├── man-isabelle.pdf ├── man-isabelle-changes.pdf ├── document ├── build ├── root.bib └── root.tex ├── ROOT ├── Makefile ├── README.md ├── LICENSE ├── Chapter_system.thy ├── Chapter_theories.thy ├── Chapter_methods.thy └── Chapter_case.thy /man-isabelle.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gteege/gentle-isabelle/HEAD/man-isabelle.pdf -------------------------------------------------------------------------------- /man-isabelle-changes.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gteege/gentle-isabelle/HEAD/man-isabelle-changes.pdf -------------------------------------------------------------------------------- /document/build: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | $ISABELLE_PDFLATEX root.tex 3 | $ISABELLE_BIBTEX root 4 | $ISABELLE_PDFLATEX root.tex 5 | $ISABELLE_PDFLATEX root.tex 6 | $ISABELLE_MAKEINDEX root.idx 7 | $ISABELLE_PDFLATEX root.tex 8 | 9 | -------------------------------------------------------------------------------- /ROOT: -------------------------------------------------------------------------------- 1 | session "man-isabelle" = "HOL-Library" + 2 | options [document = pdf, document_output = "output", document_variants="document=-theory", document_build = build] 3 | theories 4 | Chapter_system 5 | Chapter_theories 6 | Chapter_proofs 7 | Chapter_methods 8 | Chapter_case 9 | Chapter_holbasic 10 | Chapter_holtdefs 11 | Chapter_holtypes 12 | document_files 13 | "root.tex" 14 | "root.bib" 15 | "build" 16 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Location of the Cogent installation directory (with subdirectories cogent and isabelle) 2 | COGENTROOT=$(COGENT_HOME) 3 | 4 | ISABELLE_HOME=~/Isabelle2025 5 | 6 | ifdef ISABELLE_HOME 7 | # Alternative location of Isabelle installation directory 8 | ISABELLEROOT=$(ISABELLE_HOME) 9 | else 10 | # Use Isabelle in Cogent installation 11 | ISABELLEROOT=$(COGENTROOT)/isabelle 12 | endif 13 | 14 | ISABELLE=$(ISABELLEROOT)/bin/isabelle 15 | 16 | all: doc 17 | 18 | edit: 19 | $(ISABELLE) jedit -l HOL Chapter_holtypes.thy 20 | 21 | doc: 22 | $(ISABELLE) build -v -b -d . man-isabelle 23 | if [ -e output/document.pdf ]; then cp output/document.pdf man-isabelle.pdf; fi 24 | 25 | clean: 26 | -rm -f *~ 27 | -rm -r output 28 | 29 | 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # gentle-isabelle 2 | A gentle introduction to Isabelle and Isabelle/HOL 3 | 4 | When I started to use Isabelle some years ago I had no background in formal proof systems other than a basic knowledge of mathematical logics. I found it very challenging to understand what the system does and how it is used. The extensive documentation (which I appreciate a lot in the meantime) was of limited help at the beginning: it is spread across several documents and it is either oriented towards specific applications (the tutorials about program semantics) or requires profound knowledge of proof systems for understanding (the reference manual etc). It did not provide the orientation I needed for a thorough insight into the *language* used to write theories and proofs. 5 | 6 | At some point I started to turn my notes into a document and later decided that it may be useful for others as well, if it covers a substantial part of Isabelle and Isabelle/HOL. So I revised and extended it, while having fun in exploring the features of Isabelle and Isabelle/HOL. The document became much larger than intended. 7 | 8 | As an introductory manual it explains how to work with Isabelle to develop 9 | mathematical models. It does not presume prior knowledge about formal 10 | or informal proof techniques. It only assumes that the reader has a basic 11 | understanding of mathematical logics and the task of proving mathematical 12 | propositions. 13 | 14 | The document is not a tutorial for working with examples. Instead, it describes the concepts and the language used to input mathematical 15 | models to Isabelle, beginning with the most basic concepts and then proceeding to more eloborate concepts. 16 | 17 | Have fun. 18 | -------------------------------------------------------------------------------- /document/root.bib: -------------------------------------------------------------------------------- 1 | @manual{prog-prove, 2 | author = {Tobias Nipkow}, 3 | title = {Programming and Proving in {Isabelle/HOL}}, 4 | note = {\url{https://isabelle.in.tum.de/doc/prog-prove.pdf}}} 5 | 6 | @manual{datatypes, 7 | author = {Julian Biendarra and Jasmin Blanchette and Martin Desharnais and Lorenz Panny and 8 | Andrei Popescu and Dmitriy Traytel}, 9 | title = {Defining (Co)datatypes and Primitively (Co)recursive Functions in {Isabelle/HOL}}, 10 | note = {\url{https://isabelle.in.tum.de/doc/datatypes.pdf}}} 11 | 12 | @manual{functions, 13 | author = {Alexander Krauss}, 14 | title = {Defining Recursive Functions in {Isabelle/HOL}}, 15 | note = {\url{https://isabelle.in.tum.de/doc/functions.pdf}}} 16 | 17 | @manual{corec, 18 | author = {Jasmin Blanchette and Aymeric Bouzy and Andreas Lochbihler and Andrei Popescu and Dmitriy Traytel}, 19 | title = {Defining Nonprimitively (Co)recursive Functions in {Isabelle/HOL}}, 20 | note = {\url{https://isabelle.in.tum.de/doc/corec.pdf}}} 21 | 22 | @manual{eisbach, 23 | author = {Daniel Matichuk and Makarius Wenzel and Toby Murray}, 24 | title = {The {Eisbach} User Manual}, 25 | note = {\url{https://isabelle.in.tum.de/doc/eisbach.pdf}}} 26 | 27 | @manual{isar-ref, 28 | author = {Makarius Wenzel}, 29 | title = {The {Isabelle/Isar} Reference Manual}, 30 | note = {\url{https://isabelle.in.tum.de/doc/isar-ref.pdf}}} 31 | 32 | @manual{system, 33 | author = {Makarius Wenzel}, 34 | title = {The {Isabelle} System Manual}, 35 | note = {\url{https://isabelle.in.tum.de/doc/system.pdf}}} 36 | 37 | @manual{jedit, 38 | author = {Makarius Wenzel}, 39 | title = {Isabelle/jEdit}, 40 | note = {\url{https://isabelle.in.tum.de/doc/jedit.pdf}}} 41 | 42 | @manual{tutorial, 43 | author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel}, 44 | title = {{Isabelle/HOL} A Proof Assistant for Higher-Order Logic}, 45 | note = {\url{https://isabelle.in.tum.de/doc/tutorial.pdf}}} 46 | 47 | @article{fuerer, 48 | title = {Quotients of Bounded Natural Functors}, 49 | author = {Basil Fürer and Andreas Lochbihler and Joshua Schneider and Dmitriy Traytel}, 50 | url = {https://lmcs.episciences.org/7354}, 51 | doi = {10.46298/lmcs-18(1:23)2022}, 52 | journal = {Logical Methods in Computer Science}, 53 | issn = {1860-5974}, 54 | volume = {Volume 18, Issue 1}, 55 | eid = 23, 56 | year = {2022}, 57 | month = {Feb}, 58 | keywords = {Computer Science - Logic in Computer Science, Computer Science - Programming Languages}, 59 | } 60 | -------------------------------------------------------------------------------- /document/root.tex: -------------------------------------------------------------------------------- 1 | \documentclass[11pt,a4paper]{report} 2 | \usepackage{isabelle,isabellesym} 3 | 4 | % further packages required for unusual symbols (see also 5 | % isabellesym.sty), use only when needed 6 | 7 | %\usepackage{amssymb} 8 | %for \, \, \, \, \, \, 9 | %\, \, \, \, \, 10 | %\, \, \ 11 | 12 | %\usepackage{eurosym} 13 | %for \ 14 | 15 | \usepackage[only,bigsqcap]{stmaryrd} 16 | %for \ 17 | 18 | %\usepackage{eufrak} 19 | %for \ ... \, \ ... \ (also included in amssymb) 20 | 21 | %\usepackage{textcomp} 22 | %for \, \, \, \, \, 23 | %\ 24 | 25 | % required for [mode=Rule]: 26 | \usepackage{mathpartir} 27 | 28 | % TG: added for title page modification 29 | \usepackage{titling} 30 | 31 | % TG: added for changebars 32 | \usepackage{changebar} 33 | % this requires to use pdflatex, specified by option document_build in ROOT 34 | % with pdflatex font encoding T1 is required instead of OT1 (the default) to print \guilsinglleft and others 35 | \usepackage[T1]{fontenc} 36 | 37 | % TG: added for index generation with index as chapter in toc 38 | \usepackage{imakeidx} 39 | \makeindex[intoc] 40 | 41 | % this should be the last package used 42 | \usepackage{pdfsetup} 43 | 44 | % urls in roman style 45 | \urlstyle{rm} 46 | 47 | % theory text in slanted tt with underscore and quotes 48 | \isabellestyle{default} 49 | 50 | % omit quotes for altstrings 51 | \def\isacharbackquoteopen{}% 52 | \def\isacharbackquoteclose{}% 53 | 54 | 55 | % for uniform font size 56 | %\renewcommand{\isastyle}{\isastyleminor} 57 | 58 | \begin{document} 59 | 60 | \title{A Gentle Introduction to Isabelle\\ and Isabelle/HOL} 61 | \author{{\em Gunnar Teege}\\ 62 | Universität der Bundeswehr München \\ 63 | \texttt{gunnar.teege@unibw.de} 64 | } 65 | \date{March 27, 2025} 66 | \postdate{\par\vskip 0.2cm Compatible with Isabelle Release 2025 67 | % \par\vskip 1cm Changebars mark content related changes relative to the version of July, 20, 2024 68 | \end{center}} 69 | \maketitle 70 | 71 | \tableofcontents 72 | 73 | % sane default for proof documents 74 | \parindent 0pt\parskip 0.5ex 75 | 76 | % generated text of all theories 77 | \input{session} 78 | 79 | % optional bibliography 80 | \begingroup 81 | \cleardoublepage 82 | \phantomsection 83 | \addcontentsline{toc}{chapter}{Bibliography} 84 | \bibliographystyle{abbrv} 85 | \bibliography{root} 86 | \endgroup 87 | 88 | % TG: insert the index 89 | \printindex 90 | 91 | \end{document} 92 | 93 | %%% Local Variables: 94 | %%% mode: latex 95 | %%% TeX-master: t 96 | %%% End: 97 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Creative Commons Legal Code 2 | 3 | CC0 1.0 Universal 4 | 5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE 6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN 7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS 8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES 9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS 10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM 11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED 12 | HEREUNDER. 13 | 14 | Statement of Purpose 15 | 16 | The laws of most jurisdictions throughout the world automatically confer 17 | exclusive Copyright and Related Rights (defined below) upon the creator 18 | and subsequent owner(s) (each and all, an "owner") of an original work of 19 | authorship and/or a database (each, a "Work"). 20 | 21 | Certain owners wish to permanently relinquish those rights to a Work for 22 | the purpose of contributing to a commons of creative, cultural and 23 | scientific works ("Commons") that the public can reliably and without fear 24 | of later claims of infringement build upon, modify, incorporate in other 25 | works, reuse and redistribute as freely as possible in any form whatsoever 26 | and for any purposes, including without limitation commercial purposes. 27 | These owners may contribute to the Commons to promote the ideal of a free 28 | culture and the further production of creative, cultural and scientific 29 | works, or to gain reputation or greater distribution for their Work in 30 | part through the use and efforts of others. 31 | 32 | For these and/or other purposes and motivations, and without any 33 | expectation of additional consideration or compensation, the person 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she 35 | is an owner of Copyright and Related Rights in the Work, voluntarily 36 | elects to apply CC0 to the Work and publicly distribute the Work under its 37 | terms, with knowledge of his or her Copyright and Related Rights in the 38 | Work and the meaning and intended legal effect of CC0 on those rights. 39 | 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be 41 | protected by copyright and related or neighboring rights ("Copyright and 42 | Related Rights"). Copyright and Related Rights include, but are not 43 | limited to, the following: 44 | 45 | i. the right to reproduce, adapt, distribute, perform, display, 46 | communicate, and translate a Work; 47 | ii. moral rights retained by the original author(s) and/or performer(s); 48 | iii. publicity and privacy rights pertaining to a person's image or 49 | likeness depicted in a Work; 50 | iv. rights protecting against unfair competition in regards to a Work, 51 | subject to the limitations in paragraph 4(a), below; 52 | v. rights protecting the extraction, dissemination, use and reuse of data 53 | in a Work; 54 | vi. database rights (such as those arising under Directive 96/9/EC of the 55 | European Parliament and of the Council of 11 March 1996 on the legal 56 | protection of databases, and under any national implementation 57 | thereof, including any amended or successor version of such 58 | directive); and 59 | vii. other similar, equivalent or corresponding rights throughout the 60 | world based on applicable law or treaty, and any national 61 | implementations thereof. 62 | 63 | 2. Waiver. To the greatest extent permitted by, but not in contravention 64 | of, applicable law, Affirmer hereby overtly, fully, permanently, 65 | irrevocably and unconditionally waives, abandons, and surrenders all of 66 | Affirmer's Copyright and Related Rights and associated claims and causes 67 | of action, whether now known or unknown (including existing as well as 68 | future claims and causes of action), in the Work (i) in all territories 69 | worldwide, (ii) for the maximum duration provided by applicable law or 70 | treaty (including future time extensions), (iii) in any current or future 71 | medium and for any number of copies, and (iv) for any purpose whatsoever, 72 | including without limitation commercial, advertising or promotional 73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each 74 | member of the public at large and to the detriment of Affirmer's heirs and 75 | successors, fully intending that such Waiver shall not be subject to 76 | revocation, rescission, cancellation, termination, or any other legal or 77 | equitable action to disrupt the quiet enjoyment of the Work by the public 78 | as contemplated by Affirmer's express Statement of Purpose. 79 | 80 | 3. Public License Fallback. Should any part of the Waiver for any reason 81 | be judged legally invalid or ineffective under applicable law, then the 82 | Waiver shall be preserved to the maximum extent permitted taking into 83 | account Affirmer's express Statement of Purpose. In addition, to the 84 | extent the Waiver is so judged Affirmer hereby grants to each affected 85 | person a royalty-free, non transferable, non sublicensable, non exclusive, 86 | irrevocable and unconditional license to exercise Affirmer's Copyright and 87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the 88 | maximum duration provided by applicable law or treaty (including future 89 | time extensions), (iii) in any current or future medium and for any number 90 | of copies, and (iv) for any purpose whatsoever, including without 91 | limitation commercial, advertising or promotional purposes (the 92 | "License"). The License shall be deemed effective as of the date CC0 was 93 | applied by Affirmer to the Work. Should any part of the License for any 94 | reason be judged legally invalid or ineffective under applicable law, such 95 | partial invalidity or ineffectiveness shall not invalidate the remainder 96 | of the License, and in such case Affirmer hereby affirms that he or she 97 | will not (i) exercise any of his or her remaining Copyright and Related 98 | Rights in the Work or (ii) assert any associated claims and causes of 99 | action with respect to the Work, in either case contrary to Affirmer's 100 | express Statement of Purpose. 101 | 102 | 4. Limitations and Disclaimers. 103 | 104 | a. No trademark or patent rights held by Affirmer are waived, abandoned, 105 | surrendered, licensed or otherwise affected by this document. 106 | b. Affirmer offers the Work as-is and makes no representations or 107 | warranties of any kind concerning the Work, express, implied, 108 | statutory or otherwise, including without limitation warranties of 109 | title, merchantability, fitness for a particular purpose, non 110 | infringement, or the absence of latent or other defects, accuracy, or 111 | the present or absence of errors, whether or not discoverable, all to 112 | the greatest extent permissible under applicable law. 113 | c. Affirmer disclaims responsibility for clearing rights of other persons 114 | that may apply to the Work or any use thereof, including without 115 | limitation any person's Copyright and Related Rights in the Work. 116 | Further, Affirmer disclaims responsibility for obtaining any necessary 117 | consents, permissions or other rights required for any use of the 118 | Work. 119 | d. Affirmer understands and acknowledges that Creative Commons is not a 120 | party to this document and has no duty or obligation with respect to 121 | this CC0 or use of the Work. 122 | -------------------------------------------------------------------------------- /Chapter_system.thy: -------------------------------------------------------------------------------- 1 | theory Chapter_system 2 | imports 3 | Main 4 | "HOL-Library.LaTeXsugar" 5 | begin 6 | (* turn off alternative printing of function card, introduced by LaTeXsugar *) 7 | (* tag %invisible suppresses printing the no_notation command *) 8 | no_notation %invisible (latex output) card ("|_|") 9 | 10 | chapter "Isabelle System" 11 | text_raw\\label{system}\ 12 | 13 | text \ 14 | Isabelle is a ``proof assistant'' for formal mathematical proofs. It supports a notation for propositions and 15 | their proofs, it can check whether a proof is correct, and it can even help to find a proof. 16 | 17 | This introductory manual explains how to work with Isabelle to develop mathematical models. 18 | It does not presume prior knowledge about formal or informal proof techniques. It only assumes that 19 | the reader has a basic understanding of mathematical logics and the task of proving mathematical 20 | propositions. 21 | \ 22 | 23 | section "Invoking Isabelle" 24 | text_raw\\label{system-invoke}\ 25 | 26 | text \ 27 | After installation, Isabelle can be invoked interactively as an editor for entering propositions and proofs, 28 | or it can be invoked noninteractively to check a proof and generate a PDF document which displays the 29 | propositions and proofs. 30 | \ 31 | 32 | subsection "Installation and Configuration" 33 | text_raw\\label{system-invoke-install}\ 34 | text \ 35 | Isabelle is freely available from \<^verbatim>\https://isabelle.in.tum.de/\ and other mirror sites for Windows, 36 | Mac, and Linux. It is actively maintained, there is usually one release every year. Older releases 37 | are available in a distribution archive. 38 | 39 | To install Isabelle, follow the instructions on 40 | \begin{verbatim} 41 | https://isabelle.in.tum.de/installation.html 42 | \end{verbatim} 43 | Although there are many configuration options, there is no need for an initial configuration, 44 | interactive and noninteractive invocation is immediately possible. 45 | \ 46 | 47 | subsection "Theories and Sessions" 48 | text_raw\\label{system-invoke-theory}\ 49 | text \ 50 | The propositions and proofs in Isabelle notation are usually collected in ``theory files'' with names of the 51 | form \<^verbatim>\name.thy\. A theory file\index{theory!file} must import at least one other theory file to build upon its content. For theories 52 | based on higher order logic (``HOL''), the usual starting point to import is the theory @{theory Main}\index{Main (theory)}. 53 | 54 | Several theory files can be grouped in a ``session''\index{session}. A session is usually stored in a directory\index{session!directory} in the file system. 55 | It consists of a file named \<^verbatim>\ROOT\ \index{ROOT (file)} which contains a specification of the session, and the theory files which 56 | belong to the session. 57 | 58 | When Isabelle loads a session it loads and checks all its theory files. Then it can generate a ``heap file''\index{heap file} for 59 | the session which contains the processed session content. The heap file can be reloaded by Isabelle to avoid 60 | the time and effort for processing and checking the theory files. 61 | 62 | A session always has a single parent session\index{session!parent $\sim$}, with the exception of the Isabelle builtin session @{session Pure}\index{Pure (session)}. 63 | Thus, every session depends on a linear sequence of ancestor sessions which begins at @{session Pure}. The ancestor 64 | sessions have separate heap files. A session is always loaded together with all ancestor sessions. 65 | 66 | Every session has a name of the form \<^verbatim>\chap/sess\ where \<^verbatim>\chap\ is an arbitrary ``chapter name'', it defaults to 67 | \<^verbatim>\Unsorted\\index{Unsorted (chapter name)}. The session name and the name of the parent session are specified in the \<^verbatim>\ROOT\ file in the session 68 | directory. When a session is loaded by Isabelle, its directory and the directories of all ancestor sessions must 69 | be known by Isabelle. 70 | 71 | The Isabelle distribution provides heap files for the session \<^verbatim>\HOL/HOL\\index{HOL (session)} and its parent session \<^verbatim>\Pure/Pure\, 72 | the session directories are automatically known. 73 | 74 | Every session may be displayed in a ``session document''\index{session!document}. This is a PDF document generated by translating the 75 | content of the session theory files to \LaTeX. A frame \LaTeX\ document must be provided which includes all content 76 | generated from the theory files. The path of the frame document, whether a session document shall be generated and 77 | which theories shall be included is specified in the \<^verbatim>\ROOT\ file. 78 | 79 | The command 80 | \begin{verbatim} 81 | isabelle mkroot [OPTIONS] [Directory] 82 | \end{verbatim} 83 | \index{mkroot (isabelle tool)} can be used to initialize the given directory (default is the current directory) as session directory. It creates 84 | an initial \<^verbatim>\ROOT\ file to be populated with theory file names and other specification for the session, and it 85 | creates a simple frame \LaTeX\ document. 86 | \ 87 | 88 | subsection "Invocation as Editor" 89 | text_raw\\label{system-invoke-edit}\ 90 | text \ 91 | Isabelle is invoked for editing using the command 92 | \begin{verbatim} 93 | isabelle jedit [OPTIONS] [Files ...] 94 | \end{verbatim} 95 | \index{jedit (isabelle tool)} It starts an interactive editor and opens the specified theory files. If no file is specified it opens the 96 | file \<^verbatim>\Scratch.thy\\index{Scratch.thy (file)} in the user's home directory. If that file does not exist, it is created as an empty file. 97 | 98 | The editor also loads a session (together with its ancestors), the default session to load is HOL\index{HOL (session)}. 99 | If a heap file exists for the loaded session it is used, otherwise a heap file is created by processing 100 | all the session's theories. 101 | 102 | The default session to load can be changed by the option 103 | \begin{verbatim} 104 | -l 105 | \end{verbatim} 106 | \index{-l (option)} 107 | 108 | Moreover the editor also loads (but does not open) theories which are transitively imported by the 109 | opened theory files. If these are Isabelle standard theories it finds them automatically. If they 110 | belong to the session in the current directory it also finds them. If they belong to other sessions, 111 | the option 112 | \begin{verbatim} 113 | -d 114 | \end{verbatim} 115 | \index{-d (option)} 116 | must be used to make the session directory known to Isabelle. For every used session a separate option must be 117 | specified. 118 | 119 | If an imported theory belongs to the loaded session or an ancestor, it is directly referenced there. 120 | Otherwise the theory file is loaded and processed. 121 | \ 122 | 123 | subsection "Invocation for Batch Processing" 124 | text_raw\\label{system-invoke-build}\ 125 | text \ 126 | Isabelle is invoked for batch processing of all theory files in one or more sessions using the command 127 | \begin{verbatim} 128 | isabelle build [OPTIONS] [Sessions ...] 129 | \end{verbatim} 130 | \index{build (isabelle tool)} 131 | It loads all theory files of the specified sessions and checks the contained proofs. It also loads all required 132 | ancestor sessions. If not known to Isabelle, the corresponding session directories must be specified using option 133 | \<^verbatim>\-d\ as described in Section~\ref{system-invoke-edit}. Sessions required for other sessions are loaded from 134 | heap files if existent, otherwise the corresponding theories are loaded and a heap file is created. 135 | 136 | If option \<^verbatim>\-b\\index{-b (option)} is specified, heap files are also created for all sessions specified in the command. Option 137 | \<^verbatim>\-c\\index{-c (option)} clears the specified sessions (removes their heap files) before processing them. Option \<^verbatim>\-n\\index{-n (option)} omits 138 | the actual session processing, together with option \<^verbatim>\-c\ it can be used to simply clear the heap files. 139 | 140 | The specified sessions are only processed if at least one of their theory files has changed since the last 141 | processing or if the session is cleared using option \<^verbatim>\-c\. If option \<^verbatim>\-v\\index{-v (option)} is specified all loaded sessions 142 | and all processed theories are listed on standard output. 143 | 144 | If specified for a session in its \<^verbatim>\ROOT\ file (see Section~\ref{system-invoke-doc}), also the session document 145 | is generated when a session is processed. 146 | \ 147 | 148 | subsection "Invocation for Document Creation" 149 | text_raw\\label{system-invoke-doc}\ 150 | text \** todo **\ 151 | 152 | section "Interactively Working with Isabelle" 153 | text_raw\\label{system-jedit}\ 154 | 155 | text\ 156 | After invoking Isabelle as editor (see Section~\ref{system-invoke-edit}) it supports interactive 157 | work with theories. 158 | 159 | The user interface consists of a text area\index{text area} which is surrounded by docking areas where 160 | additional panels\index{panel} can be displayed. Several panels can be displayed in the same docking area, 161 | using tabs to switch among them. Panels may also be displayed as separate undocked 162 | windows. 163 | 164 | A panel can be displayed by selecting it in the \<^verbatim>\Plugins -> Isabelle\ menu. Some of 165 | the panels are described in the following sections. 166 | \ 167 | 168 | subsection "The Text Area" 169 | text_raw\\label{system-jedit-main}\ 170 | 171 | text\ 172 | The text area displays the content of an open theory file and supports editing 173 | it. The font (size) used for display can be configured through the menu in 174 | \<^verbatim>\Utilities -> Global Options -> jEdit -> Text Area\ together with many other 175 | options for display. 