(rule r)"}'' and composing the chain of wenzelm@29730: results via @{command also}/@{command finally}. These steps may wenzelm@29730: involve any of the transitivity rules declared in wenzelm@29730: \secref{sec:framework-ex-equal}, namely @{thm trans} in combining wenzelm@29730: the first two results in @{thm right_inv} and in the final steps of wenzelm@29730: both proofs, @{thm forw_subst} in the first combination of @{thm wenzelm@29730: right_unit}, and @{thm back_subst} in all other calculational steps. wenzelm@29730: wenzelm@29730: Occasional substitutions in calculations are adequate, but should wenzelm@29730: not be over-emphasized. The other extreme is to compose a chain by wenzelm@29730: plain transitivity only, with replacements occurring always in wenzelm@29730: topmost position. For example: wenzelm@58618: \ wenzelm@29730: wenzelm@29730: (*<*) wenzelm@29730: theorem "\A. PROP A \ PROP A" wenzelm@29730: proof - wenzelm@29730: assume [symmetric, defn]: "\x y. (x \ y) \ Trueprop (x = y)" wenzelm@56594: fix x wenzelm@29730: (*>*) wenzelm@29730: have "x \ 1 = x \ (x\ \ x)" unfolding left_inv .. wenzelm@29730: also have "\ = (x \ x\) \ x" unfolding assoc .. wenzelm@29730: also have "\ = 1 \ x" unfolding right_inv .. wenzelm@29730: also have "\ = x" unfolding left_unit .. wenzelm@29730: finally have "x \ 1 = x" . wenzelm@29730: (*<*) wenzelm@29730: qed wenzelm@29730: (*>*) wenzelm@29730: wenzelm@58618: text \ wenzelm@29730: \noindent Here we have re-used the built-in mechanism for unfolding wenzelm@29730: definitions in order to normalize each equational problem. A more wenzelm@29730: realistic object-logic would include proper setup for the Simplifier wenzelm@29730: (\secref{sec:simplifier}), the main automated tool for equational wenzelm@29732: reasoning in Isabelle. Then ``@{command unfolding}~@{thm wenzelm@29730: left_inv}~@{command ".."}'' would become ``@{command "by"}~@{text wenzelm@29735: "(simp only: left_inv)"}'' etc. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: end wenzelm@29730: wenzelm@29730: wenzelm@58618: subsection \Propositional logic \label{sec:framework-ex-prop}\ wenzelm@29730: wenzelm@58618: text \ wenzelm@29730: We axiomatize basic connectives of propositional logic: implication, wenzelm@29730: disjunction, and conjunction. The associated rules are modeled wenzelm@58552: after Gentzen's system of Natural Deduction @{cite "Gentzen:1935"}. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: axiomatization wenzelm@29730: imp :: "o \ o \ o" (infixr "\" 25) where wenzelm@29730: impI [intro]: "(A \ B) \ A \ B" and wenzelm@29730: impD [dest]: "(A \ B) \ A \ B" wenzelm@29730: wenzelm@29730: axiomatization wenzelm@29730: disj :: "o \ o \ o" (infixr "\" 30) where wenzelm@53015: disjI\<^sub>1 [intro]: "A \ A \ B" and wenzelm@53015: disjI\<^sub>2 [intro]: "B \ A \ B" and wenzelm@29734: disjE [elim]: "A \ B \ (A \ C) \ (B \ C) \ C" wenzelm@29730: wenzelm@29730: axiomatization wenzelm@29730: conj :: "o \ o \ o" (infixr "\" 35) where wenzelm@29730: conjI [intro]: "A \ B \ A \ B" and wenzelm@53015: conjD\<^sub>1: "A \ B \ A" and wenzelm@53015: conjD\<^sub>2: "A \ B \ B" wenzelm@29730: wenzelm@58618: text \ wenzelm@29730: \noindent The conjunctive destructions have the disadvantage that wenzelm@29730: decomposing @{prop "A \ B"} involves an immediate decision which wenzelm@29730: component should be projected. The more convenient simultaneous wenzelm@29730: elimination @{prop "A \ B \ (A \ B \ C) \ C"} can be derived as wenzelm@29730: follows: wenzelm@58618: \ wenzelm@29730: wenzelm@29730: theorem conjE [elim]: wenzelm@29730: assumes "A \ B" wenzelm@29730: obtains A and B wenzelm@29730: proof wenzelm@58618: from \A \ B\ show A by (rule conjD\<^sub>1) wenzelm@58618: from \A \ B\ show B by (rule conjD\<^sub>2) wenzelm@29730: qed wenzelm@29730: wenzelm@58618: text \ wenzelm@29730: \noindent Here is an example of swapping conjuncts with a single wenzelm@29730: intermediate elimination step: wenzelm@58618: \ wenzelm@29730: wenzelm@29730: (*<*) wenzelm@29730: lemma "\A. PROP A \ PROP A" wenzelm@29730: proof - wenzelm@29730: (*>*) wenzelm@29730: assume "A \ B" wenzelm@29730: then obtain B and A .. wenzelm@29730: then have "B \ A" .. wenzelm@29730: (*<*) wenzelm@29730: qed wenzelm@29730: (*>*) wenzelm@29730: wenzelm@58618: text \ wenzelm@29732: \noindent Note that the analogous elimination rule for disjunction wenzelm@29732: ``@{text "\ A \ B \ A \ B"}'' coincides with wenzelm@29732: the original axiomatization of @{thm disjE}. wenzelm@29730: wenzelm@29730: \medskip We continue propositional logic by introducing absurdity wenzelm@29730: with its characteristic elimination. Plain truth may then be wenzelm@29730: defined as a proposition that is trivially true. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: axiomatization wenzelm@29730: false :: o ("\") where wenzelm@29730: falseE [elim]: "\ \ A" wenzelm@29730: wenzelm@29730: definition wenzelm@29730: true :: o ("\") where wenzelm@29730: "\ \ \ \ \" wenzelm@29730: wenzelm@29730: theorem trueI [intro]: \ wenzelm@29730: unfolding true_def .. wenzelm@29730: wenzelm@58618: text \ wenzelm@29732: \medskip\noindent Now negation represents an implication towards wenzelm@29732: absurdity: wenzelm@58618: \ wenzelm@29730: wenzelm@29730: definition wenzelm@29730: not :: "o \ o" ("\ _" [40] 40) where wenzelm@29730: "\ A \ A \ \" wenzelm@29730: wenzelm@29730: theorem notI [intro]: wenzelm@29730: assumes "A \ \" wenzelm@29730: shows "\ A" wenzelm@29730: unfolding not_def wenzelm@29730: proof wenzelm@29730: assume A wenzelm@58618: then show \ by (rule \A \ \\) wenzelm@29730: qed wenzelm@29730: wenzelm@29730: theorem notE [elim]: wenzelm@29730: assumes "\ A" and A wenzelm@29730: shows B wenzelm@29730: proof - wenzelm@58618: from \\ A\ have "A \ \" unfolding not_def . wenzelm@58618: from \A \ \\ and \A\ have \ .. wenzelm@29730: then show B .. wenzelm@29730: qed wenzelm@29730: wenzelm@29730: wenzelm@58618: subsection \Classical logic\ wenzelm@29730: wenzelm@58618: text \ wenzelm@29730: Subsequently we state the principle of classical contradiction as a wenzelm@29730: local assumption. Thus we refrain from forcing the object-logic wenzelm@29730: into the classical perspective. Within that context, we may derive wenzelm@29730: well-known consequences of the classical principle. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: locale classical = wenzelm@29730: assumes classical: "(\ C \ C) \ C" wenzelm@29730: begin wenzelm@29730: wenzelm@29730: theorem double_negation: wenzelm@29730: assumes "\ \ C" wenzelm@29730: shows C wenzelm@29730: proof (rule classical) wenzelm@29730: assume "\ C" wenzelm@58618: with \\ \ C\ show C .. wenzelm@29730: qed wenzelm@29730: wenzelm@29730: theorem tertium_non_datur: "C \ \ C" wenzelm@29730: proof (rule double_negation) wenzelm@29730: show "\ \ (C \ \ C)" wenzelm@29730: proof wenzelm@29730: assume "\ (C \ \ C)" wenzelm@29730: have "\ C" wenzelm@29730: proof wenzelm@29730: assume C then have "C \ \ C" .. wenzelm@58618: with \\ (C \ \ C)\ show \ .. wenzelm@29730: qed wenzelm@29730: then have "C \ \ C" .. wenzelm@58618: with \\ (C \ \ C)\ show \ .. wenzelm@29730: qed wenzelm@29730: qed wenzelm@29730: wenzelm@58618: text \ wenzelm@29735: \noindent These examples illustrate both classical reasoning and wenzelm@29735: non-trivial propositional proofs in general. All three rules wenzelm@29735: characterize classical logic independently, but the original rule is wenzelm@29735: already the most convenient to use, because it leaves the conclusion wenzelm@29735: unchanged. Note that @{prop "(\ C \ C) \ C"} fits again into our wenzelm@29735: format for eliminations, despite the additional twist that the wenzelm@29735: context refers to the main conclusion. So we may write @{thm wenzelm@29735: classical} as the Isar statement ``@{text "\ \ thesis"}''. wenzelm@29735: This also explains nicely how classical reasoning really works: wenzelm@29735: whatever the main @{text thesis} might be, we may always assume its wenzelm@29735: negation! wenzelm@58618: \ wenzelm@29730: wenzelm@29730: end wenzelm@29730: wenzelm@29730: wenzelm@58618: subsection \Quantifiers \label{sec:framework-ex-quant}\ wenzelm@29730: wenzelm@58618: text \ wenzelm@29730: Representing quantifiers is easy, thanks to the higher-order nature wenzelm@29730: of the underlying framework. According to the well-known technique wenzelm@58552: introduced by Church @{cite "church40"}, quantifiers are operators on wenzelm@29730: predicates, which are syntactically represented as @{text "\"}-terms wenzelm@29732: of type @{typ "i \ o"}. Binder notation turns @{text "All (\x. B wenzelm@29732: x)"} into @{text "\x. B x"} etc. wenzelm@58618: \ wenzelm@29730: wenzelm@29730: axiomatization wenzelm@29730: All :: "(i \ o) \ o" (binder "\" 10) where wenzelm@29730: allI [intro]: "(\x. B x) \ \x. B x" and wenzelm@29730: allD [dest]: "(\x. B x) \ B a" wenzelm@29730: wenzelm@29730: axiomatization wenzelm@29730: Ex :: "(i \ o) \ o" (binder "\" 10) where wenzelm@29730: exI [intro]: "B a \ (\x. B x)" and wenzelm@29730: exE [elim]: "(\x. B x) \ (\x. B x \ C) \ C" wenzelm@29730: wenzelm@58618: text \ wenzelm@29735: \noindent The statement of @{thm exE} corresponds to ``@{text wenzelm@29735: "\ \x. B x \ x \ B x"}'' in Isar. In the wenzelm@29735: subsequent example we illustrate quantifier reasoning involving all wenzelm@29735: four rules: wenzelm@58618: \ wenzelm@29730: wenzelm@29730: theorem wenzelm@29730: assumes "\x. \y. R x y" wenzelm@29730: shows "\y. \x. R x y" wenzelm@58618: proof -- \@{text "\"} introduction\ wenzelm@58618: obtain x where "\y. R x y" using \\x. \y. R x y\ .. -- \@{text "\"} elimination\ wenzelm@58618: fix y have "R x y" using \\y. R x y\ .. -- \@{text "\"} destruction\ wenzelm@58618: then show "\x. R x y" .. -- \@{text "\"} introduction\ wenzelm@29730: qed wenzelm@29730: wenzelm@29734: wenzelm@58618: subsection \Canonical reasoning patterns\ wenzelm@29734: wenzelm@58618: text \ wenzelm@29734: The main rules of first-order predicate logic from wenzelm@29734: \secref{sec:framework-ex-prop} and \secref{sec:framework-ex-quant} wenzelm@29734: can now be summarized as follows, using the native Isar statement wenzelm@29734: format of \secref{sec:framework-stmt}. wenzelm@29734: wenzelm@29734: \medskip wenzelm@29734: \begin{tabular}{l} wenzelm@29734: @{text "impI: \ A \ B \ A \ B"} \\ wenzelm@29734: @{text "impD: \ A \ B \ A \ B"} \\[1ex] wenzelm@29734: wenzelm@53015: @{text "disjI\<^sub>1: \ A \ A \ B"} \\ wenzelm@53015: @{text "disjI\<^sub>2: \ B \ A \ B"} \\ wenzelm@29734: @{text "disjE: \ A \ B \ A \ B"} \\[1ex] wenzelm@29734: wenzelm@29734: @{text "conjI: \ A \ B \ A \ B"} \\ wenzelm@29734: @{text "conjE: \ A \ B \ A \ B"} \\[1ex] wenzelm@29734: wenzelm@29734: @{text "falseE: \ \ \ A"} \\ wenzelm@29734: @{text "trueI: \ \"} \\[1ex] wenzelm@29734: wenzelm@29734: @{text "notI: \ A \ \ \ \ A"} \\ wenzelm@29734: @{text "notE: \ \ A \ A \ B"} \\[1ex] wenzelm@29734: wenzelm@29734: @{text "allI: \ \x. B x \ \x. B x"} \\ wenzelm@29734: @{text "allE: \ \x. B x \ B a"} \\[1ex] wenzelm@29734: wenzelm@29734: @{text "exI: \ B a \ \x. B x"} \\ wenzelm@29734: @{text "exE: \ \x. B x \ a \ B a"} wenzelm@29734: \end{tabular} wenzelm@29734: \medskip wenzelm@29734: wenzelm@29734: \noindent This essentially provides a declarative reading of Pure wenzelm@29734: rules as Isar reasoning patterns: the rule statements tells how a wenzelm@29734: canonical proof outline shall look like. Since the above rules have wenzelm@29735: already been declared as @{attribute (Pure) intro}, @{attribute wenzelm@29735: (Pure) elim}, @{attribute (Pure) dest} --- each according to its wenzelm@29735: particular shape --- we can immediately write Isar proof texts as wenzelm@29735: follows: wenzelm@58618: \ wenzelm@29734: wenzelm@29734: (*<*) wenzelm@29734: theorem "\A. PROP A \ PROP A" wenzelm@29734: proof - wenzelm@29734: (*>*) wenzelm@29734: wenzelm@58999: text_raw \\begin{minipage}[t]{0.4\textwidth}\(*<*)next(*>*) wenzelm@29734: wenzelm@29734: have "A \ B" wenzelm@29734: proof wenzelm@29734: assume A wenzelm@29734: show B sorry %noproof wenzelm@29734: qed wenzelm@29734: wenzelm@58999: text_raw \\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}\(*<*)next(*>*) wenzelm@29734: wenzelm@29734: have "A \ B" and A sorry %noproof wenzelm@29734: then have B .. wenzelm@29734: wenzelm@58999: text_raw \\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}\(*<*)next(*>*) wenzelm@29734: wenzelm@29734: have A sorry %noproof wenzelm@29734: then have "A \ B" .. wenzelm@29734: wenzelm@29734: have B sorry %noproof wenzelm@29734: then have "A \