An Introduction to Isabelle/HOL 2009-1isabelle.in.tum.de/coursematerial/PSV2009-1/slides.pdf · Proof methods •Structural induction •Format: (induct x) x must be a free variable

An Introduction to Isabelle/HOL

2009-1

Tobias Nipkow

TU München

1

Overview of Isabelle/HOL

2

System Architecture

Isabelle generic theorem prover

3

System Architecture

Isabelle/HOL Isabelle instance for HOL


3

System Architecture

ProofGeneral (X)Emacs based interface

Isabelle/HOL Isabelle instance for HOL


3

HOL

HOL = Higher-Order Logic

4

HOL

HOL = Higher-Order LogicHOL = Functional programming + Logic

4

HOL


HOL has• datatypes• recursive functions• logical operators (∧, −→, ∀, ∃, . . . )

4

HOL



HOL is a programming language!

4

HOL



HOL is a programming language!

Higher-order = functions are values, too!

4

Formulae





Examples• ¬ A ∧ B ∨ C ≡ ((¬ A) ∧ B) ∨ C

5

Formulae





Examples• ¬ A ∧ B ∨ C ≡ ((¬ A) ∧ B) ∨ C• A = B ∧ C ≡ (A = B) ∧ C

5

Formulae





Examples• ¬ A ∧ B ∨ C ≡ ((¬ A) ∧ B) ∨ C• A = B ∧ C ≡ (A = B) ∧ C• ∀ x. P x ∧ Q x ≡ ∀ x. (P x ∧ Q x)

5

Formulae





Examples• ¬ A ∧ B ∨ C ≡ ((¬ A) ∧ B) ∨ C• A = B ∧ C ≡ (A = B) ∧ C• ∀ x. P x ∧ Q x ≡ ∀ x. (P x ∧ Q x)

Scope of quantifiers: as far to the right as possible

5

Formulae

Abbreviation: ∀ x y. P x y ≡ ∀ x. ∀ y. P x y

6

Formulae

Abbreviation: ∀ x y. P x y ≡ ∀ x. ∀ y. P x y (∀ , ∃ , λ, . . . )

6

Formulae


Parentheses:• ∧, ∨ and −→ associate to the right:

A ∧ B ∧ C ≡ A ∧ (B ∧ C)

6

Formulae


Parentheses:• ∧, ∨ and −→ associate to the right:

A ∧ B ∧ C ≡ A ∧ (B ∧ C)

• A −→ B −→ C ≡ A −→ (B −→ C) 6≡ (A −→ B) −→ C !

6

Warning

Quantifiers have low priority and need to be parenthesized:

! P ∧ ∀ x. Q x ; P ∧ (∀ x. Q x) !

7

Types and Terms

8

Types

Syntax:

τ ::= (τ)

| bool | nat | . . . base types

9

Types

Syntax:

τ ::= (τ)

| bool | nat | . . . base types| ’a | ’b | . . . type variables

9

Terms: Basic syntax

Syntax:

term ::= (term)

| a constant or variable (identifier)| term term function application| λx. term function “abstraction”

10

Terms: Basic syntax

Syntax:

term ::= (term)

| a constant or variable (identifier)| term term function application| λx. term function “abstraction”| . . . lots of syntactic sugar

10

Terms: Basic syntax

Syntax:

term ::= (term)


Examples: f (g x) y h (λx. f (g x))

10

Terms: Basic syntax

Syntax:

term ::= (term)


Examples: f (g x) y h (λx. f (g x))

Parantheses: f a1 a2 a3 ≡ ((f a1) a2) a3

10

λ-calculus on one slide

Informal notation: t[x]

11



• Function application:f a is the call of function f with argument a

11




• Function abstraction:λx.t[x] is the function with formal parameter x andbody/result t[x], i.e. x 7→ t[x].

11





• Computation:Replace formal by actual parameter (“β-reduction”):(λx.t[x]) a −→β t[a]

11





• Computation:Replace formal by actual parameter (“β-reduction”):(λx.t[x]) a −→β t[a]

Example: (λ x. x + 5) 3 −→β (3 + 5)11

−→β in Isabelle: Don’t worry, be happy

Isabelle performs β-reduction automatically

Isabelle considers (λx.t[x])a and t[a] equivalent

12

Terms and Types

Terms must be well-typed(the argument of every function call must be of the right type)

13

Terms and Types

Terms must be well-typed(the argument of every function call must be of the right type)

Notation: t :: τ means t is a well-typed term of type τ .

13

Type inference

Isabelle automatically computes (“infers”) the type of eachvariable in a term.

14

Type inference


In the presence of overloaded functions (functions withmultiple types) not always possible.

14

Type inference


In the presence of overloaded functions (functions withmultiple types) not always possible.

User can help with type annotations inside the term.

Example: f (x::nat)

14

Currying

Thou shalt curry your functions

15

Currying


• Curried: f :: τ1 ⇒ τ2 ⇒ τ• Tupled: f’ :: τ1 × τ2 ⇒ τ

15

Currying


• Curried: f :: τ1 ⇒ τ2 ⇒ τ• Tupled: f’ :: τ1 × τ2 ⇒ τ

Advantage: partial application f a1 with a1 :: τ1

15

Terms: Syntactic sugar

Some predefined syntactic sugar:

• Infix: +, -, * , #, @, . . .• Mixfix: if _ then _ else _, case _ of , . . .

16




Prefix binds more strongly than infix:

! f x + y ≡ (f x) + y 6≡ f (x + y) !

16




Prefix binds more strongly than infix:

! f x + y ≡ (f x) + y 6≡ f (x + y) !Enclose if and case in parentheses:

! (if _ then _ else _) !

16

Base types: bool, nat, list

17

Type bool

Formulae = terms of type bool

18

Type bool


True :: boolFalse :: bool∧, ∨, . . . :: bool ⇒ bool ⇒ bool...

18

Type bool


True :: boolFalse :: bool∧, ∨, . . . :: bool ⇒ bool ⇒ bool...

if-and-only-if: =

18

Type nat

0 :: natSuc :: nat ⇒ nat+, *, ... :: nat ⇒ nat ⇒ nat...

19

Type nat


! Numbers and arithmetic operations are overloaded:0,1,2,... :: ’a, + :: ’a ⇒ ’a ⇒ ’a

You need type annotations: 1 :: nat, x + (y::nat)

19

Type nat


! Numbers and arithmetic operations are overloaded:0,1,2,... :: ’a, + :: ’a ⇒ ’a ⇒ ’a

You need type annotations: 1 :: nat, x + (y::nat)

. . . unless the context is unambiguous: Suc z

19

Type list

• [] : empty list

• x # xs: list with first element x ("head")and rest xs ("tail")

• Syntactic sugar: [x1,. . . ,xn]

20

Type list

• [] : empty list

• x # xs: list with first element x ("head")and rest xs ("tail")

• Syntactic sugar: [x1,. . . ,xn]

Large library:hd, tl, map, length, filter, set, nth, take, drop, distinct, . . .

Don’t reinvent, reuse!; HOL/List.thy

20

Isabelle Theories

21

Theory = Module

Syntax: theory MyThimports ImpTh1 . . . ImpThnbegin

(declarations, definitions, theorems, proofs, ...)∗

end

• MyTh: name of theory. Must live in file MyTh.thy• ImpThi: name of imported theories. Import transitive.

22

Theory = Module

Syntax: theory MyThimports ImpTh1 . . . ImpThnbegin

(declarations, definitions, theorems, proofs, ...)∗

end

• MyTh: name of theory. Must live in file MyTh.thy• ImpThi: name of imported theories. Import transitive.

Usually: theory MyThimports Main...