176 | \ 177 | 178 | subsubsection "Processing the Text Area Content" 179 | 180 | text\ 181 | Moreover, in the default configuration, Isabelle automatically processes 182 | the theory text up to the current part visible in the text area window. This includes processing 183 | the content of all imported theory files, if the import statement is visible. 184 | 185 | Whenever the window is moved forward the processing is continued if ``Continuous 186 | checking'' has not been disabled in the Theories panel. Whenever the content of the text area 187 | is modified the processing is set back and restarted at the modified position. 188 | 189 | In the default configuration the progress of the processing is shown by shading the 190 | unprocessed text in red and by a bar on the right border of the text area which symbolizes 191 | the whole theory file and shows the unprocessed part by red shading as well. 192 | \ 193 | 194 | subsubsection "Displaying Definitions of Identifiers" 195 | 196 | text\ 197 | Most identifiers\index{identifier!definition} used in Isabelle content have been defined in some theory file, this also holds 198 | for commands and other elements of the Isabelle syntax. The definition can be accessed by holding 199 | down CTRL (CMD on Macs) and clicking on an identifier. This also works for identifiers displayed 200 | in most other panels. 201 | 202 | The definition is displayed by opening the corresponding theory file in the text area and 203 | positioning the window on the definition text. 204 | 205 | If an identifier's definition has been loaded from a heap file (see Section~\ref{system-invoke-theory}) 206 | it is still displayed by opening the theory file, however, its content is not processed in the way 207 | described above. In particular, this is usually the case for all identifiers defined in the sessions 208 | \<^verbatim>\HOL/HOL\ and \<^verbatim>\Pure/Pure\. 209 | \ 210 | 211 | subsection "The Sidekick Panel" 212 | text_raw\\label{system-jedit-sidekick}\ 213 | 214 | text\ 215 | The Sidekick panel\index{panel!sidekick $\sim$} displays a structured view of the content of the text area and supports 216 | interactively expanding and collapsing substructures. It can be used for navigation in the text 217 | area by clicking on an item displayed in the Sidekick panel. 218 | 219 | The structure view is not updated automatically upon changes in the the text area, to update it the 220 | text area content must be saved to its theory file. 221 | \ 222 | 223 | subsection "The Output Panel" 224 | text_raw\\label{system-jedit-output}\ 225 | 226 | text\ 227 | The Output panel\index{panel!output $\sim$} displays the result of the theory text processing when it reaches the 228 | cursor position in the text area. 229 | 230 | The displayed information depends on the cursor position and may be an information 231 | about the current theorem or proof or it may be an error message. 232 | \ 233 | 234 | subsection "The State Panel" 235 | text_raw\\label{system-jedit-state}\ 236 | 237 | text\ 238 | The State panel\index{panel!state $\sim$}\index{state!panel} displays a specific result of the theory text processing 239 | if the cursor position is in a proof. It is called the ``goal state''\index{goal!state} (see 240 | Section~\ref{proof-state-goal}), and describes what remains to be proved by the 241 | rest of the proof. 242 | 243 | The Output panel can be configured to include the goal state in its display by 244 | checking the ``Proof state'' button. 245 | \ 246 | 247 | subsection "The Symbols Panel" 248 | text_raw\\label{system-jedit-symbols}\ 249 | 250 | text\ 251 | Isabelle uses a large set of mathematical symbols and other special symbols which 252 | are usually not on the keyboard. The Symbols panel\index{panel!symbols $\sim$}\index{symbol!panel} can be used to input such 253 | symbols in the text area. It comprises several tabs for selecting different symbol sets. 254 | 255 | Alternatively, symbols not available on the keyboard may be entered by a specific sequence 256 | of keys, called an abbreviation\index{symbol!abbreviation}. As an example, the sequence \<^verbatim>\==>\ is an abbreviation for the 257 | symbol \\\ consisting of three separate keys. In the interactive editor Isabelle replaces some 258 | abbreviations upon entering automatically by their symbol, others are left as they are. 259 | 260 | If the mouse is positioned on a symbol in the Symbols panel available abbreviations are displayed 261 | as \<^verbatim>\abbrev:...\ in the popup message. 262 | \ 263 | 264 | subsection "The Documentation Panel" 265 | text_raw\\label{system-jedit-documentation}\ 266 | 267 | text\ 268 | A comprehensive set of documentation about Isabelle can be opened 269 | through the Documentation panel\index{panel!documentation $\sim$}\index{documentation!panel}. 270 | This introduction refers to some of these documentations, if applicable, through 271 | the bibliography. 272 | 273 | For example, more information about the use of the interactive editor can be found 274 | in the Isabelle Manual about jEdit \<^cite>\jedit\. 275 | \ 276 | 277 | subsection "The Query Panel" 278 | text_raw\\label{system-jedit-query}\ 279 | 280 | text\ 281 | The Query panel\index{panel!query $\sim$} supports active searching for items in the content of all loaded sessions. There are 282 | several tabs for searching different kinds of items. Depending on the kind, a search specification\index{search!specification} 283 | must be entered in the tab, the results are displayed in the window below. 284 | 285 | Note that a simple full text search is usually not supported. More information about supported 286 | search specifications for different kinds of items can be found in Chapter~\ref{theory}. 287 | \ 288 | 289 | subsection "The Theories Panel" 290 | text_raw\\label{system-jedit-theories}\ 291 | 292 | text\ 293 | The Theories panel\index{panel!theories $\sim$}\index{theories!panel} displays the loaded session and the opened or imported theories which do 294 | not belong to the loaded session or its ancestors. The (parts of) theories which have not 295 | been processed are shaded in red. 296 | 297 | If the check button next to a theory is checked, the theory file is processed 298 | independently of the position of the text area window. 299 | \ 300 | 301 | end 302 | -------------------------------------------------------------------------------- /Chapter_theories.thy: -------------------------------------------------------------------------------- 1 | theory Chapter_theories 2 | imports Chapter_system 3 | begin 4 | chapter "Isabelle Theories" 5 | text_raw\\label{theory}\ 6 | 7 | text \ 8 | A theory\index{theory} is the content of an Isabelle theory file. 9 | \ 10 | 11 | section "Theory Notation" 12 | text_raw\\label{theory-notation}\ 13 | 14 | text\ 15 | Theories are written using a notation which follows strict syntax rules, similar to a programming 16 | language. The interactive editor helps using correct notation by immediately signaling syntax 17 | errors upon input. However, it is crucial to also understand the \<^emph>\meaning\ of the written text. 18 | This introduction describes both in a systematic stepwise manner. 19 | \ 20 | 21 | subsection "Languages for Theory Content" 22 | text_raw\\label{theory-notation-lang}\ 23 | 24 | text \ 25 | Isabelle aims at two main goals: Supporting interactive work with mathematical formulas 26 | and proofs, and supporting their presentation together with explanations as nicely typeset text in 27 | the form of an article or a book. For this purpose Isabelle combines three different languages for 28 | writing theory content: 29 | 30 | \<^item> a language for mathematics, called the ``inner syntax'', 31 | \<^item> a language for textual content, which is an extended form of \LaTeX\ source code, 32 | \<^item> a language for organizing fragments of the first two languages in a theory, called the ``outer 33 | syntax''.\ 34 | 35 | subsubsection "Inner Syntax" 36 | 37 | text\ 38 | For the inner syntax\index{syntax!inner $\sim$} Isabelle tries to be as close as possible to the form how mathematical content 39 | is traditionally presented in books. It supports formulas such as \\x\100 . x\{y\<^sup>2 | y. y\10}\ both 40 | in the interactive editor and the textual presentation. It does not support larger two-dimensional 41 | constructs like matrices or fractions.\ 42 | 43 | subsubsection "Outer Syntax" 44 | 45 | text\ 46 | The outer syntax\index{syntax!outer $\sim$} resembles a programming language. It uses keywords to construct larger entities 47 | like definitions and proofs. These entities usually contain mathematical formulas written in inner 48 | syntax. To clearly separate both languages, content in inner syntax must always be surrounded 49 | by double quotes \"\"\ or by the ``cartouche delimiters'' \\\\\ available in the editor's 50 | Symbols panel in tab ``Punctuation''. The only exception is a single isolated identifier, for it the 51 | quotes or delimiters may be omitted. 52 | 53 | This introduction describes only a selected part of the outer and inner syntax. The full 54 | notation used by Isabelle is described in the Isabelle/Isar reference manual \<^cite>\"isar-ref"\ with 55 | some more advanced parts in other documentation \<^cite>\datatypes and corec and eisbach\.\ 56 | 57 | subsubsection \Embedded \LaTeX\ Code\ 58 | 59 | text\ 60 | Additionally, text written in \LaTeX\ syntax\index{syntax!LaTeX $\sim$} can be embedded into the outer syntax using the form 61 | \<^theory_text>\text\ \ \\ 62 | and \LaTeX\ sections\index{sections} can be created using 63 | \<^theory_text>\chapter\ \ \\, \<^theory_text>\section\ \ \\, \<^theory_text>\subsection\ \ \\, \<^theory_text>\subsubsection\ \ \\, \<^theory_text>\paragraph\ \ \\, 64 | \<^theory_text>\subparagraph\ \ \\. 65 | 66 | It is also possible to embed inner and outer syntax in the \LaTeX\ syntax (see Chapter 4 in the 67 | Isabelle/Isar Reference Manual).\ 68 | 69 | subsubsection "Comments" 70 | 71 | text\ 72 | Moreover, comments\index{comments} of the form 73 | \begin{verbatim} 74 | (* ... *) 75 | \end{verbatim} 76 | can be embedded into the outer syntax. They are only intended for the reader of the theory file 77 | and are not displayed in the session document. 78 | 79 | Line breaks\index{line breaks} are ignored as part of the outer and inner syntax and have the same effect as 80 | a space. 81 | \ 82 | 83 | subsection "Meta Level and Object Level" 84 | text_raw\\label{theory-notation-meta}\ 85 | 86 | text \ 87 | Isabelle consists of a small fixed kernel which is called ``meta-logic''\index{meta-logic}\index{logic!meta-}. It is implemented in the 88 | session \<^verbatim>\Pure/Pure\\index{Pure (session)} (see Section~\ref{system-invoke-theory}) which is the ancestor of all other 89 | sessions. To be useful the meta-logic must be extended by an ``object logic''\index{object logic}\index{logic!object $\sim$}. It may consist of one 90 | or more sessions, all sessions other than \<^verbatim>\Pure/Pure\ are parts of an object logic. There are many 91 | object logics available for Isabelle, the most versatile is HOL\index{HOL (object logic)}. Although called a ``logic'' it is 92 | a full extensible representation of mathematics. 93 | 94 | This introduction first describes the Isabelle kernel features, followed by a 95 | description of the object logic HOL in Chapters~\ref{holbasic} and subsequent chapters. 96 | 97 | Both outer\index{syntax!outer $\sim$} and inner\index{syntax!inner $\sim$} syntax consist of a part for the kernel 98 | (the ``meta-level''\index{meta-level}\index{level!meta-} of the languages) 99 | and a part introduced by and specific for the object logic (the ``object-level''\index{object-level}\index{level!object-} of the languages). 100 | While the meta-level of the inner syntax is extremely small, mainly consisting of only four logical 101 | operators, the meta-level of the outer syntax supports a large set of constructs for specifying 102 | entities like axioms, definitions, proofs, and, finally, whole theories. 103 | 104 | This introduction describes the meta-level of the inner syntax mainly in 105 | Sections~\ref{theory-terms} and~\ref{theory-prop}. The rest of the sections about the 106 | Isabelle kernel describe the meta-level of the outer syntax. Chapter~\ref{holbasic} describes basic 107 | parts of the object level of the inner and outer syntax for HOL. Chapter~\ref{holtdefs} describes 108 | a major part of the outer syntax for HOL, whereas Chapter~\ref{holtypes} describes an important part 109 | of the inner syntax for HOL. 110 | \ 111 | 112 | subsection "Theory Structure" 113 | text_raw\\label{theory-notation-struct}\ 114 | 115 | text \ 116 | The content of a theory file\index{theory!file} has the outer syntax structure 117 | @{theory_text[display] 118 | \theory name 119 | imports name\<^sub>1 \ name\<^sub>n 120 | begin 121 | \ 122 | end\}\index{theory (keyword)}\index{imports (keyword)} 123 | where \<^theory_text>\name\ is the theory name\index{theory!name} and \<^theory_text>\name\<^sub>1 \ name\<^sub>n\ are the names of the imported theories\index{theories!imported $\sim$}. 124 | The theory name \<^theory_text>\name\ must be the same which is used for the theory file, i.e., the file name 125 | must be \<^verbatim>\name.thy\.\ 126 | 127 | section "Terms and Types" 128 | text_raw\\label{theory-terms}\ 129 | 130 | text \ 131 | The two main constituents of the inner syntax are terms\index{term} and types\index{type}. 132 | As usual in formal logics, the basic building blocks of propositions are terms. Terms denote arbitrary 133 | objects like numbers, sets, functions, or boolean values. Isabelle is strongly typed, so every term 134 | must have a type which names the type of values denoted by the term. 135 | However, in most situations Isabelle can derive the type of a term automatically, 136 | so that it needs not be specified explicitly. 137 | \ 138 | 139 | subsection "Types" 140 | text_raw\\label{theory-terms-types}\ 141 | 142 | text \ 143 | Types are basically specified by type names\index{type!name}\index{name!for type}. In Isabelle HOL (see Chapter~\ref{holbasic}) there are 144 | predefined types such as \nat\\index{nat (type)} and \bool\\index{bool (type)} for natural numbers and boolean values. With the 145 | exception of function types, types like these with a mathematical meaning always belong to an object 146 | logic. Chapter~\ref{holtypes} gives a detailed description of several important types of HOL. Due 147 | to the lack of adequate types in the meta-logic this introduction uses a small set of HOL types for 148 | examples to illustrate concepts on the meta-level, assuming an intuitive understanding of the 149 | associated operations and terms.\ 150 | 151 | subsubsection "Type Declarations" 152 | 153 | text\ 154 | New type names can be introduced using the outer syntax construct 155 | @{theory_text[display] 156 | \typedecl name\}\index{typedecl (keyword)} 157 | which introduces the \<^theory_text>\name\ for a new type for which the values are different from the values of 158 | all existing types and the set of values is not empty. No other information about the values is 159 | given, that may be done separately. See Chapter~\ref{holtdefs} for ways of defining types with 160 | specifying more information about their values.\ 161 | 162 | subsubsection "Parameterized Types and Polymorphic Types" 163 | 164 | text\ 165 | Types can be parameterized\index{type!parameterized $\sim$}\index{parameterized!type}, then the type 166 | parameters\index{type!parameter} are denoted \<^emph>\before\ the type name, such as in 167 | \nat set\ which is the HOL type of sets of natural numbers. A type name with \n\ parameters is declared 168 | in the form 169 | @{theory_text[display] 170 | \typedecl ('name\<^sub>1,\,'name\<^sub>n) name\} 171 | where the parentheses may be omitted if \n = 1\, such as in \<^theory_text>\typedecl 'a set\. 172 | The type parameters are denoted by ``type variables''\index{type!variables} which always have the 173 | form \'name\ with a leading single quote character. 174 | 175 | A type name with parameters is called a ``type constructor''\index{type!constructor} because it is not a type on its own. 176 | Every use where the parameters are replaced by actual types, such 177 | as in \nat set\, is called an ``instance''\index{type!instance} of the parameterized type. 178 | 179 | Parameters of a type constructor may again be replaced by parameterized types, such as in \('a set) set\. 180 | In this way arbitrary complex ``type expressions''\index{type!expression} can be built, consisting 181 | of type constructors, type names, type variables, and parentheses. Generally, types in Isabelle may 182 | be specified by arbitrary type expressions. 183 | 184 | If a type expression contains type variables, such as in \'a set\ or if it consists of a single type 185 | variable such as \'a\ the denoted type is called ``polymorphic''\index{type!polymorphic $\sim$}\index{polymorphic}. 186 | A polymorphic type can be used as a type specification, its meaning is that an arbitrary instance 187 | can be used where the type variables are replaced by actual types.\ 188 | 189 | subsubsection "Type Synonyms" 190 | 191 | text\ 192 | Alternatively a type name can be introduced as a synonym\index{type!synonym} for an existing type in the form 193 | @{theory_text[display] 194 | \type_synonym name = type\}\index{type-synonym@type$\_$synonym (keyword)} 195 | such as in \<^theory_text>\type_synonym natset = "nat set"\. Type synonyms can also be parameterized as in 196 | @{theory_text[display] 197 | \type_synonym ('name\<^sub>1,\,'name\<^sub>n) name = type\} 198 | where \type\ may be a polymorphic type which contains atmost the type variables \'name\<^sub>1,\,'name\<^sub>n\. 199 | \ 200 | 201 | subsection "Constants and Variables" 202 | text_raw\\label{theory-terms-consts}\ 203 | 204 | text \ 205 | Terms are mainly built as syntactical structures based on constants\index{constant} and variables\index{variable}. Constants are usually 206 | denoted by names\index{constant!name}\index{name!for constant}, using the same namespace as type names. Whether a name denotes a constant or a 207 | type depends on its position in a term. In HOL predefined constant names of type 208 | \bool\ are \True\\index{True (constant)} and \False\\index{False (constant)}. 209 | 210 | Constants of number types, such as \nat\, may be denoted by number literals\index{number literal}, such as \6\ 211 | or \42\. Nested terms are generally written by using parentheses\index{parentheses} \(\)\. There are many priority 212 | rules how to nest terms automatically, but if in doubt, it is always safe to use parentheses. 213 | \ 214 | 215 | subsubsection "Constants Declarations" 216 | 217 | text\ 218 | A new constant name can be introduced by specifying its type. The outer syntax construct 219 | @{theory_text[display] 220 | \consts name\<^sub>1 :: type\<^sub>1 \ name\<^sub>n :: type\<^sub>n\}\index{consts (keyword)} 221 | introduces \n\ constants with their names and types. No information is specified about the 222 | constant's values, in this respect the constants are ``underspecified''\index{constant!underspecified $\sim$}\index{underspecified!constant}. The information about the 223 | values may be specified separately. 224 | 225 | If the constant's type is polymorphic (see Section~\ref{theory-terms-types}) the constant is 226 | also called polymorphic\index{constant!polymorphic $\sim$}\index{polymorphic}. Thus the declaration 227 | @{theory_text[display] 228 | \consts myset :: "'a set"\}\index{myset (example constant)} 229 | declares the polymorphic constant \myset\ which may be a set of elements of arbitrary type. 230 | Note the use of quotes because the type is specified in inner syntax and is not a single 231 | type name.\ 232 | 233 | subsubsection "Variables" 234 | 235 | text\ 236 | A (term) variable\index{variable}\index{name!for variable} has the same form as a constant name, but it has not been introduced as a 237 | constant. Whenever a variable is used in a term it has a specific type which is either derived 238 | from its context or is explicitly specified\index{type!specification} in inner syntax in the form \varname :: type\.\ 239 | 240 | subsection "Functions" 241 | text_raw\\label{theory-terms-functions}\ 242 | 243 | text \ 244 | A constant name denotes an object, which, according to its type, may also be a function\index{function} of 245 | arbitrary order. Functions basically have a single argument\index{function!argument}. The type of a function is written 246 | in inner syntax as \argtype \ restype\\index{function!type}\index{=>@\\\ (operator)} or equivalently 247 | as \(argtype, restype) fun\\index{fun (type)} (thus \fun\ is a type constructor with two arguments). These ways of denoting function 248 | types belongs to the meta-level of the inner syntax and is thus available in all object logics. 249 | 250 | Functions in Isabelle are always total, i.e., they map every value of type \argtype\ to some value 251 | of type \restype\. However, a function may be ``underspecified''\index{function!underspecified $\sim$}\index{underspecified!function} so that no information is (yet) 252 | available about the result value for some or all argument values. A function defined by 253 | @{theory_text[display] 254 | \consts mystery :: "nat \ nat"\}\index{mystery (example constant)} 255 | is completely underspecified: although it maps every natural number to a unique other natural number 256 | no information about these numbers is available. Functions may also be partially specified by 257 | describing the result value only for some argument values. This does not mean that the function is 258 | ``partial'' and has no value for the remaining arguments. The information about these values may 259 | always be provided later, this does not ``modify'' the function, it only adds information about it. 260 | \ 261 | 262 | subsection "Functions with Multiple Arguments" 263 | text_raw\\label{theory-terms-multargs}\ 264 | 265 | text\ 266 | The result type 267 | of a function may again be a function type, then it may be applied to another argument. This is used 268 | to represent functions with more than one argument\index{function!multiple arguments}. Function types are right associative, thus a 269 | type \argtype\<^sub>1 \ argtype\<^sub>2 \ \ \ argtype\<^sub>n \ restype\ describes functions which can be applied 270 | to \n\ arguments.\ 271 | 272 | subsubsection "Function Application" 273 | 274 | text\ 275 | Function application\index{function!application} terms for a function \f\ and an argument \a\ are denoted in inner 276 | syntax by 277 | \f a\, no parentheses are required around the argument. Function application terms are left 278 | associative, thus a function application to \n\ arguments is written \f a\<^sub>1 \ a\<^sub>n\. Note that an 279 | application \f a\<^sub>1 \ a\<^sub>m\ where \m < n\ (a ``partial application'')\index{function!application!partial $\sim$} is a correct term and denotes a 280 | function taking the remaining \n-m\ arguments.\ 281 | 282 | subsubsection "Infix Function Application" 283 | 284 | text\ 285 | For every constant alternative syntax forms may be defined for application terms. This is often used 286 | for binary functions to represent application terms in infix notation\index{infix notation} with an operator symbol\index{operator symbol}\index{symbol!operator $\sim$}. 287 | As an example, the name for the addition function in HOL is \plus\, so an application term is denoted 288 | in the form \plus 3 5\. For \plus\ the alternative name \(+)\ is defined (the parentheses are part 289 | of the name). For functions with such ``operator names''\index{operator name} an application term \(+) 3 5\ can also be 290 | denoted in infix form \3 + 5\. Infix notation is supported for many basic functions and predicates 291 | in HOL , 292 | having operator names such as \(-)\, \(**)\, \(=)\, \(\)\, \(\)\, or \(\)\. 293 | \ 294 | 295 | subsection "Lambda-Terms" 296 | text_raw\\label{theory-terms-lambda}\ 297 | 298 | text\ 299 | Functions can be denoted in inner syntax by lambda terms\index{lambda term}\index{term!lambda $\sim$} of the form \\x. term\\index{/lam@\\\ (binder)} where \x\ is a variable 300 | which may occur in the \term\. The space between the dot and the \term\ is often required to 301 | separate both. A function to be applied to \n\ arguments can be denoted by the 302 | lambda term \\x\<^sub>1 \ x\<^sub>n. term\ where \x\<^sub>1, \, x\<^sub>n\ are distinct variables. As usual, types may be 303 | specified for (some of) the variables in the form \\(x\<^sub>1::t\<^sub>1) \ (x\<^sub>n::t\<^sub>n). term\. The parentheses 304 | may be omitted if there is only one argument variable. 305 | 306 | A constant function\index{function!constant $\sim$} has a value which does not depend on the argument, thus the variable \x\ 307 | does not occur in the \term\. Then its name is irrelevant and it may be replaced by the ``wildcard''\index{wildcard} 308 | \_\ (an underscore) as in \\_. term\.\ 309 | 310 | subsubsection "Binding Variables" 311 | 312 | text\ 313 | If a variable from the \x\<^sub>1, \, x\<^sub>n\ occurs in the \term\ of \\x\<^sub>1 \ x\<^sub>n. term\ it is called a 314 | ``bound''\index{variable!bound $\sim$} occurrence and denotes the corresponding function argument. If an occurrence of a variable 315 | \x\ is not a part of a lambda term \\\ x \ . term\ the occurrence is called ``free''\index{free occurrence}\index{variable!free occurrence of $\sim$}. 316 | 317 | A lambda term is a case of ``binder syntax''\index{syntax!binder $\sim$}\index{binder syntax}. It consists of a ``binder''\index{binder} (here \\\) 318 | followed by one or more variables with optional type specifications, followed by a dot and a term 319 | (called ``body''\index{binder syntax!body in $\sim$}\index{body in binder syntax}). 320 | Terms of the inner syntax nearly always have either the form of a function application, possibly 321 | in infix notation, or the form of a binder syntax. 322 | \ 323 | 324 | subsection "Searching Constants" 325 | text_raw\\label{theory-terms-search}\ 326 | 327 | text \ 328 | Constants may be searched\index{constant!search $\sim$}\index{search!for constants} using the command 329 | @{theory_text[display] 330 | \find_consts criterion\<^sub>1 \ criterion\<^sub>n\}\index{find-consts@find$\_$consts (keyword)} 331 | or using the Query panel\index{panel!query $\sim$} (see Section~\ref{system-jedit-query}) in the ``Find Constants'' tab using 332 | the sequence \criterion\<^sub>1 \ criterion\<^sub>n\ as search specification\index{search!specification} in the ``Find:'' input field. The 333 | \criterion\<^sub>i\ are combined by conjunction. 