NICTA Advanced Course Theorem Proving Principles, Techniques, Applications
CONTENT
➜ Intro & motivation, getting started with Isabelle
➜ Foundations & Principles
➜ Proof & Specification Techniques
LAST TIME ON HOL
➜ Defining HOL
➜ Higher Order Abstract Syntax
➜ Deriving proof rules
➜ More automation
THE THREE BASIC WAYS OF INTRODUCING THEOREMS
➜ Axioms: Example: axioms refl: "t = t"
  Do not use. Evil. Can make your logic inconsistent.
➜ Definitions: Example: defs inj_def: "inj f ≡ ∀x y. f x = f y ⟶ x = y"
➜ Proofs: Example: lemma "inj (λx. x + 1)"
  The harder, but safe choice.
THE THREE BASIC WAYS OF INTRODUCING TYPES
➜ typedecl: by name only. Example: typedecl names
  Introduces new type names without any further assumptions.
➜ types: by abbreviation. Example: types α rel = "α ⇒ α ⇒ bool"
  Introduces abbreviation rel for the existing type α ⇒ α ⇒ bool.
  Type abbreviations are immediately expanded internally.
➜ typedef: by definition as a set. Example: typedef new_type = "{some set}" <proof>
  Introduces a new type as a subset of an existing type.
  The proof shows that the set on the rhs is non-empty.
HOW TYPEDEF WORKS
[Figure: the new type sits beside a subset of the existing type; Abs maps from the existing type to the new type, Rep maps from the new type back to the existing type.]
EXAMPLE: PAIRS
(α, β) Prod
➀ Pick existing type: α ⇒ β ⇒ bool
➁ Identify subset: (α, β) Prod = {f. ∃a b. f = λ(x :: α) (y :: β). x = a ∧ y = b}
➂ We get from Isabelle:
➃ We now can:
DEMO: INTRODUCING NEW TYPES
TERM REWRITING
THE PROBLEM
Given a set of equations l₁ = r₁, l₂ = r₂, ..., lₙ = rₙ, does equation l = r hold?
Applications in:
➜ Mathematics (algebra, group theory, etc.)
➜ Functional Programming (model of execution)
➜ Theorem Proving (dealing with equations, simplifying statements)
TERM REWRITING: THE IDEA
Use equations as reduction rules l₁ −→ r₁, l₂ −→ r₂, ..., lₙ −→ rₙ.
Decide l = r by deciding l ←→* r.
ARROW CHEAT SHEET
−→⁰ = {(x, y) | x = y}   identity
−→ⁿ⁺¹ = −→ⁿ ∘ −→   (n+1)-fold composition
−→⁺ = ⋃ᵢ −→ⁱ   transitive closure
−→* = −→⁺ ∪ −→⁰   reflexive transitive closure
−→⁼ = −→ ∪ −→⁰   reflexive closure
−→⁻¹ = {(y, x) | x −→ y}   inverse
←− = −→⁻¹   inverse
←→ = ←− ∪ −→   symmetric closure
←→⁺ = ⋃ᵢ ←→ⁱ   transitive symmetric closure
←→* = ←→⁺ ∪ ←→⁰   reflexive transitive symmetric closure
HOW TO DECIDE l ←→* r
Same idea as for β: look for n such that l −→* n and r −→* n.
Does this always work?
If l −→* n and r −→* n then l ←→* r. Ok.
If l ←→* r, will there always be a suitable n? No!
Example: Rules: f x −→ a, g x −→ b, f (g x) −→ b
f x ←→* g x because f x −→ a ←− f (g x) −→ b ←− g x
But: f x −→ a and g x −→ b and a, b in normal form
Works only for systems with Church-Rosser property: l ←→* r ⟹ ∃n. l −→* n ∧ r −→* n
Fact: −→ is Church-Rosser iff it is confluent.
CONFLUENCE
[Diagram: s −→* x and s −→* y imply there is a t with x −→* t and y −→* t]
Problem: is a given set of reduction rules confluent? undecidable
Local Confluence
[Diagram: s −→ x and s −→ y imply there is a t with x −→* t and y −→* t]
Fact: local confluence and termination ⟹ confluence
TERMINATION
−→ is terminating if there are no infinite reduction chains
−→ is normalizing if each element has a normal form
−→ is convergent if it is terminating and confluent
Example:
−→β in λ is not terminating, but confluent
−→β in λ→ is terminating and confluent, i.e. convergent
Problem: is a given set of reduction rules terminating? undecidable
WHEN IS −→ TERMINATING?
Basic Idea: when the rᵢ are in some way simpler than the lᵢ
More formally: −→ is terminating when there is a well founded order < in which rᵢ < lᵢ for all rules.
(well founded = no infinite decreasing chains a₁ > a₂ > ...)
Example: f (g x) −→ g x, g (f x) −→ f x
This system always terminates. Reduction order: s <ᵣ t iff size(s) < size(t) with size(s) = number of function symbols in s
➀ g x <ᵣ f (g x) and f x <ᵣ g (f x)
➁ <ᵣ is well founded, because < is well founded on ℕ
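To make slides 14 and 17 concrete, here is an added Python example that is not part of the NICTA course material: a small first-order term rewriter that enumerates every normal form reachable from a term (so the non-Church-Rosser rule set from slide 14 visibly yields two normal forms for f (g x)) and checks slide 17's size-based reduction order. The term representation, the bounded search and the non-duplication check are my own constructions, not the slides'.

```python
# Added example, not from the NICTA slides: a minimal first-order term rewriter
# that replays the rule sets of slides 14 and 17. Terms are nested tuples
# ('f', arg, ...) for function applications (a constant is a 1-tuple) and plain
# strings for variables; a rule is an (lhs, rhs) pair.

def match(pattern, term, subst):
    """First-order matching of pattern against term; extends subst in place."""
    if isinstance(pattern, str):  # pattern variable
        if pattern in subst:
            return subst[pattern] == term
        subst[pattern] = term
        return True
    if isinstance(term, str) or pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, t, subst) for p, t in zip(pattern[1:], term[1:]))

def instantiate(term, subst):
    """Apply a substitution to a rule right-hand side."""
    if isinstance(term, str):
        return subst[term]
    return (term[0],) + tuple(instantiate(t, subst) for t in term[1:])

def one_step(term, rules):
    """Every term reachable in exactly one rewrite step (any rule, any position)."""
    results = []
    for lhs, rhs in rules:  # rewrite at the root
        subst = {}
        if match(lhs, term, subst):
            results.append(instantiate(rhs, subst))
    if not isinstance(term, str):  # rewrite inside an argument
        for i in range(1, len(term)):
            for new_arg in one_step(term[i], rules):
                results.append(term[:i] + (new_arg,) + term[i + 1:])
    return results

def normal_forms(term, rules, limit=1000):
    """All normal forms reachable from term, found by exhaustive search.
    Rewriting need not terminate (slide 18), so the search is bounded: visiting
    more than `limit` distinct terms raises instead of looping forever."""
    seen, todo, nfs = {term}, [term], set()
    while todo:
        t = todo.pop()
        successors = one_step(t, rules)
        if not successors:
            nfs.add(t)
        for u in successors:
            if u not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("no normal form found within the search limit")
                seen.add(u)
                todo.append(u)
    return nfs

def size(term):
    """Number of function symbols in a term (variables count 0), as on slide 17."""
    return 0 if isinstance(term, str) else 1 + sum(size(t) for t in term[1:])

def variables(term):
    """Variables of a term, listed with multiplicity."""
    return [term] if isinstance(term, str) else [v for t in term[1:] for v in variables(t)]

def size_order_proves_termination(rules):
    """Slide 17's criterion, size(r_i) < size(l_i) for every rule, plus a
    non-duplication check that is not on the slide: the size order is only
    closed under substitution when no rule copies a variable."""
    for lhs, rhs in rules:
        lv, rv = variables(lhs), variables(rhs)
        if size(rhs) >= size(lhs) or any(rv.count(v) > lv.count(v) for v in rv):
            return False
    return True

# Constructed rule sets copied from the slides; "x" is a variable, a and b constants.
X = "x"
SLIDE14_RULES = [(("f", X), ("a",)), (("g", X), ("b",)), (("f", ("g", X)), ("b",))]
SLIDE17_RULES = [(("f", ("g", X)), ("g", X)), (("g", ("f", X)), ("f", X))]
```

A single result from normal_forms only shows that this one term's reductions converge; confluence of the whole system needs an argument over all terms. Note that the size criterion rejects SLIDE14_RULES (constants count as function symbols, so f x −→ a does not shrink) even though that system does terminate: it is a sufficient condition, not a decision procedure.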
TERM REWRITING IN ISABELLE
Term rewriting engine in Isabelle is called Simplifier
apply simp
➜ uses simplification rules
➜ (almost) blindly from left to right
➜ until no rule is applicable.
termination: not guaranteed (may loop)
confluence: not guaranteed (result may depend on which rule is used first)
CONTROL
➜ Equations turned into simplification rules with [simp] attribute
➜ Adding/deleting equations locally: apply (simp add: <rules>) and apply (simp del: <rules>)
➜ Using only the specified set of equations: apply (simp only: <rules>)
DEMO
ISAR: A LANGUAGE FOR STRUCTURED PROOFS
ISAR
apply scripts
➜ unreadable
➜ hard to maintain
➜ do not scale
No structure.
What about..
➜ Elegance?
➜ Explaining deeper insights?
➜ Large developments?
Isar!
A TYPICAL ISAR PROOF
proof
  assume formula₀
  have formula₁ by simp
  ...
  have formulaₙ by blast
  show formulaₙ₊₁ by ...
qed
proves formula₀ ⟹ formulaₙ₊₁ (analogous to assumes/shows in lemma statements)
ISAR CORE SYNTAX
proof = proof [method] statement* qed
      | by method
method = (simp ...) | (blast ...) | (rule ...) | ...
statement = fix variables (⋀)
          | assume proposition (⟹)
          | [from name+] (have | show) proposition proof
          | next (separates subgoals)
proposition = [name:] formula
PROOF AND QED
proof [method] statement* qed
lemma "⟦A; B⟧ ⟹ A ∧ B"
proof (rule conjI)
  assume A: "A"
  from A show "A" by assumption
next
  assume B: "B"
  from B show "B" by assumption
qed
➜ proof (<method>) applies method to the stated goal
➜ proof applies a single rule that fits
➜ proof - does nothing to the goal
HOW DO I KNOW WHAT TO ASSUME AND SHOW?
Look at the proof state!
lemma "⟦A; B⟧ ⟹ A ∧ B"
proof (rule conjI)
➜ proof (rule conjI) changes proof state to
  ⟦A; B⟧ ⟹ A
  ⟦A; B⟧ ⟹ B
➜ so we need 2 shows: show "A" and show "B"
➜ We are allowed to assume A, because A is in the assumptions of the proof state.
THE THREE MODES OF ISAR
➜ [prove]: goal has been stated, proof needs to follow.
➜ [state]: proof block has opened or subgoal has been proved; a new from statement, goal statement or assumptions can follow.
➜ [chain]: from statement has been made, goal statement needs to follow.
lemma "⟦A; B⟧ ⟹ A ∧ B"   [prove]
proof (rule conjI)        [state]
  assume A: "A"           [state]
  from A                  [chain]
  show "A"                [prove]
  by assumption           [state]
next                      [state]
  ...
HAVE
Can be used to make intermediate steps. Example:
lemma "(x :: nat) + 1 = 1 + x"
proof -
  have A: "x + 1 = Suc x" by simp
  have B: "1 + x = Suc x" by simp
  show "x + 1 = 1 + x" by (simp only: A B)
qed
DEMO: ISAR PROOFS
WE HAVE LEARNED TODAY ...
➜ Introducing new Types
➜ Equations and Term Rewriting
➜ Confluence and Termination of reduction systems
➜ Term Rewriting in Isabelle
➜ First structured proofs (Isar)
EXERCISES
➜ use typedef to define a new type v with exactly one element.
➜ define a constant u of type v
➜ show that every element of v is equal to u
➜ design a set of rules that turns formulae with ∧, ∨, ⟶, ¬ into disjunctive normal form (= disjunction of conjunctions with negation only directly on variables)
➜ prove those rules in Isabelle
➜ use simp only with these rules on (¬B ⟶ C) ⟶ A ⟶ B