| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/Isabelle/Doc/Locales/ (Beweissystem Isabelle Version 2025-1©) Datei vom 16.11.2025 mit Größe 31 kB |
|
Quelle Examples.thy Sprache: Isabelle |
|||||||||
|
theory Examples
imports Main begin (* text {* The following presentation will use notation of Isabelle's meta logic, hence a few sentences to explain this. The logical primitives are universal quantification (@{text "\<And>"}), entailment (@{text "\<Longrightarrow>"}) and equality (@{text "\<equiv>"}). Variables (not bound variables) are sometimes preceded by a question mark. The logic is typed. Type variables are denoted by~@{text "'a"},~@{text "'b"} etc., and~@{text "\<Rightarrow>"} is the function type. Double brackets~@{text "\<lbrakk>"} and~@{text "\<rbrakk>"} are used to abbreviate nested entailment. *} *) section \<open>Introduction\<close> text \<open> Locales are based on contexts. A \emph{context} can be seen as a formula schema \[ \<open>\<And>x\<^sub>1\<dots>x\<^sub>n. \<lbrakk> A\<^sub>1; \<dots> ;A\<^sub>m \<rbrakk> \<Longrightarrow> \< \] where the variables~\<open>x\<^sub>1\<close>, \ldots,~\<open>x\<^sub>n\<close> are called \emph{parameters} and the premises $\<open>A\<^sub>1\<close>, \ldots,~\<open>A\<^sub>m\<close>$ \e is a \emph{theorem} in the context if it is a conclusion \[ \<open>\<And>x\<^sub>1\<dots>x\<^sub>n. \<lbrakk> A\<^sub>1; \<dots> ;A\<^sub>m \<rbrakk> \<Longrightarrow> C \] Isabelle/Isar's notion of context goes beyond this logical view. Its contexts record, in a consecutive order, proved conclusions along with \emph{attributes}, which can provide context specific configuration information for proof procedures and concrete syntax. From a logical perspective, locales are just contexts that have been made persistent. To the user, though, they provide powerful means for declaring and combining contexts, and for the reuse of theorems proved in these contexts. \<close> section \<open>Simple Locales\<close> text \<open> In its simplest form, a \emph{locale declaration} consists of a sequence of context elements declaring parameters (keyword \isakeyword{fixes}) and assumptions (keyword \isakeyword{assumes}). The following is the specification of partial orders, as locale \<open>partial_order\<close>. \<close> locale partial_order = fixes le :: "'a \ assumes refl [intro, simp]: "x \ and anti_sym [intro]: "\ and trans [trans]: "\ text (in partial_order) \<open>The parameter of this locale is~\<open>le\<close>, which is a binary predicate with infix syntax~\<open>\<sqsubseteq>\<close>. The parameter syntax is available in the subsequent assumptions, which are the familiar partial order axioms. Isabelle recognises unbound names as free variables. In locale assumptions, these are implicitly universally quantified. That is, \<^term>\<open>\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z \<^term>\<open>\<And>x y z. \<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqs Two commands are provided to inspect locales: \isakeyword{print\_locales} lists the names of all locales of the current theory; \isakeyword{print\_locale}~$n$ prints the parameters and assumptions of locale $n$; the variation \isakeyword{print\_locale!}~$n$ additionally outputs the conclusions that are stored in the locale. We may inspect the new locale by issuing \isakeyword{print\_locale!