334 | 335 | The command \<^theory_text>\find_consts\ may be entered in the text area between other theory content such as 336 | type or constant declarations. It finds all named constants which have been introduced before the 337 | command position. Searches using the Query panel find all named constants which have been introduced 338 | before the cursor position in the text area.\ 339 | 340 | subsubsection "Searching by Type" 341 | 342 | text\ 343 | A \criterion\<^sub>i\ may be a type, specified in inner syntax and quoted if not a single type name. Then 344 | the search finds all constants where the type occurs as a part of the constant's type. For example, 345 | it finds all functions which have the specified type as argument or result type. 346 | 347 | A \criterion\<^sub>i\ may also have the form \strict: "type"\, then the search only finds constants which 348 | have that type. In both cases the specified type may be a function type, then the search finds 349 | corresponding named functions. 350 | 351 | If the specified type is polymorphic the search will also find constants which have an instance 352 | of it as their type or as a part of the type, respectively.\ 353 | 354 | subsubsection "Searching by Name" 355 | 356 | text\ 357 | A \criterion\<^sub>i\ may also have the form \name: strpat\ where \strpat\ is a string pattern which may 358 | use ``*'' as wildcard (then the pattern must be enclosed in double quotes). Then all constants are 359 | found where the \strpat\ matches a substring of their name. 360 | \ 361 | 362 | section "Definitions and Abbreviations" 363 | text_raw\\label{theory-definition}\ 364 | 365 | text \ 366 | A constant name may be introduced together with information about its associated value by specifying 367 | a term for the value. There are two forms for introducing constant names in this way, definitions 368 | and abbreviations. Both are constructs of the outer syntax. 369 | \ 370 | 371 | subsection "Definitions" 372 | text_raw\\label{theory-definition-defs}\ 373 | 374 | text\ 375 | A definition\index{constant!definition}\index{definition!for constant} defines a new constant together with its type and value. 376 | It is denoted in the form 377 | @{theory_text[display] 378 | \definition name where "name \ term"\}\index{definition (keyword)}\index{where (keyword)} 379 | Note that the ``defining equation'' \name \ term\ is specified in inner syntax and must be 380 | delimited by quotes. The operator \\\\index{=@\\\ (meta-logic operator)} is the equality\index{equality!meta $\sim$} operator of the meta-logic (see 381 | Section~\ref{theory-notation-meta}). The \name\ may not occur in the \term\, i.e., this form 382 | of definition 383 | does not support recursion. Also, no free variables may occur in the \term\. In the object logic HOL 384 | (see Chapter~\ref{holbasic}) also the normal equality operator \=\\index{=@\=\ (operator)} may be used instead of \\\. 385 | 386 | The type of the defined constant is the same as that of the \term\. If that type is polymorphic 387 | (see Section~\ref{theory-terms-types}) a more specific type may be specified explicitly in the form 388 | @{theory_text[display] 389 | \definition name :: type where "name \ term"\} 390 | As usual the type is specified in inner syntax and must be quoted if it is not a single type name. 391 | 392 | A short form of a definition is 393 | @{theory_text[display] 394 | \definition "name \ term"\} 395 | 396 | Usually, a constant defined in this way is fully specified, i.e., all information about its value 397 | is available. However, if the term does not provide this information, the constant is still 398 | underspecified\index{constant!underspecified $\sim$}\index{underspecified!constant}. Consider the definition 399 | @{theory_text[display] 400 | \definition mystery2 where "mystery2 \ mystery"\}\index{mystery2 (example constant)} 401 | where \mystery\ is defined as above. Then it is only known that \mystery2\ has type \nat \ nat\ and 402 | is the same total function as \mystery\, but nothing is known about its values.\ 403 | 404 | subsubsection "Defining Functions" 405 | 406 | text\ 407 | If the type of the defined constant is a function\index{function!definition}\index{definition!for function} type, the \term\ may be a lambda term. 408 | Alternatively, the definition for a function applicable to \n\ arguments can be written in the form 409 | @{theory_text[display] 410 | \definition name where "name x\<^sub>1 \ x\<^sub>n \ term"\} 411 | with variable names \x\<^sub>1 \ x\<^sub>n\ which may occur in the \term\. This form is mainly equivalent to 412 | @{theory_text[display] 413 | \definition name where "name \ \x\<^sub>1 \ x\<^sub>n. term"\}\ 414 | 415 | subsection "Abbreviations" 416 | text_raw\\label{theory-definition-abbrevs}\ 417 | 418 | text\ 419 | An abbreviation\index{abbreviation!for constant}\index{constant!abbreviation} definition does not define a constant, it only introduces the name 420 | as a synonym for a term\index{term!synonym}. Upon input the name is automatically expanded, and upon output it is used 421 | whenever a term matches its specification and the term is not too complex. 422 | An abbreviation definition is denoted in a similar form as a definition: 423 | @{theory_text[display] 424 | \abbreviation name where "name \ term"\}\index{abbreviation (keyword)}\index{where (keyword)} 425 | As for definitions, recursion is not supported, the \name\ may not occur in the \term\ and also 426 | no free variables. An explicit type may be specified for \name\ and the short form is also available 427 | as for definitions. 428 | 429 | The alternative form for functions\index{abbreviation!for function}\index{function!abbreviation} is also available. The abbreviation definition 430 | @{theory_text[display] 431 | \abbreviation name where "name x\<^sub>1 \ x\<^sub>n \ term"\} 432 | introduces a ``parameterized'' abbreviation. An application term \name term\<^sub>1 \ term\<^sub>n\ is replaced 433 | upon input by \term\ where all occurrences of \x\<^sub>i\ have been substituted by \term\<^sub>i\. Upon output 434 | terms are matched with the structure of \term\ and if successful a corresponding application term 435 | is constructed and displayed. 436 | \ 437 | 438 | section "Overloading" 439 | text_raw\\label{theory-overload}\ 440 | 441 | subsection "True Overloading" 442 | text_raw\\label{theory-overload-true}\ 443 | 444 | text \ 445 | One way of providing information about the value of an underspecified constant is overloading\index{overloading}. 446 | It provides the information with the help of another constant together with a definition for it. 447 | 448 | Overloading depends on the type. Therefore, if a constant is 449 | polymorphic, different definitions can be associated for different type instances. 450 | 451 | Overloading is only possible for constants which do not yet have a definition, i.e., they must 452 | have been defined by \<^theory_text>\consts\ (see Section~\ref{theory-terms-consts}). 453 | Such a constant \name\ is associated with \n\ definitions by the following overloading 454 | specification: 455 | @{theory_text[display] 456 | \overloading 457 | name\<^sub>1 \ name 458 | \ 459 | name\<^sub>n \ name 460 | begin 461 | definition name\<^sub>1 :: type\<^sub>1 where \ 462 | \ 463 | definition name\<^sub>n :: type\<^sub>n where \ 464 | end\}\index{overloading (keyword)} 465 | where all \type\<^sub>i\ must be instances of the type declared for \name\. 466 | 467 | The auxiliary constants \name\<^sub>1 \ name\<^sub>n\ are only introduced locally and cannot be used outside 468 | of the \<^theory_text>\overloading\ specification. 469 | \ 470 | 471 | subsection "Adhoc Overloading" 472 | text_raw\\label{theory-overload-adhoc}\ 473 | 474 | text\ 475 | There is also a form of overloading\index{overloading!ad-hoc $\sim$} which achieves similar effects although it is implemented 476 | completely differently. It is only performed on the syntactic level, like abbreviations. 477 | 478 | A constant name \name\ can be defined to be a ``type dependent abbreviation'' 479 | for \n\ terms of different type instances by 480 | @{theory_text[display] 481 | \adhoc_overloading name \ term\<^sub>1 \ term\<^sub>n\}\index{adhoc-overloading@adhoc$\_$overloading (keyword)} 482 | The syntactic operator \\\\index{==@\\\ (syntactic operator)} is available for input in the 483 | editor's Symbols panel in tab ``Arrow''. It means that translation between both sides occurs upon 484 | input and output. 485 | Upon input the type of \name\ is determined from the context, then it is replaced by the 486 | corresponding \term\<^sub>i\. Upon output terms are matched with the corresponding \term\<^sub>i\ and if 487 | successful \name\ is displayed instead. 488 | 489 | Although \name\ must be the name of an existing constant, only its type is used. The constant is 490 | not affected by the adhoc overloading, however, it becomes inaccessible because its name is now 491 | used as term abbreviation. 492 | 493 | Several constant names can be overloaded in a common specification: 494 | 495 | @{theory_text[display] 496 | \adhoc_overloading name\<^sub>1 \ term\<^sub>1\<^sub>,\<^sub>1 \ term\<^sub>1\<^sub>,\<^sub>n and \ and name\<^sub>k \ \\} 497 | \ 498 | 499 | section "Propositions" 500 | text_raw\\label{theory-prop}\ 501 | 502 | text \ 503 | A proposition\index{proposition} denotes an assertion, which can be valid or not. Valid proposition are called 504 | ``facts''\index{fact}, they are the main content of a theory. Propositions are specific terms and 505 | are hence written in inner syntax and must be enclosed in quotes. 506 | \ 507 | 508 | subsection "Formulas" 509 | text_raw\\label{theory-prop-formulas}\ 510 | 511 | text \ 512 | A simple form of a proposition is a single term of type \bool\\index{bool (type)}, such as 513 | @{text[display] 514 | \6 * 7 = 42\} 515 | The \*\ is the infix operator for multiplication, it may not be omitted in arithmetic 516 | terms. 517 | 518 | Terms of type \bool\ are also called ``formulas''\index{formula}. Since \bool\ belongs to the object 519 | logic HOL, formulas are also specific for HOL or another object logic, there are no formulas in 520 | the meta-logic. The simplest form of a proposition on meta-level is a single variable. 521 | 522 | A proposition may contain free variables as in 523 | @{text[display] 524 | \2 * x = x + x\} 525 | 526 | A formula as proposition is valid if it evaluates to \True\\index{True (constant)} for all possible values substituted 527 | for the free variables\index{free occurrence}\index{variable!free occurrence of $\sim$}. 528 | \ 529 | 530 | subsection "Derivation Rules" 531 | text_raw\\label{theory-prop-rules}\ 532 | 533 | text \ 534 | More complex propositions on the meta-level can express ``derivation rules''\index{derivation rule}\index{rule!derivation $\sim$} used to derive propositions 535 | from other propositions. Derivation rules are denoted using the meta-logic operator \\\\index{==>@\\\ (meta-logic operator)} 536 | and can thus be expressed independent of an object logic. 537 | 538 | Derivation rules consist of assumptions\index{assumption} and a conclusion\index{conclusion}. They are written in the form 539 | @{text[display] 540 | \A\<^sub>1 \ \ \ A\<^sub>n \ C\} 541 | where the \A\<^sub>1 \ A\<^sub>n\ are the assumptions and \C\ is the conclusion. Since \\\ is right-associative 542 | the conclusion can be assumed to be a single variable or a formula. 543 | The assumptions may be arbitrary propositions. If an 544 | assumption contains meta-logic operators parentheses\index{parentheses} can be used to delimit them from the rest of the 545 | derivation rule. 546 | 547 | A derivation rule states that if the assumptions are valid, the conclusion can be derived 548 | as also being valid. So \\\ can be viewed as a ``meta implication''\index{implication!meta $\sim$} with a similar meaning as a 549 | boolean implication, but with a different use. 550 | 551 | An example for a rule with a single assumption is 552 | @{text[display] 553 | \(x::nat) < c \ n*x \ n*c\} 554 | Note that type \nat\ is explicitly specified for variable \x\. This is necessary, because the 555 | constants \<\, \*\, and \\\ are overloaded and can be applied to other types than only natural 556 | numbers. Therefore the type of \x\ cannot be derived automatically. However, when the type of 557 | \x\ is known, the types of \c\ and \n\ can be derived to also be \nat\. 558 | 559 | An example for a rule with two assumptions is 560 | @{text[display] 561 | \(x::nat) < c \ n > 0 \ n*x < n*c\} 562 | 563 | In most cases the assumptions are also formulas, as in the example. However, they may also 564 | be again derivation rules. Then the rule is a ``meta rule''\index{rule!meta $\sim$} which derives a proposition from other 565 | rules. 566 | \ 567 | 568 | subsection "Binding Free Variables" 569 | text_raw\\label{theory-prop-bind}\ 570 | 571 | text \ 572 | A proposition may contain universally bound variables\index{variable!bound $\sim$}, using the meta-logic quantifier 573 | \\\\index{/@\\\ (meta-logic binder)} in the form 574 | @{text[display] 575 | \\ x\<^sub>1 \ x\<^sub>n. P\} 576 | where the \x\<^sub>1 \ x\<^sub>n\ may occur free in the proposition \P\. This is another case of binder 577 | syntax\index{syntax!binder $\sim$}\index{binder} (see Section~\ref{theory-terms-lambda}). As usual, types may be 578 | specified for (some of) the variables in the form \\ (x\<^sub>1::t\<^sub>1) \ (x\<^sub>n::t\<^sub>n). P\. An example for 579 | a valid derivation rule with bound variables is 580 | @{text[display] 581 | \\ (x::nat) c n . x < c \ n*x \ n*c\} 582 | \ 583 | 584 | subsection "Rules with Multiple Conclusions" 585 | text_raw\\label{theory-prop-multconcl}\ 586 | 587 | text \ 588 | A derivation rule may specify several propositions to be derivable from the same assumptions using 589 | the meta-logic operator \&&&\\index{.and@\&&&\ (meta-logic operator)} in the form 590 | @{text[display] 591 | \A\<^sub>1 \ \ \ A\<^sub>n \ C\<^sub>1 &&& \ &&& C\<^sub>h\} 592 | Here the \C\<^sub>i\ may be arbitrary propositions, like the assumptions. If they contain meta-logic 593 | operators they must be enclosed in parentheses because \&&&\ binds stronger than the other 594 | meta-logic operators. 595 | 596 | The rule is equivalent to the set of rules deriving each \C\<^sub>i\ separately: 597 | @{text[display] 598 | \A\<^sub>1 \ \ \ A\<^sub>n \ C\<^sub>1 599 | \ 600 | A\<^sub>1 \ \ \ A\<^sub>n \ C\<^sub>h\} 601 | 602 | The rule states that if the assumptions are valid then all conclusions are valid. So \&&&\ can be 603 | viewed as a ``meta conjunction''\index{conjunction!meta $\sim$} with a similar meaning as a boolean conjunction, but with a 604 | different use. 605 | 606 | An example for a rule with two conclusions is 607 | @{text[display] 608 | \(x::nat) < c \ n*x \ n*c &&& n+x < n+c\}\ 609 | 610 | subsection "Alternative Rule Syntax" 611 | text_raw\\label{theory-prop-altsynt}\ 612 | 613 | text \ 614 | An alternative, Isabelle specific syntax\index{syntax!alternative $\sim$!for rules} for derivation rules with possibly multiple conclusions is 615 | @{text[display] 616 | \\ x\<^sub>1 \ x\<^sub>m. \A\<^sub>1; \; A\<^sub>n\ \ C\<^sub>1 &&& \ &&& C\<^sub>h\} 617 | which is often considered as more readable, because it better separates the assumptions from the 618 | conclusions. In the interactive editor to switch to this form it may be necessary to set 619 | \<^verbatim>\Print Mode\ to \<^verbatim>\brackets\ in \<^verbatim>\Plugin Options\ for \<^verbatim>\Isabelle General\. The fat brackets are 620 | available for input in the editor's Symbols panel in tab ``Punctuation''. 621 | 622 | Using this syntax the two-assumption example rule from the previous section is denoted by 623 | @{text[display] 624 | \\ (x::nat) c n. \x < c; n > 0\ \ n*x < n*c\} 625 | or equivalently without quantifier by 626 | @{text[display] 627 | \\(x::nat) < c; n > 0\ \ n*x < n*c\} 628 | 629 | Note that in the literature a derivation rule @{thm conjI[no_vars]} is often denoted in the form 630 | @{thm[display,mode=Rule] conjI[no_vars]} 631 | \ 632 | 633 | subsection "Structured Rule Syntax" 634 | text_raw\\label{theory-prop-struct}\ 635 | 636 | text\ 637 | Isabelle supports another alternative syntax for derivation rules with possibly multiple 638 | conclusions. It is called ``structured''\index{syntax!structured $\sim$!for rules}\index{structured form} form, since the rule is not specified by a single 639 | proposition but by several separate propositions for the parts of the rule: 640 | @{theory_text[display] 641 | \"C\<^sub>1" \ "C\<^sub>h" if "A\<^sub>1" \ "A\<^sub>n" for x\<^sub>1 \ x\<^sub>m\}\index{if (keyword)}\index{for (keyword)} 642 | Here the conclusions, assumptions and the variables may be grouped or separated for better 643 | \index{conclusion!group}\index{assumption!group}\index{variable!group} 644 | readability by the keyword \<^theory_text>\and\\index{and (keyword)}. For every group of variables (but not for single variables in a 645 | group) a type may be specified\index{type!specification} in the form \x\<^sub>1 \ x\<^sub>m :: "type"\, it applies to all variables in the 646 | group. 647 | 648 | The keywords \<^theory_text>\if\, \<^theory_text>\and\, \<^theory_text>\for\ belong to the outer syntax. Thus, a rule in structured form 649 | cannot occur nested in another proposition, such as an assumption in another rule. Moreover, the 650 | original rule must be quoted as a whole, whereas in the structured form only the sub-propositions 651 | \C\<^sub>1 \ C\<^sub>h, A\<^sub>1, \, A\<^sub>n\ must be individually quoted. The \x\<^sub>1, \, x\<^sub>m\ need not be quoted, but if a 652 | type is specified for a variable group the type must be quoted, if it is not a single type name. 653 | 654 | If written in this form, the two-assumption example rule from the previous section may become 655 | @{theory_text[display] 656 | \"n*x < n*c" if "x < c" and "n > 0" for x::nat and n c\} 657 | and the rule with two conclusions depicted earlier may become 658 | @{theory_text[display] 659 | \"n*x \ n*c" and "n+x < n+c" if "x < c" for x::nat and n c\} 660 | The assumptions and the conclusion in a rule in structured form may be arbitrary propositions, in 661 | particular, they may be derivation rules (in unstructured form). If a conclusion is a derivation 662 | rule the assumptions \A\<^sub>1, \, A\<^sub>n\ are added to the assumptions present in the conclusion. 663 | \ 664 | 665 | subsection "Conditional Definitions" 666 | text_raw\\label{theory-prop-conddefs}\ 667 | 668 | text\ 669 | A definition, as described in Section~\ref{theory-definition-defs} may be conditional\index{definition!conditional $\sim$}\index{conditional definition}, then its 670 | defining equation has the form of a derivation rule 671 | @{theory_text[display] 672 | \definition name where "\A\<^sub>1; \; A\<^sub>n\ \ name \ term"\} 673 | or in structured form: 674 | @{theory_text[display] 675 | \definition name where "name \ term" if "A\<^sub>1" \ "A\<^sub>n"\} 676 | Since no free variables are allowed in \term\ it is not possible to bind variables using \\\. 677 | The meaning of a conditional definition is that the value of \name\ is only defined by the \term\ 678 | if all assumptions are valid. Otherwise it is underspecified. 679 | 680 | For the rule conclusion also the form \name x\<^sub>1 \ x\<^sub>n \ term\ can be used if \name\ has a function 681 | type. Then the \x\<^sub>1 \ x\<^sub>n\ may occur in the \A\<^sub>1, \, A\<^sub>n\ and restrict the specification of function 682 | values to specific function arguments. 683 | 684 | As for normal definitions a type may be specified for \name\ and the short form may be used where 685 | only the defining rule is given. For the abbreviations described in 686 | Section~\ref{theory-definition-abbrevs} a conditional form is not available. 687 | \ 688 | 689 | section "Theorems" 690 | text_raw\\label{theory-theorem}\ 691 | 692 | text \ 693 | A theorem\index{theorem} specifies a proposition together with a proof, that the proposition is valid. Thus it 694 | adds a fact\index{fact} to the enclosing theory.\ 695 | 696 | subsection "Specifying Theorems" 697 | text_raw\\label{theory-theorem-spec}\ 698 | 699 | text\ 700 | A simple form of a theorem is 701 | @{theory_text[display] 702 | \theorem "prop" \\}\index{theorem (keyword)} 703 | where \prop\ is a proposition in inner syntax and \<^theory_text>\\\ is a proof\index{proof} as described in 704 | Chapter \ref{proof}. The keyword \<^theory_text>\theorem\ can be replaced by one of the keywords 705 | \<^theory_text>\lemma\\index{lemma (keyword)}, \<^theory_text>\corollary\\index{corollary (keyword)}, \<^theory_text>\proposition\\index{proposition (keyword)} to give a hint about the use of the theorem to 706 | the reader. 707 | 708 | The example rule from the previous sections can be stated as a fact by the theorem 709 | @{theory_text[display] 710 | \theorem "\ (x::nat) c n . x < c \ n*x \ n*c" \\}\ 711 | 712 | subsubsection "Implicit Variable Bindings" 713 | 714 | text\ 715 | If the proposition in a theorem contains free variables\index{free occurrence}\index{variable!free occurrence of $\sim$} they are implicitly universally 716 | bound\index{variable!bound $\sim$}. Thus the previous example theorem is equivalent to the theorem 717 | @{theory_text[display] 718 | \theorem "(x::nat) < c \ n*x \ n*c" \\} 719 | Explicit binding of variables\index{variable!binding} is only required to avoid name clashes with 720 | constants of the same name. In the theorem 721 | @{theory_text[display] 722 | \theorem "\ (True::nat). True < c \ n*True \ n*c" \\} 723 | the name \True\ is used locally as a variable of type \nat\ instead of the predefined constant 724 | of type \bool\. Of course, using well known constant names as variables is confusing and should 725 | be avoided. 726 | 727 | Explicit binding of variables can also be useful to specify the variable types at a common place 728 | in the proposition instead of scattering them over it. Finally, explicit variable binding makes 729 | a difference for the \\\: it restricts the variables to the proposition so that they are 730 | not available in the \\\ (see Sections~\ref{proof-state-initial} and~\ref{proof-fix}).\ 731 | 732 | subsubsection "Structured Form" 733 | 734 | text\ 735 | If the proposition in a theorem is a derivation rule with possibly multiple conclusions it may also 736 | be specified in structured form (see Section~\ref{theory-prop-struct}): 737 | @{theory_text[display] 738 | \theorem "C\<^sub>1" \ "C\<^sub>h" if "A\<^sub>1" \ "A\<^sub>n" for x\<^sub>1 \ x\<^sub>m \\} 739 | with optional grouping of all components by \<^theory_text>\and\. Remember that the \C\<^sub>i\ may be arbitrary 740 | propositions, therefore a theorem in this form may specify several derivation rules with additional 741 | common assumptions and common bound variables. As for the unstructured form the explicit 742 | binding of variables\index{variable!binding} in the \<^theory_text>\for\ part is optional. If a theorem has free variables in a \C\<^sub>i\ or in 743 | a \A\<^sub>i\ a \<^theory_text>\for\ part is automatically added for all such variables.\ 744 | 745 | subsubsection "Multiple Conclusions" 746 | 747 | text\ 748 | A theorem with multiple conclusions adds a separate fact for every conclusion to the enclosing 749 | theory (copying all assumptions to every such fact), as if there had been a separate theorem for 750 | every conclusion. 751 | 752 | In particular, if no variables are explicitly bound and no common assumptions are present this 753 | form allows to specify several propositions in a common theorem of the form 754 | @{theory_text[display] 755 | \theorem "C\<^sub>1" \ "C\<^sub>h" \\} 756 | where all propositions can be proved together in a single proof. 757 | 758 | The example rules from the previous sections can be stated as facts by a common theorem in the form 759 | @{theory_text[display] 760 | \theorem "(x::nat) < c \ n*x \ n*c" 761 | and "(x::nat) \ c \ x + m \ c + m" 762 | \\} 763 | Although the resulting facts are completely independent of each other, the variables are common 764 | to both propositions. This means that it suffices to specify the type \nat\ for \x\ in one of them. 765 | If different types are specified for \x\ in the two propositions an error is signaled. 766 | \ 767 | 768 | subsection "Unknowns" 769 | text_raw\\label{theory-theorem-unknowns}\ 770 | 771 | text \ 772 | Whenever a theorem turns a proposition to a fact, the free (or universally bound) variables 773 | are replaced by ``unknowns''\index{unknown}. For a variable \name\ the corresponding unknown is \?name\. 774 | This is only a technical difference, it signals to Isabelle that the unknowns can be 775 | consistently substituted by arbitrary terms, as long as the types are preserved. 776 | 777 | The result of such a substitution\index{substitution} is always a special case of the fact and therefore also 778 | a fact. In this way a fact with unknowns gives rise to a (usually infinite) number of facts 779 | which are constructed by substituting unknowns by terms. 780 | 781 | When turned to a fact, the rule used in the example theorems becomes 782 | @{text[display] 783 | \?x < ?c \ ?n*?x \ ?n*?c\} 784 | with type \nat\ associated to all unknowns. 785 | 786 | Propositions specified in a theorem may not contain unknowns, they are only introduced by Isabelle 787 | after proving the proposition. 788 | 789 | Isabelle can be configured to suppress the question mark\index{question mark} when displaying unknowns, then 790 | this technical difference becomes invisible. 791 | \ 792 | 793 | subsection "Named Facts" 794 | text_raw\\label{theory-theorem-named}\ 795 | 796 | text \ 797 | Facts are often used in proofs of other facts. For this purpose they can be named so 798 | that they can be referenced by name\index{fact!name}\index{name!for fact}. A named fact is specified by a theorem of the form 799 | @{theory_text[display] 800 | \theorem name: "prop" \\} 801 | The names used for facts have the same form as names for constants and variables (see 802 | Section~\ref{theory-terms-consts}). The same name can be used for a variable and a fact, they can 803 | always be distinguished by the usage context. 