22

Proof General

An Isabelle Interface

by David Aspinall

23

Proof General

Customized version of (x)emacs:• all of emacs (info: C-h i )• Isabelle aware (when editing .thy files)• mathematical symbols (“x-symbols”)

24

X-Symbols

Input of funny symbols in Proof General• via menu (“X-Symbol”)• via ascii encoding (similar to LATEX): \ , \ , . . .• via abbreviation: /\ , \/ , --> , . . .

x-symbol ∀ ∃ λ ¬ ∧ ∨ −→ ⇒

ascii (1) \ \ \ \ /\ \/ --> =>

ascii (2) ALL EX % ˜ & |

(1) is converted to x-symbol, (2) stays ascii.

25

Demo: terms and types

26

An introduction to recursion and induction

27

A recursive datatype: toy lists

datatype ’a list = Nil | Cons ’a (’a list)

28



Nil : empty list

Cons x xs : head x :: ’a, tail xs :: ’a list

28



Nil : empty list


A toy list: Cons False (Cons True Nil)

28



Nil : empty list


A toy list: Cons False (Cons True Nil)

Predefined lists: [False, True]

28

Structural induction on lists

P xs holds for all lists xs if

29


P xs holds for all lists xs if• P Nil

29


P xs holds for all lists xs if• P Nil• and for arbitrary x and xs, P xs implies P (Cons x xs)

29

A recursive function: append

Definition by primitive recursion:

primrec app :: ’a list ⇒ ’a list ⇒ ’a list whereapp Nil ys = ? |app (Cons x xs) ys = ??

30

A recursive function: append

Definition by primitive recursion:

primrec app :: ’a list ⇒ ’a list ⇒ ’a list whereapp Nil ys = ? |app (Cons x xs) ys = ??

1 rule per constructorRecursive calls must drop the constructor =⇒ Termination

30

Concrete syntax

In .thy files:Types and formulas need to be inclosed in "

31

Concrete syntax


Except for single identifiers, e.g. ’a

31

Concrete syntax


Except for single identifiers, e.g. ’a

" normally not shown on slides

31

Demo: append and reverse

32

Proofs

General schema:

lemma name: "..."apply (...)apply (...)...done

If the lemma is suitable as a simplification rule:

lemma name[simp]: "..."

33

Proof methods

• Structural induction• Format: (induct x)

x must be a free variable in the first subgoal.The type of x must be a datatype.

• Effect: generates 1 new subgoal per constructor• Simplification and a bit of logic• Format: auto• Effect: tries to solve as many subgoals as possible

using simplification and basic logical reasoning.

34

Top down proofs

Commandsorry

“completes” any proof.

35

Top down proofs

Commandsorry

“completes” any proof.

Allows top down development:

Assume lemma first, prove it later.

35

Some useful tools

36

Disproving tools

Automatic counterexample search by random testing:quickcheck

37

Disproving tools

Automatic counterexample search by random testing:quickcheck

Counterexample search via SAT solver:nitpick

37

Finding theorems

1. Click on Find button

2. Input search pattern (e.g. "_ & True")

38

Demo: Disproving and Finding

39

Isabelle’s meta-logic

40

Basic constructs

Implication =⇒ (==>)For separating premises and conclusion of theorems

41

Basic constructs


Equality ≡ (==)For definitions

41

Basic constructs



Universal quantifier∧

(!! )For binding local variables

41

Basic constructs



Universal quantifier∧

(!! )For binding local variables

Do not use inside HOL formulae

41

Notation

[[ A1; . . . ; An ]] =⇒ B

abbreviates

A1 =⇒ . . . =⇒ An =⇒ B

42

Notation

[[ A1; . . . ; An ]] =⇒ B

abbreviates

A1 =⇒ . . . =⇒ An =⇒ B

; ≈ “and”

42

The proof state

1.∧

x1 . . . xp. [[ A1; . . . ; An ]] =⇒ B

x1 . . . xp Local constantsA1 . . . An Local assumptionsB Actual (sub)goal

43

Type and function definition in Isabelle/HOL

44

Type definition in Isabelle/HOL

45

Introducing new types

Keywords:• typedecl : pure declaration• types : abbreviation• datatype : recursive datatype

46

typedecl

typedecl name

Introduces new “opaque” type name without definition

47

typedecl

typedecl name

Introduces new “opaque” type name without definition

Example:

typedecl addr — An abstract type of addresses

47

types

types name = τ

Introduces an abbreviation name for type τ

48

types

types name = τ


Examples:

typesname = string(’a,’b)foo = ’a list × ’b list

48

types

types name = τ


Examples:

typesname = string(’a,’b)foo = ’a list × ’b list

Type abbreviations are expanded immediately after parsingNot present in internal representation and Isabelle output

48

datatype

49

The example


Properties:

• Types: Nil :: ’a listCons :: ’a ⇒ ’a list ⇒ ’a list

• Distinctness: Nil 6= Cons x xs• Injectivity: (Cons x xs = Cons y ys) = (x = y ∧ xs = ys)

50

The general case

datatype (α1, . . . , αn)τ = C1 τ1,1 . . . τ1,n1| . . .| Ck τk,1 . . . τk,nk

• Types: Ci :: τi,1 ⇒ · · · ⇒ τi,ni ⇒ (α1, . . . , αn)τ

• Distinctness: Ci . . . 6= Cj . . . if i 6= j• Injectivity:

(Ci x1 . . . xni = Ci y1 . . . yni) = (x1 = y1 ∧ . . . ∧ xni = yni)

51

The general case

datatype (α1, . . . , αn)τ = C1 τ1,1 . . . τ1,n1| . . .| Ck τk,1 . . . τk,nk

• Types: Ci :: τi,1 ⇒ · · · ⇒ τi,ni ⇒ (α1, . . . , αn)τ

• Distinctness: Ci . . . 6= Cj . . . if i 6= j• Injectivity:

(Ci x1 . . . xni = Ci y1 . . . yni) = (x1 = y1 ∧ . . . ∧ xni = yni)

Distinctness and Injectivity are applied automaticallyInduction must be applied explicitly

51

Function definition in Isabelle/HOL

52

Why nontermination can be harmful

How about f x = f x + 1 ?

53



Subtract f x on both sides.=⇒ 0 = 1

53



Subtract f x on both sides.=⇒ 0 = 1

! All functions in HOL must be total !

53

Function definition schemas in Isabelle/HOL

• Non-recursive with definitionNo problem

54



• Primitive-recursive with primrecTerminating by construction

54




• Well-founded recursion with funAutomatic termination proof

54




• Well-founded recursion with funAutomatic termination proof

• Well-founded recursion with functionUser-supplied termination proof

54

definition

55

Definition (non-recursive) by example

definition sq :: nat ⇒ nat where sq n = n * n

56

Definitions: pitfalls

definition prime :: nat ⇒ bool whereprime p = (1 < p ∧ (m dvd p −→ m = 1 ∨ m = p))

57



Not a definition: free m not on left-hand side

57




! Every free variable on the rhs must occur on the lhs !