} \<^term>\<open>partial_order\<close>. The output is the following list of context elements. \begin{small} \begin{alltt} \isakeyword{fixes} le :: "'a \(\Rightarrow\) 'a \(\Rightarrow\) bool" (\isakeyword{infix \isakeyword{assumes} "partial_order (\(\sqsubseteq\))" \isakeyword{notes} assumption refl [intro, simp] = `?x \(\sqsubseteq\) ?x` \isakeyword{and} anti_sym [intro] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?x\(\isas \isakeyword{and} trans [trans] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?z\(\isasymr \end{alltt} \end{small} This differs from the declaration. The assumptions have turned into conclusions, denoted by the keyword \isakeyword{notes}. Also, there is only one assumption, namely \<^term>\<open>partial_order le\<close>. The locale declaration has introduced the predicate \<^term>\<open>partial_order\<close> to the \emph{locale predicate}. Its definition may be inspected by issuing \isakeyword{thm} @{thm [source] partial_order_def}. @{thm [display, indent=2] partial_order_def} In our example, this is a unary predicate over the parameter of the locale. It is equivalent to the original assumptions, which have been turned into conclusions and are available as theorems in the context of the locale. The names and attributes from the locale declaration are associated to these theorems and are effective in the context of the locale. Each conclusion has a \emph{foundational theorem} as counterpart in the theory. Technically, this is simply the theorem composed of context and conclusion. For the transitivity theorem, this is @{thm [source] partial_order.trans}: @{thm [display, indent=2] partial_order.trans} \<close> subsection \<open>Targets: Extending Locales\<close> text \<open> The specification of a locale is fixed, but its list of conclusions may be extended through Isar commands that take a \emph{target} argument. In the following, \isakeyword{definition} and \isakeyword{theorem} are illustrated. Table~\ref{tab:commands-with-target} lists Isar commands that accept a target. Isar provides various ways of specifying the target. A target for a single command may be indicated with keyword \isakeyword{in} in the following way: \begin{table} \hrule \vspace{2ex} \begin{center} \begin{tabular}{ll} \isakeyword{definition} & definition through an equation \\ \isakeyword{inductive} & inductive definition \\ \isakeyword{primrec} & primitive recursion \\ \isakeyword{fun}, \isakeyword{function} & general recursion \\ \isakeyword{abbreviation} & syntactic abbreviation \\ \isakeyword{theorem}, etc.\ & theorem statement with proof \\ \isakeyword{theorems}, etc.\ & redeclaration of theorems \\ \isakeyword{text}, etc.\ & document markup \end{tabular} \end{center} \hrule \caption{Isar commands that accept a target.} \label{tab:commands-with-target} \end{table} \<close> definition (in partial_order) less :: "'a \ where "(x \ text (in partial_order) \<open>The strict order \<open>less\<close> with infix syntax~\<open>\<sqsubset>\<close> is defined in terms of the locale parameter~\<open>le\<close> and the general equality of the object logic we work in. The definition generates a \emph{foundational constant} \<^term>\<open>partial_order.less\<close> with definition @{thm [source] partial_order.less_def}: @{thm [display, indent=2] partial_order.less_def} At the same time, the locale is extended by syntax transformations hiding this construction in the context of the locale. Here, the abbreviation \<open>less\<close> is available for \<open>partial_order.less le\<close>, and it is printed and parsed as infix~\<open>\<sqsubset>\<close>. Finally, the conclusion @{thm [source] less_def} is added to the locale: @{thm [display, indent=2] less_def} \<close> text \<open>The treatment of theorem statements is more straightforward. As an example, here is the derivation of a transitivity law for the strict order relation.\<close> lemma (in partial_order) less_le_trans [trans]: "\ unfolding %visible less_def by %visible (blast intro: trans) text \<open>In the context of the proof, conclusions of the locale may be used like theorems. Attributes are effective: \<open>anti_sym\<close> was declared as introduction rule, hence it is in the context's set of rules used by the classical reasoner by default.