804 | 805 | The example rule from the previous sections can be turned into a fact named \example1\ by 806 | @{theory_text[display] 807 | \theorem example1: "(x::nat) < c \ n*x \ n*c" \\}\index{example1 (example fact)}\ 808 | 809 | subsubsection "Named Fact Collections" 810 | 811 | text\ 812 | It is also possible to introduce named collections of facts\index{fact!collection}\index{name!for fact collection}. A simple way to introduce 813 | such a named collection is 814 | @{theory_text[display] 815 | \lemmas name = name\<^sub>1 \ name\<^sub>n\} 816 | where \name\<^sub>1 \ name\<^sub>n\ are names of existing facts or fact collections. 817 | 818 | If there is a second rule stated as a named fact by 819 | @{theory_text[display] 820 | \theorem example2: "(x::nat) \ c \ x + m \ c + m" \\}\index{example2 (example fact)} 821 | a named collection can be introduced by 822 | @{theory_text[display] 823 | \lemmas examples = example1 example2\}\index{examples (example fact set)} 824 | 825 | If a theorem with multiple conclusions is named in the form 826 | @{theory_text[display] 827 | \theorem name: "C\<^sub>1" \ "C\<^sub>h" if "A\<^sub>1" \ "A\<^sub>n" for x\<^sub>1 \ x\<^sub>m \\} 828 | it introduces the name for the collection of all resulting facts. Moreover, if the conclusions are 829 | grouped by \<^theory_text>\and\, (some of) the groups\index{conclusion!group} may be named separately in the form 830 | @{theory_text[display] 831 | \theorem name\<^sub>1: "C\<^sub>1\<^sub>,\<^sub>1" \ "C\<^latex>\$_{1,g_1}$\" and \ and name\<^sub>h: "C\<^sub>h\<^sub>,\<^sub>1" \ "C\<^latex>\$_{h,g_h}$\" 832 | if "A\<^sub>1" \ "A\<^sub>n" for x\<^sub>1 \ x\<^sub>m \\} 833 | which introduces the names for the corresponding collections of facts according to the groups. 834 | 835 | In this way the two example facts may be specified and named by the common theorem 836 | @{theory_text[display] 837 | \theorem example1: "(x::nat) < c \ n*x \ n*c" 838 | and example2: "(x::nat) \ c \ x + m \ c + m" 839 | \\}\index{example1 (example fact)}\index{example2 (example fact)}\ 840 | 841 | subsubsection "Dynamic Fact Sets" 842 | 843 | text\ 844 | As an alternative to introducing fact names in theorems a ``dynamic fact set''\index{fact!set}\index{dynamic fact set} can be declared by 845 | @{theory_text[display] 846 | \named_theorems name\} 847 | It can be used as a ``bucket'' where facts can be added afterwards by specifying the bucket 848 | name in the theorem: 849 | @{theory_text[display] 850 | \theorem [name]: "prop" \\} 851 | or together with specifying a fixed fact name \<^theory_text>\name\<^sub>f\ by 852 | @{theory_text[display] 853 | \theorem name\<^sub>f[name]: "prop" \\} 854 | 855 | There are also some predefined ``internal fact sets''\index{internal fact set}. For them the name can only be used to add 856 | facts as described above, the set cannot be used or displayed by referring it by name. Examples 857 | are the internal fact sets \intro\ (see Section~\ref{methods-rule-intro}) and \simp\ (see 858 | Section~\ref{methods-simp-simp}). 859 | \ 860 | 861 | subsection "Alternative Theorem Syntax" 862 | text_raw\\label{theory-theorem-altsynt}\ 863 | 864 | text \ 865 | If the proposition of a theorem is a derivation rule with possibly multiple conclusions Isabelle 866 | supports an alternative structured form\index{structured form}\index{syntax!alternative $\sim$!for theorems} 867 | \index{syntax!structured $\sim$!for theorems} for it: 868 | @{theory_text[display] 869 | \theorem 870 | fixes x\<^sub>1 \ x\<^sub>m 871 | assumes "A\<^sub>1" \ "A\<^sub>n" 872 | shows "C\<^sub>1" \ "C\<^sub>h" 873 | \\}\index{fixes (keyword)}\index{assumes (keyword)}\index{shows (keyword)} 874 | As for the general structured form (see Section~\ref{theory-prop-struct}) the variables, 875 | assumptions, and conclusions may be grouped by \<^theory_text>\and\, a type may be specified for each variable 876 | group, the keywords belong to the outer syntax and the \C\<^sub>i\ and \A\<^sub>i\ must be individually quoted. 877 | Moreover, the explicit binding of variables\index{variable!binding} in the \<^theory_text>\fixes\ part is optional, as in a \<^theory_text>\for\ part. 878 | 879 | Note that this structured form may only be used if a derivation rule is specified in a theorem. 880 | 881 | Using this syntax the two-assumption example rule from Section~\ref{theory-prop} can be 882 | written as 883 | @{theory_text[display] 884 | \theorem 885 | fixes x::nat and c n 886 | assumes "x < c" and "n > 0" 887 | shows "n*x < n*c" 888 | \\} 889 | 890 | As for the general structured form of a theorem (some of) the conclusion groups may be named 891 | individually which introduces the names for the corresponding fact collections. A possibly 892 | additional name specified after the \<^theory_text>\theorem\ keyword names the collection of the resulting facts 893 | from all groups together: 894 | @{theory_text[display] 895 | \theorem name: 896 | fixes x\<^sub>1 \ x\<^sub>m 897 | assumes "A\<^sub>1" \ "A\<^sub>n" 898 | shows name\<^sub>1: "C\<^sub>1\<^sub>,\<^sub>1" \ "C\<^latex>\$_{1,g_1}$\" and \ and name\<^sub>h: "C\<^sub>h\<^sub>,\<^sub>1" \ "C\<^latex>\$_{h,g_h}$\" 899 | \\}\ 900 | 901 | subsection "Definitions as Facts" 902 | text_raw\\label{theory-theorem-defs}\ 903 | 904 | text \ 905 | The definitions\index{definition!as fact} described in Section~\ref{theory-definition-defs} also introduce facts in 906 | the enclosing theory. Every definition introduces a new constant and specifies a defining 907 | equation of the form \name \ term\ for it. This equation is a proposition. It is the initial information given for 908 | the new constant, thus it is valid ``by definition'' and is a fact in the theory. 909 | 910 | These facts are automatically named. If \name\ is the name of the defined constant, the 911 | defining equation\index{name!of defining equation}\index{definition!name} is named \name_def\\index{def@$\_$def (fact name suffix)}. Alternatively an explicit name can be specified in 912 | the form 913 | @{theory_text[display] 914 | \definition name :: type 915 | where fact_name: "name \ term"\} 916 | 917 | Although the auxiliary constants used in an \<^theory_text>\overloading\\index{overloading} specification (see 918 | Section~\ref{theory-overload-true}) are not accessible outside the specification, their 919 | definitions are. So they can be referred by their names and used as information about the 920 | overloaded constant. 921 | \ 922 | 923 | subsection "Displaying and Searching Named Facts" 924 | text_raw\\label{theory-theorem-search}\ 925 | 926 | subsubsection "Fact Display" 927 | 928 | text \ 929 | A named fact or fact set (but not a dynamic fact set) can be displayed\index{fact!display} in its standard form 930 | as proposition using the command 931 | @{theory_text[display] 932 | \thm name\}\index{thm (keyword)} 933 | and it can be displayed in its structured form with \<^theory_text>\fixes\, \<^theory_text>\assumes\, and \<^theory_text>\shows\ using the 934 | command 935 | @{theory_text[display] 936 | \print_statement name\}\index{print-statement@print$\_$statement (keyword)} 937 | 938 | In the interactive editor a list of the named facts introduced by an outer syntax construct such as 939 | \<^theory_text>\theorem\ can be obtained by positioning the curser after the construct and using the Query panel\index{panel!query $\sim$} 940 | (see Section~\ref{system-jedit-query}) in tab ``Print Context'' by checking ``theorems''. For 941 | theorems the introduced facts are usually apparent, but there are constructs in HOL, such as 942 | inductive or recursive definitions (see Sections~\ref{holbasic-inductive} and~\ref{holbasic-recursive}), 943 | where it may be interesting to look at the introduced facts. 944 | \ 945 | 946 | subsubsection "Fact Search" 947 | 948 | text\ 949 | Named facts may be searched\index{fact!search $\sim$}\index{search!for facts} using the command 950 | @{theory_text[display] 951 | \find_theorems criterion\<^sub>1 \ criterion\<^sub>n\}\index{find-theorems@find$\_$theorems (keyword)} 952 | or using the Query panel\index{panel!query $\sim$} (see Section~\ref{system-jedit-query}) in the ``Find Theorems'' tab using 953 | the sequence \criterion\<^sub>1 \ criterion\<^sub>n\ as search specification\index{search!specification} in the ``Find:'' input field. The 954 | \criterion\<^sub>i\ are combined by conjunction. 955 | 956 | A \criterion\<^sub>i\ may be a term containing unknowns as subterms (called a ``term pattern''\index{term!pattern}). Then 957 | all facts are found which contain a matching subterm in their proposition. A term pattern matches 958 | a subterm if the unknowns in the pattern can be consistently replaced by terms so that the result 959 | is syntactically equal to the subterm. The term pattern is specified in inner syntax and must be 960 | quoted. Only named facts can be found in this way. 961 | 962 | The example theorems \example1\ and \example2\ can be found using the term pattern \"?t1 \ ?t2"\, 963 | whereas the pattern \"?t1 + ?c \ ?t2 + ?c"\ will only find \example2\. 964 | 965 | A \criterion\<^sub>i\ may also have the form \name: strpat\ where \strpat\ is a string pattern which may 966 | use ``*'' as wildcard (then the pattern must be enclosed in double quotes). Then all facts are found 967 | where the \strpat\ matches a substring of the fact name. After naming the example theorems 968 | as above the criterion \name: example\ will display the theorems \example1\ and \example2\ 969 | with their names and propositions. 970 | 971 | The commands for display and search may be entered in the text area outside of theorems and at most 972 | positions in a proof. The found facts are displayed with their names in the Output panel\index{panel!output $\sim$} (see 973 | Section~\ref{system-jedit-output}). 974 | \ 975 | end -------------------------------------------------------------------------------- /Chapter_methods.thy: -------------------------------------------------------------------------------- 1 | theory Chapter_methods 2 | imports Chapter_proofs 3 | begin 4 | chapter "Proof Methods" 5 | text_raw\\label{methods}\ 6 | 7 | text \ 8 | The basic building blocks of Isabelle proofs are the proof methods\index{proof!method} which modify the goal state. 9 | If there are several goals in the goal state it depends on the specific method which goals 10 | are affected by it. In most cases only the first goal is affected. 11 | \ 12 | 13 | section "The empty Method" 14 | text_raw\\label{methods-empty}\ 15 | 16 | text\ 17 | The empty method\index{method!empty $\sim$} is denoted by a single minus sign 18 | @{theory_text[display] 19 | \-\}\index{-@\-\ (method)} 20 | If no input facts are passed to it, it does nothing, it does not alter the goal state. An exception 21 | is a goal of the form \C\<^sub>1 &&& \ &&& C\<^sub>h\ which is always split to separate goals \C\<^sub>i\ whenever a 22 | method is applied (see section~\ref{proof-state-initial}). 23 | 24 | The empty method is useful at the beginning of a structured proof of the form 25 | @{theory_text[display] 26 | \proof method ST\<^sub>1 \ ST\<^sub>n qed\} 27 | If the statements \ST\<^sub>1 \ ST\<^sub>n\ shall process the unmodified original goal the 28 | empty method must be specified for \method\, thus the structured proof becomes 29 | @{theory_text[display] 30 | \proof - ST\<^sub>1 \ ST\<^sub>n qed\} 31 | 32 | Note that it is possible to syntactically omit the \method\ completely, but then it defaults to the 33 | method named \standard\ which alters the goal state (see Section~\ref{methods-rule-standard}). 34 | 35 | If input facts are passed to the empty method, it affects all goals by inserting the input facts as 36 | assumptions after the existing assumptions. If the input facts are \F\<^sub>1,\,F\<^sub>m\ a goal of the form 37 | \\A\<^sub>1;\;A\<^sub>n\ \ C\ is replaced by the goal \\A\<^sub>1;\;A\<^sub>n;F\<^sub>1,\,F\<^sub>m\ \ C\. 38 | 39 | This makes it possible to transfer facts stored in the proof context to the goal state where they 40 | are stored as rule assumptions (see Section~\ref{proof-proc-store}). Since this way of storing facts 41 | is not useful for structured proofs it is normally useless to input facts into a structured proof 42 | with the empty method as initial method. 43 | 44 | If a goal statement instead uses a proof script as subproof the script can be started by applying 45 | the empty method to transfer input facts into the goal state for use by further method applications: 46 | @{theory_text[display] 47 | \ \ then have "C" apply - MA\<^sub>1 \ MA\<^sub>n done\} 48 | If the current facts are \F\<^sub>1,\,F\<^sub>m\ before the \<^theory_text>\then\ statement the goal state in the subproof 49 | contains the goal \\F\<^sub>1,\,F\<^sub>m\ \ C\ before method application \MA\<^sub>1\, so the facts are available 50 | for use in the proof script. 51 | \ 52 | 53 | section "Terminating Proof Scripts" 54 | text_raw\\label{methods-assumption}\ 55 | 56 | text\ 57 | As described in Section~\ref{proof-state-goal} a proof is complete when its goal state is empty. 58 | In a structured proof goals are removed from the goal state by successful \<^theory_text>\show\ statements. 59 | Therefore a structured proof is usually terminated by a \<^theory_text>\show\ statement which removes the last 60 | goal in the goal state. 61 | 62 | Proof scripts, instead, are intended to store facts as rule assumptions in the goal state (see 63 | Section~\ref{proof-struct-syntax}). Then the proof of a goal is complete when the conclusion of the 64 | current goal unifies with one of its assumptions (see Section~\ref{proof-proc-construct}). 65 | \ 66 | 67 | subsection \The {\sl assumption} Method\ 68 | text_raw\\label{methods-assumption-method}\ 69 | 70 | text\ 71 | Such goals are removed from the goal state by the method 72 | @{theory_text[display] 73 | \assumption\}\index{assumption (method)} 74 | The method only affects the first goal. If that goal has the form \\A\<^sub>1;\;A\<^sub>n\ \ C\ and one 75 | assumption \A\<^sub>i\ unifies with \C\ the method removes the goal, otherwise an error is signaled. 76 | 77 | The \<^theory_text>\assumption\ method is automatically applied by a proof part of the form 78 | @{theory_text[display] 79 | \qed method\} 80 | after applying the specified \method\. The application of the \<^theory_text>\assumption\ method is repeated as 81 | long as it is applicable, thus \<^theory_text>\qed\\index{qed (keyword)} removes all goals from the goal state where the conclusion 82 | matches an assumption. The same holds for the abbreviated forms \<^theory_text>\by method\ and \<^theory_text>\by method\<^sub>1 83 | method\<^sub>2\ (see Section~\ref{proof-struct-syntax}). 84 | 85 | Therefore a proof script consisting of method applications \MA\<^sub>1 \ MA\<^sub>n\ can be terminated by \<^theory_text>\by -\ 86 | if the method applications refine all goals to the form where the conclusion unifies with an 87 | assumption. Note that \<^theory_text>\done\ does not remove such goals, when it is used to terminate a proof it 88 | expects that the goal state is already empty. 89 | \ 90 | 91 | section "Basic Rule Application" 92 | text_raw\\label{methods-rule}\ 93 | 94 | text \ 95 | As described in Section~\ref{proof-proc-construct} the basic step in the construction of a proof 96 | is to establish the connection between a fact \F\<^sub>i\ and a fact \F\<^sub>i\<^sub>+\<^sub>1\ in the fact sequence. Assume 97 | that there is already a valid derivation rule \RA\<^sub>i \ RC\<^sub>i\ named \r\<^sub>i\ where \RA\<^sub>i\ unifies with 98 | \F\<^sub>i\ and \RC\<^sub>i\ unifies with \F\<^sub>i\<^sub>+\<^sub>1\. Then the connection can be established by applying that rule\index{rule!application}. 99 | \ 100 | 101 | subsection \The {\sl rule} Method\ 102 | text_raw\\label{methods-rule-method}\ 103 | 104 | text\ 105 | A rule is applied by the method 106 | @{theory_text[display] 107 | \rule name\}\index{rule (method)} 108 | where \name\ is the name of a valid rule. The method only affects the first goal. If that goal 109 | has the form \\A\<^sub>1;\;A\<^sub>n\ \ C\ and the rule referred by \name\ has the form \\RA\<^sub>1;\;RA\<^sub>m\ \ RC\ 110 | the method first unifies \RC\ with the goal conclusion \C\. That yields the specialized rule 111 | \\RA\<^sub>1';\;RA\<^sub>m'\ \ RC'\ where \RC'\ is syntactically equal to \C\ and every \RA\<^sub>j'\ results from 112 | \RA\<^sub>j\ by substituting unknowns by the same terms as in \RC'\. If the goal does not contain unknowns 113 | (which is the normal case) \C\ is not modified by the unification. If the unification fails 114 | the method cannot be executed on the goal state and an error is signaled. Otherwise the method 115 | replaces the goal by the \m\ new goals \\A\<^sub>1;\;A\<^sub>n\ \ RA\<^sub>j'\. 116 | 117 | If the rule has the form \RA \ RC\ with only one assumption the method replaces the goal by 118 | the single new goal \\A\<^sub>1;\;A\<^sub>n\ \ RA'\. If the rule is a formula \RC\ without any 119 | assumptions the method removes the goal without introducing a new goal. 120 | 121 | Note that if facts are stored as rule assumptions in the goal state (see 122 | Section~\ref{proof-proc-store}) an application of method \<^theory_text>\rule\ preserves these facts and copies 123 | them to every new goal. 124 | 125 | If an assumption \RA\<^sub>j\ is again a rule (i.e., the applied rule is a meta rule) and has the form 126 | \\B\<^sub>1;\;B\<^sub>k\ \ B\ the \j\th new goal becomes \\A\<^sub>1;\;A\<^sub>n\ \ (\B\<^sub>1';\;B\<^sub>k'\ \ B')\ which by 127 | definition of the \\\;\ \\ syntax (see Section~\ref{theory-prop-altsynt}) is equivalent to 128 | \\A\<^sub>1;\;A\<^sub>n;B\<^sub>1';\;B\<^sub>k'\ \ B')\. In this way the rule can introduce additional assumptions in the 129 | resulting goals, which are inserted after the existing assumptions. 130 | \ 131 | 132 | subsection \Using the {\sl rule} Method for Backward Reasoning Steps\ 133 | text_raw\\label{methods-rule-backwards}\ 134 | 135 | text\ 136 | Assume that during a proof for \A \ C\ as described in Section~\ref{proof-proc-construct} the 137 | intermediate fact sequence \F\<^sub>i\<^sub>+\<^sub>1, \ F\<^sub>n\<^sub>-\<^sub>1, C\ has already been constructed by backward 138 | reasoning\index{backward reasoning}\index{reasoning!backward $\sim$}, i.e., the current goal is \F\<^sub>i\<^sub>+\<^sub>1\. If \r\<^sub>i\ names a rule \RA\<^sub>i \ RC\<^sub>i\, the successful 139 | method application 140 | @{theory_text[display] 141 | \apply (rule r\<^sub>i)\} 142 | will replace the current goal by \F\<^sub>i\ and thus extend the fact sequence to \F\<^sub>i, \, F\<^sub>n\<^sub>-\<^sub>1, C\. 143 | The fact \F\<^sub>i\ is the specialized assumption \RA\<^sub>i'\ constructed by the method from 144 | the assumption \RA\<^sub>i\ of rule \r\<^sub>i\. Together, this application of the \<^theory_text>\rule\ method implements 145 | the backwards reasoning step from \F\<^sub>i\<^sub>+\<^sub>1\ to \F\<^sub>i\. 146 | 147 | Therefore the fact sequence \F\<^sub>1, \, F\<^sub>n\<^sub>-\<^sub>1, C\ of the complete proof can be 148 | constructed by the proof script consisting of the backward reasoning steps 149 | @{theory_text[display] 150 | \apply (rule `r\<^sub>n\<^sub>-\<^sub>1`) 151 | \ 152 | apply(rule r\<^sub>1) 153 | apply(assumption) 154 | done\} 155 | 156 | Note that we used the \<^theory_text>\assumption\\index{assumption (method)} method to remove the goal \A \ F\<^sub>1\ by unifying \F\<^sub>1\ with \A\. 157 | Alternatively we can use the form 158 | @{theory_text[display] 159 | \apply (rule `r\<^sub>n\<^sub>-\<^sub>1`) 160 | \ 161 | apply(rule r\<^sub>1) 162 | by -\} 163 | where the \<^theory_text>\assumption\ method is applied implicitly, as described in 164 | Section~\ref{methods-assumption-method}, or even shorter 165 | @{theory_text[display] 166 | \apply (rule `r\<^sub>n\<^sub>-\<^sub>1`) 167 | \ 168 | by (rule r\<^sub>1)\} 169 | 170 | If the example from Section~\ref{proof-proc-construct} is proved this way the theorem is written 171 | together with its proof as 172 | @{theory_text[display] 173 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 174 | apply (rule example2) 175 | by (rule example1)\} 176 | 177 | Note that the assumption \A\ of the initial goal must be reached exactly by the sequence of rule 178 | applications. If it is replaced in the example by the stronger assumption \x < 3\ the rule 179 | applications will lead to the goal \x < 3 \ x < 5\ which is trivial for the human reader 180 | but not applicable to the \<^theory_text>\assumption\ method. 181 | \ 182 | 183 | subsection "Automatic Rule Selection" 184 | text_raw\\label{methods-rule-select}\ 185 | 186 | text\ 187 | The \rule\ method can be specified in the form 188 | @{theory_text[display] 189 | \rule\} 190 | without naming the rule to be applied. Then it selects a rule automatically. It uses the first 191 | rule from the internal fact set \intro\\index{intro (fact set name)} for which the conclusion unifies with the goal conclusion. 192 | If there is no such rule in the set an error is signaled. 193 | 194 | If the rules \example1\ and \example2\ would be in the \intro\ set, the example proof could 195 | be written as 196 | @{theory_text[display] 197 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 198 | apply rule 199 | by rule\} 200 | \ 201 | 202 | subsection "Introduction Rules" 203 | text_raw\\label{methods-rule-intro}\ 204 | 205 | text\ 206 | The set \intro\ is intended by Isabelle for a specific kind of rules called ``introduction rules''\index{rule!introduction $\sim$}. 207 | In such a rule a specific function \f\ (perhaps written using an operator name) occurs only in the 208 | conclusion, but not in any assumption, hence it is ``introduced'' by the rule. 209 | 210 | When an introduction rule for \f\ is applied to a goal by the \<^theory_text>\rule\ method, it works ``backwards'' 211 | and removes \f\ from the goal. If the set \intro\ only contains introduction rules and no rule 212 | adds a function which has been removed by another rule in the set, an iterated application of the 213 | \<^theory_text>\rule\ method with automatic rule selection will ``deconstruct'' the goal: every step removes a 214 | function from the goal. The iteration stops when no rule in \intro\ is applicable. In some sense 215 | the resulting goals are simpler because the set of functions used in them has been reduced. 216 | Some proofs can be written using this technique, however, they depend on the careful selection of 217 | the introduction rule in \intro\. 218 | 219 | A rule is also called an introduction rule for a function \f\ if \f\ occurs in some assumption(s) 220 | but in a different form (usually applied to other arguments). Then an application by the \<^theory_text>\rule\ 221 | method will replace a term containing \f\ by a different term containing \f\. The idea is to replace 222 | terms in several steps using one or more introduction rules until finally removing \f\ completely.\ 223 | 224 | subsubsection "The \intro\ Method" 225 | 226 | text\ 227 | This proof technique can also be applied by the method 228 | @{theory_text[display] 229 | \intro name\<^sub>1 \ name\<^sub>n\}\index{intro (method)} 230 | where \name\<^sub>1 \ name\<^sub>n\ refer to valid rules. It iterates applying rules from the given set to a goal 231 | in the goal state as long as this is possible. It is intended to be used with introduction rules. 232 | Then it automatically deconstructs the goals as much as possible with the given rules. Note that 233 | the method does not use the \intro\ set.\ 234 | 235 | subsubsection "Examples" 236 | 237 | text\ 238 | The rule \example1\ from Section~\ref{theory-theorem-named} is an introduction rule for both 239 | functions \(\)\ and \(*)\, but it is only applicable to special uses of them and it replaces them 240 | by the function \(<)\ which also is only useful for some specific proofs. In the rule \example2\ 241 | the function \(\)\ also occurs in the assumption, however applied to other arguments, therefore it 242 | can also be considered as an introduction rule for \(\)\. 243 | 244 | Using the \<^theory_text>\intro\ method the example proof can be written as 245 | @{theory_text[display] 246 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 247 | by (intro example1 example2)\} 248 | 249 | The rules usually present in \intro\ in Isabelle are carefully selected to be as generally 250 | applicable and useful for a large number of proofs as possible. Besides by the \<^theory_text>\rule\ method the 251 | \intro\ set is also used internally by some of the automatic methods described in 252 | Section~\ref{methods-auto-methods}.\ 253 | 254 | subsubsection "Searching Introduction Rules" 255 | 256 | text\ 257 | If the cursor in the text area is positioned in a proof, introduction rules applicable to the first 258 | goal in the goal state of the enclosing proof can be searched\index{search!for introduction rules} using the keyword \intro\ as criterion 259 | for a search by \<^theory_text>\find_theorems\ or in the Query panel\index{panel!query $\sim$}, as described in 260 | Section~\ref{theory-theorem-search}. It finds all named facts which can be applied by the \rule\ 261 | method to the first goal, i.e., the conclusions can be unified. 262 | \ 263 | 264 | subsection \The {\sl standard} Method\ 265 | text_raw\\label{methods-rule-standard}\ 266 | 267 | text\ 268 | The method 269 | @{theory_text[display] 270 | \standard\}\index{standard (method)} 271 | is a method alias which can be varied for different Isabelle applications. Usually it is mainly 272 | an alias for the \rule\ method. 273 | 274 | The \standard\ method is the default, if no method is specified as the initial step in a 275 | structured proof. Thus 276 | @{theory_text[display] 277 | \proof ST\<^sub>1 \ ST\<^sub>n qed\} 278 | is an abbreviation for 279 | @{theory_text[display] 280 | \proof standard ST\<^sub>1 \ ST\<^sub>n qed\} 281 | 282 | Note that the \<^theory_text>\standard\ method as initial method in a structured proof will usually affect the 283 | goal by applying a rule from the set \intro\ to it. That may be useful in some cases, but it has to 284 | be taken into account when writing the statements of the proof. If the rules \example1\ 285 | and \example2\ are again considered to be in the set \intro\, the example proof could be written as 286 | @{theory_text[display] 287 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 288 | proof 289 | show "x < 5 \ 2*x \ 2*5" by (rule example1) 290 | qed\} 291 | because \proof\ (without the empty method \\\) already applies the rule \example2\ by applying 292 | the \<^theory_text>\standard\ method. It replaces the original goal by \x < 5 \ 2*x \ 2*5\, so only this goal 293 | remains to be proved. However, this goal replacement is often not apparent to the reader of the 294 | proof. Therefore this form of structured proof should be used with care, it is only intended for 295 | some standard cases where the goal replacement is clearly expected by the proof reader and writer. 