concrete semantics - tum · concrete semantics a proof assistant approach tobias nipkow fakult at...
TRANSCRIPT
![Page 1: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/1.jpg)
Concrete SemanticsA Proof Assistant Approach
Tobias Nipkow
Fakultat fur InformatikTechnische Universitat Munchen
2014-1-26
1
![Page 2: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/2.jpg)
Part I
Isabelle
2
![Page 3: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/3.jpg)
Chapter 2
Programming and Proving
3
![Page 4: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/4.jpg)
1 Overview of Isabelle/HOL
2 Type and function definitions
3 Induction Heuristics
4 Simplification
4
![Page 5: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/5.jpg)
Notation
Implication associates to the right:
A =⇒ B =⇒ C means A =⇒ (B =⇒ C)
Similarly for other arrows: ⇒, −→
A1 . . . An
Bmeans A1 =⇒ . . . =⇒ An =⇒ B
5
![Page 6: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/6.jpg)
1 Overview of Isabelle/HOL
2 Type and function definitions
3 Induction Heuristics
4 Simplification
6
![Page 7: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/7.jpg)
HOL = Higher-Order LogicHOL = Functional Programming + Logic
HOL has
• datatypes• recursive functions• logical operators
HOL is a programming language!
Higher-order = functions are values, too!
HOL Formulas:
• For the moment: only term = term,e.g. 1 + 2 = 4
• Later: ∧, ∨, −→, ∀, . . .7
![Page 8: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/8.jpg)
1 Overview of Isabelle/HOLTypes and termsInterfaceBy example: types bool, nat and listSummary
8
![Page 9: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/9.jpg)
Types
Basic syntax:
τ ::= (τ)| bool | nat | int | . . . base types| ′a | ′b | . . . type variables| τ ⇒ τ functions| τ × τ pairs (ascii: *)| τ list lists| τ set sets| . . . user-defined types
Convention: τ 1 ⇒ τ 2 ⇒ τ 3 ≡ τ 1 ⇒ (τ 2 ⇒ τ 3)
9
![Page 10: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/10.jpg)
Terms
Terms can be formed as follows:
• Function application:f tis the call of function f with argument t.If f has more arguments: f t1 t2 . . .Examples: sin π, plus x y
• Function abstraction:λx. tis the function with parameter x and result t,i.e. “x 7→ t”.Example: λx. plus x x
10
![Page 11: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/11.jpg)
TermsBasic syntax:
t ::= (t)| a constant or variable (identifier)| t t function application| λx. t function abstraction| . . . lots of syntactic sugar
Examples: f (g x) yh (λx. f (g x))
Convention: f t1 t2 t3 ≡ ((f t1) t2) t3
This language of terms is known as the λ-calculus.11
![Page 12: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/12.jpg)
The computation rule of the λ-calculus is thereplacement of formal by actual parameters:
(λx. t) u = t[u/x]
where t[u/x] is “t with u substituted for x”.
Example: (λx. x + 5) 3 = 3 + 5
• The step from (λx. t) u to t[u/x] is calledβ-reduction.
• Isabelle performs β-reduction automatically.
12
![Page 13: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/13.jpg)
Terms must be well-typed
(the argument of every function call must be of the right type)
Notation:t :: τ means “t is a well-typed term of type τ”.
t :: τ 1 ⇒ τ 2 u :: τ 1t u :: τ 2
13
![Page 14: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/14.jpg)
Type inference
Isabelle automatically computes the type of each variablein a term. This is called type inference.
In the presence of overloaded functions (functions withmultiple types) this is not always possible.
User can help with type annotations inside the term.Example: f (x::nat)
14
![Page 15: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/15.jpg)
Currying
Thou shalt Curry your functions
• Curried: f :: τ 1 ⇒ τ 2 ⇒ τ
• Tupled: f ′ :: τ 1 × τ 2 ⇒ τ
Advantage:
Currying allows partial applicationf a1 where a1 :: τ 1
15
![Page 16: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/16.jpg)
Predefined syntactic sugar
• Infix: +, −, ∗, #, @, . . .
• Mixfix: if then else , case of, . . .
Prefix binds more strongly than infix:
! f x + y ≡ (f x) + y 6≡ f (x + y) !
Enclose if and case in parentheses:
! (if then else ) !
16
![Page 17: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/17.jpg)
Isabelle text = Theory = Module
Syntax: theory MyThimports ImpTh1 . . . ImpThnbegin
(definitions, theorems, proofs, ...)∗
end
MyTh: name of theory. Must live in file MyTh.thy
ImpThi: name of imported theories. Import transitive.