57




! Every free variable on the rhs must occur on the lhs !

prime p = (1 < p ∧ (∀m. m dvd p −→ m = 1 ∨ m = p))

57

Using definitions

Definitions are not used automatically

58

Using definitions

Definitions are not used automatically

Unfolding the definition of sq:

apply (unfold sq_def)

58

primrec

59

The example

primrec app :: ’a list ⇒ ’a list ⇒ ’a list where

app Nil ys = ys |

app (Cons x xs) ys = Cons x (app xs ys)

60

The general case

If τ is a datatype (with constructors C1, . . . , Ck) thenf :: · · · ⇒ τ ⇒ · · · ⇒ τ ′ can be defined by primitive recursion:

f x1 . . . (C1 y1,1 . . . y1,n1) . . . xp = r1 |...f x1 . . . (Ck yk,1 . . . yk,nk) . . . xp = rk

61

The general case

If τ is a datatype (with constructors C1, . . . , Ck) thenf :: · · · ⇒ τ ⇒ · · · ⇒ τ ′ can be defined by primitive recursion:

f x1 . . . (C1 y1,1 . . . y1,n1) . . . xp = r1 |...f x1 . . . (Ck yk,1 . . . yk,nk) . . . xp = rk

The recursive calls in ri must be structurally smaller,i.e. of the form f a1 . . . yi,j . . . ap

61

nat is a datatype

datatype nat = 0 | Suc nat

62

nat is a datatype

datatype nat = 0 | Suc nat

Functions on nat definable by primrec!

primrec f :: nat ⇒ ...f 0 = ...f(Suc n) = ... f n ...

62

More predefined types and functions

63

Type option

datatype ’a option = None | Some ’a

64

Type option


Important application:

. . . ⇒ ’a option ≈ partial function:

None ≈ no resultSome a ≈ result a

64

Type option





Example:primrec lookup :: ’k ⇒ (’k × ’v) list ⇒ ’v option where

64

Type option





Example:primrec lookup :: ’k ⇒ (’k × ’v) list ⇒ ’v option wherelookup k [] = None

64

Type option





Example:primrec lookup :: ’k ⇒ (’k × ’v) list ⇒ ’v option wherelookup k [] = None |lookup k (x#xs) =

(if fst x = k then Some(snd x) else lookup k xs)

64

case

Datatype values can be taken apart with case expressions:

(case xs of [] ⇒ . . . | y#ys ⇒ ... y ... ys ...)

65

case


(case xs of [] ⇒ . . . | y#ys ⇒ ... y ... ys ...)

Wildcards:(case xs of [] ⇒ [] | y#_ ⇒ [y])

65

case


(case xs of [] ⇒ . . . | y#ys ⇒ ... y ... ys ...)


Nested patterns:(case xs of [0] ⇒ 0 | [Suc n] ⇒ n | _ ⇒ 2)

65

case


(case xs of [] ⇒ . . . | y#ys ⇒ ... y ... ys ...)



Complicated patterns mean complicated proofs!

65

case


(case xs of [] ⇒ . . . | y#ys ⇒ ... y ... ys ...)



Complicated patterns mean complicated proofs!

Needs ( ) in context

65

Proof by case distinction

If t :: τ and τ is a datatypeapply (case_tac t)

66

Proof by case distinction

If t :: τ and τ is a datatypeapply (case_tac t)

creates k subgoals

t = Ci x1 . . . xp =⇒ . . .

one for each constructor Ci of type τ .

66

Demo: trees

67

fun

From primitive recursionto arbitrary pattern matching

68

Example: Fibonacchi

fun fib :: nat ⇒ nat where

fib 0 = 0 |fib (Suc 0) = 1 |fib (Suc(Suc n)) = fib (n+1) + fib n

69

Example: Separation

fun sep :: ’a ⇒ ’a list ⇒ ’a list where

sep a [] = [] |sep a [x] = [x] |sep a (x#y#zs) = x # a # sep a (y#zs)

70

Example: Ackermann

fun ack :: nat ⇒ nat ⇒ nat where

ack 0 n = Suc n |ack (Suc m) 0 = ack m (Suc 0) |ack (Suc m) (Suc n) = ack m (ack (Suc m) n)

71

Key features of fun

• Arbitrary pattern matching

72

Key features of fun

• Arbitrary pattern matching• Order of equations matters

72

Key features of fun

• Arbitrary pattern matching• Order of equations matters• Termination must be provable

by lexicographic combination of size measures

72

Size

• size(n::nat) = n

73

Size

• size(n::nat) = n• size(xs) = length xs

73

Size

• size(n::nat) = n• size(xs) = length xs• size counts number of (non-nullary) constructors

73

Lexicographic ordering

Either the first component decreases, or it stays unchangedand the second component decreases:

74



(5, 3) > (4, 7) > (4, 6) > (4, 0) > (3, 42) > · · ·

74



(5, 3) > (4, 7) > (4, 6) > (4, 0) > (3, 42) > · · ·

Similar for tuples:

(5, 6, 3) > (4, 12, 5) > (4, 11, 9) > (4, 11, 8) > · · ·

74



(5, 3) > (4, 7) > (4, 6) > (4, 0) > (3, 42) > · · ·

Similar for tuples:

(5, 6, 3) > (4, 12, 5) > (4, 11, 9) > (4, 11, 8) > · · ·

Theorem If each component ordering terminates, thentheir lexicographic product terminates, too.

74

Ackermann terminates

ack 0 n = Suc n

ack (Suc m) 0 = ack m (Suc 0)

ack (Suc m) (Suc n) = ack m (ack (Suc m) n)

75


ack 0 n = Suc n



because the arguments of each recursive call arelexicographically smaller than the arguments on the lhs.

75


ack 0 n = Suc n



because the arguments of each recursive call arelexicographically smaller than the arguments on the lhs.

Note: order of arguments not important for Isabelle!

75

Computation Induction

If f :: τ ⇒ τ ′ is defined by fun , a special induction schema isprovided to prove P (x) for all x :: τ :

76



for each equation f(e) = t,prove P (e) assuming P (r) for all recursive calls f(r) in t.

76



for each equation f(e) = t,prove P (e) assuming P (r) for all recursive calls f(r) in t.

Induction follows course of (terminating!) computation

76

Computation Induction: Example

fun div2 :: nat ⇒ nat wherediv2 0 = 0 |div2 (Suc 0) = 0 |div2(Suc(Suc n)) = Suc(div2 n)

77

Computation Induction: Example

fun div2 :: nat ⇒ nat wherediv2 0 = 0 |div2 (Suc 0) = 0 |div2(Suc(Suc n)) = Suc(div2 n)

; induction rule div2.induct :

P (0) P (Suc 0) P (n) =⇒ P (Suc(Suc n))

P (m)

77

Demo: fun

78

Proof by Simplification

79

Overview

• Term rewriting foundations• Term rewriting in Isabelle/HOL• Basic simplification• Extensions

80

Term rewriting foundations

81

Term rewriting means . . .

Using equations l = r from left to right

82



As long as possible

82



As long as possible

Terminology: equation ; rewrite rule

82

An example

Equations:

0 + n = n (1)

(Suc m) + n = Suc (m + n) (2)

(Suc m ≤ Suc n) = (m ≤ n) (3)

(0 ≤ m) = True (4)

83

An example

Equations:

0 + n = n (1)

(Suc m) + n = Suc (m + n) (2)

(Suc m ≤ Suc n) = (m ≤ n) (3)

(0 ≤ m) = True (4)

Rewriting:

0 + Suc 0 ≤ Suc 0 + x

83

An example

Equations:

0 + n = n (1)

(Suc m) + n = Suc (m + n) (2)

(Suc m ≤ Suc n) = (m ≤ n) (3)

(0 ≤ m) = True (4)

Rewriting:

0 + Suc 0 ≤ Suc 0 + x(1)=

Suc 0 ≤ Suc 0 + x

83

An example

Equations:

0 + n = n (1)

(Suc m) + n = Suc (m + n) (2)

(Suc m ≤ Suc n) = (m ≤ n) (3)

(0 ≤ m) = True (4)

Rewriting:

0 + Suc 0 ≤ Suc 0 + x(1)=

Suc 0 ≤ Suc 0 + x(2)=

Suc 0 ≤ Suc (0 + x)

83

An example

Equations:

0 + n = n (1)

(Suc m) + n = Suc (m + n) (2)

(Suc m ≤ Suc n) = (m ≤ n) (3)

(0 ≤ m) = True (4)

Rewriting:

0 + Suc 0 ≤ Suc 0 + x(1)=

Suc 0 ≤ Suc 0 + x(2)=

Suc 0 ≤ Suc (0 + x)(3)=

0 ≤ 0 + x

83

An example

Equations:

0 + n = n (1)

(Suc m) + n = Suc (m + n) (2)

(Suc m ≤ Suc n) = (m ≤ n) (3)

(0 ≤ m) = True (4)

Rewriting:

0 + Suc 0 ≤ Suc 0 + x(1)=

Suc 0 ≤ Suc 0 + x(2)=

Suc 0 ≤ Suc (0 + x)(3)=

0 ≤ 0 + x(4)=

True

83

More formally

substitution = mapping from variables to terms

84

More formally


• l = r is applicable to term t[s]if there is a substitution σ such that σ(l) = s

84

More formally



• Result: t[σ(r)]

84

More formally



• Result: t[σ(r)]• Note: t[s] = t[σ(r)]

84

More formally




Example:

Equation: 0 + n = n

Term: a + (0 + (b + c))

84

More formally




Example:

Equation: 0 + n = n

Term: a + (0 + (b + c))

σ = {n 7→ b + c}

84

More formally




Example:

Equation: 0 + n = n

Term: a + (0 + (b + c))

σ = {n 7→ b + c}

Result: a + (b + c)84

Extension: conditional rewriting

Rewrite rules can be conditional:

[[P1 . . . Pn]] =⇒ l = r

85

Extension: conditional rewriting

Rewrite rules can be conditional:

[[P1 . . . Pn]] =⇒ l = r

is applicable to term t[s] with σ if• σ(l) = s and• σ(P1), . . . , σ(Pn) are provable (again by rewriting).

85

Interlude: Variables in Isabelle

86

Schematic variables

Three kinds of variables:• bound: ∀ x. x = x• free: x = x

87

Schematic variables

Three kinds of variables:• bound: ∀ x. x = x• free: x = x• schematic: ?x = ?x (“unknown”)

87

Schematic variables


Schematic variables:

87

Schematic variables



• Logically: free = schematic

87

Schematic variables



• Logically: free = schematic• Operationally:• free variables are fixed• schematic variables are instantiated by substitutions

87

From x to ?x

State lemmas with free variables:

lemma app_Nil2[simp]: xs @ [] = xs

88

From x to ?x


lemma app_Nil2[simp]: xs @ [] = xs...done

88

From x to ?x



After the proof: Isabelle changes xs to ?xs (internally):?xs @ [] = ?xs

Now usable with arbitrary values for ?xs

88

From x to ?x



After the proof: Isabelle changes xs to ?xs (internally):?xs @ [] = ?xs

Now usable with arbitrary values for ?xs

Example: rewritingrev(a @ []) = rev a

using app_Nil2 with σ = {?xs 7→ a}

88

Term rewriting in Isabelle

89

Basic simplification

Goal: 1. [[ P1; . . . ; Pm ]] =⇒ C

apply (simp add: eq1 . . . eqn)

90


Goal: 1. [[ P1; . . . ; Pm ]] =⇒ C


Simplify P1 . . . Pm and C using• lemmas with attribute simp

90


Goal: 1. [[ P1; . . . ; Pm ]] =⇒ C


Simplify P1 . . . Pm and C using• lemmas with attribute simp• rules from primrec , fun and datatype

90


Goal: 1. [[ P1; . . . ; Pm ]] =⇒ C


Simplify P1 . . . Pm and C using• lemmas with attribute simp• rules from primrec , fun and datatype• additional lemmas eq1 . . . eqn

90


Goal: 1. [[ P1; . . . ; Pm ]] =⇒ C


Simplify P1 . . . Pm and C using• lemmas with attribute simp• rules from primrec , fun and datatype• additional lemmas eq1 . . . eqn• assumptions P1 . . . Pm

90


Goal: 1. [[ P1; . . . ; Pm ]] =⇒ C


Simplify P1 . . . Pm and C using• lemmas with attribute simp• rules from primrec , fun and datatype• additional lemmas eq1 . . . eqn• assumptions P1 . . . Pm

Variations:• (simp . . . del: . . . ) removes simp-lemmas• add and del are optional

90

auto versus simp

• auto acts on all subgoals• simp acts only on subgoal 1• auto applies simp and more

91

Termination

Simplification may not terminate.Isabelle uses simp-rules (almost) blindly from left to right.

92

Termination


Example: f(x) = g(x), g(x) = f(x)

92

Termination



[[P1 . . . Pn]] =⇒ l = r

is suitable as a simp-rule onlyif l is “bigger” than r and each Pi

92

Termination



[[P1 . . . Pn]] =⇒ l = r


n < m =⇒ (n < Suc m) = TrueSuc n < m =⇒ (n < m) = True

92

Termination



[[P1 . . . Pn]] =⇒ l = r


n < m =⇒ (n < Suc m) = True YESSuc n < m =⇒ (n < m) = True NO

92

Rewriting with definitions

Definitions do not have the simp attribute.

93

Rewriting with definitions

Definitions do not have the simp attribute.

They must be used explicitly: (simp add: f_def . . . )

93

Extensions of rewriting

94

Local assumptions

Simplification of A −→ B:

1. Simplify A to A′

2. Simplify B using A′

95

Case splitting with simp

P(if A then s else t)=

(A −→ P(s)) ∧ (¬A −→ P(t))

96



(A −→ P(s)) ∧ (¬A −→ P(t))

Automatic

96



(A −→ P(s)) ∧ (¬A −→ P(t))

Automatic

P(case e of 0 ⇒ a | Suc n ⇒ b)=

(e = 0 −→ P(a)) ∧ (∀n. e = Suc n −→ P(b))

96



(A −→ P(s)) ∧ (¬A −→ P(t))

Automatic


(e = 0 −→ P(a)) ∧ (∀n. e = Suc n −→ P(b))

By hand: (simp split: nat.split)

96



(A −→ P(s)) ∧ (¬A −→ P(t))

Automatic


(e = 0 −→ P(a)) ∧ (∀n. e = Suc n −→ P(b))

By hand: (simp split: nat.split)

Similar for any datatype t : t.split

96

Ordered rewriting

Problem: ?x + ?y = ?y + ?x does not terminate

97

Ordered rewriting


Solution: permutative simp-rules are used only if the termbecomes lexicographically smaller.

97

Ordered rewriting



Example: b + a ; a + b but not a + b ; b + a.