296 | Also note that \?thesis\ still abbreviates the original goal conclusion and thus cannot be used in 297 | the proof anymore.\ 298 | 299 | subsubsection "The \..\ Proof" 300 | 301 | text\ 302 | In the abbreviated form \<^theory_text>\by method\ of a structured proof the method cannot be omitted, but 303 | the proof \<^theory_text>\by standard\ can be abbreviated to 304 | @{theory_text[display] 305 | \..\}\index{.. (keyword)} 306 | (two dots). It can be used as complete proof for a proposition which can be proved by a single 307 | automatic rule application. Since in the example proof also rule \example1\ could be automatically 308 | selected by the \<^theory_text>\standard\ method, it could be further abbreviated as 309 | @{theory_text[display] 310 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 311 | proof 312 | show "x < 5 \ 2*x \ 2*5" .. 313 | qed\}\ 314 | 315 | section "Rule Application in Forward Reasoning" 316 | text_raw\\label{methods-forward}\ 317 | 318 | text\ 319 | Assume that during a proof for \A \ C\ as described in Section~\ref{proof-proc-construct} the 320 | intermediate fact sequence \A, F\<^sub>2, \, F\<^sub>i\ has already been constructed by forward reasoning\index{forward reasoning}\index{reasoning!forward $\sim$} and has 321 | been stored in the proof context. Then the next step is to state fact \F\<^sub>i\<^sub>+\<^sub>1\ and prove it using a 322 | rule \RA\<^sub>i \ RC\<^sub>i\ named \r\<^sub>i\. \ 323 | 324 | subsection \Using the {\sl rule} Method for Forward Reasoning Steps\ 325 | text_raw\\label{methods-forward-rule}\ 326 | 327 | text\ 328 | Using method \<^theory_text>\rule\\index{rule (method)} the step can be started by the statement 329 | @{theory_text[display] 330 | \have "F\<^sub>i\<^sub>+\<^sub>1" proof (rule r\<^sub>i)\} 331 | The goal of this subproof is simply \F\<^sub>i\<^sub>+\<^sub>1\, so applying the \<^theory_text>\rule\ method with \r\<^sub>i\ will result 332 | in the new goal \RA\<^sub>i'\ which unifies with \F\<^sub>i\. The subproof is not finished, since its goal state 333 | is not empty. But the goal unifies with an already known fact. Solving a goal which 334 | resulted from an assumption of an applied rule is also called ``discharging an assumption''.\ 335 | 336 | subsubsection "Discharging Assumptions Using the \fact\ Method" 337 | 338 | text\ 339 | The proof method 340 | @{theory_text[display] 341 | \fact name\}\index{fact (method)} 342 | can be used to remove that goal. The method only affects the first goal. If the fact referred by 343 | \name\ unifies with it, the goal is removed, otherwise an error is signaled. 344 | 345 | Using this method the forward reasoning step can be completed as 346 | @{theory_text[display] 347 | \have "F\<^sub>i\<^sub>+\<^sub>1" proof (rule r\<^sub>i) qed (fact f\<^sub>i)\} 348 | if \F\<^sub>i\ has been named \f\<^sub>i\. This can be abbreviated (see Section~\ref{proof-struct-syntax}) to 349 | @{theory_text[display] 350 | \have "F\<^sub>i\<^sub>+\<^sub>1" by (rule r\<^sub>i) (fact f\<^sub>i)\} 351 | 352 | Therefore the fact sequence \A, F\<^sub>2, \, F\<^sub>n\<^sub>-\<^sub>1, C\ of the complete proof for the goal \A \ C\ can be 353 | constructed by the structured proof of the form 354 | @{theory_text[display] 355 | \proof - 356 | assume a: "A" 357 | have f\<^sub>2: "F\<^sub>2" by (rule r\<^sub>1) (fact a) 358 | \ 359 | have `f\<^sub>n\<^sub>-\<^sub>1`: "F\<^sub>n\<^sub>-\<^sub>1" by (rule `r\<^sub>n\<^sub>-\<^sub>2`) (fact `f\<^sub>n\<^sub>-\<^sub>2`) 360 | show "?thesis" by (rule `r\<^sub>n\<^sub>-\<^sub>1`) (fact `f\<^sub>n\<^sub>-\<^sub>1`) 361 | qed\} 362 | where \?thesis\ abbreviates the conclusion \C\, as usual. 363 | 364 | If the example from Section~\ref{proof-proc-construct} is proved this way the theorem is written 365 | together with its proof as 366 | @{theory_text[display] 367 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 368 | proof - 369 | assume a: "x < 5" 370 | have f\<^sub>2: "2*x \ 2*5" by (rule example1) (fact a) 371 | show ?thesis by (rule example2) (fact f\<^sub>2) 372 | qed\}\ 373 | 374 | subsubsection "Automatic Fact Selection" 375 | 376 | text\ 377 | The \fact\ method can be specified in the form 378 | @{theory_text[display] 379 | \fact\} 380 | without naming the fact to be used. Then it selects a fact automatically. It uses the first 381 | fact from the proof context which unifies with the goal. If there is no such fact in the 382 | proof context an error is signaled. 383 | 384 | Thus the example can be written without naming the facts as 385 | @{theory_text[display] 386 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 387 | proof - 388 | assume "x < 5" 389 | have "2*x \ 2*5" by (rule example1) fact 390 | show ?thesis by (rule example2) fact 391 | qed\}\ 392 | 393 | subsection \Input Facts for the {\sl rule} Method\ 394 | text_raw\\label{methods-forward-input}\ 395 | 396 | text\ 397 | If input facts \F\<^sub>1, \, F\<^sub>n\ are passed to the \rule\ method, they are used to remove assumptions 398 | from the rule applied by the method. If the rule has the form \\RA\<^sub>1;\;RA\<^sub>n\<^sub>+\<^sub>m\ \ RC\ and 399 | every fact \F\<^sub>i\ unifies with assumption \RA\<^sub>i\ the first \n\ assumptions are removed and the 400 | rule becomes \\RA\<^sub>n\<^sub>+\<^sub>1';\;RA\<^sub>n\<^sub>+\<^sub>m'\ \ RC'\, specialized according to the term substitutions performed 401 | by the unifications. Then it is applied to the first goal in the usual way. 402 | If there are more input facts than assumptions or if a fact does not unify, an error is signaled. 403 | 404 | This behavior of the \<^theory_text>\rule\ method can be explained as follows: as described above, for every 405 | assumption in the applied rule the method creates a goal which has the assumption as conclusion. As 406 | usual, the goal is considered solved, if the conclusion unifies with a fact in the proof context. 407 | By unifying the input facts with the rule assumptions the method determines the goals which would 408 | immediately be solved and thus can be omitted, then it removes the assumptions from the rule so 409 | that the corresponding goals are never created.\ 410 | 411 | subsubsection "Discharging Assumptions Using Explicit Fact Input" 412 | 413 | text\ 414 | This allows to establish the connection from a fact \F\<^sub>i\ to \F\<^sub>i\<^sub>+\<^sub>1\ in a fact chain by a 415 | forward reasoning step of the form 416 | @{theory_text[display] 417 | \from f\<^sub>i have "F\<^sub>i\<^sub>+\<^sub>1" by (rule r\<^sub>i)\} 418 | where \f\<^sub>i\ names the fact \F\<^sub>i\. When it is input to the goal statement it is passed to 419 | the \<^theory_text>\rule\ method and removes the assumption from the applied rule \RA\<^sub>i \ RC\<^sub>i\, resulting 420 | in the assumption-less ``rule'' \RC\<^sub>i\. When it is applied to the goal \F\<^sub>i\<^sub>+\<^sub>1\ it unifies and 421 | removes the goal, thus the subproof is complete.\ 422 | 423 | subsubsection "Discharging Assumptions Using Chaining" 424 | 425 | text\ 426 | For the fact sequence chaining can be used to write a structured proof without naming the facts: 427 | @{theory_text[display] 428 | \proof - 429 | assume "F\<^sub>1" 430 | then have "F\<^sub>2" by (rule r\<^sub>1) 431 | \ 432 | then have "F\<^sub>n\<^sub>-\<^sub>1" by (rule `r\<^sub>n\<^sub>-\<^sub>2`) 433 | then show "F\<^sub>n" by (rule `r\<^sub>n\<^sub>-\<^sub>1`) 434 | qed\} 435 | As described in Section~\ref{methods-rule-standard} the subproof \by (rule r\<^sub>i)\ can be abbreviated as 436 | \..\ if the rule \r\<^sub>i\ is in the \intro\ rule set. 437 | 438 | If the example from Section~\ref{proof-proc-construct} is proved this way the theorem is written 439 | together with its proof as 440 | @{theory_text[display] 441 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 442 | proof - 443 | assume "x < 5" 444 | then have "2*x \ 2*5" by (rule example1) 445 | then show ?thesis by (rule example2) 446 | qed\} 447 | \ 448 | 449 | subsection \The Method {\sl this}\ 450 | text_raw\\label{methods-forward-this}\ 451 | 452 | text\ 453 | Rule application can also be done by the method 454 | @{theory_text[display] 455 | \this\}\index{this (method)} 456 | Instead of applying a named method, it applies the input fact as rule to the first goal. 457 | 458 | If several input facts are given, the method applies them exactly in the given order. Therefore 459 | the fact sequence can also be constructed by a structured proof of the form: 460 | @{theory_text[display] 461 | \proof - 462 | assume "F\<^sub>1" 463 | with r\<^sub>1 have "F\<^sub>2" by this 464 | \ 465 | with `r\<^sub>n\<^sub>-\<^sub>2` have "F\<^sub>n\<^sub>-\<^sub>1" by this 466 | with `r\<^sub>n\<^sub>-\<^sub>1` show "F\<^sub>n" by this 467 | qed\} 468 | The \<^theory_text>\with\ statement inserts the explicitly specified facts \<^emph>\before\ the current facts. 469 | Therefore every goal statement for \F\<^sub>i\ gets as input the rule \r\<^sub>i\<^sub>-\<^sub>1\ followed by the 470 | chained fact \F\<^sub>i\<^sub>-\<^sub>1\. The method \this\ first applies the rule which replaces the goal 471 | by \F\<^sub>i\<^sub>-\<^sub>1\. Then it applies the fact \F\<^sub>i\<^sub>-\<^sub>1\ as rule to this goal which removes it and finishes 472 | the subproof.\ 473 | 474 | subsubsection "The \.\ Proof" 475 | 476 | text\ 477 | The proof 478 | @{theory_text[display] 479 | \by this\} 480 | can be abbreviated by \.\\index{. (keyword)} (a single dot). 481 | 482 | Therefore the example from Section~\ref{proof-proc-construct} can also be proved in the form 483 | @{theory_text[display] 484 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 485 | proof - 486 | assume "x < 5" 487 | with example1 have "2*x \ 2*5" . 488 | with example2 show ?thesis . 489 | qed\}\ 490 | 491 | subsection \The Methods {\sl frule} and {\sl drule}\ 492 | text_raw\\label{methods-forward-frule}\ 493 | 494 | text\ 495 | Instead of storing facts in the proof context and using a structured proof for a forward reasoning 496 | proof the facts may be stored as rule assumptions in the goal state and the forward reasoning proof 497 | may be written as a proof script (see Section~\ref{proof-struct-syntax}). 498 | 499 | To construct a proof for the goal \A \ C\ as fact sequence \A, F\<^sub>2 \ F\<^sub>n\ by forward reasoning as 500 | described in Section~\ref{proof-proc-construct} in this way, the intermediate fact sequence 501 | \A, F\<^sub>2, \, F\<^sub>i\ is stored in the extended goal \\A; F\<^sub>2; \; F\<^sub>i\ \ C\ where the last assumption is 502 | the current fact \F\<^sub>i\. Then the next forward reasoning step consists of adding the fact \F\<^sub>i\<^sub>+\<^sub>1\ as 503 | new assumption to the goal and prove it using a rule \RA\<^sub>i \ RC\<^sub>i\ named \r\<^sub>i\. When the fact 504 | sequence is complete the goal is \\A; F\<^sub>2; \; F\<^sub>n\ \ C\ and \F\<^sub>n\ unifies with \C\, thus an 505 | application of method \<^theory_text>\assumption\ will remove the goal and terminate the proof 506 | (see Section~\ref{methods-assumption-method}).\ 507 | 508 | subsubsection "The \frule\ Method" 509 | 510 | text\ 511 | A rule is applied for forward reasoning by the method 512 | @{theory_text[display] 513 | \frule name\}\index{frule (method)} 514 | where \name\ is the name of a valid rule. The method only affects the first goal. If that goal 515 | has the form \\A\<^sub>1;\;A\<^sub>n\ \ C\ and the rule referred by \name\ has the form \\RA\<^sub>1;\;RA\<^sub>m\ \ RC\ 516 | the method first unifies the first assumption \RA\<^sub>1\ in the rule with the first assumption \A\<^sub>k\ of 517 | the \A\<^sub>1 \ A\<^sub>n\ which can be unified with \RA\<^sub>1\. That yields the specialized rule 518 | \\RA\<^sub>1';\;RA\<^sub>m'\ \ RC'\ where \RA\<^sub>1'\ is syntactically equal to \A\<^sub>k\ and every \RA\<^sub>j'\ with \j > 1\ 519 | and \RC'\ results from \RA\<^sub>j\ or \RC\, respectively, by substituting unknowns by the same terms as 520 | in \RA\<^sub>1'\. If the goal does not contain unknowns (which is the normal case) \A\<^sub>k\ is not 521 | modified by the unification. If no \A\<^sub>i\ unifies with \RA\<^sub>1\ the method cannot be executed on the goal 522 | state and an error is signaled. Otherwise the method replaces the goal by the \m-1\ new goals 523 | \\A\<^sub>1;\;A\<^sub>n\ \ RA\<^sub>j'\ for \j > 1\ and the goal \\A\<^sub>1;\;A\<^sub>n;RC'\ \ C\. 524 | 525 | If the rule has the form \RA \ RC\ with only one assumption the method replaces the goal by 526 | the single new goal \\A\<^sub>1;\;A\<^sub>n;RC'\ \ C\, i.e., it adds the conclusion of the rule as assumption 527 | in the goal. If the rule is a formula \RC\ without any assumptions the method is not applicable and 528 | signals an error. 529 | 530 | Since the first assumption \RA\<^sub>1\ in the rule plays a special role in this context, it is also 531 | called the ``major premise''\index{major premise} of the rule. 532 | 533 | Together, a forward reasoning step as described above can be implemented by the method application 534 | @{theory_text[display] 535 | \apply (frule r\<^sub>i)\} 536 | and the full proof script for a forward reasoning proof has the form 537 | @{theory_text[display] 538 | \apply(frule r\<^sub>1) 539 | \ 540 | apply (frule `r\<^sub>n\<^sub>-\<^sub>1`) 541 | apply(assumption) 542 | done\} 543 | or shorter 544 | @{theory_text[display] 545 | \apply (frule r\<^sub>1) 546 | \ 547 | by (frule `r\<^sub>n\<^sub>-\<^sub>1`)\} 548 | 549 | If the example from Section~\ref{proof-proc-construct} is proved this way the theorem is written 550 | together with its proof as 551 | @{theory_text[display] 552 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 553 | apply (frule example1) 554 | by (frule example2)\} 555 | 556 | However, this form of forward reasoning proof has several drawbacks. First, as always in proof 557 | scripts, the facts \F\<^sub>i\ are not specified explicitly, they are constructed implicitly by the 558 | \<^theory_text>\frule\ method and can only be seen by interactively inspecting the goal state. Next, since the 559 | current fact is the last assumption in the goal, it is not guaranteed that the rule \r\<^sub>i\ is 560 | applied to it. If a previous assumption also unifies with the major premise of \r\<^sub>i\ the rule is 561 | not applied in the intended way. Finally, it is not possible to generalize this approach to proofs 562 | with several branches. The branches cannot be joined, because \<^theory_text>\frule\ always takes only one 563 | assumption into account.\ 564 | 565 | subsubsection "The \drule\ Method" 566 | 567 | text\ 568 | The second drawback can be compensated for by using another method for applying the rule. This is 569 | done by the method 570 | @{theory_text[display] 571 | \drule name\}\index{drule (method)} 572 | where \name\ is the name of a valid rule. The method works like \<^theory_text>\frule\, but instead of adding 573 | \RC'\ to the assumptions it replaces \A\<^sub>k\ by it. Thus the method replaces the goal by the \m-1\ new 574 | goals \\A\<^sub>1;\;A\<^sub>k\<^sub>-\<^sub>1; A\<^sub>k\<^sub>+\<^sub>1;\;A\<^sub>n\ \ RA\<^sub>j'\ for \j > 1\ and the goal \\A\<^sub>1;\;A\<^sub>k\<^sub>-\<^sub>1;A\<^sub>k\<^sub>+\<^sub>1;\;A\<^sub>n;RC'\ \ C\. 575 | 576 | When using \<^theory_text>\drule\ for constructing a proof in the way described above, it always replaces the 577 | current fact by the next one in the fact sequence. The intermediate fact sequence is represented by 578 | the goal \F\<^sub>i \ C\. Since the current fact is the only assumption present in the goal, the step 579 | \<^theory_text>\apply (drule r\<^sub>i)\ is always applied to it and replaces the goal by \F\<^sub>i\<^sub>+\<^sub>1 \ C\, as intended. 580 | 581 | The methods \<^theory_text>\frule\ and \<^theory_text>\drule\ do not support input facts. 582 | \ 583 | 584 | subsection "Destruction Rules" 585 | text_raw\\label{methods-forward-dest}\ 586 | 587 | text\ 588 | Not all rules can always usefully be applied by \<^theory_text>\frule\ and \<^theory_text>\drule\. Since both methods only 589 | unify their first assumption (the major premise) of the rule with a term in the goal and then replace 590 | it by the conclusion, the first assumption should have some effect on the conclusion. In particular, 591 | the conclusion should not be a single unknown which does not occur in the first assumption. 592 | 593 | If additionally a specific function \f\ (perhaps written using an operator name) occurs only in the 594 | first assumption and neither in the conclusion, nor in other assumptions, the rule is called a 595 | ``destruction rule''\index{rule!destruction $\sim$} for \f\. If it is applied in forward direction, such as with \<^theory_text>\frule\ 596 | and \<^theory_text>\drule\, \f\ will be removed from the goal, it will be ``destructed''. 597 | 598 | Similar to introduction rules (see Section~\ref{methods-rule-intro}) \f\ may occur in the 599 | conclusion if it has a different form, so that it may be removed by several steps through 600 | intermediate forms. 601 | 602 | Analogous to the \intro\ set for introduction rules there is an internal fact set \dest\\index{dest (fact set name)} for 603 | destruction rules. It is used by some automatic methods, however, it is not used for automatically 604 | selecting rules for \<^theory_text>\frule\ and \<^theory_text>\drule\.\ 605 | 606 | subsubsection "Searching Destruction Rules" 607 | 608 | text\ 609 | If the cursor in the text area is positioned in a proof, destruction rules applicable to the first 610 | goal in the goal state of the enclosing proof can be searched\index{search!for destruction rules} using the keyword \dest\ as criterion 611 | for a search by \<^theory_text>\find_theorems\ or in the Query panel, as described in 612 | Section~\ref{theory-theorem-search}. It finds all named facts which can be applied by the \frule\ 613 | or \drule\ method to the first goal, i.e., the major premise unifies with a goal assumption.\ 614 | 615 | subsubsection "Examples" 616 | 617 | text\ 618 | The rule \example1\ from Section~\ref{theory-theorem-named} is a 619 | destruction rule for function \(<)\, but it is also only applicable to special uses of it and it 620 | replaces it by the functions \(\)\, \(*)\, and \(+)\ which does not help for most proofs. 621 | In the rule \example2\ the operator \(\)\ also occurs in the conclusion, but in different form. 622 | Therefore it can be considered as destruction rule for \(\)\, although the form in the conclusion 623 | is more complex which also does not help for most proofs. 624 | \ 625 | 626 | section "Composed Proof Methods" 627 | text_raw\\label{methods-composed}\ 628 | 629 | text \ 630 | Proof methods can be composed\index{method!composed $\sim$} from simpler methods with the help of ``method expressions''\index{method!expression}. 631 | A method expression has one of the following forms: 632 | \<^item> \m\<^sub>1, \, m\<^sub>n\ : a sequence of methods which are applied in their order, 633 | \<^item> \m\<^sub>1; \; m\<^sub>n\ : a sequence of methods where each is applied to the goals created by the previous method, 634 | \<^item> \m\<^sub>1| \| m\<^sub>n\ : a sequence of methods where only the first applicable method is applied, 635 | \<^item> \m[n]\ : the method \m\ is applied to the first \n\ goals, 636 | \<^item> \m?\ : the method \m\ is applied if it is applicable, 637 | \<^item> \m+\ : the method \m\ is applied once and then repeated as long as it is applicable. 638 | 639 | Parentheses\index{parentheses} are used to structure and nest composed methods. 640 | 641 | Composed methods can be used to combine method applications to a single step. Using composed 642 | methods the example backward reasoning proof script from Section~\ref{methods-rule-backwards} can be 643 | written as 644 | @{theory_text[display] 645 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 646 | apply(rule example2,rule example1,assumption) 647 | done\} 648 | 649 | In particular, it is also possible to apply an arbitrarily complex composed method as initial 650 | method in a structured proof. Using composed methods the example forward reasoning proof in 651 | Section~\ref{methods-forward-rule} can be written as 652 | @{theory_text[display] 653 | \theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" 654 | proof - 655 | assume a: "x < 5" 656 | have f\<^sub>2: "2*x \ 2*5" by (rule example1,fact a) 657 | show ?thesis by (rule example2,fact f\<^sub>2) 658 | qed\} 659 | \ 660 | 661 | section "The Simplifier" 662 | text_raw\\label{methods-simp}\ 663 | 664 | text \ 665 | A common proof technique is ``rewriting''\index{rewriting}. If it is known that a term \a\ is equal to a term 666 | \b\, some occurrences of \a\ in a proposition can be replaced by \b\ without changing the 667 | validity of the proposition. 668 | 669 | Equality of two terms \a\ and \b\ can be expressed by the proposition \a = b\. If that 670 | proposition has been proved to be valid, i.e., is a fact, \a\ can be substituted by \b\ 671 | and vice versa in goals during a proof. 672 | \ 673 | 674 | subsection \The {\sl subst} Method\ 675 | text_raw\\label{methods-simp-subst}\ 676 | 677 | text \ 678 | Rewriting is performed by the method 679 | @{theory_text[display] 680 | \subst name\}\index{subst (method)} 681 | where \name\ references an equality fact. The method only affects the first goal. If the 682 | referenced fact has the form \a = b\ the method replaces the first occurrence of \a\ in 683 | the goal conclusion by \b\. The order of the terms in the equality fact matters, the 684 | method always substitutes the term on the left by that on the right. 685 | 686 | If the equality contains unknowns unification is used: \a\ is 687 | unified with every sub-term of the goal conclusion, the first match is replaced by \b'\ 688 | which is \b\ after substituting unknowns in the same way as in \a\. If there is no match 689 | of \a\ in the goal conclusion an error is signaled.\ 690 | 691 | subsubsection "Rewriting in Goal Assumptions" 692 | 693 | text\ 694 | For a goal \\A\<^sub>1; \; A\<^sub>n\ \ C\ the method only rewrites in the conclusion \C\. The first 695 | match in the assumptions \A\<^sub>1 \ A\<^sub>n\ can be substituted by the form 696 | @{theory_text[display] 697 | \subst (asm) name\}\ 698 | 699 | subsubsection "Rewriting Specific Sub-Term Occurrences" 700 | 701 | text\ 702 | If not only the first match shall be substituted, a number of the match or a range of numbers 703 | may be specified in both forms as in 704 | @{theory_text[display] 705 | \subst (asm) (i..j) name\}\ 706 | 707 | subsubsection "Rewriting With Defining Equations" 708 | 709 | text\ 710 | The equality fact can also be a meta equality of the form \a \ b\. Therefore the method can 711 | be used to expand constant definitions. After the definition 712 | @{theory_text[display] 713 | \definition "inc x \ x + 1"\} 714 | the method \<^theory_text>\subst inc_def\ will rewrite the first occurrence of a function application 715 | \(inc t)\ in the goal conclusion to \(t + 1)\. Remember from Section~\ref{theory-theorem-defs} 716 | that the defining equation is automatically named \inc_def\. Note the use of unification to 717 | handle the actual argument term \t\.\ 718 | 719 | subsubsection "Rewriting With Conditional Equations" 720 | 721 | text\ 722 | The equality fact may be conditional, i.e., it may be a derivation rule with assumptions of the 723 | form \\RA\<^sub>1; \; RA\<^sub>m\ \ a = b\. When the \subst\ method applies a conditional equation of this 724 | form to a goal \\A\<^sub>1; \; A\<^sub>n\ \ C\, it adds the goals \\A\<^sub>1; \; A\<^sub>n\ \ RA\<^sub>i'\ to the goal state 725 | after rewriting, where \RA\<^sub>i'\ result from \RA\<^sub>i\ by the unification of \a\ in \C\. These 726 | goals are inserted before the original goal, so the next method application will usually process 727 | the goal \\A\<^sub>1; \; A\<^sub>n\ \ RA\<^sub>1'\.\ 728 | 729 | subsubsection "Examples" 730 | 731 | text\ 732 | As an example if there are theorems 733 | @{theory_text[display] 734 | \theorem eq1: "n = 10 \ n+3 = 13" for n::nat \ 735 | theorem eq2: "n = 5 \ 2*n = 10" for n::nat \\} 736 | the method \<^theory_text>\subst (2) eq2\ replaces the goal \(x::nat) < 5 \ 2*x+3 \ 2*5 + 3\ by the 737 | goals 738 | @{text[display] 739 | \x < 5 \ 5 = 5 740 | x < 5 \ 2 * x + 3 \ 10 + 3\} 741 | where the first is trivial (but still must be removed by applying a rule). The second 742 | goal is replaced by the method \<^theory_text>\subst (2) eq1\ by 743 | @{text[display] 744 | \x < 5 \ 10 = 10 745 | x < 5 \ 2 * x + 3 \ 13\} 746 | 747 | Note that the method \<^theory_text>\subst eq2\ would unify \2*n\ with the first match \2*x\ in the original 748 | goal and replace it by 749 | @{text[display] 750 | \x < 5 \ x = 5 751 | x < 5 \ 10 + 3 \ 2 * 5 + 3\} 752 | where the first goal cannot be proved because it is invalid. 753 | \ 754 | 755 | subsection "Simplification" 756 | text_raw\\label{methods-simp-simplif}\ 757 | 758 | text\ 759 | If the term \b\ in an equation \a = b\ is in some sense ``simpler'' than \a\, the goal will 760 | also become simpler by successful rewriting with the equation. If there are several 761 | such equations a goal can be replaced by successively simpler goals by rewriting with these 762 | equations. This technique can contribute to the goal's proof and is called ``simplification''\index{simplification}. 763 | 764 | Basically, simplification uses a set of equations and searches an equation in the set where 765 | the left hand side unifies with a sub-term in the goal, then substitutes it. This step is 766 | repeated until no sub-term in the goal unifies with a left hand side in an equation in the set.\ 767 | 768 | subsubsection "Non-Terminating Simplification" 769 | 770 | text\ 771 | It is apparent that great care must be taken when populating the set of equations, otherwise 772 | simplification may not terminate. If two equations \a = b\ and \b = a\ are in the set simplification 773 | will exchange matching terms forever. If an equation \a = a+0\ is in the set, a term matching 774 | \a\ will be replaced by an ever growing sum with zeroes.