Usually: imports Main
17
![Page 18: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/18.jpg)
Concrete syntax
In .thy files:Types, terms and formulas need to be inclosed in "
Except for single identifiers
" normally not shown on slides
18
![Page 19: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/19.jpg)
1 Overview of Isabelle/HOLTypes and termsInterfaceBy example: types bool, nat and listSummary
19
![Page 20: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/20.jpg)
isabelle jedit
• Based on jedit editor
• Processes Isabelle text automaticallywhen editing .thy files (like modern Java IDEs)
20
![Page 21: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/21.jpg)
Overview_Demo.thy
21
![Page 22: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/22.jpg)
1 Overview of Isabelle/HOLTypes and termsInterfaceBy example: types bool, nat and listSummary
22
![Page 23: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/23.jpg)
Type bool
datatype bool = True | False
Predefined functions:∧, ∨, −→, . . . :: bool ⇒ bool ⇒ bool
A formula is a term of type bool
if-and-only-if: =
23
![Page 24: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/24.jpg)
Type nat
datatype nat = 0 | Suc nat
Values of type nat: 0, Suc 0, Suc(Suc 0), . . .
Predefined functions: +, ∗, ... :: nat ⇒ nat ⇒ nat
! Numbers and arithmetic operations are overloaded:0,1,2,... :: ′a, + :: ′a ⇒ ′a ⇒ ′a
You need type annotations: 1 :: nat, x + (y::nat)unless the context is unambiguous: Suc z
24
![Page 25: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/25.jpg)
Nat_Demo.thy
25
![Page 26: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/26.jpg)
An informal proof
Lemma add m 0 = mProof by induction on m.
• Case 0 (the base case):add 0 0 = 0 holds by definition of add.
• Case Suc m (the induction step):We assume add m 0 = m,the induction hypothesis (IH).We need to show add (Suc m) 0 = Suc m.The proof is as follows:add (Suc m) 0 = Suc (add m 0) by def. of add
= Suc m by IH
26
![Page 27: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/27.jpg)
Type ′a list
Lists of elements of type ′a
datatype ′a list = Nil | Cons ′a ( ′a list)
Some lists: Nil, Cons 1 Nil, Cons 1 (Cons 2 Nil), . . .
Syntactic sugar:
• [] = Nil: empty list
• x # xs = Cons x xs:list with first element x (“head”) and rest xs (“tail”)
• [x1, . . . , xn] = x1 # . . . xn # []
27
![Page 28: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/28.jpg)
Structural Induction for lists
To prove that P(xs) for all lists xs, prove
• P([]) and
• for arbitrary x and xs, P(xs) implies P(x#xs).
P([])∧x xs. P(xs) =⇒ P(x#xs)
P(xs)
28
![Page 29: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/29.jpg)
List_Demo.thy
29
![Page 30: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/30.jpg)
An informal proofLemma app (app xs ys) zs = app xs (app ys zs)Proof by induction on xs.• Case Nil: app (app Nil ys) zs = app ys zs =app Nil (app ys zs) holds by definition of app.
• Case Cons x xs: We assume app (app xs ys) zs =app xs (app ys zs) (IH), and we need to showapp (app (Cons x xs) ys) zs =app (Cons x xs) (app ys zs).The proof is as follows:app (app (Cons x xs) ys) zs= Cons x (app (app xs ys) zs) by definition of app= Cons x (app xs (app ys zs)) by IH= app (Cons x xs) (app ys zs) by definition of app
30
![Page 31: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/31.jpg)
Large library: HOL/List.thyIncluded in Main.
Don’t reinvent, reuse!
Predefined: xs @ ys (append), length, and map:
map f [x1, . . . , xn] = [f x1, . . . , f xn]
fun map :: ( ′a ⇒ ′b) ⇒ ′a list ⇒ ′b list wheremap f [] = [] |map f (x#xs) = f x # map f xs
Note: map takes function as argument.
31
![Page 32: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/32.jpg)
1 Overview of Isabelle/HOLTypes and termsInterfaceBy example: types bool, nat and listSummary
32
![Page 33: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/33.jpg)
• datatype defines (possibly) recursive data types.
• fun defines (possibly) recursive functions bypattern-matching over datatype constructors.
33
![Page 34: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/34.jpg)
Proof methods
• induction performs structural induction on somevariable (if the type of the variable is a datatype).
• auto solves as many subgoals as it can, mainly bysimplification (symbolic evaluation):
“=” is used only from left to right!
34
![Page 35: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/35.jpg)
Proofs
General schema:
lemma name: "..."
apply (...)
apply (...)...done
If the lemma is suitable as a simplification rule:
lemma name[simp]: "..."
35
![Page 36: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/36.jpg)
Top down proofs
Command
sorry
“completes” any proof.
Allows top down development:
Assume lemma first, prove it later.