97

Ordered rewriting




For types nat, int etc:• lemmas add_ac sort any sum (+)• lemmas times_ac sort any product (∗)

97

Ordered rewriting




For types nat, int etc:• lemmas add_ac sort any sum (+)• lemmas times_ac sort any product (∗)

Example: (simp add: add_ac) yields

(b + c) + a ; · · ·; a + (b + c)

97

Preprocessing

simp-rules are preprocessed (recursively) for maximalsimplification power:

¬A 7→ A = False

A −→ B 7→ A =⇒ B

A ∧ B 7→ A, B∀x.A(x) 7→ A(?x)

A 7→ A = True

98

Preprocessing


¬A 7→ A = False

A −→ B 7→ A =⇒ B

A ∧ B 7→ A, B∀x.A(x) 7→ A(?x)

A 7→ A = True

Example:

(p −→ q ∧ ¬ r) ∧ s 7→

98

Preprocessing


¬A 7→ A = False

A −→ B 7→ A =⇒ B

A ∧ B 7→ A, B∀x.A(x) 7→ A(?x)

A 7→ A = True

Example:

(p −→ q ∧ ¬ r) ∧ s 7→

p =⇒ q = Truep =⇒ r = False

s = True

98

When everything else fails: Tracing

Set trace mode on/off in Proof General:

Isabelle → Settings → Trace simplifier

Output in separate trace buffer

99

Demo: simp

100

Induction heuristics

101

Basic heuristics

Theorems about recursive functions are proved byinduction

102

Basic heuristics

Theorems about recursive functions are proved byinduction

Induction on argument number i of fif f is defined by recursion on argument number i

102

A tail recursive reverse

primrec itrev :: ’a list ⇒ ’a list ⇒ ’a list

103


primrec itrev :: ’a list ⇒ ’a list ⇒ ’a list whereitrev [] ys = ys |itrev (x#xs) ys =

103


primrec itrev :: ’a list ⇒ ’a list ⇒ ’a list whereitrev [] ys = ys |itrev (x#xs) ys = itrev xs (x#ys)

103



lemma itrev xs [] = rev xs

103




Why in this direction?

103




Why in this direction?

Because the lhs is “more complex” than the rhs.

103

Demo

104

Generalisation

• Replace constants by variables

105

Generalisation

• Replace constants by variables

• Generalize free variables• by ∀ in formula• by arbitrary in induction proof

105

HOL: Propositional Logic

106

Overview

• Natural deduction• Rule application in Isabelle/HOL

107

Rule notation

A1 . . . AnA instead of [[A1 . . . An]] =⇒ A

108

Natural Deduction

109

Natural deduction

Two kinds of rules for each logical operator ⊕:

110

Natural deduction


Introduction: how can I prove A⊕B?

110

Natural deduction


Introduction: how can I prove A⊕B?

Elimination: what can I prove from A⊕ B?

110

Natural deduction for propositional logic

A ∧ BconjI conjE

disjI1/2 disjE

impI impE

iffI iffD1 iffD2

notI notE

111


A BA ∧ B

conjI conjE

disjI1/2 disjE

impI impE

iffI iffD1 iffD2

notI notE

111


A BA ∧ B

conjI conjE

A ∨ B A ∨ BdisjI1/2 disjE

impI impE

iffI iffD1 iffD2

notI notE

111


A BA ∧ B

conjI conjE

AA ∨ B

BA ∨ B

disjI1/2 disjE

impI impE

iffI iffD1 iffD2

notI notE

111


A BA ∧ B

conjI conjE

AA ∨ B

BA ∨ B

disjI1/2 disjE

A −→ BimpI impE

iffI iffD1 iffD2

notI notE

111


A BA ∧ B

conjI conjE

AA ∨ B

BA ∨ B

disjI1/2 disjE

A =⇒ BA −→ B

impI impE

iffI iffD1 iffD2

notI notE

111


A BA ∧ B

conjI conjE

AA ∨ B

BA ∨ B

disjI1/2 disjE

A =⇒ BA −→ B

impI impE

A = B iffI iffD1 iffD2

notI notE

111


A BA ∧ B

conjI conjE

AA ∨ B

BA ∨ B

disjI1/2 disjE

A =⇒ BA −→ B

impI impE

A =⇒ B B =⇒ AA = B iffI iffD1 iffD2

notI notE

111


A BA ∧ B

conjI conjE

AA ∨ B

BA ∨ B

disjI1/2 disjE

A =⇒ BA −→ B

impI impE


¬ AnotI notE

111


A BA ∧ B

conjI conjE

AA ∨ B

BA ∨ B

disjI1/2 disjE

A =⇒ BA −→ B

impI impE


A =⇒ False¬ A

notI notE

111


A BA ∧ B

conjIA ∧ B

CconjE

AA ∨ B

BA ∨ B

disjI1/2 disjE

A =⇒ BA −→ B

impI impE


A =⇒ False¬ A

notI notE

111


A BA ∧ B

conjIA ∧ B [[A;B]] =⇒ C

CconjE

AA ∨ B

BA ∨ B

disjI1/2 disjE

A =⇒ BA −→ B

impI impE


A =⇒ False¬ A

notI notE

111


A BA ∧ B


CconjE

AA ∨ B

BA ∨ B

disjI1/2 A ∨ BC

disjE

A =⇒ BA −→ B

impI impE


A =⇒ False¬ A

notI notE

111


A BA ∧ B


CconjE

AA ∨ B

BA ∨ B

disjI1/2 A ∨ B A =⇒ C B =⇒ CC

disjE

A =⇒ BA −→ B

impI impE


A =⇒ False¬ A

notI notE

111


A BA ∧ B


CconjE

AA ∨ B

BA ∨ B


disjE

A =⇒ BA −→ B

impI A −→ BC

impE


A =⇒ False¬ A

notI notE

111


A BA ∧ B


CconjE

AA ∨ B

BA ∨ B


disjE

A =⇒ BA −→ B

impI A −→ B A B =⇒ CC

impE


A =⇒ False¬ A

notI notE

111


A BA ∧ B


CconjE

AA ∨ B

BA ∨ B


disjE

A =⇒ BA −→ B


impE

A =⇒ B B =⇒ AA = B iffI

A=B iffD1 A=B iffD2

A =⇒ False¬ A

notI notE

111


A BA ∧ B


CconjE

AA ∨ B

BA ∨ B


disjE

A =⇒ BA −→ B


impE


A=BA =⇒ B iffD1

A=BB =⇒ A iffD2

A =⇒ False¬ A

notI notE

111


A BA ∧ B


CconjE

AA ∨ B

BA ∨ B


disjE

A =⇒ BA −→ B


impE


A=BA =⇒ B iffD1

A=BB =⇒ A iffD2

A =⇒ False¬ A

notI ¬ AC

notE

111


A BA ∧ B


CconjE

AA ∨ B

BA ∨ B


disjE

A =⇒ BA −→ B


impE


A=BA =⇒ B iffD1

A=BB =⇒ A iffD2

A =⇒ False¬ A

notI ¬ A AC

notE

111

Operational reading

A1 . . . AnA

112

Operational reading

A1 . . . AnA

Introduction rule:To prove A it suffices to prove A1 . . . An.

112

Operational reading

A1 . . . AnA

Introduction rule:To prove A it suffices to prove A1 . . . An.

Elimination ruleIf I know A1 and want to prove Ait suffices to prove A2 . . . An.

112

Equality

t = t refls = tt = s

sym r = s s = tr = t trans

113

Equality



s = t A(s)A(t)

subst

113

Equality



s = t A(s)A(t)

subst

Rarely needed explicitly — used implicitly by simp

113

More rules

A −→ B AB

mp

114

More rules

A −→ B AB

mp

¬ A =⇒ FalseA

ccontr ¬ A =⇒ AA classical

114

More rules

A −→ B AB

mp

¬ A =⇒ FalseA


Remark:

ccontr and classical are not derivable from theND-rules.

114

More rules

A −→ B AB

mp

¬ A =⇒ FalseA


Remark:

ccontr and classical are not derivable from theND-rules.They make the logic “classical”, i.e. “non-constructive”.

114

Proof by assumption

A1 . . . AnAi

assumption

115

Rule application: the rough idea

Applying rule [[ A1; . . . ; An ]] =⇒ A to subgoal C:

116


Applying rule [[ A1; . . . ; An ]] =⇒ A to subgoal C:• Unify A and C

116


Applying rule [[ A1; . . . ; An ]] =⇒ A to subgoal C:• Unify A and C• Replace C with n new subgoals A1 . . . An

116



Working backwards, like in Prolog!