\ 775 | 776 | subsubsection "Simplification With Definitional Equations" 777 | 778 | text\ 779 | Simplification with a set of definitional equations from constant definitions (see 780 | Section~\ref{theory-definition-defs}) always terminates. Since constant definitions cannot 781 | be recursive, every substitution removes one occurrence of a defined constant from the goal. 782 | Simplification terminates if no defined constant from the set remains in the goal. 783 | Although the resulting goal usually is larger than the original goal, it is simpler in the 784 | sense that it uses fewer defined constants.\ 785 | 786 | subsubsection "Simplification and Trivial Goals" 787 | 788 | text\ 789 | If the set contains conditional equations, simplification may produce additional goals. Then 790 | simplification is applied to these goals as well. Together, simplification may turn a single 791 | complex goal into a large number of simple goals, but it cannot reduce the number of goals. 792 | Therefore simplification is usually complemented by methods which remove trivial goals 793 | like \x = x\, \A \ A\, and \True\. Such an extended simplification may completely solve and remove 794 | the goal to which it is applied. 795 | \ 796 | 797 | subsection \The {\sl simp} Method\ 798 | text_raw\\label{methods-simp-simp}\ 799 | 800 | text\ 801 | Isabelle supports simplification by the method 802 | @{theory_text[display] 803 | \simp\}\index{simp (method)} 804 | which is also called ``the simplifier''\index{simplifier}. It uses the dynamic fact set \simp\\index{simp (fact set name)} as the set of 805 | equations, which is also called ``the simpset''\index{simpset}. The method only affects the first goal. 806 | If no equation in the simpset is applicable to it or it is not modified by the applicable equations 807 | an error is signaled. 808 | 809 | The \simp\ method simplifies the whole goal, i.e., it applies rewriting to the conclusion and 810 | to all assumptions.\ 811 | 812 | subsubsection "Simplification Using Arbitrary Facts" 813 | 814 | text\ 815 | The simpset may contain facts which are not directly equations, but can be converted to an 816 | equation. In particular, an arbitrary derivation rule \\A\<^sub>1; \; A\<^sub>n\ \ C\ can always be converted 817 | to the conditional equation \\A\<^sub>1; \; A\<^sub>n\ \ C = True\. The simplifier (and also the \subst\ method) 818 | performs this conversion if no other conversion technique applies, therefore the simpset may 819 | actually contain arbitrary facts. 820 | 821 | The \simp\ method also detects several forms of trivial goals and removes them. Thus a complete 822 | proof may be performed by a single application of the simplifier in the form 823 | @{theory_text[display] 824 | \by simp\}\ 825 | 826 | subsubsection "Simplification in HOL" 827 | 828 | text\ 829 | In Isabelle HOL (see Section~\ref{holbasic}) the simpset is populated with a large number of facts 830 | which make the simplifier a very useful proof tool. Actually all examples of facts used 831 | in the previous sections can be proved by the simplifier: 832 | @{theory_text[display] 833 | \theorem example1: "(x::nat) < c \ n*x \ n*c" by simp 834 | theorem example2: "(x::nat) \ c \ x + m \ c + m" by simp 835 | theorem "(x::nat) < 5 \ 2*x+3 \ 2*5 + 3" by simp 836 | theorem eq1: "n = 10 \ n+3 = 13" for n::nat by simp 837 | theorem eq2: "n = 5 \ 2*n = 10" for n::nat by simp\}\ 838 | 839 | subsection "Configuring the Simplifier" 840 | text_raw\\label{methods-simp-config}\ 841 | 842 | text \ 843 | The simplifier can be configured by modifying the equations it uses. The form 844 | @{theory_text[display] 845 | \simp add: name\<^sub>1 \ name\<^sub>n\}\index{add: (method argument)} 846 | uses the facts \name\<^sub>1, \, name\<^sub>n\ in addition to the facts in the simpset for its rewriting 847 | steps. The form 848 | @{theory_text[display] 849 | \simp del: name\<^sub>1 \ name\<^sub>n\}\index{del: (method argument)} 850 | uses only the facts from the simpset without the facts \name\<^sub>1, \, name\<^sub>n\, and the form 851 | @{theory_text[display] 852 | \simp only: name\<^sub>1 \ name\<^sub>n\}\index{only: (method argument)} 853 | uses only the facts \name\<^sub>1, \, name\<^sub>n\. The three forms can be arbitrarily combined. 854 | 855 | As usual, a theorem may be added permanently to the simpset as described in 856 | Section~\ref{theory-theorem-named} by specifying it as 857 | @{theory_text[display] 858 | \theorem [simp]: "prop" \\} 859 | and the defining equation of a definition can be added by 860 | @{theory_text[display] 861 | \definition name::type where [simp]: "name \ term"\} 862 | 863 | Adding own constant definitions to the simplifier is a common technique to expand the definition 864 | during simplification. However, this may also have a negative effect: If an equation has been 865 | specified using the defined constant, it is no more applicable for rewriting after expanding 866 | the definition. Note that the facts in the simpset and the facts provided by \add:\, \del:\, and 867 | \only:\ are not simplified themselves, the defined constant will not be expanded there. 868 | 869 | Therefore it is usually not recommended to add defining equations to the simpset permanently. 870 | Instead, they can be specified by \add:\ when they really shall be expanded during simplification. 871 | \ 872 | 873 | subsection "Splitting Terms" 874 | text_raw\\label{methods-simp-split}\ 875 | 876 | text \ 877 | There are certain terms in which the simplifier will not apply its simpset rules. A typical 878 | example are terms with an internal case distinction (see Section~\ref{holtdefs-data-destr}). To 879 | process such terms in a goal conclusion the terms must be split. Splitting a term\index{term!splitting} usually results 880 | in several new goals with simpler terms which are then further processed by the simplifier.\ 881 | 882 | subsubsection "Split Rules" 883 | 884 | text\ 885 | Term splitting is done by applying specific rules to the goal. These rules are called ``split 886 | rules''\index{rule!split $\sim$}. Usually split rules are not automatically determined and applied by the simplifier, this 887 | must be configured explicitly in the form 888 | @{theory_text[display] 889 | \simp split: name\<^sub>1 \ name\<^sub>n\}\index{split: (method argument)} 890 | where the \name\<^sub>i\ are the names of the split rules to use. This configuration can be arbitrarily 891 | combined with the other simplifier configuration options. 892 | 893 | The usual form of a split rule is a proposition 894 | @{theory_text[display] 895 | \"?P(term) = ((Q\<^sub>1 \ ?P(term\<^sub>1)) \ \ \ (Q\<^sub>n \ ?P(term\<^sub>n)))"\} 896 | where the \term\<^sub>i\ are subterms of \term\ and every \Q\<^sub>i\ represents a condition for which \term\ 897 | can be reduced to \term\<^sub>i\. The simplifier applies such a split rule to a goal \\A\<^sub>1;\;A\<^sub>m\ \ C\ 898 | by first unifying the left hand side with the conclusion \C\ (which succeeds if \term\ occurs in 899 | \C\), then replacing it by the conjunction on the right, then splitting the goal into a separate 900 | goal for every conjunct, and finally moving every \Q\<^sub>i\ to the assumptions of their goal. Thus the 901 | resulting goals have the form 902 | @{text[display] 903 | \\A\<^sub>1;\;A\<^sub>m;Q\<^sub>1\ \ C\<^sub>1 904 | \ 905 | \A\<^sub>1;\;A\<^sub>m;Q\<^sub>n\ \ C\<^sub>n\} 906 | where \C\<^sub>i\ is constructed from \C\ by mainly replacing \term\ by \term\<^sub>i\. 907 | 908 | Note that this form of a split rule can only be applied for splitting terms in the conclusion of a 909 | goal. See the Isabelle/Isar reference manual \<^cite>\"isar-ref"\ for other forms which split 910 | terms in assumptions of a goal. 911 | \ 912 | 913 | subsection "Searching Simplifier Equations" 914 | text_raw\\label{methods-simp-search}\ 915 | 916 | text \ 917 | Named facts applicable for simplification may be searched\index{search!for simplifier equations} using the command \<^theory_text>\find_theorems\ or in 918 | the Query panel\index{panel!query $\sim$}, as described in Section~\ref{theory-theorem-search}, using a \criterion\<^sub>i\ of the 919 | form \simp: termpat\ where \termpat\ is a term pattern (a term which may contain unknowns) specified 920 | in inner syntax. 921 | 922 | Such a search finds named facts where the conclusion is an equation (using either the operator \=\ 923 | or the meta equality \\\) and the left side unifies with the specified term pattern. It also finds 924 | facts where the conclusion unifies with the term pattern, if the term pattern has type \bool\, 925 | because such facts are equivalent to an equation with \True\ (see above). Facts are found 926 | independent of whether they are in the simpset or not. 927 | 928 | A found fact may be used by specifying it for the \subst\ method or, if not yet in the simpset, by 929 | configuring the \simp\ method to use it with the help of \add:\ or \only:\. 930 | \ 931 | 932 | subsection \Input Facts for the {\sl simp} Method\ 933 | text_raw\\label{methods-simp-input}\ 934 | 935 | text \ 936 | As usual, facts may be input to the \simp\ method. Like the empty method (see 937 | Section~\ref{methods-empty}) it inserts these facts as assumptions into the goal, 938 | before it starts simplification. Since simplification is also applied to the assumptions, 939 | the input facts will be simplified as well. 940 | 941 | As a possible effect of this behavior, after simplifying an input fact and the goal conclusion 942 | the results may unify, leading to the situation where the goal is removed by the \assumption\ 943 | method (see Section~\ref{methods-assumption-method}). This is also done by the simplifier, hence in 944 | this way the input fact may contribute to prove the goal. 945 | \ 946 | 947 | subsection \The {\sl simp$\_$all} Method\ 948 | text_raw\\label{methods-simp-all}\ 949 | 950 | text \ 951 | The method 952 | @{theory_text[display] 953 | \simp_all\}\index{simp-all@simp$\_$all (method)} 954 | behaves like the \simp\ method but processes all goals. It inserts input facts to all goals 955 | in the goal state and simplifies them. If it fails for all goals an error is signaled. Otherwise 956 | it simplifies only the goals for which it does not fail. If it achieves to remove all goals 957 | the proof is finished. 958 | 959 | The \simp_all\ method can be configured by \add:\, \del:\, \only:\, and \split:\ in the same way as 960 | the \simp\ method. 961 | 962 | The \simp_all\ method is useful, if first a method \m\ is applied to the goal which splits 963 | it into several subgoals which all can be solved by simplification. Then the complete 964 | proof can be written as 965 | @{theory_text[display] 966 | \by m simp_all\} 967 | \ 968 | 969 | subsection "Debugging the Simplifier" 970 | text_raw\\label{methods-simp-debug}\ 971 | 972 | text \ 973 | If the simplifier fails, it may be difficult to find out the reason. There are several debugging 974 | techniques which may help. 975 | 976 | The content of the simpset can be displayed by the command 977 | @{theory_text[display] 978 | \print_simpset\}\index{print-simpset@print$\_$simpset (keyword)} 979 | which may be specified in the proof text in modes \proof(prove)\ and \proof(state)\ and outside 980 | of proofs. In the interactive editor the result is displayed in the Output panel\index{panel!output $\sim$} (see 981 | Section~\ref{system-jedit-output}). 982 | 983 | There is also a simplifier trace\index{simplifier!trace} which displays the successful rewrite steps. It is activated 984 | by the command 985 | @{theory_text[display] 986 | \declare [[simp_trace_new depth=n]]\} 987 | outside a theorem or definition. The number \n\ should be atleast \2\. When the cursor is 988 | positioned on an application of the \simp\ method the button ``Show trace'' can be used 989 | in the Simplifier Trace panel to display the trace in a separate window. See the Isabelle/Isar 990 | reference manual \<^cite>\"isar-ref"\ for more information about how to use the trace. 991 | 992 | Another technique is to replace the \simp\ method by a sequence of \subst\ method applications 993 | and explicitly specify the equations which should have been used. To do this for a structured 994 | proof, replace it by a proof script for the \subst\ method applications. 995 | \ 996 | 997 | section "Other Automatic Proof Methods" 998 | text_raw\\label{methods-auto}\ 999 | 1000 | text\ 1001 | Isabelle provides several other proof methods which internally perform several steps, 1002 | like the simplifier. 1003 | \ 1004 | 1005 | subsection "Automatic Methods" 1006 | text_raw\\label{methods-auto-methods}\ 1007 | 1008 | text\ 1009 | The following list contains automatic methods other than \simp\: 1010 | \<^item> \blast\\index{blast (method)} mainly applies logical rules and can be used to solve complex logical formulas. 1011 | \<^item> \clarify\\index{clarify (method)} is similar but does not split goals and does not follow unsafe paths. It can 1012 | be used to show the problem if \blast\ fails. 1013 | \<^item> \auto\\index{auto (method)} combines logical rule application with simplification. It processes all goals and 1014 | leaves those it cannot solve. 1015 | \<^item> \clarsimp\\index{clarsimp (method)} combines \clarify\ with simplification. It processes only the first goal and 1016 | usually does not split goals. 1017 | \<^item> \fastforce\\index{fastforce (method)} uses more techniques than \auto\, but processes only the first goal. 1018 | \<^item> \force\\index{force (method)} uses even more techniques and tries to solve the first goal. 1019 | \<^item> \linarith\\index{linarith (method)} solves linear arithmetic problems (on integer and real numbers) for the first goal. 1020 | It is automatically included by the simplifier. 1021 | \<^item> \arith\\index{arith (method)} uses more techniques than \linarith\ but may be slower. 1022 | \<^item> \metis\\index{metis (method)} is a versatile method using other techniques. 1023 | \ 1024 | 1025 | text\ 1026 | The methods which do simplification can be configured like the simplifier by adding 1027 | specifications \simp add:\, \simp del:\, \simp only:\, and \split:\. For example, additional 1028 | simplification rules can be specified for the \auto\ method in the form 1029 | @{theory_text[display] 1030 | \auto simp add: name\<^sub>1 \ name\<^sub>n\} 1031 | 1032 | For more information about these methods see the Isabelle/Isar reference manual \<^cite>\"isar-ref"\. 1033 | \ 1034 | 1035 | subsection "Trying Methods" 1036 | text_raw\\label{methods-auto-try}\ 1037 | 1038 | text\ 1039 | Instead of manually trying several automatic methods it is possible to specify the command 1040 | @{theory_text[display] 1041 | \try\}\index{try (keyword)} 1042 | anywhere in mode \proof(prove)\, i.e. at the beginning of a proof or in a proof script. 1043 | It will try many automatic proof methods and describe the result in the Output window. 1044 | It may take some time until results are displayed, in particular, if the goal is invalid and 1045 | cannot be proved. 1046 | 1047 | If \<^theory_text>\try\ finds a proof for one or more goals it displays it as a single (composed) proof method, 1048 | which, by clicking on it can be copied to the cursor position in the text area. The \<^theory_text>\try\ command 1049 | must be removed manually. 1050 | 1051 | If \<^theory_text>\try\ tells you that the goal can be ``directly solved'' by some fact, you can usually prove it 1052 | by the \fact\ method, but that also means that there is already a fact of the same form and 1053 | your theorem is redundant. 1054 | 1055 | It may also be the case that \<^theory_text>\try\ finds a counterexample, meaning that the goal is invalid 1056 | and cannot be proved. 1057 | \ 1058 | 1059 | end -------------------------------------------------------------------------------- /Chapter_case.thy: -------------------------------------------------------------------------------- 1 | theory Chapter_case 2 | imports Chapter_methods 3 | begin 4 | chapter "Case Based Proofs" 5 | text_raw\\label{case}\ 6 | 7 | text \ 8 | If during a proof the goal state contains several goals they are often proved sequentially. Although 9 | there are proof methods which process several goals at once (see examples in 10 | Section~\ref{methods-auto-methods}) most methods only process the first goal. In a proof script, when 11 | a method has solved and removed the first goal, the next goal will become the first and will be 12 | processed by the next method application steps. In a structured proof (see 13 | Section~\ref{proof-struct-syntax}) it is not so simple. To prove a goal which is in the goal state 14 | its bound variables and assumptions have to be inserted into the local proof context (by \<^theory_text>\fix\ and 15 | \<^theory_text>\assume\ statements) and its conclusion must be stated by a \<^theory_text>\show\ statement and must be proved. 16 | Isabelle provides some support for simplifying these tasks for working on a sequence of goals. 17 | \ 18 | 19 | section "Named Proof Contexts" 20 | text_raw\\label{case-context}\ 21 | 22 | text \ 23 | Isabelle supports some methods which are able to create ``cases''\index{case} for goals. A case contains bound 24 | variables and assumptions from a goal and it may contain other context elements, such as names for 25 | assumptions or assumption groups and an abbreviation for the conclusion of a goal. The cases are 26 | named. Using these names a proof context can be populated with all content of a case in a single 27 | step. 28 | 29 | Since a case contains context elements it can be seen as a named 30 | context\index{named context}\index{proof!context!named $\sim$} which has been prepared by a method for later use, but has not been ``activated'' yet. 31 | Usually a named context is used to initialize a new nested proof context\index{proof!context!nested $\sim$} immediately after its 32 | beginning by inserting the content of the named context into the new context. 33 | \ 34 | 35 | subsection \The {\sl case} Statement\ 36 | text_raw\\label{case-context-case}\ 37 | 38 | text \ 39 | The content of a case may be inserted into the current proof context by the statement 40 | @{theory_text[display] 41 | \case name\}\index{case (keyword)} 42 | where \name\ is the case name\index{case!name}\index{name!for case}. It mainly has the effect of the sequence 43 | @{theory_text[display] 44 | \fix x\<^sub>1 \ x\<^sub>k 45 | let ?a\<^sub>1 = t\<^sub>1 and \ ?a\<^sub>m = t\<^sub>m 46 | assume name: "A\<^sub>1" \ "A\<^sub>n"\} 47 | where \x\<^sub>1 \ x\<^sub>k\ are the local variables, \?a\<^sub>1, \, ?a\<^sub>m\ are the term abbreviations, and 48 | \A\<^sub>1, \, A\<^sub>n\ are the facts in the named context of the case. The facts are inserted as assumptions 49 | and the set of these assumptions is named using the case name. Moreover, like the \<^theory_text>\assume\ 50 | statement, the \<^theory_text>\case\ statement makes the assumed facts current.\ 51 | 52 | subsubsection "Explicit Assumption Naming" 53 | 54 | text\ 55 | Instead of using the case name for naming the assumptions an explicit assumption name\index{assumption!name}\index{name!for assumption} \aname\ may be 56 | specified: 57 | @{theory_text[display] 58 | \case aname: name\} 59 | If defined in the case, other names for single assumptions or assumption groups may be automatically 60 | introduced.\ 61 | 62 | subsubsection "Naming Local Variables" 63 | 64 | text\ 65 | The local variables \x\<^sub>1 \ x\<^sub>k\ are fixed by the \<^theory_text>\case\ statement but are hidden, they cannot be 66 | used in the subsequent proof text. If they should be used, explicit names must be specified for 67 | them in the form 68 | @{theory_text[display] 69 | \case (name y\<^sub>1 \ y\<^sub>j)\} 70 | Then the names \y\<^sub>1 \ y\<^sub>j\ can be used to reference the fixed variables\index{name!for fixed variable}\index{fixed variable!name} in the current proof 71 | context. If fewer names are specified only the first variables are named, if more names are 72 | specified than there are local variables in the case an error is signaled. 73 | 74 | When methods create a named context for a goal they usually only define the term abbreviation 75 | \?case\\index{?case (term abbreviation)} for the conclusion of the goal. 76 | \ 77 | 78 | subsection "Proof Structure with Cases" 79 | text_raw\\label{case-context-struct}\ 80 | 81 | text \ 82 | The usual proof structure using cases\index{proof!case based $\sim$} consists of an initial method which creates cases and of a 83 | sequence of nested contexts (see Section~\ref{proof-struct-nesting}). At its beginning each context 84 | is initialized by a \<^theory_text>\case\ statement naming one of the created cases, at its end it uses a \<^theory_text>\show\ 85 | statement to remove the corresponding goal: 86 | @{theory_text[display] 87 | \proof `method` 88 | case name\<^sub>1 89 | \ 90 | show ?case \ 91 | next 92 | case name\<^sub>2 93 | \ 94 | show ?case \ 95 | next 96 | \ 97 | next 98 | case name\<^sub>n 99 | \ 100 | show ?case \ 101 | qed\} 102 | Every \<^theory_text>\show\ statement uses the local term abbreviation \?case\ to refer to the conclusion of 103 | the corresponding goal.\ 104 | 105 | subsubsection "Determining the Cases Introduced by a Method Application" 106 | 107 | text\ 108 | To find out which cases have been introduced by a method application, the command 109 | @{theory_text[display] 110 | \print_cases\}\index{print-cases@print$\_$cases (keyword)} 111 | can be used at arbitrary places in the following proof to display the cases in the Output panel\index{panel!output $\sim$}. 112 | 113 | In the interactive editor also the Query panel\index{panel!query $\sim$} (see Section~\ref{system-jedit-query}) can be used 114 | to display the cases available at the cursor position by selecting the tab ``Print Context'' and 115 | checking ``cases''. 116 | 117 | Also in the interactive editor, when the cursor is positioned on \<^theory_text>\proof `method`\ where the method 118 | supports cases, a skeleton\index{proof!case based $\sim$!skeleton} of a proof using the specific cases provided by the method is 119 | displayed in the Output panel. By clicking on it it may be copied into the text area immediately 120 | after the method specification. 121 | \ 122 | 123 | section \The {\sl goal$\_$cases} Method\ 124 | text_raw\\label{case-goalcases}\ 125 | 126 | text\ 127 | The simplest method with support for cases is 128 | @{theory_text[display] 129 | \goal_cases\}\index{goal-cases@goal$\_$cases (method)} 130 | Without modifying the goal state it creates a named case\index{case} for every existing goal. Input facts 131 | are ignored. 132 | 133 | For a goal \<^theory_text>\\ x\<^sub>1 \ x\<^sub>m. \A\<^sub>1; \; A\<^sub>n\ \ C\ the created named context contains the local variables 134 | \x\<^sub>1 \ x\<^sub>m\, the facts \A\<^sub>1, \, A\<^sub>n\, and the term abbreviation \?case\\index{?case (term abbreviation)} bound to \C\. If the goal 135 | contains variables which are not explicitly bound by \\\ these variables are not added to the 136 | context. 137 | 138 | The effect is that if no other variables are fixed and no other facts are assumed a statement 139 | \<^theory_text>\show ?case\ after the corresponding \<^theory_text>\case\ statement will refine the goal and remove it from the 140 | goal state.\ 141 | 142 | subsubsection "Case Naming" 143 | 144 | text\ 145 | The cases are named\index{case!name}\index{name!for case} by numbers starting with \1\. If other names should be used they may be 146 | specified as arguments to the method: 147 | @{theory_text[display] 148 | \goal_cases name\<^sub>1 \ name\<^sub>n\} 149 | If fewer names are specified than goals are present, only for the first \n\ goals cases are created. 150 | If more names are specified an error is signaled.\ 151 | 152 | subsubsection "Composed Methods" 153 | 154 | text\ 155 | When \<^theory_text>\goal_cases\ is used in a composed proof method\index{method!composed $\sim$} it can provide cases for the goals produced 156 | by arbitrary other methods: 157 | @{theory_text[display] 158 | \proof (method, goal_cases)\} 159 | provides cases for all goals existing after \<^theory_text>\method\ has been applied. If \<^theory_text>\method\ does not split 160 | the goal there will be only one case. This can be useful to work with a goal produced by 161 | \<^theory_text>\method\. In particular, the conclusion of that goal is available as \?case\.\ 162 | 163 | subsubsection "Inspecting the Cases" 164 | 165 | text\ 166 | Note that the proof state(s) resulting from \<^theory_text>\goal_cases\ are not visible for the reader of the proof. 167 | Therefore it should only be applied if the goals produced by \<^theory_text>\method\ are apparent. In a case the 168 | goal conclusion can be shown partially or fully by defining a possibly abbreviated form of it by 169 | @{theory_text[display] 170 | \let "pattern" = ?case\} 171 | where the \pattern\ may contain unknowns which abbreviate sub terms of the conclusion. 172 | 173 | A better way to use cases is together with a method which combines both: creating new goals in a 174 | simple and expected way, and immediately creating cases only for these goals. 175 | \ 176 | 177 | section "Case Based Reasoning" 178 | text_raw\\label{case-reasoning}\ 179 | 180 | text\ 181 | Case based proofs are especially convenient for implementing case based reasoning. 182 | The technique of ``case based reasoning''\index{reasoning!case based $\sim$} uses a specific kind of forward reasoning steps 183 | (see Section~\ref{proof-proc-construct}). It adds a new fact \F\<^sub>i\<^sub>+\<^sub>1\ to the proof context ``out of the 184 | blue'' without proving it from the existing facts. For the proof to stay correct, this must be done 185 | for ``all possible cases'' of \F\<^sub>i\<^sub>+\<^sub>1\, and the proof must be completed separately for each of them. 186 | 187 | In its simplest form this can be done by adding an arbitrary fact \F\<^sub>i\<^sub>+\<^sub>1\ and its negation \\ F\<^sub>i\<^sub>+\<^sub>1\, 188 | this covers all possibilities, since \F\<^sub>i\<^sub>+\<^sub>1\ may be either \True\ or \False\. 189 | 190 | Consider the derivation rule \(x::nat) < c \ n*x \ n*c\ named \example1\ in 191 | Section~\ref{theory-theorem-named}. To prove it using case based reasoning the 192 | additional assumption that \n\ is zero can be used. Then there are the two cases 193 | \n = 0\ and \n \ 0\ and clearly these cover all possibilities. Using the first case as assumption 194 | implies that \n*x\ and \n*c\ are both zero and thus \n*x = n*c\. Using the second case as assumption 195 | together with the original assumption implies that \n*x < n*c\. Together the conclusion \n*x \ n*c\ 196 | follows. 