36
![Page 37: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/37.jpg)
The proof state
1.∧
x1 . . . xp. A =⇒ B
x1 . . . xp fixed local variablesA local assumption(s)B actual (sub)goal
37
![Page 38: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/38.jpg)
Preview: Multiple assumptions
[[ A1; . . . ; An ]] =⇒ B
abbreviates
A1 =⇒ . . . =⇒ An =⇒ B
; ≈ “and”
38
![Page 39: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/39.jpg)
1 Overview of Isabelle/HOL
2 Type and function definitions
3 Induction Heuristics
4 Simplification
39
![Page 40: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/40.jpg)
2 Type and function definitionsType definitionsFunction definitions
40
![Page 41: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/41.jpg)
Type synonyms
type_synonym name = τ
Introduces a synonym name for type τ
Examples:
type_synonym string = char list
type_synonym ( ′a, ′b)foo = ′a list × ′b list
Type synonyms are expanded after parsingand are not present in internal representation and output
41
![Page 42: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/42.jpg)
datatype — the general casedatatype (α1, . . . , αn)τ = C1 τ1,1 . . . τ1,n1
| . . .| Ck τk,1 . . . τk,nk
• Types: Ci :: τi,1 ⇒ · · · ⇒ τi,ni⇒ (α1, . . . , αn)τ
• Distinctness: Ci . . . 6= Cj . . . if i 6= j
• Injectivity: (Ci x1 . . . xni= Ci y1 . . . yni
) =(x1 = y1 ∧ · · · ∧ xni
= yni)
Distinctness and injectivity are applied automaticallyInduction must be applied explicitly
42
![Page 43: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/43.jpg)
Case expressionsDatatype values can be taken apart with case:
(case xs of [] ⇒ . . . | y#ys ⇒ ... y ... ys ...)
Wildcards:
(case m of 0 ⇒ Suc 0 | Suc ⇒ 0)
Nested patterns:
(case xs of [0] ⇒ 0 | [Suc n] ⇒ n | ⇒ 2)
Complicated patterns mean complicated proofs!
Need ( ) in context
43
![Page 44: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/44.jpg)
Tree_Demo.thy
44
![Page 45: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/45.jpg)
The option type
datatype ′a option = None | Some ′a
If ′a has values a1, a2, . . .then ′a option has values None, Some a1, Some a2, . . .
Typical application:
fun lookup :: ( ′a × ′b) list ⇒ ′a ⇒ ′b option wherelookup [] x = None |lookup ((a,b) # ps) x =
(if a = x then Some b else lookup ps x)
45
![Page 46: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/46.jpg)
2 Type and function definitionsType definitionsFunction definitions
46
![Page 47: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/47.jpg)
Non-recursive definitions
Example:definition sq :: nat ⇒ nat where sq n = n∗n
No pattern matching, just f x1 . . . xn = . . .
47
![Page 48: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/48.jpg)
The danger of nontermination
How about f x = f x + 1 ?
Subtract f x on both sides.=⇒ 0 = 1
! All functions in HOL must be total !
48
![Page 49: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/49.jpg)
Key features of fun
• Pattern-matching over datatype constructors
• Order of equations matters
• Termination must be provable automaticallyby size measures
• Proves customized induction schema
49
![Page 50: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/50.jpg)
Example: separation
fun sep :: ′a ⇒ ′a list ⇒ ′a list wheresep a (x#y#zs) = x # a # sep a (y#zs) |sep a xs = xs
50
![Page 51: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/51.jpg)
Example: Ackermann
fun ack :: nat ⇒ nat ⇒ nat whereack 0 n = Suc n |ack (Suc m) 0 = ack m (Suc 0) |ack (Suc m) (Suc n) = ack m (ack (Suc m) n)
Terminates because the arguments decreaselexicographically with each recursive call:
• (Suc m, 0) > (m, Suc 0)
• (Suc m, Suc n) > (Suc m, n)
• (Suc m, Suc n) > (m, )
51
![Page 52: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/52.jpg)
primrec
• A restrictive version of fun
• Means primitive recursive
• Most functions are primitive recursive
• Frequently found in Isabelle theories
The essence of primitive recursion:
f(0) = . . . no recursionf(Suc n) = . . . f(n). . .
g([]) = . . . no recursiong(x#xs) = . . . g(xs). . .
52
![Page 53: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/53.jpg)
1 Overview of Isabelle/HOL
2 Type and function definitions
3 Induction Heuristics
4 Simplification
53
![Page 54: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/54.jpg)
Basic induction heuristics
Theorems about recursive functions are proved byinduction
Induction on argument number i of fif f is defined by recursion on argument number i
54
![Page 55: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/55.jpg)
A tail recursive reverse
Our initial reverse:
fun rev :: ′a list ⇒ ′a list whererev [] = [] |rev (x#xs) = rev xs @ [x]
A tail recursive version:
fun itrev :: ′a list ⇒ ′a list ⇒ ′a list whereitrev [] ys = ys |itrev (x#xs) ys =
itrev xs (x#ys)
lemma itrev xs [] = rev xs
55
![Page 56: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/56.jpg)
Induction_Demo.thy
Generalisation
56
![Page 57: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/57.jpg)
Generalisation
• Replace constants by variables
• Generalize free variables• by arbitrary in induction proof• (or by universal quantifier in formula)
57
![Page 58: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/58.jpg)
So far, all proofs were by structural inductionbecause all functions were primitive recursive.
In each induction step, 1 constructor is added.In each recursive call, 1 constructor is removed.
Now: induction for complex recursion patterns.