\<close> subsection \<open>Context Blocks\<close> text \<open>When working with locales, sequences of commands with the same target are frequent. A block of commands, delimited by \isakeyword{begin} and \isakeyword{end}, makes a theory-like style of working possible. All commands inside the block refer to the same target. A block may immediately follow a locale declaration, which makes that locale the target. Alternatively the target for a block may be given with the \isakeyword{context} command. This style of working is illustrated in the block below, where notions of infimum and supremum for partial orders are introduced, together with theorems about their uniqueness.\<close> context partial_order begin definition is_inf where "is_inf x y i = (i \<sqsubseteq> x \<and> i \<sqsubseteq> y \<and> (\<forall>z. z \<sqsubseteq> x \<and> z \<sqsubseteq> y \<long definition is_sup where "is_sup x y s = (x \<sqsubseteq> s \<and> y \<sqsubseteq> s \<and> (\<forall>z. x \<sqsubseteq> z \<and> y \<sqsubseteq> z \<long lemma %invisible is_infI [intro?]: "i \ (\<And>z. z \<sqsubseteq> x \<Longrightarrow> z \<sqsubseteq> y \<Longrightarrow> z \<sqsubseteq> i) \<Lo by (unfold is_inf_def) blast lemma %invisible is_inf_lower [elim?]: "is_inf x y i \ by (unfold is_inf_def) blast lemma %invisible is_inf_greatest [elim?]: "is_inf x y i \ by (unfold is_inf_def) blast theorem is_inf_uniq: "\ proof - assume inf: "is_inf x y i" assume inf': "is_inf x y i'" show ?thesis proof (rule anti_sym) from inf' show "i \ proof (rule is_inf_greatest) from inf show "i \ from inf show "i \ qed from inf show "i' \ proof (rule is_inf_greatest) from inf' show "i' \<sqsubseteq> x" .. from inf' show "i' \<sqsubseteq> y" .. qed qed qed theorem %invisible is_inf_related [elim?]: "x \ proof - assume "x \ show ?thesis proof show "x \ show "x \ fix z assume "z \ qed qed lemma %invisible is_supI [intro?]: "x \ (\<And>z. x \<sqsubseteq> z \<Longrightarrow> y \<sqsubseteq> z \<Longrightarrow> s \<sqsubseteq> z) \<Lo by (unfold is_sup_def) blast lemma %invisible is_sup_least [elim?]: "is_sup x y s \ by (unfold is_sup_def) blast lemma %invisible is_sup_upper [elim?]: "is_sup x y s \ by (unfold is_sup_def) blast theorem is_sup_uniq: "\ proof - assume sup: "is_sup x y s" assume sup': "is_sup x y s'" show ?thesis proof (rule anti_sym) from sup show "s \ proof (rule is_sup_least) from sup' show "x \ from sup' show "y \ qed from sup' show "s' \<sqsubseteq> s" proof (rule is_sup_least) from sup show "x \ from sup show "y \ qed qed qed theorem %invisible is_sup_related [elim?]: "x \ proof - assume "x \ show ?thesis proof show "x \ show "y \ fix z assume "x \ show "y \ qed qed end text \<open>The syntax of the locale commands discussed in this tutorial is shown in Table~\ref{tab:commands}. The grammar is complete with the exception of the context elements \isakeyword{constrains} and \isakeyword{defines}, which are provided for backward compatibility. See the Isabelle/Isar Reference Manual \<^cite>\<open>IsarRef\<close> for full documentation.\<close> section \<open>Import \label{sec:import}\<close> text \<open> Algebraic structures are commonly defined by adding operations and properties to existing structures. For example, partial orders are extended to lattices and total orders. Lattices are extended to distributive lattices.\<close> text \<open> With locales, this kind of inheritance is achieved through \emph{import} of locales. The import part of a locale declaration, if present, precedes the context elements. Here is an example, where partial orders are extended to lattices. \<close> locale lattice = partial_order + assumes ex_inf: "\ and ex_sup: "\ begin text \<open>These assumptions refer to the predicates for infimum and supremum defined for \<open>partial_order\<close> in the previous section. We now introduce the notions of meet and join, together with an example theorem.