197 | 198 | Since the proof must be completed separately for every such case, a separate goal is required for 199 | each of them. This cannot be achieved by statements, the old goal must be replaced by several new 200 | goals which is only possible by applying a proof method. 201 | 202 | More specific, if \Q\<^sub>1 \ Q\<^sub>k\ are propositions for the different cases which together cover all 203 | possibilities, a goal \<^theory_text>\\ x\<^sub>1 \ x\<^sub>m. \A\<^sub>1; \; A\<^sub>n\ \ C\ must be replaced by the \k\ goals 204 | @{text[display] 205 | \\ x\<^sub>1 \ x\<^sub>m. \A\<^sub>1; \; A\<^sub>n; Q\<^sub>1\ \ C 206 | \ 207 | \ x\<^sub>1 \ x\<^sub>m. \A\<^sub>1; \; A\<^sub>n; Q\<^sub>k\ \ C\} 208 | where every goal has one of the propositions \Q\<^sub>i\ as additional assumption. 209 | 210 | Note that this technique extends the proof procedure described in Section~\ref{proof-proc-construct}. 211 | There a proof consisted of a single tree of facts which started at the assumptions and all branches 212 | joined to finally reach the conclusion. With case based reasoning at any position the remaining 213 | tree may be split into several ``copies'' with additional assumptions which then must all be 214 | completed separately. 215 | \ 216 | 217 | subsection "Case Rules" 218 | text_raw\\label{case-reasoning-rules}\ 219 | 220 | text\ 221 | This splitting of a goal into goals for different cases\index{case!split} can be done by applying a single meta rule 222 | of the specific form 223 | @{text[display] 224 | \\Q\<^sub>1 \ ?P; \; Q\<^sub>k \ ?P\ \ ?P\} 225 | where \Q\<^sub>1 \ Q\<^sub>k\ are all cases of the additional assumption. Such rules are called ``case rules''\index{rule!case $\sim$}\index{case!rule}. 226 | 227 | When this case rule is applied to the goal \<^theory_text>\\ x\<^sub>1 \ x\<^sub>m. \A\<^sub>1; \; A\<^sub>n\ \ C\ as described in 228 | Section~\ref{methods-rule-method}, it unifies \?P\ with the conclusion \C\ and replaces the goal 229 | in the way described above.\ 230 | 231 | subsubsection "Validity of Case Rules" 232 | 233 | text\ 234 | A case rule is only valid, if the \Q\<^sub>i\ together cover all possibilities, i.e., if 235 | \Q\<^sub>1 \ \ \ Q\<^sub>k\ holds. If this has been proved the case rule is available as a fact which can be 236 | applied. Since the whole conclusion is the single unknown \?P\ it unifies with every proposition 237 | used as conclusion in a goal, hence a case rule can always be applied to arbitrary goals. It 238 | depends on the \Q\<^sub>i\ whether splitting a specific goal with the case rule is useful for proving 239 | the goal.\ 240 | 241 | subsubsection "Examples" 242 | 243 | text\ 244 | A case rule for testing a natural number for being zero would be 245 | @{text[display] 246 | \\?n = 0 \ ?P; ?n \ 0 \ ?P\ \ ?P\} 247 | It contains the number to be tested as the unknown \?n\, so that an arbitrary term can be substituted 248 | for it. This is not automatically done by unifying \?P\ with the goal's conclusion, thus the rule 249 | must be ``prepared'' for 250 | application to a specific goal. To apply it to the goal \(x::nat) < c \ n*x \ n*c\ in the intended 251 | way the unknown \?n\ must be substituted by the variable \n\ from the goal conclusion. If the 252 | prepared rule is then applied to the goal it splits it into the goals 253 | @{text[display] 254 | \\(x::nat) < c; n = 0\ \ n*x \ n*c 255 | \(x::nat) < c; n \ 0\ \ n*x \ n*c\} 256 | which can now be proved separately. 257 | 258 | Actually, the much more general case rule 259 | @{text[display] 260 | \\?Q \ ?P; \ ?Q \ ?P\ \ ?P\} 261 | is used for this purpose. Here the unknown \?Q\ represents the complete proposition to be used as 262 | additional assumption, therefore the rule can be used for arbitrary propositions. By substituting 263 | the term \n = 0\ for \?Q\ the rule is prepared to be applied in the same way as above.\ 264 | 265 | subsubsection "General Form of Case Rules" 266 | 267 | text\ 268 | Case rules may even be more general than shown above. Instead of a single proposition \Q\<^sub>i\ every 269 | case may have locally bound variables and an arbitrary number of assumptions, resulting in a 270 | meta rule of the form 271 | @{text[display] 272 | \\P\<^sub>1; \; P\<^sub>k\ \ ?P\} 273 | where every \P\<^sub>i\ is a rule of the form 274 | @{text[display] 275 | \\x\<^sub>i\<^sub>,\<^sub>1\x\<^latex>\$_{i,p_i}$\. \Q\<^sub>i\<^sub>,\<^sub>1;\;Q\<^latex>\$_{i,q_i}$\\ \ ?P\} 276 | That means, the \P\<^sub>i\ may be arbitrary rules but they must all have as conclusion the unknown \?P\ 277 | which is also the conclusion of the overall case rule. When such a case rule is applied to a goal 278 | it splits\index{case!split} the goal into \k\ cases and adds the variables \x\<^sub>i\<^sub>,\<^sub>1 \ x\<^latex>\$_{i,p_i}$\\ and the assumptions 279 | \Q\<^sub>i\<^sub>,\<^sub>1 \ Q\<^latex>\$_{i,q_i}$\\ to the \i\th case.\ 280 | 281 | subsubsection "Case Rules and \<^theory_text>\obtain\ Statements" 282 | 283 | text\ 284 | Note that the goal which must be proved for an \<^theory_text>\obtain\\index{obtain (keyword)} statement (see 285 | Section~\ref{proof-obtain}) has the form of a case rule with only one case of the form 286 | \\x\<^sub>1 \ x\<^sub>m. prop \ P\. Thus a proof for this goal shows that \prop\ covers all cases, i.e., it 287 | is redundant.\ 288 | 289 | subsubsection "Specifying Case Rules" 290 | 291 | text\ 292 | Remember that to write your own case rule you have to specify a theorem which uses variables in 293 | place of the unknowns, such as 294 | @{theory_text[display] 295 | \theorem mycaserule: "\n = 0 \ P; n \ 0 \ P\ \ P" \\}\index{mycaserule (example fact)} 296 | which will be converted to unknowns upon turning the proposition to a fact after the proof. 297 | \ 298 | 299 | subsection \The {\sl cases} Method\ 300 | text_raw\\label{case-reasoning-cases}\ 301 | 302 | text\ 303 | Case based reasoning can be performed in a structured proof using the method \<^theory_text>\cases\ in the form 304 | @{theory_text[display] 305 | \cases "term" rule: name\}\index{cases (method)}\index{rule: (method argument)} 306 | where \name\ is the name of a valid case rule. The method prepares the rule by substituting the 307 | specified \term\ for the first unknown in the assumptions, and applies the rule to the first goal 308 | in the goal state. 309 | 310 | Additionally, the method creates a named context\index{named context} for every goal resulting from the rule 311 | application. The context contains (only) the variables and assumptions specified in the corresponding 312 | case\index{case} in the case rule. For the most general form depicted above the context for the \i\th case 313 | contains the variables \x\<^sub>i\<^sub>,\<^sub>1 \ x\<^latex>\$_{i,p_i}$\\ and the assumptions \Q\<^sub>i\<^sub>,\<^sub>1 \ Q\<^latex>\$_{i,q_i}$\\. No term abbreviation 314 | \?case\ is defined, because the conclusion of every new goal is the same as that of the original 315 | goal, thus the existing abbreviation \?thesis\\index{?thesis (term abbreviation)} can be used instead. 316 | 317 | The names\index{name!for case}\index{case name} used for the contexts created by the \<^theory_text>\cases\ method can be specified by attributing 318 | the case rule. Therefore, predefined case rules often create cases with names which are easy to 319 | understand by a proof writer.\ 320 | 321 | subsubsection "Examples" 322 | 323 | text\ 324 | In Isabelle HOL (see Section~\ref{holtypes}) the rule \\?Q \ ?P; \ ?Q \ ?P\ \ ?P\ is available 325 | under the name \case_split\\index{case-split@case$\_$split (fact name)}. It is attributed to use the case names \True\\index{True (case name)} and \False\\index{False (case name)}. Note that 326 | these are names, not the constants for the values of type \bool\. 327 | 328 | Together, a structured proof for the goal 329 | \(x::nat) < c \ n*x \ n*c\ with case splitting may have the form 330 | @{theory_text[display] 331 | \proof (cases "n = 0" rule: case_split) 332 | case True 333 | \ 334 | show ?thesis \ 335 | next 336 | case False 337 | \ 338 | show ?thesis \ 339 | qed\} 340 | The \<^theory_text>\cases\ method adds the assumptions \n=0\ and \n\0\ respectively to the goals of the cases, 341 | the \<^theory_text>\case\ statements add them as assumed facts to the local context, so that they are part of the 342 | rule exported by the \<^theory_text>\show\ statement and match the assumption in the corresponding goal. 343 | 344 | Note that the \<^theory_text>\case\ statement adds only the assumptions originating from the case rule. The other 345 | assumptions in the original goal (here \x < c\) must be added to the context in the usual ways (see 346 | Section~\ref{proof-assume}) if needed for the proof.\ 347 | 348 | subsubsection "Case Rules with Several Unknowns" 349 | 350 | text\ 351 | Often a case rule has only one unknown in the case assumptions. If there are more, several terms 352 | may be specified in the \<^theory_text>\cases\ method for preparing the rule. If less terms are specified than 353 | there are unknowns in the case assumptions the resulting goals will contain unbound unknowns which 354 | must be instantiated in the rest of the proof (e.g., by method \<^theory_text>\drule\). If more terms are 355 | specified an error is signaled.\ 356 | 357 | subsubsection "Input Facts for the \<^theory_text>\cases\ Method" 358 | 359 | text\ 360 | The \<^theory_text>\cases\ method treats input facts like the empty method (see Section~\ref{methods-empty}) 361 | by inserting them as assumptions into the original goal before splitting it. Therefore it can be 362 | used both in proof scripts, where facts are stored as rule assumptions in the goal state, and in 363 | structured proofs where facts are stored in the proof context and are input to the initial methods 364 | of subproofs. 365 | 366 | However, if the \<^theory_text>\cases\ method is specified in the form 367 | @{theory_text[display] 368 | \cases "term"\} 369 | without explicitly naming a case rule and the first input fact has the form of a case rule, it is 370 | used as case rule to split the goal and create the named cases. Therefore in a proof the example 371 | goal can be proved as local fact by inputting (see Section~\ref{proof-this-input}) the case rule in 372 | the form 373 | @{theory_text[display] 374 | \from case_split 375 | have "(x::nat) < c \ n*x \ n*c" 376 | proof (cases "n = 0") 377 | \\}\ 378 | 379 | subsubsection "Automatic Case Rule Selection" 380 | 381 | text\ 382 | Like the \<^theory_text>\rule\ method (see Section~\ref{methods-rule-method}) the \<^theory_text>\cases\ method supports 383 | automatic rule selection for the case rule, if no case rule is specified or input to the method. 384 | Normally the rule is selected according to the type of the specified \term\. In Isabelle HOL (see 385 | Section~\ref{holbasic}) most types have an associated case rule\index{case!rule!associated $\sim$}\index{rule!case $\sim$!associated $\sim$}. Only case rules with a single 386 | unknown in the case assumptions can be automatically selected in this way. 387 | 388 | The rule \case_split\ is associated with type \bool\. Therefore the example sub proof shown above 389 | also works without inputting the method to the \<^theory_text>\have\ statement, because then it is selected 390 | automatically because the term \n = 0\ has type \bool\. 391 | 392 | The proof writer may not know the case names specified by an automatically selected case rule. 393 | However, they can be determined using the command \<^theory_text>\print_cases\ or from the proof skeleton which 394 | is displayed in the interactive editor when the cursor is positioned on the \<^theory_text>\cases\ method (see 395 | Section~\ref{case-context-struct}). 396 | \ 397 | 398 | subsection "Alternative Syntax for Case Rules" 399 | text_raw\\label{case-reasoning-altsynt}\ 400 | 401 | text\ 402 | A case rule as described above always uses an unknown \?P\ (or with any other name) as conclusion 403 | and as conclusion in all assumptions. It is used technically to preserve the original conclusion 404 | when a goal is split by applying the rule. Therefore Isabelle supports an alternative syntax for 405 | specifying case rules\index{syntax!alternative $\sim$!for case rules} as theorems which omits the variable for this unknown and specifies only the 406 | information which becomes the content of the named cases. 407 | 408 | In a theorem specified in structured form using \<^theory_text>\shows\ (see Section~\ref{theory-theorem-altsynt}) 409 | the part of the form \<^theory_text>\shows "C"\ may alternatively be specified in the form 410 | @{theory_text[display] 411 | \obtains C\<^sub>1 | \ | C\<^sub>k\}\index{obtains (keyword)} 412 | where every case \C\<^sub>i\ has the form 413 | @{theory_text[display] 414 | \x\<^sub>i\<^sub>,\<^sub>1 \ x\<^latex>\$_{i,p_i}$\ where "Q\<^sub>i\<^sub>,\<^sub>1" \ "Q\<^latex>\$_{i,q_i}$\"\}\index{where (keyword)} 415 | As usual, the variables \x\<^sub>i\<^sub>,\<^sub>1 \ x\<^latex>\$_{i,p_i}$\\ and the propositions \Q\<^sub>i\<^sub>,\<^sub>1 \ Q\<^latex>\$_{i,q_i}$\\ may be grouped by \and\, for 416 | every variable group a type may be specified and the proposition groups may be named. The keywords 417 | and the \|\ separators belong to the outer syntax, the propositions must be individually quoted. 418 | 419 | This form is mainly equivalent to 420 | @{theory_text[display] 421 | \shows "\P\<^sub>1; \; P\<^sub>k\ \ thesis"\} 422 | where every \P\<^sub>i\ is a rule 423 | @{text[display] 424 | \\x\<^sub>i\<^sub>,\<^sub>1\x\<^latex>\$_{i,p_i}$\. \Q\<^sub>i\<^sub>,\<^sub>1;\;Q\<^latex>\$_{i,q_i}$\\ \ thesis\} 425 | which is exactly the general form of a case rule stated by the \<^theory_text>\shows\ clause, using, after proof, 426 | the unknown \?thesis\ for all conclusions. 427 | 428 | For its own proof the \<^theory_text>\obtains\ form creates the same goal as the \<^theory_text>\shows\ form, but additionally 429 | it adds all \P\<^sub>i\ as assumed facts to the outermost proof context and names this set \that\\index{that (assumption name)}.\ 430 | 431 | subsubsection "Specifying Explicit Case Names" 432 | 433 | text\ 434 | When the theorem is applied as case rule by the \<^theory_text>\cases\ method the named context created for case 435 | \C\<^sub>i\ is simply named \i\. An explicit name\index{case!name}\index{name!for case} may be specified for it by using the extended form 436 | @{theory_text[display] 437 | \(name\<^sub>i) x\<^sub>i\<^sub>,\<^sub>1 \ x\<^latex>\$_{i,p_i}$\ where "Q\<^sub>i\<^sub>,\<^sub>1" \ "Q\<^latex>\$_{i,q_i}$\"\} 438 | For its own proof the \<^theory_text>\obtains\ form uses \name\<^sub>i\, if present, as additional name for \P\<^sub>i\ in its 439 | proof context. 440 | 441 | If a case \C\<^sub>i\ has no bound variables it has simply the form 442 | @{theory_text[display] 443 | \"Q\<^sub>i\<^sub>,\<^sub>1" \ "Q\<^latex>\$_{i,q_i}$\"\} 444 | which omits the keyword \<^theory_text>\where\, also if an explicit name is specified. 445 | 446 | As an example, the rule \case_split\ may be defined and proved as 447 | @{theory_text[display] 448 | \theorem case_split: 449 | obtains (True) "Q" | (False) "\ Q" 450 | by blast\} 451 | using the case names \True\ and \False\, as described above, and using the \<^theory_text>\blast\ method (see 452 | Section~\ref{methods-auto-methods}) for the proof.\ 453 | 454 | subsubsection "The \<^theory_text>\consider\ Statement" 455 | 456 | text\ 457 | There is also a statement for stating a case rule on the fly in a structured proof. It has the form 458 | @{theory_text[display] 459 | \consider C\<^sub>1 | \ | C\<^sub>k \\}\index{consider (keyword)} 460 | where the cases \C\<^sub>i\ are as above. It is mainly equivalent to the statement 461 | @{theory_text[display] 462 | \have "\P\<^sub>1; \; P\<^sub>k\ \ thesis" \\} 463 | with \P\<^sub>i\ as above and is thus also a goal statement\index{goal!statement}. 464 | 465 | However, it is not possible to introduce additional unknowns in the \P\<^sub>i\ in a \<^theory_text>\consider\ statement. 466 | All variables occurring free in the \P\<^sub>i\ are assumed to be bound in the context and are not 467 | converted to unknowns at the end of the statement. Therefore the statement cannot be used to 468 | define general case rules like \case_split\ which contains the additional unknown \?Q\. It can only 469 | be used to state that specific propositions cover all (remaining) possibilities in the local proof 470 | context. They need not cover all globally possible cases, if some cases have already been excluded 471 | using locally assumed or proved facts, only the remaining possibilities need to be covered.\ 472 | 473 | subsubsection "Chaining a \<^theory_text>\consider\ Statement" 474 | 475 | text\ 476 | Since case rules can be input as fact to a proof by case based reasoning, fact chaining\index{fact!chaining} can be used 477 | to immediately apply a locally defined case rule in a subsequent subproof. This yields the pattern 478 | @{theory_text[display] 479 | \consider C\<^sub>1 | \ | C\<^sub>k \ 480 | then have "prop" 481 | proof cases 482 | case 1 \ show ?thesis \ 483 | next 484 | \ 485 | case k \ show ?thesis \ 486 | qed\} 487 | using the default case names. The first \\\ proves that the cases cover all local possibilities, 488 | the other \\\s prove the stated proposition, each using one of the cases \C\<^sub>i\ as additional 489 | assumption. The \<^theory_text>\cases\ method is always applied without arguments, since there are no additional 490 | unknowns in the \C\<^sub>i\ which can be instantiated.\ 491 | 492 | subsubsection "Example" 493 | 494 | text\ 495 | If the example goal \(x::nat) < c \ n*x \ n*c\ should be stated for locally fixed variables, 496 | the cases \n=0\ and \n\0\ can be proved to cover all possibilities and then used as cases by the 497 | statements 498 | @{theory_text[display] 499 | \fix x c n::nat 500 | consider (Zero) "n = 0" | (Notzero) "n \ 0" by blast 501 | then have "(x::nat) < c \ n*x \ n*c" 502 | proof cases 503 | case Zero \ show ?thesis \ 504 | next 505 | case Notzero \ show ?thesis \ 506 | qed\} 507 | \ 508 | 509 | section "Elimination" 510 | text_raw\\label{case-elim}\ 511 | 512 | text\ 513 | The proof technique of ``(generalized) elimination''\index{elimination} can be seen as a combination of applying a 514 | destruction rule\index{rule!destruction $\sim$} (see Section~\ref{methods-forward-dest}) and an optional case split\index{case!split}. It removes an 515 | assumption with a function application from a goal and splits the rest into cases with additional 516 | assumptions. 517 | \ 518 | 519 | subsection \The Method {\sl erule}\ 520 | text_raw\\label{case-elim-erule}\ 521 | 522 | text\ 523 | Like destruction rule application and case splitting such a step can be implemented by applying a 524 | rule in a specific way to a goal. This is done by the method 525 | @{theory_text[display] 526 | \erule name\}\index{erule (method)} 527 | where \name\ is the name of a valid rule. The method only affects the first goal. If that goal 528 | has the form \\A\<^sub>1;\;A\<^sub>n\ \ C\ and the rule referred by \name\ has the form \\RA\<^sub>1;\;RA\<^sub>m\ \ RC\ 529 | the method first unifies the first assumption \RA\<^sub>1\ in the rule with the first assumption \A\<^sub>k\ of 530 | the \A\<^sub>1 \ A\<^sub>n\ which can be unified with \RA\<^sub>1\ \<^emph>\and\ it unifies the rule conclusion \RC\ with the 531 | goal conclusion \C\. That yields the specialized rule \\RA\<^sub>1';\;RA\<^sub>m'\ \ RC'\ where \RA\<^sub>1'\ is 532 | syntactically equal to \A\<^sub>k\, \RC'\ is syntactically equal to \C\ and every \RA\<^sub>j'\ with \j > 1\ 533 | results from \RA\<^sub>j\ by substituting unknowns by the same terms as in \RA\<^sub>1'\ and \RC'\. If the goal 534 | does not contain unknowns (which is the normal case), \A\<^sub>k\ and \C\ are not modified by the 535 | unifications. If no \A\<^sub>i\ unifies with \RA\<^sub>1\ or \C\ does not unify with \RC\ the method cannot be 536 | executed on the goal state and an error is signaled. Otherwise the method replaces the goal by the 537 | \m-1\ new goals \\A\<^sub>1;\;A\<^sub>n\ \ RA\<^sub>j'\ for \j > 1\. 538 | 539 | If the rule has the form \RA \ RC\ with only one assumption a successful application with \<^theory_text>\erule\ 540 | removes the goal from the goal state. If the rule is a formula \RC\ without any 541 | assumptions the method cannot be applied to the goal state and an error is signaled. If an 542 | assumption \RA\<^sub>j\ is a rule with own assumptions, these assumptions are appended to the assumptions 543 | in the resulting goal, as described for the \<^theory_text>\rule\ method in Section~\ref{methods-rule-method}. 544 | 545 | As for rules applied by \<^theory_text>\frule\ or \<^theory_text>\drule\ (see Section~\ref{methods-forward-frule}) the first 546 | assumption \RA\<^sub>1\ in the rule is called the ``major premise''\index{major premise} in this context. 547 | 548 | The method \<^theory_text>\erule\ does not support input facts. 549 | \ 550 | 551 | subsection "Elimination Rules" 552 | text_raw\\label{case-elim-rules}\ 553 | 554 | text\ 555 | An elimination rule\index{rule!elimination $\sim$} is a generalized combination of a destruction rule and a case rule. It has the 556 | specific form 557 | @{text[display] 558 | \\RA\<^sub>1; \; RA\<^sub>n\ \ ?P\} 559 | where the first assumption contains the application of a specific function \f\ (perhaps written 560 | using an operator name) which may only occur in different form in the other assumptions. The 561 | conclusion is a single unknown which must not occur in the first assumption and may only occur as 562 | conclusion in other assumption (as in an assumption in a case rule). 563 | 564 | When an elimination rule is applied to a goal by the \<^theory_text>\erule\ method, it removes (``eliminates'') 565 | the function application from an assumption in the goal or it replaces it by a different form, so 566 | that it may be removed in several steps. Depending on the form of the other 567 | assumptions the resulting goals have either the same conclusion as the original goal or are 568 | unrelated to it. Therefore such an application of an elimination rule can be seen as a forward 569 | reasoning step, possibly with case splitting. 570 | 571 | Since the order of the assumptions after the major premise is irrelevant for the rule application 572 | the general form of an elimination rule can be considered to be 573 | @{theory_text[display] 574 | \theorem "\RA\<^sub>1;\;RA\<^sub>m; P\<^sub>1; \; P\<^sub>k\ \ P" \\} 575 | where every \P\<^sub>i\ is a rule of the form 576 | @{text[display] 577 | \\x\<^sub>i\<^sub>,\<^sub>1\x\<^latex>\$_{i,p_i}$\. \Q\<^sub>i\<^sub>,\<^sub>1;\;Q\<^latex>\$_{i,q_i}$\\ \ P\} 578 | and the variable \P\ does not occur in the \RA\<^sub>1 \ RA\<^sub>m\. 579 | 580 | Analogous to the \intro\ set for introduction rules there is an internal fact set \elim\\index{elim (fact set name)} for 581 | elimination rules. It is used by some automatic methods, however, it is not used for automatically 582 | selecting rules for \erule\.\ 583 | 584 | subsubsection "Example" 585 | 586 | text\ 587 | As an example consider the elimination rule specified as 588 | @{theory_text[display] 589 | \theorem elimexmp: "\(x::nat) \ c; x < c \ P; x = c \ P\ \ P"\}\index{elimexmp (example fact)} 590 | It replaces an assumption \x \ c\ by two cases with assumptions \x < c\ and \x = c\. If applied to 591 | the goal \(x::nat) \ 5 \ C\ by 592 | @{theory_text[display] 593 | \apply (erule elimexmp)\} 594 | it replaces the goal by the two goals 595 | @{text[display] 596 | \x < 5 \ C 597 | x = 5 \ C\}\ 598 | 599 | subsubsection "Searching Elimination Rules" 600 | 601 | text\ 602 | If the cursor in the text area is positioned in a proof, elimination rules applicable to the first 603 | goal in the goal state of the enclosing proof can be searched\index{search!for elimination rules} using the keyword \elim\ as criterion 604 | for a search by \<^theory_text>\find_theorems\ or in the Query panel, as described in 605 | Section~\ref{theory-theorem-search}. It finds all named facts which can be applied by the \erule\ 606 | method to the first goal, i.e., the major premise unifies with a goal assumption and the conclusions 607 | unify as well.\ 608 | 609 | subsubsection "The \elim\ Method" 610 | 611 | text\ 612 | Elimination rule application can be iterated by the method 613 | @{theory_text[display] 614 | \elim name\<^sub>1 \ name\<^sub>n\}\index{elim (method)} 615 | where \name\<^sub>1 \ name\<^sub>n\ refer to valid rules. It iterates applying rules by \<^theory_text>\erule\ from the given 616 | set to a goal in the goal state as long as this is possible. It is intended to be used with 617 | elimination rules. Then it automatically eliminates functions from assumptions in the goals as much 618 | as possible with the given rules. Note that the method does not use the \elim\ set.\ 619 | 620 | subsubsection "Destruction Rules as Elimination Rules" 621 | 622 | text\ 623 | Every destruction rule\index{rule!destruction $\sim$} \\RA\<^sub>1;\;RA\<^sub>n\ \ C\ can be re-stated as the elimination rule 624 | \\RA\<^sub>1;\;RA\<^sub>n;C\?P\ \ ?P\. If that is applied by \<^theory_text>\erule\ it has the same effect as if the 625 | original rule is applied by method \<^theory_text>\drule\. 626 | \ 627 | 628 | subsection "Alternative Syntax for Elimination Rules" 629 | text_raw\\label{case-elim-altsynt}\ 630 | 631 | text\ 632 | The alternative syntax available for case rules described in Section~\ref{case-reasoning-altsynt} can 633 | be extended for elimination rules\index{syntax!alternative $\sim$!for elimination rules}. An elimination rule 634 | @{theory_text[display] 635 | \theorem "\RA\<^sub>1;\;RA\<^sub>m; P\<^sub>1; \; P\<^sub>k\ \ P" \\} 636 | where every \P\<^sub>i\ is a rule of the form 637 | @{text[display] 638 | \\x\<^sub>i\<^sub>,\<^sub>1\x\<^latex>\$_{i,p_i}$\. \Q\<^sub>i\<^sub>,\<^sub>1;\;Q\<^latex>\$_{i,q_i}$\\ \ P\} 639 | can be specified using the alternative syntax 640 | @{theory_text[display] 641 | \theorem 642 | assumes "RA\<^sub>1" \ "RA\<^sub>m" 643 | obtains C\<^sub>1 | \ | C\<^sub>k 644 | \\}\index{obtains (keyword)} 645 | where every \C\<^sub>i\ is 646 | @{theory_text[display] 647 | \x\<^sub>i\<^sub>,\<^sub>1 \ x\<^latex>\$_{i,p_i}$\ where "Q\<^sub>i\<^sub>,\<^sub>1" \ "Q\<^latex>\$_{i,q_i}$\"\} 648 | The major premise and possibly other additional assumptions are specified using \<^theory_text>\assumes\, then 649 | the assumptions for the cases are specified using \<^theory_text>\obtains\. As usual, the set \RA\<^sub>1, \, RA\<^sub>m\ is 650 | automatically named \assms\ and the set of the \P\<^sub>i\ is automatically named \that\ in the outermost 651 | proof context of the theorem, additional names may be specified explicitly. 