58
![Page 59: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/59.jpg)
Computation Induction:Example
fun div2 :: nat ⇒ nat wherediv2 0 = 0 |div2 (Suc 0) = 0 |div2 (Suc(Suc n)) = Suc(div2 n)
; induction rule div2.induct:
P (0) P (Suc 0)∧n. P (n) =⇒ P (Suc(Suc n))
P (m)
59
![Page 60: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/60.jpg)
Computation Induction
If f :: τ ⇒ τ ′ is defined by fun, a special inductionschema is provided to prove P (x) for all x :: τ :
for each defining equation
f(e) = . . . f(r1) . . . f(rk) . . .
prove P (e) assuming P (r1), . . . , P (rk).
Induction follows course of (terminating!) computationMotto: properties of f are best proved by rule f.induct
60
![Page 61: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/61.jpg)
How to apply f.induct
If f :: τ1 ⇒ · · · ⇒ τn ⇒ τ ′:
(induction a1 . . . an rule: f.induct)
Heuristic:
• there should be a call f a1 . . . an in your goal
• ideally the ai should be variables.
61
![Page 62: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/62.jpg)
Induction_Demo.thy
Computation Induction
62
![Page 63: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/63.jpg)
1 Overview of Isabelle/HOL
2 Type and function definitions
3 Induction Heuristics
4 Simplification
63
![Page 64: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/64.jpg)
Simplification means . . .
Using equations l = r from left to right
As long as possible
Terminology: equation ; simplification rule
Simplification = (Term) Rewriting
64
![Page 65: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/65.jpg)
An example
Equations:
0 + n = n (1)(Suc m) + n = Suc (m+ n) (2)
(Suc m ≤ Suc n) = (m ≤ n) (3)(0 ≤ m) = True (4)
Rewriting:
0 + Suc 0 ≤ Suc 0 + x(1)=
Suc 0 ≤ Suc 0 + x(2)=
Suc 0 ≤ Suc (0 + x)(3)=
0 ≤ 0 + x(4)=
True65
![Page 66: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/66.jpg)
Conditional rewriting
Simplification rules can be conditional:
[[ P1; . . . ; Pk ]] =⇒ l = r
is applicable only if all Pi can be proved first,again by simplification.
Example:p(0) = True
p(x) =⇒ f(x) = g(x)
We can simplify f(0) to g(0) butwe cannot simplify f(1) because p(1) is not provable.
66
![Page 67: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/67.jpg)
Termination
Simplification may not terminate.Isabelle uses simp-rules (almost) blindly from left to right.
Example: f(x) = g(x), g(x) = f(x)
[[ P1; . . . ; Pk ]] =⇒ l = r
is suitable as a simp-rule onlyif l is “bigger” than r and each Pi
n < m =⇒ (n < Suc m) = True YESSuc n < m =⇒ (n < m) = True NO
67
![Page 68: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/68.jpg)
Proof method simpGoal: 1. [[ P1; . . . ; Pm ]] =⇒ C
apply(simp add: eq1 . . . eqn)
Simplify P1 . . . Pm and C using
• lemmas with attribute simp
• rules from fun and datatype
• additional lemmas eq1 . . . eqn• assumptions P1 . . . Pm
Variations:
• (simp . . . del: . . . ) removes simp-lemmas
• add and del are optional68
![Page 69: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/69.jpg)
auto versus simp
• auto acts on all subgoals
• simp acts only on subgoal 1
• auto applies simp and more
• auto can also be modified:(auto simp add: . . . simp del: . . . )
69
![Page 70: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/70.jpg)
Rewriting with definitions
Definitions (definition) must be used explicitly:
(simp add: f def . . . )
f is the function whose definition is to be unfolded.
70
![Page 71: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/71.jpg)
Case splitting with simpAutomatic:
P(if A then s else t)=
(A −→ P(s)) ∧ (¬A −→ P(t))
By hand:
P(case e of 0 ⇒ a | Suc n ⇒ b)=
(e = 0 −→ P(a)) ∧ (∀ n. e = Suc n −→ P(b))
Proof method: (simp split: nat.split)Or auto. Similar for any datatype t: t.split
71
![Page 72: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/72.jpg)
Simp_Demo.thy
72
![Page 73: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/73.jpg)
Chapter 3
Case Study: IMP Expressions
73
![Page 74: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/74.jpg)
5 Case Study: IMP Expressions
74
![Page 75: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/75.jpg)
5 Case Study: IMP Expressions
75
![Page 76: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/76.jpg)
This section introduces
arithmetic and boolean expressions
of our imperative language IMP.
IMP commands are introduced later.
76
![Page 77: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/77.jpg)
5 Case Study: IMP ExpressionsArithmetic ExpressionsBoolean ExpressionsStack Machine and Compilation
77
![Page 78: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/78.jpg)
Concrete and abstract syntax
Concrete syntax: strings, eg "a+5*b"
Abstract syntax: trees, eg+@@@
���a *
AAA
���
5 b
Parser: function from strings to trees
Linear view of trees: terms, eg Plus a (Times 5 b)
Abstract syntax trees/terms are datatype values!