116




Example: rule: [[?P; ?Q]] =⇒ ?P ∧ ?Qsubgoal: 1. A ∧ B

116




Example: rule: [[?P; ?Q]] =⇒ ?P ∧ ?Qsubgoal: 1. A ∧ B

Result: 1. A2. B

116

Rule application: the details

Rule: [[ A1; . . . ; An ]] =⇒ ASubgoal: 1. [[ B1; . . . ; Bm ]] =⇒ C

117



Substitution: σ(A) ≡ σ(C)

117



Substitution: σ(A) ≡ σ(C)New subgoals: 1. σ( [[ B1; . . . ; Bm ]] =⇒ A1)

...n. σ( [[ B1; . . . ; Bm ]] =⇒ An)

117



Substitution: σ(A) ≡ σ(C)New subgoals: 1. σ( [[ B1; . . . ; Bm ]] =⇒ A1)

...n. σ( [[ B1; . . . ; Bm ]] =⇒ An)

Command:

apply (rule )

117

Proof by assumption

apply assumptionproves

1. [[ B1; . . . ; Bm ]] =⇒ C

by unifying C with one of the Bi

118

Proof by assumption

apply assumptionproves

1. [[ B1; . . . ; Bm ]] =⇒ C

by unifying C with one of the Bi (backtracking!)

118

Applying elimination rules

apply (erule )

Like rule but also• unifies first premise of rule with an assumption• eliminates that assumption

119


apply (erule )


Example:Rule: [[?P ∧ ?Q; [[?P; ?Q]] =⇒ ?R]] =⇒ ?R

Subgoal: 1. [[ X; A ∧ B; Y ]] =⇒ Z

119


apply (erule )



Subgoal: 1. [[ X; A ∧ B; Y ]] =⇒ ZUnification: ?P ∧ ?Q ≡ A ∧ B and ?R ≡ Z

119


apply (erule )




New subgoal: 1. [[ X; Y ]] =⇒ [[ A; B ]] =⇒ Z

119


apply (erule )




New subgoal: 1. [[ X; Y ]] =⇒ [[ A; B ]] =⇒ Zsame as: 1. [[ X; Y; A; B ]] =⇒ Z

119

How to prove it by natural deduction

• Intro rules decompose formulae to the right of =⇒.

apply (rule )

120

How to prove it by natural deduction

• Intro rules decompose formulae to the right of =⇒.

apply (rule )• Elim rules decompose formulae on the left of =⇒.

apply (erule )

120

Demo: propositional proofs

121

=⇒ vs −→

To facilitate application of theorems:

write them like this [[A1; . . . ; An]] =⇒ Anot like this A1 ∧ . . . ∧ An −→ A

122

HOL: Predicate Logic

123

Parameters

Subgoal:

1.∧

x1 . . . xn. Formula

The x i are called parameters of the subgoal.Intuition: local constants, i.e. arbitrary but fixed values.

124

Parameters

Subgoal:

1.∧

x1 . . . xn. Formula

The x i are called parameters of the subgoal.Intuition: local constants, i.e. arbitrary but fixed values.

Rules are automatically lifted over∧

x1 . . . xn and applieddirectly to Formula.

124

Scope

• Scope of parameters: whole subgoal• Scope of ∀ , ∃ , . . . : ends with ; or =⇒

125

Scope

• Scope of parameters: whole subgoal• Scope of ∀ , ∃ , . . . : ends with ; or =⇒

∧x y. [[ ∀ y. P y −→ Q z y; Q x y ]] =⇒ ∃ x. Q x y

means∧

x y. [[ (∀ y1. P y1 −→ Q z y1); Q x y ]] =⇒ ∃ x1. Q x1 y

125

α-Conversion

Bound variables are renamed automatically to avoid nameclashes with other variables.

126

Natural deduction for quantifiers

∀ x. P(x)allI allE

exI exE

127


∧x. P(x)∀ x. P(x)

allI allE

exI exE

127


∧x. P(x)∀ x. P(x)

allI allE

∃ x. P(x)exI exE

127


∧x. P(x)∀ x. P(x)

allI allE

P(?x)∃ x. P(x)

exI exE

127


∧x. P(x)∀ x. P(x)

allI∀ x. P(x)

R allE

P(?x)∃ x. P(x)

exI exE

127


∧x. P(x)∀ x. P(x)

allI∀ x. P(x) P(?x) =⇒ R

R allE

P(?x)∃ x. P(x)

exI exE

127


∧x. P(x)∀ x. P(x)


R allE

P(?x)∃ x. P(x)

exI∃ x. P(x)

RexE

127


∧x. P(x)∀ x. P(x)


R allE

P(?x)∃ x. P(x)

exI∃ x. P(x)

∧x. P(x) =⇒ RR

exE

127


∧x. P(x)∀ x. P(x)


R allE

P(?x)∃ x. P(x)

exI∃ x. P(x)

∧x. P(x) =⇒ RR

exE

• allI and exE introduce new parameters (∧

x).

127


∧x. P(x)∀ x. P(x)


R allE

P(?x)∃ x. P(x)

exI∃ x. P(x)

∧x. P(x) =⇒ RR

exE

• allI and exE introduce new parameters (∧

x).• allE and exI introduce new unknowns (?x).

127

Instantiating rules

apply (rule_tac x = term in rule)

Like rule, but ?x in rule is instantiated by term beforeapplication.

128

Instantiating rules



Similar: erule_tac

128

Instantiating rules



Similar: erule_tac

! x is in rule, not in the goal !

128

A quantifier proof

1. ∀a. ∃b. a = b

129

A quantifier proof

1. ∀a. ∃b. a = bapply (rule allI)

129

A quantifier proof

1. ∀a. ∃b. a = bapply (rule allI)1.

∧a. ∃b. a = b

129

A quantifier proof


∧a. ∃b. a = b

apply (rule_tac x = "a" in exI)

129

A quantifier proof


∧a. ∃b. a = b

apply (rule_tac x = "a" in exI)1.

∧a. a = a

129

A quantifier proof


∧a. ∃b. a = b

apply (rule_tac x = "a" in exI)1.

∧a. a = a

apply (rule refl)

129

Demo: quantifier proofs

130

More proof methods

131

Forward proofs: frule and drule

“Forward” rule: A1 =⇒ ASubgoal: 1. [[ B1; . . . ; Bn ]] =⇒ C

132


“Forward” rule: A1 =⇒ ASubgoal: 1. [[ B1; . . . ; Bn ]] =⇒ CSubstitution: σ(Bi) ≡ σ(A1)

132


“Forward” rule: A1 =⇒ ASubgoal: 1. [[ B1; . . . ; Bn ]] =⇒ CSubstitution: σ(Bi) ≡ σ(A1)New subgoal: 1. σ( [[ B1; . . . ; Bn; A ]] =⇒ C)

132



Command:apply (frule rulename)

132



Command:apply (frule rulename)

Like frule but also deletes Bi:apply (drule rulename)

132

frule and drule: the general case

Rule: [[ A1; . . . ; Am ]] =⇒ A

Creates additional subgoals:

1. σ( [[ B1; . . . ; Bn ]] =⇒ A2)...m-1. σ( [[ B1; . . . ; Bn ]] =⇒ Am)m. σ( [[ B1; . . . ; Bn; A ]] =⇒ C)

133

Forward proofs: OF

r[OF r 1 . . . rn]

Prove assumption 1 of theorem r with theorem r 1,and assumption 2 with theorem r 2, and . . .