652 | 653 | The example rule \elimexmp\ from the previous section can alternatively be specified as 654 | @{theory_text[display] 655 | \theorem 656 | assumes "(x::nat) \ c" 657 | obtains "x < c" | "x = c" 658 | \\}\ 659 | 660 | subsection "Elimination in Structured Proofs" 661 | text_raw\\label{case-elim-struct}\ 662 | 663 | text\ 664 | The method \erule\ is intended to be used in proof scripts, therefore it does not process input 665 | facts and does not create named cases. In structured proofs elimination can be done using the 666 | \cases\ method. 667 | 668 | The \cases\ method\index{cases (method)} applies a rule by elimination, if the rule is attributed by \[consumes 1]\. This 669 | means the rule will ``consume'' one assumption by unifying it with its major premise and removing 670 | it. A rule may be attributed upon definition in the form 671 | @{theory_text[display] 672 | \theorem [consumes 1]: "prop" \\}\index{consumes (attribute)} 673 | or it may be attributed on the fly when it is applied by the \cases\ method: 674 | @{theory_text[display] 675 | \cases "term" rule: name[consumes 1]\} 676 | 677 | Since the \cases\ method is intended to be used in structured proofs where facts are stored in the 678 | proof context it does not unify the rule's major premise with an assumption in the goal, it 679 | unifies it with the first input fact (possibly after the rule itself if not specified as method 680 | argument). 681 | 682 | Now the rule \elimexmp\ from the previous sections can be defined in the form 683 | @{theory_text[display] 684 | \theorem elimexmp[consumes 1]: 685 | assumes "(x::nat) \ c" 686 | obtains (lower) "x < c" | (equal) "x = c" 687 | \\}\index{elimexmp (example fact)} 688 | naming the cases by \lower\ and \equal\. Then an example for an application in a structured proof 689 | with cases is 690 | @{theory_text[display] 691 | \theorem "C" if "(x::nat) \ 5" 692 | using that 693 | proof (cases rule: elimexmp) 694 | case lower \ show ?thesis \ 695 | next 696 | case equal \ show ?thesis \ 697 | qed 698 | \} 699 | Note the use of the structured theorem form which puts the assumption \(x::nat) \ 5\ into the proof 700 | context and names it \that\ so that it can be input by \<^theory_text>\using that\ into the structured proof 701 | and into its initial method \cases\ which consumes it. 702 | \ 703 | 704 | section "Induction" 705 | text_raw\\label{case-induction}\ 706 | 707 | text\ 708 | With induction\index{induction} a goal is proved by processing ``all possible cases'' for certain values which 709 | occur in it. If the goal can be proved for all these cases and the cases cover all 710 | possibilities, the goal holds generally. A specific 711 | technique is to assume the goal for some values and then prove it for other values. In this 712 | way it is possible to cover infinite value sets by proofs for only a finite number of values and 713 | steps from values to other values. 714 | 715 | Perhaps the best known example of induction is a proposition which is proved for the natural number 716 | \0\ and the step from a number \n\ to its successor \n+1\, which together covers the whole infinite 717 | set of natural numbers. 718 | 719 | As a (trivial) example consider the proposition \0\n\. To prove that it is valid for all natural numbers 720 | \n\ we prove the ``base case''\index{induction!base case} where \n\ is \0\, which is true because \0\0\. Then we prove the 721 | ``induction step''\index{induction!step}, by assuming that \0\n\ (the ``induction hypothesis''\index{induction!hypothesis}) and proving that \0\n+1\ 722 | follows, which is true because addition increases the value. 723 | \ 724 | 725 | subsection "Induction Rules" 726 | text_raw\\label{case-induction-rules}\ 727 | 728 | text\ 729 | As for case based reasoning (see Section~\ref{case-reasoning}) a goal is split into these 730 | cases\index{case!split} by applying a meta rule. For induction the splitting can be done by a meta rule of the form 731 | @{text[display] 732 | \\P\<^sub>1 ; ...; P\<^sub>n \ \ ?P ?a\} 733 | where every \P\<^sub>i\ is a rule of the form 734 | @{text[display] 735 | \\y\<^sub>i\<^sub>,\<^sub>1 \ y\<^latex>\$_{i,p_i}$\. \Q\<^sub>i\<^sub>,\<^sub>1; \; Q\<^latex>\$_{i,q_i}$\\ \ ?P term\<^sub>i\} 736 | where the assumptions \Q\<^sub>i\<^sub>,\<^sub>j\ may contain the unknown \?P\ but no other unknowns, in particular not 737 | \?a\. A rule for a base case usually has no bound variables \y\<^sub>i\<^sub>,\<^sub>j\ and no assumptions 738 | \Q\<^sub>i\<^sub>,\<^sub>j\, at least the \Q\<^sub>i\<^sub>,\<^sub>j\ do not contain \?P\. The remaining rules mostly have only a single 739 | assumption \Q\<^sub>i\<^sub>,\<^sub>j\ which contains \?P\. 740 | 741 | Rules of this form are called ``induction rules''\index{induction!rule}\index{rule!induction $\sim$}. Note that the unknown \?a\ only occurs once in the conclusion of the meta rule and nowhere else. Like 742 | the case rules induction rules must be ``prepared'' for use, this is done by replacing \?a\ 743 | by a specific term \term\. This is the term for which all possible cases shall be processed 744 | in the goal. It must have the same type as all \term\<^sub>i\ in the \P\<^sub>i\. 745 | 746 | Usually, ``all possible cases'' means all values of the type of \term\, then \term\ consists of a 747 | single variable which may adopt any values of its type. There are also other forms of induction where 748 | more complex terms are used, but they are not presented in this introduction, refer to other 749 | Isabelle documentations \<^cite>\"isar-ref" and "prog-prove"\ for them. In the following the unknown \?a\ will always be replaced by a 750 | variable \x\.\ 751 | 752 | subsubsection "Applying Induction Rules" 753 | 754 | text\ 755 | When a prepared induction rule is applied to a goal \C\ without bound variables and assumptions as 756 | described in Section~\ref{methods-rule-method}, it unifies \?P x\ with the conclusion \C\. This has 757 | the effect of abstracting \C\ to a (boolean) function \PC\ by identifying all places where \x\ 758 | occurs in \C\ and replacing it by the function argument. The function \PC\ is then bound to the 759 | unknown \?P\, so that applying \?P\ to the argument \x\ again yields \C\. The function 760 | \PC\ is the property to be proved for all possible argument values. Therefore the cases of the proof 761 | can be described by applying \?P\ to the terms \term\<^sub>i\ for the specific values in the rules \P\<^sub>i\ for 762 | the cases. 763 | 764 | The application of the prepared rule results in the \n\ goals 765 | @{text[display] 766 | \\ y\<^sub>1\<^sub>,\<^sub>1 \ y\<^latex>\$_{1,p_1}$\. \Q\<^sub>1\<^sub>,\<^sub>1; \; Q\<^latex>\$_{1,q_1}$\\ \ PC term\<^sub>1 767 | \ 768 | \ y\<^sub>n\<^sub>,\<^sub>1 \ y\<^latex>\$_{n,p_n}$\. \Q\<^sub>n\<^sub>,\<^sub>1; \; Q\<^latex>\$_{n,q_n}$\\ \ PC term\<^sub>n\} 769 | 770 | The induction rule is only valid if the terms \term\<^sub>i\ cover all possible values of their associated 771 | type. If this has been proved the induction rule is available as a fact which can be applied. 772 | After preparing the induction rule for application, its conclusion \?P x\ 773 | matches all propositions which contain the variable \x\ in one or more copies. It depends 774 | on the \P\<^sub>i\ in the rule whether splitting a specific goal with the induction rule is useful for 775 | proving the goal. 776 | 777 | The real power of induction rules emerges, when a \Q\<^sub>i\<^sub>,\<^sub>j\ contains the unknown \?P\. Due to the 778 | type associated with \?P\ it must be applied to an argument \term\<^sub>i\<^sub>,\<^sub>j\ of the same type as \x\ and 779 | the \term\<^sub>i\. Then the goal resulting from \P\<^sub>i\ states the property that if \Q\<^sub>i\<^sub>,\<^sub>j\ holds when 780 | specialized to \PC term\<^sub>i\<^sub>,\<^sub>j\, \PC\ holds for \term\<^sub>i\ (an ``induction step''\index{induction!step}). Thus, for covering the 781 | possible values of \x\, the step from \term\<^sub>i\<^sub>,\<^sub>j\ to \term\<^sub>i\ can be repeated arbitrarily often which 782 | allows to cover some types with infinite value sets.\ 783 | 784 | subsubsection "Example" 785 | 786 | text\ 787 | An induction rule for the natural numbers is 788 | @{text[display] 789 | \\?P 0; \y. ?P y \ ?P (y+1)\ \ ?P ?a\} 790 | \P\<^sub>1\ is the base case, it has no variables and assumptions and only consists of the conclusion 791 | \?P 0\. \P\<^sub>2\ binds the variable \y\, has one assumption \?P y\ and the conclusion \?P (y+1)\. 792 | \P\<^sub>1\ covers the value \0\, \P\<^sub>2\ covers the step from a value \y\ to its successor \y+1\, together 793 | they cover all possible values of type \nat\. 794 | 795 | To apply the rule to the goal \0\n\, it must be prepared by substituting the variable \n\ for the 796 | unknown \?a\. Then the rule conclusion \?P n\ is unified with the goal which abstracts the 797 | goal to the boolean function \PC = (\i. 0\i)\ and substitutes it for all occurrences of \?P\. 798 | This results in the rule instance 799 | \\(\i. 0\i) 0; \y. (\i. 0\i) y \ (\i. 0\i) (y+1)\ \ (\i. 0\i) n\. 800 | By substituting the arguments in the function applications its assumption part yields the two goals 801 | @{text[display] 802 | \0\0 803 | \y. 0\y \ 0\(y+1)\} 804 | which correspond to the base case and induction step as described above.\ 805 | 806 | subsubsection "General Form of Induction Rules" 807 | 808 | text\ 809 | Induction rules\index{induction!rule}\index{rule!induction $\sim$} may even be more general than shown above. Instead of applying \?P\ to a single 810 | argument it may have several arguments and the conclusion becomes \?P ?a\<^sub>1 \ ?a\<^sub>r\. Also in the 811 | \P\<^sub>i\ every occurrence of \?P\ then has \r\ terms as arguments. Such an induction rule is valid if it 812 | covers all possible cases for all combinations of the \r\ argument values. Finally, in addition 813 | to the assumptions \P\<^sub>i\ an induction rule may have assumptions about the argument \?a\ 814 | or the arguments \?a\<^sub>1 \ ?a\<^sub>r\. 815 | 816 | Note, however, that there is no alternative syntax for induction rules, such as the \<^theory_text>\obtains\ form 817 | for case rules. 818 | \ 819 | 820 | subsection \The {\sl induction} Method\ 821 | text_raw\\label{case-induction-method}\ 822 | 823 | text\ 824 | Induction can be performed in a structured proof using the method \<^theory_text>\induction\ in the form 825 | @{theory_text[display] 826 | \induction x rule: name\}\index{induction (method)}\index{rule: (method argument)} 827 | where \name\ is the name of a valid induction rule. The method prepares the rule by substituting the 828 | specified variable \x\ for the unknown \?a\ and applies the rule to the first goal in the 829 | goal state. 830 | 831 | Additionally, the method creates a named context\index{named context} for every goal resulting from the rule 832 | application. The context contains the variables and assumptions specified in the corresponding 833 | case in the induction rule. For the general form depicted above the context for the \i\th case 834 | contains the variables \y\<^sub>i\<^sub>,\<^sub>1 \ y\<^latex>\$_{i,p_i}$\\ and the assumptions \Q\<^sub>i\<^sub>,\<^sub>1; \; Q\<^latex>\$_{i,q_i}$\\. 835 | The term abbreviation \?case\\index{?case (term abbreviation)} is defined for the case conclusion \PC term\<^sub>i\ which is to 836 | be proved for the case.\ 837 | 838 | subsubsection "Input Facts" 839 | 840 | text\ 841 | The \<^theory_text>\induction\ method treats input facts like the empty method (see Section~\ref{methods-empty}) 842 | and the \<^theory_text>\cases\ method (see Section~\ref{case-reasoning-cases}) by inserting them as assumptions 843 | into the original goal before splitting it.\ 844 | 845 | subsubsection "Automatic Rule Selection" 846 | 847 | text\ 848 | Also like the \<^theory_text>\cases\ method the \<^theory_text>\induction\ method supports 849 | automatic rule selection for the induction rule. This is only possible if \?P\ is applied to a single 850 | argument, which means that only one variable is specified in the method: 851 | @{theory_text[display] 852 | \induction x\} 853 | Then the rule is selected according to the type of \x\. In Isabelle HOL (see 854 | Section~\ref{holbasic}) most types have an associated induction rule.\ 855 | 856 | subsubsection "Examples" 857 | 858 | text\ 859 | The rule \\?P True; ?P False\ \ ?P ?a\ is associated with type \bool\. Therefore induction can be 860 | applied to every proposition which contains a variable of type \bool\, such as the goal \b \ False = False\. 861 | Applying the method 862 | @{theory_text[display] 863 | \induction b\} 864 | will split the goal into the goals 865 | @{text[display] 866 | \False \ False = False 867 | True \ False = False\} 868 | which cover all possible cases for \b\. Here, the type has only two values, therefore induction is 869 | not really needed. 870 | 871 | As for the \<^theory_text>\cases\ method (see Section~\ref{case-reasoning-cases}) the names used for the contexts 872 | created by the \<^theory_text>\induction\ method can be specified by attributing the induction rule. They can be 873 | determined from the proof skeleton which is displayed in the interactive editor 874 | when the cursor is positioned on the \<^theory_text>\induction\ method (see Section~\ref{case-context-struct}). 875 | 876 | If the induction rule \\?P 0; \y. ?P y \ ?P (y+1)\ \ ?P ?a\ for the natural numbers has been 877 | proved and named \induct_nat\ with case names \Start\ and \Step\, a structured proof for the goal 878 | \0\n\ may have the form 879 | @{theory_text[display] 880 | \proof (induction n rule: induct_nat) 881 | case Start 882 | \ 883 | show ?case \ 884 | next 885 | case Step 886 | \ 887 | show ?case \ 888 | qed\} 889 | The \<^theory_text>\induction\ method creates the named contexts \Start\ and \Step\. The former has no local 890 | variables and assumptions and binds \?case\ to the proposition \0\0\, the latter has the local 891 | variable \y\, the assumption \0\y\ named \Step\ and binds \?case\ to the proposition \0 \ y + 1\. 892 | 893 | If the rule \induct_nat\ has been associated with type \nat\ the rule specification 894 | may be omitted in the method: 895 | @{theory_text[display] 896 | \proof (induction n) 897 | \\}\ 898 | 899 | subsection "Case Assumption Naming and the \<^theory_text>\induct\ Method" 900 | text_raw\\label{case-induction-naming}\ 901 | 902 | text\ 903 | As usual, the \<^theory_text>\case\ statement uses the case name as name for the assumptions \Q\<^sub>i\<^sub>,\<^sub>1 \ Q\<^latex>\$_{i,q_i}$\\ in the 904 | \i\th case or an explicit name\index{name!for assumption}\index{assumption!name} may be specified for them (see Section~\ref{case-context-case}). 905 | Additionally, the \induction\ method arranges the named context for a case so that the set of 906 | assumptions is split into those which in the rule contain the unknown \?P\ and those which do not. 907 | These sets are separately named, so that they can be referenced individually. 908 | 909 | The set of assumptions which originally contained \?P\ now contain an application of \PC\ to 910 | a value \term\<^sub>i\<^sub>,\<^sub>j\ and allow the step from this value to value \term\<^sub>i\ by induction. These assumptions 911 | are called ``induction hypotheses'' and are named \"cname.IH"\\index{IH@.IH (fact name suffix)} where \cname\ is the case name or the 912 | explicit name for the case assumptions. The other assumptions are independent from \PC\, they are 913 | additional hypotheses and are named \"cname.hyps"\\index{hyps@.hyps (fact name suffix)}. Both forms of names 914 | must be enclosed in quotes because the dot is not a normal name constituent. 915 | 916 | For an example consider the induction rule \\?P 0; ?P 1; \y. \y\1; ?P y\ \ ?P (y+1)\ \ ?P ?a\ 917 | with an additional base case for the value \1\ and a step which always starts at value \1\ or 918 | greater. If applied to the goal \0\n\ the \induction\ method produces the three goals 919 | @{text[display] 920 | \0\0 921 | 0\1 922 | \y. \y\1; 0\y\ \ 0\(y+1)\} 923 | If the default case name \3\ is used for the third case, the induction hypothesis \0\y\ is named 924 | \"3.IH"\ and the additional hypothesis \y\1\ is named \"3.hyps"\. 925 | 926 | There is a method \<^theory_text>\induct\\index{induct (method)} which behaves like \<^theory_text>\induction\ with the only difference that it does 927 | not introduce the name \"cname.IH"\, it uses \"cname.hyps"\ for all assumptions \Q\<^sub>i\<^sub>1 \ Q\<^sub>i\<^sub>q\<^sub>i\, whether 928 | they contain \?P\ or not. 929 | \ 930 | 931 | subsection "Goals with Assumptions" 932 | text_raw\\label{case-induction-assms}\ 933 | 934 | text\ 935 | If the \induction\ method would apply the prepared induction rule in the same way as the \rule\ 936 | method to a goal \\A\<^sub>1; \; A\<^sub>m\ \ C\ with assumptions it would 937 | unify \?P x\ only with the conclusion \C\ and copy the assumptions \A\<^sub>1, \, A\<^sub>m\ 938 | to all resulting goals unchanged. However, if \x\ also occurs in one or more of the \A\<^sub>l\ this 939 | connection with \C\ is lost after applying the prepared induction rule. 940 | 941 | Consider the goal 942 | @{text[display] 943 | \4 < n \ 5 \ n\} 944 | which is of the form 945 | @{text[display] 946 | \A \ C\} 947 | When applying the prepared induction rule for the natural numbers 948 | \\?P 0; \y. ?P y \ ?P (y+1)\ \ ?P n\ in the way of the \rule\ method the conclusion will be 949 | matched which leads to the abstracted function \PC \ (\i. 5\i)\ and the resulting goals are 950 | @{text[display] 951 | \4 < n \ 5 \ 0 952 | \y. \4 < n; 5 \ y\ \ 5 \ (y+1)\} 953 | where the first goal is invalid. Although the second goal is valid, it shows that the relation 954 | between the variable \n\ in the assumption and the variable \y\ used in the induction rule has been 955 | lost. 956 | 957 | For a goal with assumptions every occurrence of \?P\ in the rule, applied to a specific term must 958 | be replaced by \PC\ applied to the term together with all assumptions which must also be adapted to 959 | the same term. Therefore the \induction\ and \induct\ methods work in a different way. They unify 960 | \?P x\ with the conclusion \C\ and separately with every assumption \A\<^sub>l\ and thus additionally 961 | determine an abstracted function \PA\<^sub>l\ for every \A\<^sub>l\. Then they replace every \?P term\ in a \P\<^sub>i\ 962 | or in a \Q\<^sub>i\<^sub>,\<^sub>j\ in the rule by an application \PC term\ together with assumptions \PA\<^sub>1 term; \; 963 | PA\<^sub>m term\. 964 | 965 | The assumptions for a direct occurrence of \?P term\<^sub>i\ as conclusion in a \P\<^sub>i\ are added after all 966 | \Q\<^sub>i\<^sub>,\<^sub>j\, so that the \i\th goal created by the \induction\ method now has the form 967 | @{text[display] 968 | \\ y\<^sub>i\<^sub>,\<^sub>1 \ y\<^latex>\$_{i,p_i}$\. \Q\<^sub>i\<^sub>,\<^sub>1; \; Q\<^latex>\$_{i,q_i}$\; PA\<^sub>1 term\<^sub>i; \; PA\<^sub>m term\<^sub>i\ \ PC term\<^sub>i\} 969 | Additionally, the assumptions for occurrences of a \?P term\ in a \Q\<^sub>i\<^sub>,\<^sub>j\ must be added which usually 970 | can be done by replacing \Q\<^sub>i\<^sub>,\<^sub>j\ by the rule \Q\<^sub>i\<^sub>,\<^sub>j'\ of the form \\PA\<^sub>1 term; \; PA\<^sub>m term\ \ Q\<^sub>i\<^sub>,\<^sub>j''\ 971 | where \Q\<^sub>i\<^sub>,\<^sub>j''\ results by substituting \?P term\ in \Q\<^sub>i\<^sub>j\ by \PC term\. If \?P\ is applied to several 972 | different terms in \Q\<^sub>i\<^sub>,\<^sub>j\, several sets of corresponding assumptions are added in \Q\<^sub>i\<^sub>,\<^sub>j'\. 973 | 974 | Moreover, the \induction\ method (and also the \induct\ method) arranges the named contexts in a 975 | way that the assumptions \PA\<^sub>1 term\<^sub>i; \; PA\<^sub>m term\<^sub>i\ which originate from the goal are named by 976 | \"cname.prems"\\index{prems@.prems (fact name suffix)} and can thus be referenced separate from the \Q\<^sub>i\<^sub>j'\ which are named \"cname.hyps"\ 977 | and possibly \"cname.IH"\ as described above. 978 | 979 | In the example above the \induction\ method additionally unifies \?P n\ with the assumption \4 < n\ 980 | which yields the abstracted function \PA \ (\i. 4 and produces the goals 981 | @{text[display] 982 | \4 < 0 \ 5 \ 0 983 | \y. \4 < y \ 5 \ y; 4 < (y+1)\ \ 5 \ (y+1)\} 984 | Here \4 < (y+1)\ results from applying \PA\ to \(y+1)\ and \4 < y\ results from adding \PA\ applied 985 | to \y\ as assumption to the assumption \?P y\ from the rule. If the default case name \2\ is used 986 | for the second case, the case assumption \4 < y \ 5 \ y\ will be named \"2.IH"\ and the case 987 | assumption \4 < (y+1)\ will be named \"2.prems"\ by the \<^theory_text>\case\ statement. 988 | 989 | Like the \cases\ method the methods \induction\ and \induct\ insert input facts as assumptions into 990 | the goal before they process the goal assumptions in the described way. Therefore both methods can 991 | be used both in proof scripts, where facts are stored as rule assumptions in the goal state, and in 992 | structured proofs where facts are stored in the proof context and are input to the initial methods 993 | of subproofs. 994 | 995 | Other than for the \cases\ method it is not possible to pass the induction rule as input fact to 996 | the methods \induction\ and \induct\. 997 | \ 998 | 999 | subsection "Induction with Elimination" 1000 | text_raw\\label{case-induction-elim}\ 1001 | 1002 | text\ 1003 | Like case rules, induction rules can be extended to include elimination\index{elimination} (see 1004 | Section~\ref{case-elim-rules}). Such induction rules have an additional first assumption which is 1005 | used as major premise\index{major premise} to unify with a goal assumption and eliminate it, before processing the 1006 | remaining goal assumptions and splitting the goal into cases. 1007 | 1008 | Like case rules such extended induction rules must be attributed by \[consumes 1]\\index{consumes (attribute)}, then the methods 1009 | \induction\ and \induct\ apply elimination before doing the rest of processing. 1010 | 1011 | As example consider the rule \\?a \ 42; ?P 42; \y. ?P y \ ?P (y+1)\ \ ?P ?a\. It uses \42\ as 1012 | its base case and can thus only prove a property for numbers equal to or greater than \42\. The 1013 | major premise restricts \?a\ to these cases. If this rule has been proved and named \induct_nat42\ 1014 | it may be applied with elimination as initial method of a structured proof for the goal \4 < n \ 1015 | 5 \ n\ by 1016 | @{theory_text[display] 1017 | \proof (induction n rule: induct_nat42[consumes 1])\} 1018 | If the fact \n \ 42\ is available as first input fact the application will be successful, consume 1019 | that fact, and split the goal into the goals 1020 | @{text[display] 1021 | \4 < 42 \ 5 \ 42 1022 | \y. \4 < y \ 5 \ y; 4 < (y+1)\ \ 5 \ (y+1)\} 1023 | 1024 | In contrast to the \cases\ method the methods \induction\ and \induct\ will also consume the 1025 | first assumption present in the goal, if it unifies with the major premise of the induction rule 1026 | and no input facts are present. 1027 | \ 1028 | 1029 | subsection "Arbitrary Variables" 1030 | text_raw\\label{case-induction-arbitrary}\ 1031 | 1032 | text\ 1033 | If the goal contains bound variables, i.e., is of the form \\ x\<^sub>1 \ x\<^sub>k. \A\<^sub>1; \; A\<^sub>m\ \ C\ these 1034 | variables may occur in the assumptions \A\<^sub>1, \, A\<^sub>m\ and the conclusion \C\. When these are 1035 | instantiated for the occurrences of \?P\ in the rule as described above, every such instance needs 1036 | its own separate copy of bound variables \x\<^sub>1 \ x\<^sub>k\. 1037 | 1038 | Consider the goal 1039 | @{text[display] 1040 | \\c. n 2*n < 2*c\} 1041 | When applying the prepared induction rule for the natural numbers 1042 | \\?P 0; \y. ?P y \ ?P (y+1)\ \ ?P n\ in the way described above, the variable \c\ must be bound 1043 | separately for the occurrences \?P y\ and \?P (y+1)\ because it need not denote the same value in 1044 | both positions. This can be accomplished by creating the goals 1045 | @{text[display] 1046 | \\c. 0 2*0 < 2*c 1047 | \y c. \\c. y 2*y < 2*c; y+1 < c\ \ 2*(y + 1) < 2*c\} 1048 | with two nested bindings of \c\. 1049 | 1050 | The methods \induction\ and \induct\ treat explicit bindings of variables in the goal in this way. 1051 | However, if variables are not bound explicitly in the goal (i.e., they are free in the goal), there 1052 | are two possible meanings: in a theorem all variables are implicitly bound and therefore need a 1053 | separate binding for every occurrence of \?P\, whereas in a local goal statement variables may have 1054 | been fixed in the enclosing context, then they must denote the same value for every occurrence of 1055 | \?P\ and must not be bound separately. Since it is difficult for Isabelle to determine the correct 1056 | treatment of free variables automatically, it may be specified explicitly by the proof writer. 1057 | The free variables which do not denote a fixed value from the context but an ``arbitrary'' value 1058 | used only locally in the goal can be specified to the \induction\ method in the form 1059 | @{theory_text[display] 1060 | \induction x arbitrary: x\<^sub>1 \ x\<^sub>k rule: name\}\index{arbitrary: (method argument)} 1061 | and in the same form for the \induct\ method. 1062 | 1063 | In particular, if a theorem or goal statement is specified in structured form the free variables 1064 | are not bound in the goal but in the outermost proof context (see Section~\ref{proof-state-initial}) 1065 | and the goal only consists of the conclusion \C\. To apply induction as initial proof method the 1066 | assumptions must be input to it and the variables must be specified as arbitrary: 1067 | @{theory_text[display] 1068 | \theorem 1069 | fixes x\<^sub>1 \ x\<^sub>k 1070 | assumes "A\<^sub>1" \ "A\<^sub>m" 1071 | shows "C" 1072 | using assms 1073 | proof (induction \ arbitrary: x\<^sub>1 \ x\<^sub>k \) \ qed\}\ 1074 | 1075 | 1076 | end --------------------------------------------------------------------------------