78
![Page 79: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/79.jpg)
Concrete syntax is defined by a context-free grammar, eg
a ::= n | x | (a) | a+ a | a ∗ a | . . .
where n can be any natural number and x any variable.
We focus on abstract syntaxwhich we introduce via datatypes.
79
![Page 80: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/80.jpg)
Datatype aexp
Variable names are strings, values are integers:
type_synonym vname = stringdatatype aexp = N int | V vname | Plus aexp aexp
Concrete Abstract5 N 5x V ′′x ′′
x+y Plus (V ′′x ′′) (V ′′y ′′)2+(z+3) Plus (N 2) (Plus (V ′′z ′′) (N 3))
80
![Page 81: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/81.jpg)
Warning
This is syntax, not (yet) semantics!
N 0 6= Plus (N 0) (N 0)
81
![Page 82: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/82.jpg)
The (program) state
What is the value of x+1?
• The value of an expressiondepends on the value of its variables.
• The value of all variables is recorded in the state.
• The state is a function from variable names tovalues:
type_synonym val = inttype_synonym state = vname ⇒ val
82
![Page 83: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/83.jpg)
Function update notation
If f :: τ 1 ⇒ τ 2 and a :: τ 1 and b :: τ 2 then
f(a := b)
is the function that behaves like fexcept that it returns b for argument a.
f(a := b) = (λx. if x = a then b else f x)
83
![Page 84: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/84.jpg)
How to write down a state
Some states:
• λx. 0• (λx. 0)( ′′a ′′ := 3)
• ((λx. 0)( ′′a ′′ := 5))( ′′x ′′ := 3)
Nicer notation:
< ′′a ′′ := 5, ′′x ′′ := 3, ′′y ′′ := 7>
Maps everything to 0, but ′′a ′′ to 5, ′′x ′′ to 3, etc.
84
![Page 85: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/85.jpg)
AExp.thy
85
![Page 86: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/86.jpg)
5 Case Study: IMP ExpressionsArithmetic ExpressionsBoolean ExpressionsStack Machine and Compilation
86
![Page 87: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/87.jpg)
BExp.thy
87
![Page 88: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/88.jpg)
5 Case Study: IMP ExpressionsArithmetic ExpressionsBoolean ExpressionsStack Machine and Compilation
88
![Page 89: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/89.jpg)
ASM.thy
89
![Page 90: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/90.jpg)
This was easy.Because evaluation of expressions always terminates.But execution of programs may not terminate.Hence we cannot define it by a total recursive function.
We need more logical machineryto define program execution and reason about it.
90
![Page 91: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/91.jpg)
Chapter 4
Logic and ProofBeyond Equality
91
![Page 92: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/92.jpg)
6 Logical Formulas
7 Proof Automation
8 Single Step Proofs
9 Inductive Definitions
92
![Page 93: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/93.jpg)
6 Logical Formulas
7 Proof Automation
8 Single Step Proofs
9 Inductive Definitions
93
![Page 94: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/94.jpg)
Syntax (in decreasing precedence):
form ::= (form) | term = term | ¬form| form ∧ form | form ∨ form | form −→ form| ∀x. form | ∃x. form
Examples:¬ A ∧ B ∨ C ≡ ((¬ A) ∧ B) ∨ C
s = t ∧ C ≡ (s = t) ∧ CA ∧ B = B ∧ A ≡ A ∧ (B = B) ∧ A∀ x. P x ∧ Q x ≡ ∀ x. (P x ∧ Q x)
Input syntax: ←→ (same precedence as −→)
94
![Page 95: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/95.jpg)
Variable binding convention:
∀ x y. P x y ≡ ∀ x. ∀ y. P x y
Similarly for ∃ and λ.
95
![Page 96: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/96.jpg)
Warning
Quantifiers have low precedenceand need to be parenthesized (if in some context)
! P ∧ ∀ x. Q x ; P ∧ (∀ x. Q x) !
96
![Page 97: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/97.jpg)
Mathematical symbols
. . . and their ascii representations:
∀ \<forall> ALL
∃ \<exists> EX
λ \<lambda> %
−→ -->
←→ <-->
∧ /\ &
∨ \/ |
¬ \<not> ~
6= \<noteq> ~=
97
![Page 98: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/98.jpg)
Sets over type ′a
′a set
• {}, {e1,. . . ,en}• e ∈ A, A ⊆ B
• A ∪ B, A ∩ B, A − B, − A
• . . .
∈ \<in> :
⊆ \<subseteq> <=
∪ \<union> Un
∩ \<inter> Int
98
![Page 99: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/99.jpg)
Set comprehension
• {x. P} where x is a variable
• But not {t. P} where t is a proper term
• Instead: {t |x y z. P}is short for {v. ∃ x y z. v = t ∧ P}where x, y, z are the free variables in t
99
![Page 100: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/100.jpg)
6 Logical Formulas
7 Proof Automation
8 Single Step Proofs
9 Inductive Definitions
100
![Page 101: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/101.jpg)
simp and auto
simp: rewriting and a bit of arithmetic
auto: rewriting and a bit of arithmetic, logic and sets
• Show you where they got stuck
• highly incomplete
• Extensible with new simp-rules
Exception: auto acts on all subgoals
101
![Page 102: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/102.jpg)
fastforce
• rewriting, logic, sets, relations and a bit of arithmetic.