\<close> definition meet (infixl \<open>\<sqinter>\<close> 70) where "x \<sqinter> y = (THE inf. is_inf x y inf)" definition join (infixl \<open>\<squnion>\<close> 65) where "x \<squnion> y = (THE sup. is_sup x y sup)" lemma %invisible meet_equality [elim?]: "is_inf x y i \ proof (unfold meet_def) assume "is_inf x y i" then show "(THE i. is_inf x y i) = i" by (rule the_equality) (rule is_inf_uniq [OF _ \<open>is_inf x y i\<close>]) qed lemma %invisible meetI [intro?]: "i \ by (rule meet_equality, rule is_infI) blast+ lemma %invisible is_inf_meet [intro?]: "is_inf x y (x \ proof (unfold meet_def) from ex_inf obtain i where "is_inf x y i" .. then show "is_inf x y (THE i. is_inf x y i)" by (rule theI) (rule is_inf_uniq [OF _ \<open>is_inf x y i\<close>]) qed lemma meet_left(*<*)[intro?](*>*): "x \<sqinter> y \<sqsubseteq> x" by (rule is_inf_lower) (rule is_inf_meet) lemma %invisible meet_right [intro?]: "x \ by (rule is_inf_lower) (rule is_inf_meet) lemma %invisible meet_le [intro?]: "\ by (rule is_inf_greatest) (rule is_inf_meet) lemma %invisible join_equality [elim?]: "is_sup x y s \ proof (unfold join_def) assume "is_sup x y s" then show "(THE s. is_sup x y s) = s" by (rule the_equality) (rule is_sup_uniq [OF _ \<open>is_sup x y s\<close>]) qed lemma %invisible joinI [intro?]: "x \ (\<And>z. x \<sqsubseteq> z \<Longrightarrow> y \<sqsubseteq> z \<Longrightarrow> s \<sqsubseteq> z) \<Lo by (rule join_equality, rule is_supI) blast+ lemma %invisible is_sup_join [intro?]: "is_sup x y (x \ proof (unfold join_def) from ex_sup obtain s where "is_sup x y s" .. then show "is_sup x y (THE s. is_sup x y s)" by (rule theI) (rule is_sup_uniq [OF _ \<open>is_sup x y s\<close>]) qed lemma %invisible join_left [intro?]: "x \ by (rule is_sup_upper) (rule is_sup_join) lemma %invisible join_right [intro?]: "y \ by (rule is_sup_upper) (rule is_sup_join) lemma %invisible join_le [intro?]: "\ by (rule is_sup_least) (rule is_sup_join) theorem %invisible meet_assoc: "(x \ proof (rule meetI) show "x \ proof show "x \ show "x \ proof - have "x \ also have "\ finally show ?thesis . qed qed show "x \ proof - have "x \ also have "\ finally show ?thesis . qed fix w assume "w \ show "w \ proof show "w \ proof - have "w \ also have "\ finally show ?thesis . qed show "w \ proof show "w \ proof - have "w \ also have "\ finally show ?thesis . qed show "w \ qed qed qed theorem %invisible meet_commute: "x \ proof (rule meetI) show "y \ show "y \ fix z assume "z \ then show "z \ qed theorem %invisible meet_join_absorb: "x \ proof (rule meetI) show "x \ show "x \ fix z assume "z \ show "z \ qed theorem %invisible join_assoc: "(x \ proof (rule joinI) show "x \ proof show "x \ show "y \ proof - have "y \ also have "... \ finally show ?thesis . qed qed show "z \ proof - have "z \ also have "... \ finally show ?thesis . qed fix w assume "x \ show "x \ proof show "x \ proof - have "x \ also have "\ finally show ?thesis . qed show "y \ proof show "y \ proof - have "y \ also have "... \ finally show ?thesis . qed show "z \ qed qed qed theorem %invisible join_commute: "x \ proof (rule joinI) show "x \ show "y \ fix z assume "y \ then show "y \ qed theorem %invisible join_meet_absorb: "x \ proof (rule joinI) show "x \ show "x \ fix z assume "x \ show "x \ qed theorem %invisible meet_idem: "x \ proof - have "x \ also have "x \ finally show ?thesis . qed theorem %invisible meet_related [elim?]: "x \ proof (rule meetI) assume "x \ show "x \ show "x \ fix z assume "z \ show "z \ qed theorem %invisible meet_related2 [elim?]: "y \ by (drule meet_related) (simp add: meet_commute) theorem %invisible join_related [elim?]: "x \ proof (rule joinI) assume "x \ show "y \ show "x \ fix z assume "x \ show "y \ qed theorem %invisible join_related2 [elim?]: "y \ by (drule join_related) (simp add: join_commute) theorem %invisible meet_connection: "(x \ proof assume "x \ then have "is_inf x y x" .. then show "x \ next have "x \ also assume "x \ finally show "x \ qed theorem %invisible join_connection: "(x \ proof assume "x \ then have "is_sup x y y" .. then show "x \ next have "x \ also assume "x \ finally show "x \ qed theorem %invisible meet_connection2: "(x \ using meet_commute meet_connection by simp theorem %invisible join_connection2: "(x \ using join_commute join_connection by simp text %invisible \<open>Naming according to Jacobson I, p.