text\<open>
Isabelle/Isar \<^cite>\<open>"Wenzel:1999:TPHOL" and "Wenzel-PhD" and "Nipkow-TYPES02" and "Wiedijk:1999:Mizar" and "Wenzel-Paulson:2006" and "Wenzel:2006:Festschrift"\<close> is a generic framework for developing formal
mathematical documents with full proof checking. Definitions, statements and
proofs are organized as theories. A collection of theory sources may be
presented as a printed document; see also \chref{ch:document-prep}.

The main concern of Isar is the design of a human-readable structured proof
language, which is called the ``primary proof format'' in Isar terminology.
Such a primary proof language is somewhere in the middle between the
extremes of primitive proof objects and actual natural language.

Thus Isar challenges the traditional way of recording informal proofs in
mathematical prose, as well as the common tendency to see fully formal
proofs directly as objects of some logical calculus (e.g.\ \<open>\<lambda>\<close>-terms in a
version of type theory). Technically, Isar is an interpreter of a simple
block-structured language for describing the data flow of local facts and
goals, interspersed with occasional invocations of proof methods. Everything
is reduced to logical inferences internally, but these steps are somewhat
marginal compared to the overall bookkeeping of the interpretation process.
Thanks to careful design of the syntax and semantics of Isar language
elements, a formal record of Isar commands may later appear as an
intelligible text to the human reader.

The Isar proof language has emerged from careful analysis of some inherent
virtues of the logical framework Isabelle/Pure \<^cite>\<open>"paulson-found" and "paulson700"\<close>, notably composition of higher-order natural deduction rules,
which is a generalization of Gentzen's original calculus \<^cite>\<open>"Gentzen:1935"\<close>. The approach of generic inference systems in Pure is
continued by Isar towards actual proof texts. See also
\figref{fig:natural-deduction}.

\begin{figure}[htb]

\begin{center}
\begin{minipage}[t]{0.9\textwidth}

\textbf{Inferences:}
\begin{center}
\begin{tabular}{l@ {\qquad}l}
\infer{\<open>B\<close>}{\<open>A \<longrightarrow> B\<close> & \<open>A\<close>} &
\infer{\<open>A \<longrightarrow> B\<close>}{\infer*{\<open>B\<close>}{\<open>[A]\<close>}} \\
\end{tabular}
\end{center}

\textbf{Isabelle/Pure:}
\begin{center}
\begin{tabular}{l@ {\qquad}l}
\<open>(A \<longrightarrow> B) \<Longrightarrow> A \<Longrightarrow> B\<close> &
\<open>(A \<Longrightarrow> B) \<Longrightarrow> A \<longrightarrow> B\<close>
\end{tabular}
\end{center}

\textbf{Isabelle/Isar:}
\begin{center}
\begin{minipage}[t]{0.4\textwidth}
@{theory_text [display, indent = 2]
  \<open>have "A \<longrightarrow> B" \<proof>
also have A \<proof>
finally have B .\<close>}
\end{minipage}
\begin{minipage}[t]{0.4\textwidth}
@{theory_text [display, indent = 2]
  \<open>have "A \<longrightarrow> B"
proof
  assume A
  then show B \<proof>
qed\<close>}
\end{minipage}
\end{center}

\end{minipage}
\end{center}

\caption{Natural Deduction via inferences according to Gentzen, rules in
Isabelle/Pure, and proofs in Isabelle/Isar}\label{fig:natural-deduction}

\end{figure}

\<^medskip>
Concrete applications require another intermediate layer: an object-logic.
Isabelle/HOL \<^cite>\<open>"isa-tutorial"\<close> (simply-typed set-theory) is most
commonly used; elementary examples are given in the directories
\<^dir>\<open>~~/src/Pure/Examples\<close> and \<^dir>\<open>~~/src/HOL/Examples\<close>. Some examples
demonstrate how to start a fresh object-logic from Isabelle/Pure, and use
Isar proofs from the very start, despite the lack of advanced proof tools at
such an early stage (e.g.\ see
\<^file>\<open>~~/src/Pure/Examples/Higher_Order_Logic.thy\<close>). Isabelle/FOL \<^cite>\<open>"isabelle-logics"\<close> and Isabelle/ZF \<^cite>\<open>"isabelle-ZF"\<close> also work, but are
much less developed.
In order to illustrate natural deduction in Isar, we shall subsequently
refer to the background theory and library of Isabelle/HOL. This includes
common notions of predicate logic, naive set-theory etc.\ using fairly
standard mathematical notation. From the perspective of generic natural
deduction there is nothing special about the logical connectives of HOL
(\<open>\<and>\<close>, \<open>\<or>\<close>, \<open>\<forall>\<close>, \<open>\<exists>\<close>, etc.), only the resulting reasoning principles are
relevant to the user. There are similar rules available for set-theory
operators (\<open>\<inter>\<close>, \<open>\<union>\<close>, \<open>\<Inter>\<close>, \<open>\<Union>\<close>, etc.), or any other theory developed in the
library (lattice theory, topology etc.).

Subsequently we briefly review fragments of Isar proof texts corresponding
directly to such general deduction schemes. The examples shall refer to
set-theory, to minimize the danger of understanding connectives of predicate
logic as something special.

\<^medskip>
The following deduction performs \<open>\<inter>\<close>-introduction, working forwards from
assumptions towards the conclusion. We give both the Isar text, and depict
the primitive rule involved, as determined by unification of fact and goal
statements against rules that are declared in the library context.
\<close>

text_raw \<open>\medskip\begin{minipage}{0.6\textwidth}\<close>
(*<*)
notepad
begin
    fix x :: 'a and A B
(*>*)
    assume "x \<in> A" and "x \<in> B"
    then have "x \<in> A \<inter> B" ..
(*<*)
end
(*>*)
text_raw \<open>\end{minipage}\begin{minipage}{0.4\textwidth}\<close>

text \<open>
\infer{\<open>x \<in> A \<inter> B\<close>}{\<open>x \<in> A\<close> & \<open>x \<in> B\<close>}
\<close>

text_raw \<open>\end{minipage}\<close>

text \<open>
\<^medskip>
Note that \<^theory_text>\<open>assume\<close> augments the proof context, \<^theory_text>\<open>then\<close> indicates that the
current fact shall be used in the next step, and \<^theory_text>\<open>have\<close> states an
intermediate goal. The two dots ``\<^theory_text>\<open>..\<close>'' refer to a complete proof of this
claim, using the indicated facts and a canonical rule from the context. We
could have been more explicit here by spelling out the final proof step via
the \<^theory_text>\<open>by\<close> command:
\<close>
(*<*)
notepad
begin
    fix x :: 'a and A B
(*>*)
    assume "x \<in> A" and "x \<in> B"
    then have "x \<in> A \<inter> B" by (rule IntI)
(*<*)
end
(*>*)
text \<open>
The format of the \<open>\<inter>\<close>-introduction rule represents the most basic inference,
which proceeds from given premises to a conclusion, without any nested proof
context involved.

The next example performs backwards introduction of \<open>\<Inter>\<A>\<close>, the intersection
of all sets within a given set. This requires a nested proof of set
membership within a local context, where \<open>A\<close> is an arbitrary-but-fixed
member of the collection:
\<close>

text_raw \<open>\medskip\begin{minipage}{0.6\textwidth}\<close>
(*<*)
notepad
begin
    fix x :: 'a and \<A>
(*>*)
    have "x \<in> \<Inter>\<A>"
    proof
      fix A
      assume "A \<in> \<A>"
      show "x \<in> A" \<proof>
    qed
(*<*)
end
(*>*)

text_raw \<open>\end{minipage}\begin{minipage}{0.4\textwidth}\<close>

text \<open>
\infer{\<open>x \<in> \<Inter>\<A>\<close>}{\infer*{\<open>x \<in> A\<close>}{\<open>[A][A \<in> \<A>]\<close>}}
\<close>

text_raw \<open>\end{minipage}\<close>
text \<open>
\<^medskip>
This Isar reasoning pattern again refers to the primitive rule depicted
above. The system determines it in the ``\<^theory_text>\<open>proof\<close>'' step, which could have
been spelled out more explicitly as ``\<^theory_text>\<open>proof (rule InterI)\<close>''. Note that
the rule involves both a local parameter \<open>A\<close> and an assumption \<open>A \<in> \<A>\<close> in
the nested reasoning. Such compound rules typically demand a genuine
subproof in Isar, working backwards rather than forwards as seen before.

In the proof body we encounter the \<^theory_text>\<open>fix\<close>-\<^theory_text>\<open>assume\<close>-\<^theory_text>\<open>show\<close> outline of nested
subproofs that is typical for Isar. The final \<^theory_text>\<open>show\<close> is like \<^theory_text>\<open>have\<close>
followed by an additional refinement of the enclosing claim, using the rule
derived from the proof body.

\<^medskip>
The next example involves \<open>\<Union>\<A>\<close>, which can be characterized as the set of
all \<open>x\<close> such that \<open>\<exists>A. x \<in> A \<and> A \<in> \<A>\<close>. The elimination rule for \<open>x \<in> \<Union>\<A>\<close>
does not mention \<open>\<exists>\<close> and \<open>\<and>\<close> at all, but admits to obtain directly a local
\<open>A\<close> such that \<open>x \<in> A\<close> and \<open>A \<in> \<A>\<close> hold. This corresponds to the following
Isar proof and inference rule, respectively:
\<close>
text_raw \<open>\medskip\begin{minipage}{0.6\textwidth}\<close>

(*<*)
notepad
begin
    fix x :: 'a and \<A> C
(*>*)
    assume "x \<in> \<Union>\<A>"
    then have C
    proof
      fix A
      assume "x \<in> A" and "A \<in> \<A>"
      show C \<proof>
    qed
(*<*)
end
(*>*)

text_raw \<open>\end{minipage}\begin{minipage}{0.4\textwidth}\<close>

text \<open>
\infer{\<open>C\<close>}{\<open>x \<in> \<Union>\<A>\<close> & \infer*{\<open>C\<close>~}{\<open>[A][x \<in> A, A \<in> \<A>]\<close>}}
\<close>

text_raw \<open>\end{minipage}\<close>
text \<open>
\<^medskip>
Although the Isar proof follows the natural deduction rule closely, the text
reads not as natural as anticipated. There is a double occurrence of an
arbitrary conclusion \<open>C\<close>, which represents the final result, but is
irrelevant for now. This issue arises for any elimination rule involving
local parameters. Isar provides the derived language element \<^theory_text>\<open>obtain\<close>,
which is able to perform the same elimination proof more conveniently:
\<close>
(*<*)
notepad
begin
    fix x :: 'a and \<A>
(*>*)
    assume "x \<in> \<Union>\<A>"
    then obtain A where "x \<in> A" and "A \<in> \<A>" ..
(*<*)
end
(*>*)
text \<open>
Here we avoid to mention the final conclusion \<open>C\<close> and return to plain
forward reasoning. The rule involved in the ``\<^theory_text>\<open>..\<close>'' proof is the same as
before.
\<close>
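text \<open>
The following theory is an added worked example and not part of the Isar
manual: it applies the two elimination styles shown above to a concrete goal,
namely that \<open>x \<in> \<Union>\<A>\<close> together with the extra assumption that every member
of \<open>\<A>\<close> is a subset of \<open>B\<close> yields \<open>x \<in> B\<close>. The lemma names and the subset
assumption are our own choices; the rule \<open>UnionE\<close> (selected implicitly by
\<^theory_text>\<open>proof\<close> and ``\<^theory_text>\<open>..\<close>'') and the rule \<open>subsetD\<close> are from the Isabelle/HOL
library.
\<close>

```isabelle
theory Union_Elim
  imports Main
begin

(* Explicit elimination: the chained fact makes the default method
   pick the library rule UnionE, so the subproof fixes the witness A
   and assumes its two properties.  Added example, not from the manual;
   the lemma names and the subset assumption are ours. *)
lemma union_elim_explicit:
  assumes "x \<in> \<Union>\<A>" and "\<And>A. A \<in> \<A> \<Longrightarrow> A \<subseteq> B"
  shows "x \<in> B"
  using \<open>x \<in> \<Union>\<A>\<close>
proof
  fix A
  assume "x \<in> A" and "A \<in> \<A>"
  from \<open>A \<in> \<A>\<close> have "A \<subseteq> B" by (rule assms(2))
  from this and \<open>x \<in> A\<close> show "x \<in> B" by (rule subsetD)
qed

(* The same elimination via obtain: the witness and its properties
   enter the context directly, and no final conclusion C is repeated. *)
lemma union_elim_obtain:
  assumes "x \<in> \<Union>\<A>" and "\<And>A. A \<in> \<A> \<Longrightarrow> A \<subseteq> B"
  shows "x \<in> B"
proof -
  from \<open>x \<in> \<Union>\<A>\<close> obtain A where "x \<in> A" and "A \<in> \<A>" ..
  from \<open>A \<in> \<A>\<close> have "A \<subseteq> B" by (rule assms(2))
  from this and \<open>x \<in> A\<close> show "x \<in> B" by (rule subsetD)
qed

end
```

Both lemmas check in Isabelle/HOL; the second one has no occurrence of an
auxiliary conclusion at all, which is the point made about \<^theory_text>\<open>obtain\<close> above.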
section \<open>The Pure framework \label{sec:framework-pure}\<close>
text \<open>
The Pure logic \<^cite>\<open>"paulson-found" and "paulson700"\<close> is an intuitionistic
fragment of higher-order logic \<^cite>\<open>"church40"\<close>. In type-theoretic
parlance, there are three levels of \<open>\<lambda>\<close>-calculus with corresponding arrows
\<open>\<Rightarrow>\<close>/\<open>\<And>\<close>/\<open>\<Longrightarrow>\<close>:

\<^medskip>
\begin{tabular}{ll}
\<open>\<alpha> \<Rightarrow> \<beta>\<close> & syntactic function space (terms depending on terms) \\
\<open>\<And>x. B(x)\<close> & universal quantification (proofs depending on terms) \\
\<open>A \<Longrightarrow> B\<close> & implication (proofs depending on proofs) \\
\end{tabular}
\<^medskip>

Here only the types of syntactic terms, and the propositions of proof terms
have been shown. The \<open>\<lambda>\<close>-structure of proofs can be recorded as an optional
feature of the Pure inference kernel, but the formal system can never depend
on it due to \<^emph>\<open>proof irrelevance\<close>.

On top of this most primitive layer of proofs, Pure implements a generic
calculus for nested natural deduction rules. Here object-logic inferences
are internalized as formulae over \<open>\<And>\<close> and \<open>\<Longrightarrow>\<close>. Combining such rule
statements may involve higher-order unification.
\<close>
subsection \<open>Primitive inferences\<close>

text \<open>
Term syntax provides explicit notation for abstraction \<open>\<lambda>x :: \<alpha>. b(x)\<close> and
application \<open>b a\<close>, while types are usually implicit thanks to
type-inference; terms of type \<open>prop\<close> are called propositions. Logical
statements are composed via \<open>\<And>x :: \<alpha>. B(x)\<close> and \<open>A \<Longrightarrow> B\<close>. Primitive reasoning
operates on judgments of the form \<open>\<Gamma> \<turnstile> \<phi>\<close>, with standard introduction and
elimination rules for \<open>\<And>\<close> and \<open>\<Longrightarrow>\<close> that refer to fixed parameters \<open>x\<^sub>1, \<dots>,
x\<^sub>m\<close> and hypotheses \<open>A\<^sub>1, \<dots>, A\<^sub>n\<close> from the context \<open>\<Gamma>\<close>; the corresponding
proof terms are left implicit. The subsequent inference rules define \<open>\<Gamma> \<turnstile> \<phi>\<close>
inductively, relative to a collection of axioms from the (axiomatic) theory
context:

\[
\infer{\<open>\<turnstile> A\<close>}{\<open>A\<close> \mbox{~is axiom}}
\qquad
\infer{\<open>A \<turnstile> A\<close>}{}
\]

\[
\infer{\<open>\<Gamma> \<turnstile> \<And>x. B(x)\<close>}{\<open>\<Gamma> \<turnstile> B(x)\<close> & \<open>x \<notin> \<Gamma>\<close>}
\qquad
\infer{\<open>\<Gamma> \<turnstile> B(a)\<close>}{\<open>\<Gamma> \<turnstile> \<And>x. B(x)\<close>}
\]

\[
\infer{\<open>\<Gamma> - A \<turnstile> A \<Longrightarrow> B\<close>}{\<open>\<Gamma> \<turnstile> B\<close>}
\qquad
\infer{\<open>\<Gamma>\<^sub>1 \<union> \<Gamma>\<^sub>2 \<turnstile> B\<close>}{\<open>\<Gamma>\<^sub>1 \<turnstile> A \<Longrightarrow> B\<close> & \<open>\<Gamma>\<^sub>2 \<turnstile> A\<close>}
\]

Furthermore, Pure provides a built-in equality \<open>\<equiv> :: \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> prop\<close> with
axioms for reflexivity, substitution, extensionality, and \<open>\<alpha>\<beta>\<eta>\<close>-conversion
on \<open>\<lambda>\<close>-terms.

\<^medskip>
An object-logic introduces another layer on top of Pure, e.g.\ with types
\<open>i\<close> for individuals and \<open>o\<close> for propositions, term constants \<open>Trueprop :: o
\<Rightarrow> prop\<close> as (implicit) derivability judgment and connectives like \<open>\<and> :: o \<Rightarrow> o
\<Rightarrow> o\<close> or \<open>\<forall> :: (i \<Rightarrow> o) \<Rightarrow> o\<close>, and axioms for object-level rules such as
\<open>conjI: A \<Longrightarrow> B \<Longrightarrow> A \<and> B\<close> or \<open>allI: (\<And>x. B x) \<Longrightarrow> \<forall>x. B x\<close>. Derived object rules
are represented as theorems of Pure. After the initial object-logic setup,
further axiomatizations are usually avoided: definitional principles are
used instead (e.g.\ \<^theory_text>\<open>definition\<close>, \<^theory_text>\<open>inductive\<close>, \<^theory_text>\<open>fun\<close>, \<^theory_text>\<open>function\<close>).
\<close>
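text \<open>
As an added illustration (not from the manual), the primitive rules above
suffice to derive the Pure-level counterpart of the first rule in
\figref{fig:natural-deduction}, namely \<open>(A \<Longrightarrow> B) \<Longrightarrow> A \<Longrightarrow> B\<close>, from the empty
context: two assumption judgments are combined by \<open>\<Longrightarrow>\<close>-elimination, and the
two hypotheses are then discharged in turn by \<open>\<Longrightarrow>\<close>-introduction. The
judgments are written with the same \<open>\<Gamma> - A\<close> convention as the rules above,
with the resulting contexts already simplified.

\[
\infer{\<open>\<turnstile> (A \<Longrightarrow> B) \<Longrightarrow> A \<Longrightarrow> B\<close>}{
  \infer{\<open>A \<Longrightarrow> B \<turnstile> A \<Longrightarrow> B\<close>}{
    \infer{\<open>{A \<Longrightarrow> B} \<union> {A} \<turnstile> B\<close>}{
      \infer{\<open>A \<Longrightarrow> B \<turnstile> A \<Longrightarrow> B\<close>}{} &
      \infer{\<open>A \<turnstile> A\<close>}{}}}}
\]

The innermost step is the \<open>\<Longrightarrow>\<close>-elimination rule with \<open>\<Gamma>\<^sub>1 = {A \<Longrightarrow> B}\<close> and
\<open>\<Gamma>\<^sub>2 = {A}\<close>; the two outer steps remove \<open>A\<close> and then \<open>A \<Longrightarrow> B\<close> from the context.
\<close>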
subsection \<open>Reasoning with rules \label{sec:framework-resolution}\<close>

text \<open>
Primitive inferences mostly serve foundational purposes. The main reasoning
mechanisms of Pure operate on nested natural deduction rules expressed as
formulae, using \<open>\<And>\<close> to bind local parameters and \<open>\<Longrightarrow>\<close> to express entailment.
Multiple parameters and premises are represented by repeating these
connectives in a right-associative manner.

Thanks to the Pure theorem \<^prop>\<open>(A \<Longrightarrow> (\<And>x. B x)) \<equiv> (\<And>x. A \<Longrightarrow> B x)\<close> the
connectives \<open>\<And>\<close> and \<open>\<Longrightarrow>\<close> commute. So we may assume w.l.o.g.\ that rule
statements always observe the normal form where quantifiers are pulled in
front of implications at each level of nesting. This means that any Pure
proposition may be presented as a \<^emph>\<open>Hereditary Harrop Formula\<close> \<^cite>\<open>"Miller:1991"\<close> which is of the form \<open>\<And>x\<^sub>1 \<dots> x\<^sub>m. H\<^sub>1 \<Longrightarrow> \<dots> H\<^sub>n \<Longrightarrow> A\<close> for \<open>m, n
\<ge> 0\<close>, and \<open>A\<close> atomic, and \<open>H\<^sub>1, \<dots>, H\<^sub>n\<close> being recursively of the same
format. Following the convention that outermost quantifiers are implicit,
Horn clauses \<open>A\<^sub>1 \<Longrightarrow> \<dots> A\<^sub>n \<Longrightarrow> A\<close> are a special case of this.

For example, the \<open>\<inter>\<close>-introduction rule encountered before is represented as
a Pure theorem as follows:
\[
\<open>IntI:\<close>~\<^prop>\<open>x \<in> A \<Longrightarrow> x \<in> B \<Longrightarrow> x \<in> A \<inter> B\<close>
\]

This is a plain Horn clause, since no further nesting on the left is
involved. The general \<open>\<Inter>\<close>-introduction corresponds to a Hereditary Harrop
Formula with one additional level of nesting:
\[
\<open>InterI:\<close>~\<^prop>\<open>(\<And>A. A \<in> \<A> \<Longrightarrow> x \<in> A) \<Longrightarrow> x \<in> \<Inter>\<A>\<close>
\]

\<^medskip>
Goals are also represented as rules: \<open>A\<^sub>1 \<Longrightarrow> \<dots> A\<^sub>n \<Longrightarrow> C\<close> states that the
subgoals \<open>A\<^sub>1, \<dots>, A\<^sub>n\<close> entail the result \<open>C\<close>; for \<open>n = 0\<close> the goal is
finished. To allow \<open>C\<close> being a rule statement itself, there is an internal
protective marker \<open># :: prop \<Rightarrow> prop\<close>, which is defined as identity and
hidden from the user. We initialize and finish goal states as follows:

\[
\begin{array}{c@ {\qquad}c}
\infer[(@{inference_def init})]{\<open>C \<Longrightarrow> #C\<close>}{} &
\infer[(@{inference_def finish})]{\<open>C\<close>}{\<open>#C\<close>}
\end{array}
\]

Goal states are refined in intermediate proof steps until a finished form is
achieved. Here the two main reasoning principles are @{inference
resolution}, for back-chaining a rule against a subgoal (replacing it by
zero or more subgoals), and @{inference assumption}, for solving a subgoal
(finding a short-circuit with local assumptions). Below \<open>\<^vec>x\<close> stands for
\<open>x\<^sub>1, \<dots>, x\<^sub>n\<close> (for \<open>n \<ge> 0\<close>).

\[
\infer[(@{inference_def resolution})]
{\<open>(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> \<^vec>A (\<^vec>a \<^vec>x))\<vartheta> \<Longrightarrow> C\<vartheta>\<close>}
{\begin{tabular}{rl}
\<open>rule:\<close> &
\<open>\<^vec>A \<^vec>a \<Longrightarrow> B \<^vec>a\<close> \\
\<open>goal:\<close> &
\<open>(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C\<close> \\
\<open>goal unifier:\<close> &
\<open>(\<lambda>\<^vec>x. B (\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>\<close> \\
\end{tabular}}
\]

\<^medskip>

\[
\infer[(@{inference_def assumption})]{\<open>C\<vartheta>\<close>}
{\begin{tabular}{rl}
\<open>goal:\<close> &
\<open>(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> A \<^vec>x) \<Longrightarrow> C\<close> \\
\<open>assm unifier:\<close> & \<open>A\<vartheta> = H\<^sub>i\<vartheta>\<close>~~\mbox{for some~\<open>H\<^sub>i\<close>} \\
\end{tabular}}
\]

The following trace illustrates goal-oriented reasoning in
Isabelle/Pure:

{\footnotesize
\<^medskip>
\begin{tabular}{r@ {\quad}l}
\<open>(A \<and> B \<Longrightarrow> B \<and> A) \<Longrightarrow> #(A \<and> B \<Longrightarrow> B \<and> A)\<close> & \<open>(init)\<close> \\
\<open>(A \<and> B \<Longrightarrow> B) \<Longrightarrow> (A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>\<close> & \<open>(resolution B \<Longrightarrow> A \<Longrightarrow> B \<and> A)\<close> \\
\<open>(A \<and> B \<Longrightarrow> A \<and> B) \<Longrightarrow> (A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>\<close> & \<open>(resolution A \<and> B \<Longrightarrow> B)\<close> \\
\<open>(A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>\<close> & \<open>(assumption)\<close> \\
\<open>(A \<and> B \<Longrightarrow> A \<and> B) \<Longrightarrow> #\<dots>\<close> & \<open>(resolution A \<and> B \<Longrightarrow> A)\<close> \\
\<open>#\<dots>\<close> & \<open>(assumption)\<close> \\
\<open>A \<and> B \<Longrightarrow> B \<and> A\<close> & \<open>(finish)\<close> \\
\end{tabular}
\<^medskip>
}

Compositions of @{inference assumption} after @{inference resolution} occur
quite often, typically in elimination steps. Traditional Isabelle tactics
accommodate this by a combined \<^emph>\<open>elim-resolution\<close> principle. In contrast,
Isar uses a combined refinement rule as follows:\footnote{For simplicity and
clarity, the presentation ignores \<^emph>\<open>weak premises\<close> as introduced via
\<^theory_text>\<open>presume\<close> or \<^theory_text>\<open>show \<dots> when\<close>.}

{\small
\[
\infer[(@{inference refinement})]
{\<open>C\<vartheta>\<close>}
{\begin{tabular}{rl}
\<open>subgoal:\<close> &
\<open>(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C\<close> \\
\<open>subproof:\<close> &
\<open>\<^vec>G \<^vec>a \<Longrightarrow> B \<^vec>a\<close> \quad for schematic \<open>\<^vec>a\<close> \\
\<open>concl unifier:\<close> &
\<open>(\<lambda>\<^vec>x. B (\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>\<close> \\
\<open>assm unifiers:\<close> &
\<open>(\<lambda>\<^vec>x. G\<^sub>j (\<^vec>a \<^vec>x))\<vartheta> = H\<^sub>i\<vartheta>\<close> \quad for each \<open>G\<^sub>j\<close> some \<open>H\<^sub>i\<close> \\
\end{tabular}}
\]}

Here the \<open>subproof\<close> rule stems from the main \<^theory_text>\<open>fix\<close>-\<^theory_text>\<open>assume\<close>-\<^theory_text>\<open>show\<close>
outline of Isar (cf.\ \secref{sec:framework-subproof}): each assumption
indicated in the text results in a marked premise \<open>G\<close> above. Consequently,
\<^theory_text>\<open>fix\<close>-\<^theory_text>\<open>assume\<close>-\<^theory_text>\<open>show\<close> enables to fit the result of a subproof quite
robustly into a pending subgoal, while maintaining a good measure of
flexibility: the subproof only needs to fit modulo unification, and its
assumptions may be a proper subset of the subgoal premises (see
\secref{sec:framework-subproof}).
\<close>
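text \<open>
As an added example (not from the manual), the following theory replays the
\<open>A \<and> B \<Longrightarrow> B \<and> A\<close> trace above in two ways: once as an explicit \<^theory_text>\<open>apply\<close>
script, where each line is exactly one @{inference resolution} or
@{inference assumption} step, and once as a structured Isar proof whose
\<^theory_text>\<open>show\<close> steps are fitted to the subgoals by @{inference refinement}. The
rules \<open>conjI\<close>, \<open>conjunct1\<close> and \<open>conjunct2\<close> are the Isabelle/HOL library rules
for these inferences; the lemma names are ours.
\<close>

```isabelle
theory Conj_Swap_Trace
  imports Main
begin

(* Added example, not part of the Isar manual.  Each apply line is one
   inference of the trace; the goal state after each step can be
   inspected in the Isabelle/jEdit output panel. *)
lemma conj_swap_script: "A \<and> B \<Longrightarrow> B \<and> A"
  apply (rule conjI)        (* resolution with B \<Longrightarrow> A \<Longrightarrow> B \<and> A *)
   apply (rule conjunct2)   (* resolution with ?P \<and> B \<Longrightarrow> B *)
   apply assumption         (* unifies ?P \<and> B with the premise A \<and> B *)
  apply (rule conjunct1)    (* resolution with A \<and> ?Q \<Longrightarrow> A *)
  apply assumption
  done

(* The same inferences as structured text: "proof" applies conjI by
   default, and each show is fitted to its subgoal by refinement. *)
lemma conj_swap_isar:
  assumes "A \<and> B"
  shows "B \<and> A"
proof
  from \<open>A \<and> B\<close> show B by (rule conjunct2)
next
  from \<open>A \<and> B\<close> show A by (rule conjunct1)
qed

end
```

The script version makes the intermediate goal states visible one inference
at a time; the Isar version records the same reasoning without ever naming
a goal state in the text.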
section \<open>The Isar proof language \label{sec:framework-isar}\<close>
text\<open>
Structured proofs are presented as high-level expressions for composing
entities of Pure (propositions, facts, and goals). The Isar proof language
allows to organize reasoning within the underlying rule calculus of Pure,
but Isar is not another logical calculus. Isar merely imposes certain
structure and policies on Pure inferences. The main grammar of the Isar
proof language is given in \figref{fig:isar-syntax}.

\begin{figure}[htb]
\begin{center}
\begin{tabular}{rcl}
\<open>main\<close> & \<open>=\<close> & \<^theory_text>\<open>notepad begin "statement\<^sup>*" end\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>theorem name: props if name: props for vars\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>theorem name:\<close> \\
& & \quad\<^theory_text>\<open>fixes vars\<close> \\
& & \quad\<^theory_text>\<open>assumes name: props\<close> \\
& & \quad\<^theory_text>\<open>shows name: props "proof"\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>theorem name:\<close> \\
& & \quad\<^theory_text>\<open>fixes vars\<close> \\
& & \quad\<^theory_text>\<open>assumes name: props\<close> \\
& & \quad\<^theory_text>\<open>obtains (name) clause "\<^bold>|" \<dots> "proof"\<close> \\
\<open>proof\<close> & \<open>=\<close> & \<^theory_text>\<open>"refinement\<^sup>* proper_proof"\<close> \\
\<open>refinement\<close> & \<open>=\<close> & \<^theory_text>\<open>apply method\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>supply name = thms\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>subgoal premises name for vars "proof"\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>using thms\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>unfolding thms\<close> \\
\<open>proper_proof\<close> & \<open>=\<close> & \<^theory_text>\<open>proof "method\<^sup>?" "statement\<^sup>*" qed "method\<^sup>?"\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>by method method\<close>~~~\<open>|\<close>~~~\<^theory_text>\<open>..\<close>~~~\<open>|\<close>~~~\<^theory_text>\<open>.\<close>~~~\<open>|\<close>~~~\<^theory_text>\<open>sorry\<close>~~~\<open>|\<close>~~~\<^theory_text>\<open>done\<close> \\
\<open>statement\<close> & \<open>=\<close> & \<^theory_text>\<open>{ "statement\<^sup>*" }\<close>~~~\<open>|\<close>~~~\<^theory_text>\<open>next\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>note name = thms\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>let "term" = "term"\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>write name (mixfix)\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>fix vars\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>assume name: props if props for vars\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>presume name: props if props for vars\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>define clause\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>case name: "case"\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>then"\<^sup>?" goal\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>from thms goal\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>with thms goal\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>also\<close>~~~\<open>|\<close>~~~\<^theory_text>\<open>finally goal\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>moreover\<close>~~~\<open>|\<close>~~~\<^theory_text>\<open>ultimately goal\<close> \\
\<open>goal\<close> & \<open>=\<close> & \<^theory_text>\<open>have name: props if name: props for vars "proof"\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>show name: props if name: props for vars "proof"\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>show name: props when name: props for vars "proof"\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>consider (name) clause "\<^bold>|" \<dots> "proof"\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>obtain (name) clause "proof"\<close> \\
\<open>clause\<close> & \<open>=\<close> & \<^theory_text>\<open>vars where name: props if props for vars\<close> \\
\end{tabular}
\end{center}
\caption{Main grammar of the Isar proof language}\label{fig:isar-syntax}
\end{figure}

The construction of the Isar proof language proceeds in a bottom-up fashion,
as an exercise in purity and concise notation. The grammar in
\appref{ap:main-grammar} describes the primitive parts of the core language
(category \<open>proof\<close>), which is embedded into the main outer theory syntax via
elements that require a proof (e.g.\ \<^theory_text>\<open>theorem\<close>, \<^theory_text>\<open>lemma\<close>, \<^theory_text>\<open>function\<close>,
\<^theory_text>\<open>termination\<close>).

The syntax for terms and propositions is inherited from Pure (and the
object-logic). A \<open>pattern\<close> is a \<open>term\<close> with schematic variables, to be bound
by higher-order matching. Simultaneous propositions or facts may be
separated by the \<^theory_text>\<open>and\<close> keyword.

\<^medskip>
Facts may be referenced by name or proposition. For example, the result of
``\<^theory_text>\<open>have a: A \<proof>\<close>'' becomes accessible both via the name \<open>a\<close> and the
literal proposition \<open>\<open>A\<close>\<close>. Moreover, fact expressions may involve attributes
that modify either the theorem or the background context. For example, the
expression ``\<open>a [OF b]\<close>'' refers to the composition of two facts according to
the @{inference resolution} inference of \secref{sec:framework-resolution},
while ``\<open>a [intro]\<close>'' declares a fact as introduction rule in the context.

The special fact called ``@{fact this}'' always refers to the last result,
as produced by \<^theory_text>\<open>note\<close>, \<^theory_text>\<open>assume\<close>, \<^theory_text>\<open>have\<close>, or \<^theory_text>\<open>show\<close>. Since \<^theory_text>\<open>note\<close> occurs
frequently together with \<^theory_text>\<open>then\<close>, there are some abbreviations:

\<^medskip>
\begin{tabular}{rcl}
\<^theory_text>\<open>from a\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>note a then\<close> \\
\<^theory_text>\<open>with a\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>from a and this\<close> \\
\end{tabular}
\<^medskip>

The \<open>method\<close> category is essentially a parameter of the Isar language and
may be populated later. The command \<^theory_text>\<open>method_setup\<close> allows to define proof
methods semantically in Isabelle/ML. The Eisbach language allows to define
proof methods symbolically, as functions of other proof methods \<^cite>\<open>"Matichuk-et-al:2014"\<close>; see also \<^dir>\<open>~~/src/HOL/Eisbach\<close>.

Methods use the facts indicated by \<^theory_text>\<open>then\<close> or \<^theory_text>\<open>using\<close>, and then operate on
the goal state. Some basic methods are predefined in Pure: ``@{method "-"}''
leaves the goal unchanged, ``@{method this}'' applies the facts as rules to
the goal, ``@{method (Pure) "rule"}'' applies the facts to another rule and
the result to the goal (both ``@{method this}'' and ``@{method (Pure) rule}''
refer to @{inference resolution} of \secref{sec:framework-resolution}). The
secondary arguments to ``@{method (Pure) rule}'' may be specified explicitly
as in ``\<^theory_text>\<open>(rule a)\<close>'', or picked from the context. In the latter case, the
system first tries rules declared as @{attribute (Pure) elim} or
@{attribute (Pure) dest}, followed by those declared as @{attribute (Pure)
intro}.

The default method for \<^theory_text>\<open>proof\<close> is ``@{method standard}'' (which subsumes
@{method rule} with arguments picked from the context), for \<^theory_text>\<open>qed\<close> it is
``@{method "succeed"}''. Further abbreviations for terminal proof steps are
``\<^theory_text>\<open>by method\<^sub>1 method\<^sub>2\<close>'' for ``\<^theory_text>\<open>proof method\<^sub>1 qed method\<^sub>2\<close>'', and
``\<^theory_text>\<open>..\<close>'' for ``\<^theory_text>\<open>by standard\<close>'', and ``\<^theory_text>\<open>.\<close>'' for ``\<^theory_text>\<open>by this\<close>''. The command
``\<^theory_text>\<open>unfolding facts\<close>'' operates directly on the goal by applying equalities.

\<^medskip>
Block structure can be indicated explicitly by ``\<^theory_text>\<open>{ \<dots> }\<close>'', although the
body of a subproof ``\<^theory_text>\<open>proof \<dots> qed\<close>'' already provides implicit nesting. In
both situations, \<^theory_text>\<open>next\<close> jumps into the next section of a block, i.e.\ it
acts like closing an implicit block scope and opening another one. There is
no direct connection to subgoals here!

The commands \<^theory_text>\<open>fix\<close> and \<^theory_text>\<open>assume\<close> build up a local context (see
\secref{sec:framework-context}), while \<^theory_text>\<open>show\<close> refines a pending subgoal by
the rule resulting from a nested subproof (see
\secref{sec:framework-subproof}). Further derived concepts will support
calculational reasoning (see \secref{sec:framework-calc}).
\<close>
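text \<open>
An added example (not from the manual) exercising the fact expressions and
abbreviations described above on a small Isabelle/HOL lemma: ``\<open>a [OF b]\<close>''
composes two local facts by @{inference resolution}, ``\<open>a [intro]\<close>'' lets
the default method behind ``\<^theory_text>\<open>..\<close>'' find the rule in the context, and
\<^theory_text>\<open>with\<close> chains the current fact together with a named one. The fact names
\<open>a\<close>, \<open>b\<close>, \<open>c\<close> and the predicates \<open>P\<close>, \<open>Q\<close>, \<open>R\<close> are ours.
\<close>

```isabelle
theory Fact_Expressions
  imports Main
begin

(* Added example, not part of the Isar manual. *)
lemma
  assumes a: "\<And>x. P x \<Longrightarrow> Q x"
    and b: "P t"
    and c: "\<And>x. P x \<Longrightarrow> Q x \<Longrightarrow> R x"
  shows "Q t \<and> R t"
proof
  (* a [OF b] is the rule a with its premise discharged by b, i.e. the
     fact Q t; applying it as a rule closes the first subgoal directly. *)
  show "Q t" by (rule a [OF b])
next
  (* Declaring a as an intro rule lets ".." find it: the goal Q t is
     unified with its conclusion, the chained fact P t with its premise. *)
  note a [intro]
  from b have "Q t" ..
  (* "with b" abbreviates "from b and this": both facts are chained, in
     that order, into the two premises of the rule c. *)
  with b show "R t" by (rule c)
qed

end
```

Reordering the two facts in the last step (``\<^theory_text>\<open>from this and b\<close>'') would make
``\<^theory_text>\<open>(rule c)\<close>'' fail, because chained facts are resolved against the premises
of the rule in the order given.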
subsection \<open>Context elements \label{sec:framework-context}\<close>
text \<open>
In judgments \<open>\<Gamma> \<turnstile> \<phi>\<close> of the primitive framework, \<open>\<Gamma>\<close> essentially acts like a
proof context. Isar elaborates this idea towards a more advanced concept,
with additional information for type-inference, term abbreviations, local
facts, hypotheses etc.

For example, the context element \<^theory_text>\<open>fix x :: \<alpha>\<close> declares a local parameter,
i.e.\ an arbitrary-but-fixed entity of a given type; in results exported
from the context, \<open>x\<close> may become anything. The \<^theory_text>\<open>assume \<guillemotleft>inference\<guillemotright>\<close> element provides
a general interface to hypotheses: \<^theory_text>\<open>assume \<guillemotleft>inference\<guillemotright> A\<close> produces \<open>A \<turnstile> A\<close>
locally, while the included inference tells how to discharge \<open>A\<close> from
results \<open>A \<turnstile> B\<close> later on. There is no surface syntax for \<open>\<guillemotleft>inference\<guillemotright>\<close>,
i.e.\ it may only occur internally when derived commands are defined in ML.

The default inference for \<^theory_text>\<open>assume\<close> is @{inference export} as given below.
The derived element \<^theory_text>\<open>define x where "x \<equiv> a"\<close> is defined as \<^theory_text>\<open>fix x assume \<guillemotleft>expand\<guillemotright> x \<equiv> a\<close>, with the subsequent inference @{inference expand}.

\[
\infer[(@{inference_def export})]{\<open>\<strut>\<Gamma> - A \<turnstile> A \<Longrightarrow> B\<close>}{\<open>\<strut>\<Gamma> \<turnstile> B\<close>}
\qquad
\infer[(@{inference_def expand})]{\<open>\<strut>\<Gamma> - (x \<equiv> a) \<turnstile> B a\<close>}{\<open>\<strut>\<Gamma> \<turnstile> B x\<close>}
\]

\<^medskip>
The most interesting derived context element in Isar is \<^theory_text>\<open>obtain\<close> \<^cite>\<open>\<open>\S5.3\<close> in "Wenzel-PhD"\<close>, which supports generalized elimination steps in a
purely forward manner. The \<^theory_text>\<open>obtain\<close> command takes a specification of
parameters \<open>\<^vec>x\<close> and assumptions \<open>\<^vec>A\<close> to be added to the context,
together with a proof of a case rule stating that this extension is
conservative (i.e.\ may be removed from closed results later on):

\<^medskip>
\begin{tabular}{l}
\<open>\<langle>facts\<rangle>\<close>~~\<^theory_text>\<open>obtain "\<^vec>x" where "\<^vec>A" "\<^vec>x" \<proof> \<equiv>\<close> \\[0.5ex]
\quad \<^theory_text>\<open>have "case": "\<And>thesis. (\<And>"\<^vec>x". "\<^vec>A" "\<^vec>x" \<Longrightarrow> thesis) \<Longrightarrow> thesis"\<close> \\[0.2ex]
\quad \<^theory_text>\<open>proof -\<close> \\[0.2ex]
\qquad \<^theory_text>\<open>fix thesis\<close> \\[0.2ex]
\qquad \<^theory_text>\<open>assume [intro]: "\<And>"\<^vec>x". "\<^vec>A" "\<^vec>x" \<Longrightarrow> thesis"\<close> \\[0.2ex]
\qquad \<^theory_text>\<open>show thesis using \<langle>facts\<rangle> \<proof>\<close> \\[0.2ex]
\quad \<^theory_text>\<open>qed\<close> \\[0.2ex]
\quad \<^theory_text>\<open>fix "\<^vec>x" assume \<guillemotleft>elimination "case"\<guillemotright> "\<^vec>A" "\<^vec>x"\<close> \\
\end{tabular}
\<^medskip>

\[
\infer[(@{inference elimination})]{\<open>\<Gamma> \<turnstile> B\<close>}{
\begin{tabular}{rl}
\<open>case:\<close> &
\<open>\<Gamma> \<turnstile> \<And>thesis. (\<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis) \<Longrightarrow> thesis\<close> \\[0.2ex]
\<open>result:\<close> &
\<open>\<Gamma> \<union> \<^vec>A \<^vec>y \<turnstile> B\<close> \\[0.2ex]
\end{tabular}}
\]

Here the name ``\<open>thesis\<close>'' is a specific convention for an
arbitrary-but-fixed proposition; in the primitive natural deduction rules
shown before we have occasionally used \<open>C\<close>. The whole statement of
``\<^theory_text>\<open>obtain x where A x\<close>'' can be read as a claim that \<open>A x\<close> may be assumed
for some arbitrary-but-fixed \<open>x\<close>. Also note that ``\<^theory_text>\<open>obtain A and B\<close>''
without parameters is similar to ``\<^theory_text>\<open>have A and B\<close>'', but the latter
involves multiple subgoals that need to be proved separately.

\<^medskip>
The subsequent Isar proof texts explain all context elements introduced
above using the formal proof language itself. After finishing a local proof
within a block, the exported result is indicated via \<^theory_text>\<open>note\<close>.
\<close>
(*<*) theorem True proof (*>*) text_raw\<open>\begin{minipage}[t]{0.45\textwidth}\<close>
{
  fix x
  have "B x" \<proof>
}
note \<open>\<And>x. B x\<close>
text_raw \<open>\end{minipage}\quad\begin{minipage}[t]{0.45\textwidth}\<close>(*<*)next(*>*)
{
  assume A
  have B \<proof>
}
note \<open>A \<Longrightarrow> B\<close>
text_raw \<open>\end{minipage}\\[3ex]\begin{minipage}[t]{0.45\textwidth}\<close>(*<*)next(*>*)
{
  define x where "x \<equiv> a"
  have "B x" \<proof>
}
note \<open>B a\<close>
text_raw \<open>\end{minipage}\quad\begin{minipage}[t]{0.45\textwidth}\<close>(*<*)next(*>*)
{
  obtain x where "A x" \<proof>
  have B \<proof>
}
note \<open>B\<close>
text_raw \<open>\end{minipage}\<close>
(*<*) qed (*>*)
text \<open>
\<^bigskip>
This illustrates the meaning of Isar context elements without goals getting
in the way.
\<close>


subsection \<open>Structured statements \label{sec:framework-stmt}\<close>

text \<open>
The syntax of top-level theorem statements is defined as follows:

\<^medskip>
\begin{tabular}{rcl}
\<open>statement\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>name: props and \<dots>\<close> \\
& \<open>|\<close> & \<open>context\<^sup>* conclusion\<close> \\[0.5ex]

\<open>context\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>fixes vars and \<dots>\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>assumes name: props and \<dots>\<close> \\

\<open>conclusion\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>shows name: props and \<dots>\<close> \\
& \<open>|\<close> & \<^theory_text>\<open>obtains vars and \<dots> where name: props and \<dots>\<close> \\
& & \quad \<open>\<BBAR> \<dots>\<close> \\
\end{tabular}

\<^medskip>

A simple statement consists of named propositions. The full form admits
local context elements followed by the actual conclusions, such as ``\<^theory_text>\<open>fixes
x assumes A x shows B x\<close>''. The final result emerges as a Pure rule after
discharging the context: \<^prop>\<open>\<And>x. A x \<Longrightarrow> B x\<close>.

The \<^theory_text>\<open>obtains\<close> variant is another abbreviation defined below; unlike
\<^theory_text>\<open>obtain\<close> (cf.\ \secref{sec:framework-context}) there may be several
``cases'' separated by ``\<open>\<BBAR>\<close>'', each consisting of several parameters
(\<open>vars\<close>) and several premises (\<open>props\<close>). This specifies multi-branch
elimination rules.

\<^medskip>
\begin{tabular}{l}
\<^theory_text>\<open>obtains "\<^vec>x" where "\<^vec>A" "\<^vec>x"  "\<BBAR>"  \<dots>  \<equiv>\<close> \\[0.5ex]
\quad \<^theory_text>\<open>fixes thesis\<close> \\
\quad \<^theory_text>\<open>assumes [intro]: "\<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis"  and  \<dots>\<close> \\
\quad \<^theory_text>\<open>shows thesis\<close> \\
\end{tabular}
\<^medskip>

Presenting structured statements in such an ``open'' format usually
simplifies the subsequent proof, because the outer structure of the problem
is already laid out directly. E.g.\ consider the following canonical
patterns for \<^theory_text>\<open>shows\<close> and \<^theory_text>\<open>obtains\<close>, respectively:
\<close>

text_raw \<open>\begin{minipage}{0.5\textwidth}\<close>
theorem
  fixes x and y
  assumes "A x" and "B y"
  shows "C x y"
proof -
  from \<open>A x\<close> and \<open>B y\<close>
  show "C x y" \<proof>
qed

text_raw \<open>\end{minipage}\begin{minipage}{0.5\textwidth}\<close>

theorem
  obtains x and y
  where "A x" and "B y"
proof -
  have "A a" and "B b" \<proof>
  then show thesis ..
qed

text_raw \<open>\end{minipage}\<close>
text \<open>
\<^medskip>
Here local facts \<open>\<open>A x\<close>\<close> and \<open>\<open>B y\<close>\<close> are referenced immediately; there is no
need to decompose the logical rule structure again. In the second proof the
final ``\<^theory_text>\<open>then show thesis ..\<close>'' involves the local rule case \<open>\<And>x y. A x \<Longrightarrow> B
y \<Longrightarrow> thesis\<close> for the particular instance of terms \<open>a\<close> and \<open>b\<close> produced in the
body.
\<close>
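text \<open>
The following theory is an added example (not from the manual) of a
two-branch \<^theory_text>\<open>obtains\<close> statement as described above, followed by a use of the
resulting elimination rule with the @{method cases} method. The lemma and
case names are ours; \<open>subsetD\<close> is the Isabelle/HOL library rule
\<open>A \<subseteq> B \<Longrightarrow> c \<in> A \<Longrightarrow> c \<in> B\<close>.
\<close>

```isabelle
theory Obtains_Cases
  imports Main
begin

(* Added example, not part of the Isar manual.  The named cases provide
   the local rules "left" and "right", each of the form
   "x \<in> _ \<Longrightarrow> thesis", and the statement is proved by a case split
   on membership in A. *)
lemma un_cases:
  assumes "x \<in> A \<union> B"
  obtains (left) "x \<in> A" | (right) "x \<in> B"
proof (cases "x \<in> A")
  case True
  then show thesis by (rule left)
next
  case False
  with \<open>x \<in> A \<union> B\<close> have "x \<in> B" by auto
  then show thesis by (rule right)
qed

(* The theorem is an ordinary elimination rule of Pure, so it can drive
   a case split in a later proof: the chained fact supplies its major
   premise and the cases carry the names declared above. *)
lemma
  assumes "x \<in> A \<union> B" and "A \<subseteq> C" and "B \<subseteq> C"
  shows "x \<in> C"
  using \<open>x \<in> A \<union> B\<close>
proof (cases rule: un_cases)
  case left
  with \<open>A \<subseteq> C\<close> show "x \<in> C" by (rule subsetD)
next
  case right
  with \<open>B \<subseteq> C\<close> show "x \<in> C" by (rule subsetD)
qed

end
```

In the second lemma, ``\<^theory_text>\<open>case left\<close>'' makes the premise of that branch
available as the fact \<open>left\<close>, which \<^theory_text>\<open>with\<close> chains behind \<open>A \<subseteq> C\<close> in exactly
the order the two premises of \<open>subsetD\<close> expect.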
subsection \<open>Structured proof refinement \label{sec:framework-subproof}\<close>

text \<open>
By breaking up the grammar for the Isar proof language, we may understand a
proof text as a linear sequence of individual proof commands. These are
interpreted as transitions of the Isar virtual machine (Isar/VM), which
operates on a block-structured configuration in single steps. This allows
users to write proof texts in an incremental manner, and inspect
intermediate configurations for debugging.

The basic idea is analogous to evaluating algebraic expressions on a stack
machine: \<open>(a + b) \<cdot> c\<close> then corresponds to a sequence of single transitions
for each symbol \<open>(, a, +, b, ), \<cdot>, c\<close>. In Isar the algebraic values are
facts or goals, and the operations are inferences.

\<^medskip>
The Isar/VM state maintains a stack of nodes, each node contains the local
proof context, the linguistic mode, and a pending goal (optional). The mode
determines the type of transition that may be performed next, it
essentially alternates between forward and backward reasoning, with an
intermediate stage for chained facts (see \figref{fig:isar-vm}).

\begin{figure}[htb]
\begin{center}
\includegraphics[width=0.8\textwidth]{isar-vm}
\end{center}
\caption{Isar/VM modes}\label{fig:isar-vm}
\end{figure}

For example, in \<open>state\<close> mode Isar acts like a mathematical scratch-pad,
accepting declarations like \<^theory_text>\<open>fix\<close>, \<^theory_text>\<open>assume\<close>, and claims like \<^theory_text>\<open>have\<close>,
\<^theory_text>\<open>show\<close>. A goal statement changes the mode to \<open>prove\<close>, which means that we
may now refine the problem via \<^theory_text>\<open>unfolding\<close> or \<^theory_text>\<open>proof\<close>. Then we are again
in \<open>state\<close> mode of a proof body, which may issue \<^theory_text>\<open>show\<close> statements to solve
pending subgoals. A concluding \<^theory_text>\<open>qed\<close> will return to the original \<open>state\<close>
mode one level upwards. The subsequent Isar/VM trace indicates block
structure, linguistic mode, goal state, and inferences:

{\footnotesize
\<^medskip>
\begin{tabular}{l@ {\quad}l@ {\quad}l@ {\quad}l@ {\quad}l}
\<^theory_text>\<open>have "A \<longrightarrow> B"\<close> & \<open>begin\<close> & \<open>prove\<close> & \<open>(A \<longrightarrow> B) \<Longrightarrow> #(A \<longrightarrow> B)\<close> & \<open>(init)\<close> \\
\<^theory_text>\<open>proof\<close> & & \<open>state\<close> & \<open>(A \<Longrightarrow> B) \<Longrightarrow> #(A \<longrightarrow> B)\<close> & \<open>(resolution impI)\<close> \\
\quad \<^theory_text>\<open>assume A\<close> & & \<open>state\<close> & & \\
\quad \<^theory_text>\<open>show B\<close> & \<open>begin\<close> & \<open>prove\<close> & & \\
\qquad \<^theory_text>\<open>\<proof>\<close> & \<open>end\<close> & \<open>state\<close> & \<open>#(A \<longrightarrow> B)\<close> & \<open>(refinement #A \<Longrightarrow> B)\<close> \\
\<^theory_text>\<open>qed\<close> & \<open>end\<close> & \<open>state\<close> & \<open>A \<longrightarrow> B\<close> & \<open>(finish)\<close> \\
\end{tabular}
\<^medskip>
}
\<close>
text \<open>
Here the @{inference refinement} inference from
\secref{sec:framework-resolution} mediates composition of Isar subproofs
nicely. Observe that this principle incorporates some degree of freedom in
proof composition. In particular, the proof body allows parameters and
assumptions to be re-ordered, or commuted according to Hereditary Harrop
Form. Moreover, context elements that are not used in a subproof may be
omitted altogether. For example:
\<close>

text_raw \<open>\begin{minipage}{0.5\textwidth}\<close>
(*<*)
notepad
begin
(*>*)
  have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
  proof -
    fix x and y
    assume "A x" and "B y"
    show "C x y" \<proof>
  qed

text_raw \<open>\end{minipage}\begin{minipage}{0.5\textwidth}\<close>

(*<*)
next
(*>*)
  have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
  proof -
    fix x assume "A x"
    fix y assume "B y"
    show "C x y" \<proof>
  qed

text_raw \<open>\end{minipage}\\[3ex]\begin{minipage}{0.5\textwidth}\<close>

(*<*)
next
(*>*)
  have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
  proof -
    fix y assume "B y"
    fix x assume "A x"
    show "C x y" \<proof>
  qed

text_raw \<open>\end{minipage}\begin{minipage}{0.5\textwidth}\<close>

(*<*)
next
(*>*)
  have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
  proof -
    fix y assume "B y"
    fix x
    show "C x y" \<proof>
  qed
(*<*)
end
(*>*)

text_raw \<open>\end{minipage}\<close>
text \<open>
\<^medskip>
Such fine-tuning of Isar text is practically important to improve
readability. Context elements are rearranged according to the natural flow
of reasoning in the body, while still observing the overall scoping rules.

\<^medskip>
This illustrates the basic idea of structured proof processing in Isar. The
main mechanisms are based on natural deduction rule composition within the
Pure framework. In particular, there are no direct operations on goal states
within the proof body. Moreover, there is no hidden automated reasoning
involved, just plain unification.
\<close>
subsection \<open>Calculational reasoning \label{sec:framework-calc}\<close>

text \<open>
The existing Isar infrastructure is sufficiently flexible to support
calculational reasoning (chains of transitivity steps) as derived concept.
The generic proof elements introduced below depend on rules declared as
@{attribute trans} in the context. It is left to the object-logic to provide
a suitable rule collection for mixed relations like \<open>=\<close>, \<open><\<close>, \<open>\<le>\<close>, \<open>\<subset>\<close>, \<open>\<subseteq>\<close>
etc. Due to the flexibility of rule composition
(\secref{sec:framework-resolution}), substitution of equals by equals is
covered as well, even substitution of inequalities involving monotonicity
conditions; see also \<^cite>\<open>\<open>\S6\<close> in "Wenzel-PhD"\<close> and \<^cite>\<open>"Bauer-Wenzel:2001"\<close>.

The generic calculational mechanism is based on the observation that rules
such as \<open>trans:\<close>~\<^prop>\<open>x = y \<Longrightarrow> y = z \<Longrightarrow> x = z\<close> proceed from the premises
towards the conclusion in a deterministic fashion. Thus we may reason in
forward mode, feeding intermediate results into rules selected from the
context. The course of reasoning is organized by maintaining a secondary
fact called ``@{fact calculation}'', apart from the primary ``@{fact this}''
already provided by the Isar primitives. In the definitions below,
@{attribute OF} refers to @{inference resolution}
(\secref{sec:framework-resolution}) with multiple rule arguments, and
\<open>trans\<close> represents a suitable rule from the context:

\begin{matharray}{rcl}
\<^theory_text>\<open>also"\<^sub>0"\<close> & \equiv & \<^theory_text>\<open>note calculation = this\<close> \\
\<^theory_text>\<open>also"\<^sub>n\<^sub>+\<^sub>1"\<close> & \equiv & \<^theory_text>\<open>note calculation = trans [OF calculation this]\<close> \\[0.5ex]
\<^theory_text>\<open>finally\<close> & \equiv & \<^theory_text>\<open>also from calculation\<close> \\
\end{matharray}

The start of a calculation is determined implicitly in the text: here
\<^theory_text>\<open>also\<close> sets @{fact calculation} to the current result; any subsequent
occurrence will update @{fact calculation} by combination with the next
result and a transitivity rule. The calculational sequence is concluded via
\<^theory_text>\<open>finally\<close>, where the final result is exposed for use in a concluding claim.

Here is a canonical proof pattern, using \<^theory_text>\<open>have\<close> to establish the
intermediate results:
\<close>
(*<*)
notepad
begin
  fix a b c d :: 'a
(*>*)
  have "a = b" \<proof>
  also have "\<dots> = c" \<proof>
  also have "\<dots> = d" \<proof>
  finally have "a = d" .
(*<*)
end
(*>*)
text \<open>
The term ``\<open>\<dots>\<close>'' (literal ellipsis) is a special abbreviation provided by
the Isabelle/Isar syntax layer: it statically refers to the right-hand side
argument of the previous statement given in the text. Thus it happens to
coincide with relevant sub-expressions in the calculational chain, but the
exact correspondence is dependent on the transitivity rules being involved.

\<^medskip>
Symmetry rules such as \<^prop>\<open>x = y \<Longrightarrow> y = x\<close> are like transitivities with
only one premise. Isar maintains a separate rule collection declared via
the @{attribute sym} attribute, to be used in fact expressions ``\<open>a
[symmetric]\<close>'', or single-step proofs ``\<^theory_text>\<open>assume "x = y" then have "y = x"
..\<close>''.
\<close>
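text \<open>
An added example (not from the manual) that runs a calculation over mixed
relations, as discussed above: the steps combine \<open>=\<close>, \<open>\<le>\<close> and \<open><\<close>, so each
\<^theory_text>\<open>also\<close> selects a different rule from the @{attribute trans} collection of
Isabelle/HOL, and the first fact is turned around with ``\<open>[symmetric]\<close>''
via the @{attribute sym} collection. The second lemma spells out the same
chain with the bookkeeping of the definitions above done by hand, using the
library rules \<open>ord_eq_le_trans\<close> and \<open>le_less_trans\<close> explicitly. The lemma
names and the concrete assumptions are ours.
\<close>

```isabelle
theory Calc_Mixed
  imports Main
begin

(* Added example, not part of the Isar manual.  The relation of the
   exposed result changes along the chain: "=" followed by "\<le>" gives
   "\<le>", and "\<le>" followed by "<" gives "<", each by a [trans] rule of HOL. *)
lemma mixed_chain:
  fixes a b c d :: nat
  assumes "b = a" and "b \<le> c" and "c < d"
  shows "a < d"
proof -
  have "a = b" by (rule assms(1) [symmetric])
  also have "\<dots> \<le> c" by (rule assms(2))
  also have "\<dots> < d" by (rule assms(3))
  finally show "a < d" .
qed

(* The same chain with the calculational bookkeeping made explicit:
   "chain" plays the role of the calculation fact and is updated with
   OF, exactly as "also" does with a rule picked from the context. *)
lemma mixed_chain_explicit:
  fixes a b c d :: nat
  assumes "b = a" and "b \<le> c" and "c < d"
  shows "a < d"
proof -
  note chain = assms(1) [symmetric]
  note chain = ord_eq_le_trans [OF chain assms(2)]
  note chain = le_less_trans [OF chain assms(3)]
  from chain show "a < d" .
qed

end
```

Replacing the last assumption by \<open>c \<le> d\<close> would make the chain end in
\<open>a \<le> d\<close> instead, which is why the manual stresses that the exact shape of
the result depends on the transitivity rules involved.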