• incomplete but better than auto.
• Succeeds or fails
• Extensible with new simp-rules
102
![Page 103: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/103.jpg)
blast
• A complete proof search procedure for FOL . . .
• . . . but (almost) without “=”
• Covers logic, sets and relations
• Succeeds or fails
• Extensible with new deduction rules
103
![Page 104: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/104.jpg)
Automating arithmetic
arith:
• proves linear formulas (no “∗”)
• complete for quantifier-free real arithmetic
• complete for first-order theory of nat and int(Presburger arithmetic)
104
![Page 105: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/105.jpg)
Sledgehammer
105
![Page 106: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/106.jpg)
Architecture:
Isabelle
Goal& filtered library
↓ ↑ Proof
externalATPs1
Characteristics:
• Sometimes it works,
• sometimes it doesn’t.
Do you feel lucky?
1Automatic Theorem Provers106
![Page 107: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/107.jpg)
by(proof-method)
≈
apply(proof-method)done
107
![Page 108: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/108.jpg)
Auto_Proof_Demo.thy
108
![Page 109: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/109.jpg)
6 Logical Formulas
7 Proof Automation
8 Single Step Proofs
9 Inductive Definitions
109
![Page 110: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/110.jpg)
Step-by-step proofs can be necessary if automation failsand you have to explore where and why it failed bytaking the goal apart.
110
![Page 111: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/111.jpg)
What are these ?-variables ?
After you have finished a proof, Isabelle turns all freevariables V in the theorem into ?V.
Example: theorem conjI: [[?P; ?Q]] =⇒ ?P ∧ ?Q
These ?-variables can later be instantiated:
• By hand:conjI[of "a=b" "False"] ;[[a = b; False]] =⇒ a = b ∧ False
• By unification:unifying ?P ∧ ?Q with a=b ∧ Falsesets ?P to a=b and ?Q to False.
111
![Page 112: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/112.jpg)
Rule applicationExample: rule: [[?P; ?Q]] =⇒ ?P ∧ ?Q
subgoal: 1. . . . =⇒ A ∧ BResult: 1. . . . =⇒ A
2. . . . =⇒ B
The general case: applying rule [[ A1; . . . ; An ]] =⇒ Ato subgoal . . . =⇒ C:
• Unify A and C
• Replace C with n new subgoals A1 . . .An
apply(rule xyz)
“Backchaining”
112
![Page 113: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/113.jpg)
Typical backwards rules
?P ?Q?P ∧ ?Q
conjI
?P =⇒ ?Q?P −→ ?Q
impI
∧x. ?P x∀ x. ?P x
allI
?P =⇒ ?Q ?Q =⇒ ?P?P = ?Q
iffI
They are known as introduction rulesbecause they introduce a particular connective.
113
![Page 114: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/114.jpg)
Teaching blast new intro rulesIf r is a theorem [[ A1; . . . ; An ]] =⇒ A then
(blast intro: r)
allows blast to backchain on r during proof search.
Example:
theorem trans: [[ ?x ≤ ?y; ?y ≤ ?z ]] =⇒ ?x ≤ ?z
goal 1. [[ a ≤ b; b ≤ c; c ≤ d ]] =⇒ a ≤ d
proof apply(blast intro: trans)
Can greatly increase the search space!
114
![Page 115: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/115.jpg)
Forward proof: OF
If r is a theorem A =⇒ Band s is a theorem that unifies with A then
r[OF s]
is the theorem obtained by proving A with s.
Example: theorem refl: ?t = ?t
conjI[OF refl[of "a"]]
;?Q =⇒ a = a ∧ ?Q
115
![Page 116: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/116.jpg)
The general case:
If r is a theorem [[ A1; . . . ; An ]] =⇒ Aand r1, . . . , rm (m≤n) are theorems then
r[OF r1 . . . rm]
is the theorem obtainedby proving A1 . . . Am with r1 . . . rm.
Example: theorem refl: ?t = ?t
conjI[OF refl[of "a"] refl[of "b"]]
;a = a ∧ b = b
116
![Page 117: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/117.jpg)
From now on: ? mostly suppressed on slides
117
![Page 118: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/118.jpg)
Single_Step_Demo.thy
118
![Page 119: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/119.jpg)
=⇒ versus −→
=⇒ is part of the Isabelle framework. It structurestheorems and proof states: [[ A1; . . . ; An ]] =⇒ A
−→ is part of HOL and can occur inside the logicalformulas Ai and A.