134

Forward proofs: OF

r[OF r 1 . . . rn]


Rule r [[ A1; . . . ; Am ]] =⇒ ARule r 1 [[ B1; . . . ; Bn ]] =⇒ BSubstitution σ(B) ≡ σ(A1)r[OF r 1]

134

Forward proofs: OF

r[OF r 1 . . . rn]


Rule r [[ A1; . . . ; Am ]] =⇒ ARule r 1 [[ B1; . . . ; Bn ]] =⇒ BSubstitution σ(B) ≡ σ(A1)r[OF r 1] σ( [[ B1; . . . ; Bn; A2; . . . ; Am ]] =⇒ A)

134

Clarifying the goal

135

Clarifying the goal

• apply (clarify)Repeated application of safe ruleswithout splitting the goal

135

Clarifying the goal

• apply (clarify)Repeated application of safe ruleswithout splitting the goal

• apply (clarsimp simp add: . . . )Combination of clarify and simp.

135

Demo: proof methods

136

Sets

137

Overview

• Set notation• Inductively defined sets

138

Set notation

139

Sets

Sets over type ’a:

’a set

140

Sets


’a set = ’a ⇒ bool

140

Sets



• {}, {e1,. . . ,en}, {x. P x}

140

Sets



• {}, {e1,. . . ,en}, {x. P x}• e ∈ A, A ⊆ B

140

Sets



• {}, {e1,. . . ,en}, {x. P x}• e ∈ A, A ⊆ B• A ∪ B, A ∩ B, A - B, - A

140

Sets



• {}, {e1,. . . ,en}, {x. P x}• e ∈ A, A ⊆ B• A ∪ B, A ∩ B, A - B, - A•

⋃

x∈A B x,⋂

x∈A B x

140

Sets




⋃

x∈A B x,⋂

x∈A B x• {i..j}

140

Sets




⋃

x∈A B x,⋂

x∈A B x• {i..j}• insert :: ’a ⇒ ’a set ⇒ ’a set

140

Sets




⋃

x∈A B x,⋂

x∈A B x• {i..j}• insert :: ’a ⇒ ’a set ⇒ ’a set• . . .

140

Proofs about sets

Natural deduction proofs:• equalityI : [[A ⊆ B; B ⊆ A]] =⇒ A = B

141

Proofs about sets

Natural deduction proofs:• equalityI : [[A ⊆ B; B ⊆ A]] =⇒ A = B• subsetI : (

∧x. x ∈ A =⇒ x ∈ B) =⇒ A ⊆ B

141

Proofs about sets

Natural deduction proofs:• equalityI : [[A ⊆ B; B ⊆ A]] =⇒ A = B• subsetI : (

∧x. x ∈ A =⇒ x ∈ B) =⇒ A ⊆ B

• . . . (see Tutorial)

141

Demo: proofs about sets

142

Bounded quantifiers

• ∀ x∈A. P x

143

Bounded quantifiers

• ∀ x∈A. P x ≡ ∀ x. x∈A −→ P x

143

Bounded quantifiers

• ∀ x∈A. P x ≡ ∀ x. x∈A −→ P x• ∃ x∈A. P x

143

Bounded quantifiers

• ∀ x∈A. P x ≡ ∀ x. x∈A −→ P x• ∃ x∈A. P x ≡ ∃ x. x∈A ∧ P x

143

Bounded quantifiers

• ∀ x∈A. P x ≡ ∀ x. x∈A −→ P x• ∃ x∈A. P x ≡ ∃ x. x∈A ∧ P x• ballI : (

∧x. x ∈ A =⇒ P x) =⇒ ∀ x∈A. P x

• bspec : [[∀ x∈A. P x; x ∈ A]] =⇒ P x

143

Bounded quantifiers

• ∀ x∈A. P x ≡ ∀ x. x∈A −→ P x• ∃ x∈A. P x ≡ ∃ x. x∈A ∧ P x• ballI : (

∧x. x ∈ A =⇒ P x) =⇒ ∀ x∈A. P x

• bspec : [[∀ x∈A. P x; x ∈ A]] =⇒ P x• bexI : [[P x; x ∈ A]] =⇒ ∃ x∈A. P x• bexE : [[∃ x∈A. P x;

∧x. [[x ∈ A; P x ]] =⇒ Q]] =⇒ Q

143

Inductively defined sets

144

Example: even numbers

Informally:

145


Informally:• 0 is even

145


Informally:• 0 is even• If n is even, so is n + 2

145


Informally:• 0 is even• If n is even, so is n + 2• These are the only even numbers

145



In Isabelle/HOL:

inductive set Ev :: nat set — The set of all even numbers

145



In Isabelle/HOL:

inductive set Ev :: nat set — The set of all even numberswhere

0 ∈ Ev |n ∈ Ev =⇒ n + 2 ∈ Ev

145

Format of inductive definitions

inductive set S :: τ set

146


inductive set S :: τ setwhere

[[ a1 ∈ S; . . . ; an ∈ S; A1; . . . ; Ak ]] =⇒ a ∈ S |...

146


inductive set S :: τ setwhere

[[ a1 ∈ S; . . . ; an ∈ S; A1; . . . ; Ak ]] =⇒ a ∈ S |...

where A1; . . . ; Ak are side conditions not involving S.

146

Proving properties of even numbers

Easy: 4 ∈ Ev0 ∈ Ev =⇒ 2 ∈ Ev =⇒ 4 ∈ Ev

147


Easy: 4 ∈ Ev0 ∈ Ev =⇒ 2 ∈ Ev =⇒ 4 ∈ Ev

Trickier: m ∈ Ev =⇒ m+m ∈ Ev

147


Easy: 4 ∈ Ev0 ∈ Ev =⇒ 2 ∈ Ev =⇒ 4 ∈ Ev

Trickier: m ∈ Ev =⇒ m+m ∈ EvIdea: induction on the length of the derivation of m ∈ Ev

147


Easy: 4 ∈ Ev0 ∈ Ev =⇒ 2 ∈ Ev =⇒ 4 ∈ Ev

Trickier: m ∈ Ev =⇒ m+m ∈ EvIdea: induction on the length of the derivation of m ∈ EvBetter: induction on the structure of the derivation

147


Easy: 4 ∈ Ev0 ∈ Ev =⇒ 2 ∈ Ev =⇒ 4 ∈ Ev

Trickier: m ∈ Ev =⇒ m+m ∈ EvIdea: induction on the length of the derivation of m ∈ EvBetter: induction on the structure of the derivationTwo cases: m ∈ Ev is proved by• rule 0 ∈ Ev

147


Easy: 4 ∈ Ev0 ∈ Ev =⇒ 2 ∈ Ev =⇒ 4 ∈ Ev


=⇒ m = 0 =⇒ 0+0 ∈ Ev

147


Easy: 4 ∈ Ev0 ∈ Ev =⇒ 2 ∈ Ev =⇒ 4 ∈ Ev


=⇒ m = 0 =⇒ 0+0 ∈ Ev• rule n ∈ Ev =⇒ n+2 ∈ Ev

147


Easy: 4 ∈ Ev0 ∈ Ev =⇒ 2 ∈ Ev =⇒ 4 ∈ Ev


=⇒ m = 0 =⇒ 0+0 ∈ Ev• rule n ∈ Ev =⇒ n+2 ∈ Ev

=⇒ m = n+2 and n+n ∈ Ev (ind. hyp.!)