\ 459.\<close> lemmas %invisible L1 = join_commute meet_commute lemmas %invisible L2 = join_assoc meet_assoc (* lemmas L3 = join_idem meet_idem *) lemmas %invisible L4 = join_meet_absorb meet_join_absorb end text \<open>Locales for total orders and distributive lattices follow to establish a sufficiently rich landscape of locales for further examples in this tutorial.\<close> locale total_order = partial_order + assumes total: "x \ lemma (in total_order) less_total: "x \ using total by (unfold less_def) blast locale distrib_lattice = lattice + assumes meet_distr: "x \ lemma (in distrib_lattice) join_distr: "x \ proof - have "x \ also have "... = x \ also have "... = x \ also have "... = ((x \ also have "... = (x \ finally show ?thesis . qed text \<open> The locale hierarchy obtained through these declarations is shown in Figure~\ref{fig:lattices}(a). \begin{figure} \hrule \vspace{2ex} \begin{center} \subfigure[Declared hierarchy]{ \begin{tikzpicture} \node (po) at (0,0) {\<open>partial_order\<close>}; \node (lat) at (-1.5,-1) {\<open>lattice\<close>}; \node (dlat) at (-1.5,-2) {\<open>distrib_lattice\<close>}; \node (to) at (1.5,-1) {\<open>total_order\<close>}; \draw (po) -- (lat); \draw (lat) -- (dlat); \draw (po) -- (to); % \draw[->, dashed] (lat) -- (to); \end{tikzpicture} } \\ \subfigure[Total orders are lattices]{ \begin{tikzpicture} \node (po) at (0,0) {\<open>partial_order\<close>}; \node (lat) at (0,-1) {\<open>lattice\<close>}; \node (dlat) at (-1.5,-2) {\<open>distrib_lattice\<close>}; \node (to) at (1.5,-2) {\<open>total_order\<close>}; \draw (po) -- (lat); \draw (lat) -- (dlat); \draw (lat) -- (to); % \draw[->, dashed] (dlat) -- (to); \end{tikzpicture} } \quad \subfigure[Total orders are distributive lattices]{ \begin{tikzpicture} \node (po) at (0,0) {\<open>partial_order\<close>}; \node (lat) at (0,-1) {\<open>lattice\<close>}; \node (dlat) at (0,-2) {\<open>distrib_lattice\<close>}; \node (to) at (0,-3) {\<open>total_order\<close>}; \draw (po) -- (lat); \draw (lat) -- (dlat); \draw (dlat) -- (to); \end{tikzpicture} } \end{center} \hrule \caption{Hierarchy of Lattice Locales.} \label{fig:lattices} \end{figure} \<close> section \<open>Changing the Locale Hierarchy \label{sec:changing-the-hierarchy}\<close> text \<open> Locales enable to prove theorems abstractly, relative to sets of assumptions. These theorems can then be used in other contexts where the assumptions themselves, or instances of the assumptions, are theorems. This form of theorem reuse is called \emph{interpretation}. Locales generalise interpretation from theorems to conclusions, enabling the reuse of definitions and other constructs that are not part of the specifications of the locales. The first form of interpretation we will consider in this tutorial is provided by the \isakeyword{sublocale} command. It enables to modify the import hierarchy to reflect the \emph{logical} relation between locales. Consider the locale hierarchy from Figure~\ref{fig:lattices}(a). Total orders are lattices, although this is not reflected here, and definitions, theorems and other conclusions from \<^term>\<open>lattice\<close> are not available in \<^term>\<open>total_order\<close>. To obtain the situation in Figure~\ref{fig:lattices}(b), it is sufficient to add the conclusions of the latter locale to the former. The \isakeyword{sublocale} command does exactly this. The declaration \isakeyword{sublocale} $l_1 \subseteq l_2$ causes locale $l_2$ to be \emph{interpreted} in the context of $l_1$. This means that all conclusions of $l_2$ are made available in $l_1$. Of course, the change of hierarchy must be supported by a theorem that reflects, in our example, that total orders are indeed lattices. Therefore the \isakeyword{sublocale} command generates a goal, which must be discharged by the user. This is illustrated in the following paragraphs. First the sublocale relation is stated. \<close> sublocale %visible total_order \<subseteq> lattice txt \<open>\normalsize This enters the context of locale \<open>total_order\<close>, in which the goal @{subgoals [display]} must be shown. Now the locale predicate needs to be unfolded --- for example, using its definition or by introduction rules provided by the locale package. For automation, the locale package provides the methods \<open>intro_locales\<close> and \<open>unfold_locales\<close>. They are aw current context and dependencies between locales and automatically discharge goals implied by these. While \<open>unfold_locales\<close> always unfolds locale predicates to assumptions, \<open>intro_locales\<close> only unfolds de hierarchy, leaving a goal consisting of predicates defined by the locale package. Occasionally the latter is of advantage since the goal is smaller. For the current goal, we would like to get hold of the assumptions of \<open>lattice\<close>, which need to be shown, hence \<open>unfold_locales\<close> is appropriate.\<close> proof unfold_locales txt \<open>\normalsize Since the fact that both lattices and total orders are partial orders is already reflected in the locale hierarchy, the assumptions of \<open>partial_order\<close> are discharged automatically, and only the assumptions introduced in \<open>lattice\<close> remain as subgoals @{subgoals [display]} The proof for the first subgoal is obtained by constructing an infimum, whose existence is implied by totality.\<close> fix x y from total have "is_inf x y (if x \ by (auto simp: is_inf_def) then show "\ txt \<open>\normalsize The proof for the second subgoal is analogous and not reproduced here.\<close> next %invisible fix x y from total have "is_sup x y (if x \ by (auto simp: is_sup_def) then show "\ text \<open>Similarly, we may establish that total orders are distributive lattices with a second \isakeyword{sublocale} statement.\<close> sublocale total_order \<subseteq> distrib_lattice proof unfold_locales fix %"proof" x y z show "x \ txt \<open>Jacobson I, p.\ 462\<close> proof - { assume c: "y \ from c have "?l = y \ by (metis c join_connection2 join_related2 meet_related2 total) also from c have "... = ?r" by (metis meet_related2) finally have "?l = ?r" . } moreover { assume c: "x \ from c have "?l = x" by (metis join_connection2 join_related2 meet_connection total trans) also from c have "... = ?r" by (metis join_commute join_related2 meet_connection meet_related2 total) finally have "?l = ?r" . } moreover note total ultimately show ?thesis by blast qed qed text \<open>The locale hierarchy is now as shown in Figure~\ref{fig:lattices}(c).\<close> text \<open> Locale interpretation is \emph{dynamic}. The statement \isakeyword{sublocale} $l_1 \subseteq l_2$ will not just add the current conclusions of $l_2$ to $l_1$. Rather the dependency is stored, and conclusions that will be added to $l_2$ in future are automatically propagated to $l_1$. The sublocale relation is transitive --- that is, propagation takes effect along chains of sublocales. Even cycles in the sublocale relation are supported, as long as these cycles do not lead to infinite chains. Details are discussed in the technical report \<^cite>\<open>Ballarin2006a\<close>. See also Section~\ref{sec:infinite-chains} of this tutorial.\<close> end ¤ Dauer der Verarbeitung: 0.17 Sekunden (vorverarbeitet) ¤*© Formatika GbR, Deutschland |
|
2026-03-28