Phrase theorems like this [[ A1; . . . ; An ]] =⇒ Anot like this A1 ∧ . . . ∧ An −→ A
119
![Page 120: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/120.jpg)
6 Logical Formulas
7 Proof Automation
8 Single Step Proofs
9 Inductive Definitions
120
![Page 121: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/121.jpg)
Example: even numbers
Informally:
• 0 is even
• If n is even, so is n+ 2
• These are the only even numbers
In Isabelle/HOL:
inductive ev :: nat ⇒ boolwhereev 0 |ev n =⇒ ev (n + 2)
121
![Page 122: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/122.jpg)
An easy proof: ev 4
ev 0 =⇒ ev 2 =⇒ ev 4
122
![Page 123: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/123.jpg)
Consider
fun even :: nat ⇒ bool whereeven 0 = True |even (Suc 0) = False |even (Suc (Suc n)) = even n
A trickier proof: ev m =⇒ even m
By induction on the structure of the derivation of ev m
Two cases: ev m is proved by
• rule ev 0=⇒ m = 0 =⇒ even m = True
• rule ev n =⇒ ev (n+2)=⇒ m = n+2 and even n (IH)=⇒ even m = even (n+2) = even n = True
123
![Page 124: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/124.jpg)
Rule induction for evTo prove
ev n =⇒ P n
by rule induction on ev n we must prove
• P 0
• P n =⇒ P(n+2)
Rule ev.induct:
ev n P 0∧n. [[ ev n; P n ]] =⇒ P(n+2)
P n
124
![Page 125: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/125.jpg)
Format of inductive definitions
inductive I :: τ ⇒ bool where[[ I a1; . . . ; I an ]] =⇒ I a |...
Note:
• I may have multiple arguments.
• Each rule may also contain side conditions notinvolving I.
125
![Page 126: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/126.jpg)
Rule induction in general
To prove
I x =⇒ P x
by rule induction on I xwe must prove for every rule
[[ I a1; . . . ; I an ]] =⇒ I a
that P is preserved:
[[ I a1; P a1; . . . ; I an; P an ]] =⇒ P a
126
![Page 127: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/127.jpg)
!Rule induction is absolutely central
to (operational) semanticsand the rest of this lecture course
!
127
![Page 128: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/128.jpg)
Inductive_Demo.thy
128
![Page 129: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/129.jpg)
Inductively defined sets
inductive_set I :: τ set where[[ a1 ∈ I; . . . ; an ∈ I ]] =⇒ a ∈ I |...
Difference to inductive:
• arguments of I are tupled, not curried
• I can later be used with set theoretic operators,eg I ∪ . . .
129
![Page 130: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/130.jpg)
Chapter 5
Isar: A Language forStructured Proofs
130
![Page 131: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/131.jpg)
10 Isar by example
11 Proof patterns
12 Streamlining Proofs
13 Proof by Cases and Induction
131
![Page 132: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/132.jpg)
Apply scripts
• unreadable
• hard to maintain
• do not scale
No structure!
132
![Page 133: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/133.jpg)
Apply scripts versus Isar proofs
Apply script = assembly language program
Isar proof = structured program with comments
But: apply still useful for proof exploration
133
![Page 134: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/134.jpg)
A typical Isar proof
proofassume formula0
have formula1 by simp...have formulan by blastshow formulan+1 by . . .
qed
proves formula0 =⇒ formulan+1
134
![Page 135: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/135.jpg)
Isar core syntaxproof = proof [method] step∗ qed
| by method
method = (simp . . . ) | (blast . . . ) | (induction . . . ) | . . .
step = fix variables (∧
)| assume prop (=⇒)| [from fact+] (have | show) prop proof
prop = [name:] ”formula”
fact = name | . . .
135
![Page 136: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/136.jpg)
10 Isar by example
11 Proof patterns
12 Streamlining Proofs
13 Proof by Cases and Induction
136
![Page 137: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/137.jpg)
Example: Cantor’s theorem
lemma ¬ surj(f :: ′a ⇒ ′a set)proof default proof: assume surj, show False
assume a: surj ffrom a have b: ∀ A. ∃ a. A = f a
by(simp add: surj def)from b have c: ∃ a. {x. x /∈ f x} = f a
by blastfrom c show False
by blastqed
137
![Page 138: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/138.jpg)
Isar_Demo.thy
Cantor and abbreviations
138
![Page 139: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/139.jpg)
Abbreviations
this = the previous proposition proved or assumedthen = from thisthus = then show
hence = then have
139
![Page 140: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/140.jpg)
using and with
(have|show) prop using facts=
from facts (have|show) prop
with facts=
from facts this
140
![Page 141: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/141.jpg)
Structured lemma statement
lemmafixes f :: ′a ⇒ ′a setassumes s: surj fshows False
proof − no automatic proof step
have ∃ a. {x. x /∈ f x} = f a using sby(auto simp: surj def)
thus False by blastqed
Proves surj f =⇒ Falsebut surj f becomes local fact s in proof.