147


Easy: 4 ∈ Ev0 ∈ Ev =⇒ 2 ∈ Ev =⇒ 4 ∈ Ev


=⇒ m = 0 =⇒ 0+0 ∈ Ev• rule n ∈ Ev =⇒ n+2 ∈ Ev

=⇒ m = n+2 and n+n ∈ Ev (ind. hyp.!)=⇒ m+m = (n+2)+(n+2) = ((n+n)+2)+2 ∈ Ev

147

Rule induction for Ev

To prove

n ∈ Ev =⇒ P n

by rule induction on n ∈ Ev we must prove

148


To prove

n ∈ Ev =⇒ P n

by rule induction on n ∈ Ev we must prove• P 0

148


To prove

n ∈ Ev =⇒ P n

by rule induction on n ∈ Ev we must prove• P 0• P n =⇒ P(n+2)

148


To prove

n ∈ Ev =⇒ P n

by rule induction on n ∈ Ev we must prove• P 0• P n =⇒ P(n+2)

Rule Ev.induct :

[[ n ∈ Ev; P 0;∧

n. P n =⇒ P(n+2) ]] =⇒ P n

148

Rule induction in general

Set S is defined inductively.

149


Set S is defined inductively.To prove

x ∈ S =⇒ P x

by rule induction on x ∈ S

149



x ∈ S =⇒ P x

by rule induction on x ∈ Swe must prove for every rule

[[ a1 ∈ S; . . . ; an ∈ S ]] =⇒ a ∈ Sthat P is preserved:

149



x ∈ S =⇒ P x



[[ P a1; . . . ; P an ]] =⇒ P a

149



x ∈ S =⇒ P x



[[ P a1; . . . ; P an ]] =⇒ P a

In Isabelle/HOL:apply (induct rule: S.induct)

149

Demo: inductively defined sets

150

Inductive predicates

x ∈ S ; S x

151


x ∈ S ; S x

Example:inductive Ev :: nat ⇒ boolwhere

Ev 0 |Ev n =⇒ Ev (n + 2)

151


x ∈ S ; S x


Ev 0 |Ev n =⇒ Ev (n + 2)

Comparison:predicate: simpler syntaxset: direct usage of ∪ etc

151


x ∈ S ; S x


Ev 0 |Ev n =⇒ Ev (n + 2)

Comparison:predicate: simpler syntaxset: direct usage of ∪ etc

Inductive predicates can be of type τ1 ⇒ ... ⇒ τn ⇒ bool

151

Automating it

152

simp and auto

simp rewriting and a bit of arithmetic

auto rewriting and a bit of arithmetic, logic & sets

153

simp and auto



• Show you where they got stuck

153

simp and auto



• Show you where they got stuck• highly incomplete wrt logic

153

blast

• A complete (for FOL) tableaux calculus implementation

154

blast

• A complete (for FOL) tableaux calculus implementation• Covers logic, sets, relations, . . .

154

blast

• A complete (for FOL) tableaux calculus implementation• Covers logic, sets, relations, . . .• Extensible with intro/elim rules

154

blast

• A complete (for FOL) tableaux calculus implementation• Covers logic, sets, relations, . . .• Extensible with intro/elim rules• Almost no “=”

154

Demo: blast

155

blast: A 2-stage implementation

1. Search for proof with quick, dirty and possibly buggyprogram

156


1. Search for proof with quick, dirty and possibly buggyprogram (while recording proof tree)

156



2. Check proof tree with Isabelle kernel

156




This is the LCF-architecture by Robin Milner:

156




This is the LCF-architecture by Robin Milner:• Proofs only constructable via small trustworthy kernel

156




This is the LCF-architecture by Robin Milner:• Proofs only constructable via small trustworthy kernel• Proof search programmable in ML on top

156




This is the LCF-architecture by Robin Milner:• Proofs only constructable via small trustworthy kernel• Proof search programmable in ML on top

Isabelle follows the LCF architecture

156

fast and friends

fast slow and incomplete version of blast

157

fast and friends


fastsimp rewriting and logic

157

fast and friends


fastsimp rewriting and logic

force slower but completer version of fastsimp

157

metis

• An fast resolution theorem prover in ML

158

metis

• An fast resolution theorem prover in ML• Can deal with bidirectional “=”

158

metis

• An fast resolution theorem prover in ML• Can deal with bidirectional “=”• Knows only pure logic, not sets etc

158

Demo: beyond blast

159

Problems

• Most proofs require additional lemmas.

160

Problems

• Most proofs require additional lemmas.• Adding arbitrary lemmas slows blast down significantly;

160

Problems


metis copes better.

160

Problems


metis copes better.• Finding the right lemmas in a library of thousands of

lemmas is light years beyond blast and metis.

160

Problems


metis copes better.• Finding the right lemmas in a library of thousands of

lemmas is light years beyond blast and metis.• There are highly optimized ATPs (automatic theorem

provers) for FOL that can deal with large libraries . . .

160

Sledgehammer

161

Architecture

Isabelle

↓↑ATPs

162

Architecture

Isabelle

Formula ↓↑ATPs

162

Architecture

Isabelle

Formula ↓↑ Proof

ATPs

162

Architecture

Isabelle

Formula& filtered library

↓↑ Proof

ATPs

162

Architecture

Isabelle


↓↑ Proof=lemmas used

ATPs

162

Architecture

Isabelle


↓↑ Proof=lemmas used

ATPs

Empirical study:

Sledgehammer works for 1/3 of non-trivial Isabelle proofs

162

Demo: Sledghehammer

163

Automating Arithmetic

164

Automating arithmetic

arith:

165


arith:• proves linear formulas (no “∗”)

165


arith:• proves linear formulas (no “∗”)• complete for quantifier-free real arithmetic

165


arith:• proves linear formulas (no “∗”)• complete for quantifier-free real arithmetic• complete for first-order theory of nat and int

(Presburger arithmetic)

165


Theorem (Tarski) Th(R,+,−, ∗,

Demo: Arithmetic

167

Isar — A language for structured proofs

168

Apply scripts

• unreadable

169

Apply scripts

• unreadable• hard to maintain

169

Apply scripts

• unreadable• hard to maintain• do not scale

169

Apply scripts

• unreadable• hard to maintain• do not scale

No structure!

169

Apply scripts versus Isar proofs

Apply script = assembly language program

170



Isar proof = structured program with comments

170



Isar proof = structured program with comments

But: apply still useful for proof exploration

170

A typical Isar proof

proof

assume formula0have formula1 by simp...have formulan by blastshow formulan+1 by . . .

qed

171

A typical Isar proof

proof

assume formula0have formula1 by simp...have formulan by blastshow formulan+1 by . . .

qed

proves formula0 =⇒ formulan+1

171

Overview

• Basic Isar• Isar by example• Proof patterns• Streamlining proofs

172

Isar core syntax

proof = proof [method] statement∗ qed| by method

173

Isar core syntax


method = (simp . . . ) | (blast . . . ) | (rule . . . ) | . . .

173

Isar core syntax



statement = fix variables (∧

)| assume prop (=⇒)| [from fact+] (have | show ) prop proof

173

Isar core syntax




)| assume prop (=⇒)| [from fact+] (have | show ) prop proof| next (separates subgoals)

173

Isar core syntax





prop = [name:] "formula"

173

Isar core syntax





prop = [name:] "formula"

fact = name | name[OF fact+] | ‘formula‘173

Isar by example

174

Example: Cantor’s theorem

lemma Cantor: ¬ surj(f :: ’a ⇒ ’a set)

175


lemma Cantor: ¬ surj(f :: ’a ⇒ ’a set)proof

175


lemma Cantor: ¬ surj(f :: ’a ⇒ ’a set)proof assume surj, show False

175



assume a: surj f

175



assume a: surj ffrom a have b: ∀ A. ∃ a. A = f a

175




by(simp add: surj_def)

175




by(simp add: surj_def)from b have c: ∃ a. {x. x /∈ f x} = f a

175

Documents

An Introduction to Isabelle/HOL 2009-1isabelle.in.tum.de/coursematerial/PSV2009-1/slides.pdf · Proof methods •Structural induction •Format: (induct x) x must be a free variable