141
![Page 142: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/142.jpg)
The essence of structured proofs
Assumptions and intermediate factscan be named and referred to explicitly and selectively
142
![Page 143: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/143.jpg)
Structured lemma statements
fixes x :: τ1 and y :: τ2 . . .assumes a: P and b: Q . . .shows R
• fixes and assumes sections optional
• shows optional if no fixes and assumes
143
![Page 144: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/144.jpg)
10 Isar by example
11 Proof patterns
12 Streamlining Proofs
13 Proof by Cases and Induction
144
![Page 145: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/145.jpg)
Case distinction
show Rproof cases
assume P...show R . . .
nextassume ¬ P...show R . . .
qed
have P ∨ Q . . .then show Rproof
assume P...show R . . .
nextassume Q...show R . . .
qed
145
![Page 146: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/146.jpg)
Contradiction
show ¬ Pproof
assume P...show False . . .
qed
show Pproof (rule ccontr)
assume ¬P...show False . . .
qed
146
![Page 147: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/147.jpg)
←→
show P ←→ Qproof
assume P...show Q . . .
nextassume Q...show P . . .
qed
147
![Page 148: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/148.jpg)
∀ and ∃ introduction
show ∀ x. P(x)proof
fix x local fixed variable
show P(x) . . .qed
show ∃ x. P(x)proof...show P(witness) . . .
qed
148
![Page 149: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/149.jpg)
∃ elimination: obtain
have ∃ x. P(x)then obtain x where p: P(x) by blast... x fixed local variable
Works for one or more x
149
![Page 150: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/150.jpg)
obtain example
lemma ¬ surj(f :: ′a ⇒ ′a set)proof
assume surj fhence ∃ a. {x. x /∈ f x} = f a by(auto simp: surj def)
then obtain a where {x. x /∈ f x} = f a by blasthence a /∈ f a ←→ a ∈ f a by blast
thus False by blastqed
150
![Page 151: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/151.jpg)
Set equality and subset
show A = Bproof
show A ⊆ B . . .next
show B ⊆ A . . .qed
show A ⊆ Bproof
fix xassume x ∈ A...show x ∈ B . . .
qed
151
![Page 152: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/152.jpg)
Isar_Demo.thy
Exercise
152
![Page 153: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/153.jpg)
10 Isar by example
11 Proof patterns
12 Streamlining Proofs
13 Proof by Cases and Induction
153
![Page 154: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/154.jpg)
12 Streamlining ProofsPattern Matching and QuotationsTop down proof developmentmoreover and raw proof blocks
154
![Page 155: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/155.jpg)
Example: pattern matching
show formula1 ←→ formula2 (is ?L ←→ ?R)proof
assume ?L...show ?R . . .
nextassume ?R...show ?L . . .
qed
155
![Page 156: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/156.jpg)
?thesis
show formula (is ?thesis)proof -
...show ?thesis . . .
qed
Every show implicitly defines ?thesis
156
![Page 157: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/157.jpg)
let
Introducing local abbreviations in proofs:
let ?t = "some-big-term"...have ". . . ?t . . . "
157
![Page 158: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/158.jpg)
Quoting facts by valueBy name:
have x0: ”x > 0” . . ....from x0 . . .
By value:
have ”x > 0” . . ....from ‘x>0‘ . . .
↑ ↑back quotes
158
![Page 159: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/159.jpg)
Isar_Demo.thy
Pattern matching and quotation
159
![Page 160: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/160.jpg)
12 Streamlining ProofsPattern Matching and QuotationsTop down proof developmentmoreover and raw proof blocks
160
![Page 161: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/161.jpg)
Example
lemma(∃ ys zs. xs = ys @ zs ∧ length ys = length zs) ∨(∃ ys zs. xs = ys @ zs ∧ length ys = length zs + 1)
proof ???
161
![Page 162: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/162.jpg)
Isar_Demo.thy
Top down proof development
162
![Page 163: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/163.jpg)
When automation failsSplit proof up into smaller steps.
Or explore by apply:
have . . . using . . .apply - to make incoming facts
part of proof stateapply auto or whateverapply . . .
At the end:
• done
• Better: convert to structured proof163
![Page 164: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/164.jpg)
12 Streamlining ProofsPattern Matching and QuotationsTop down proof developmentmoreover and raw proof blocks
164
![Page 165: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/165.jpg)
moreover—ultimately
have P1 . . .moreoverhave P2 . . .moreover...moreoverhave Pn . . .ultimatelyhave P . . .
≈
have lab1: P1 . . .have lab2: P2 . . ....have labn: Pn . . .from lab1 lab2 . . .have P . . .
With names
165
![Page 166: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/166.jpg)
Raw proof blocks
{ fix x1 . . . xnassume A1 . . . Am...have B}
proves [[ A1; . . . ; Am ]] =⇒ Bwhere all xi have been replaced by ?xi.
166
![Page 167: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/167.jpg)
Isar_Demo.thy
moreover and { }
167
![Page 168: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/168.jpg)
Proof state and Isar text
In general: proof method
Applies method and generates subgoal(s):∧x1 . . . xn [[ A1; . . . ; Am ]] =⇒ B
How to prove each subgoal:
fix x1 . . . xnassume A1 . . . Am...show B
Separated by next
168
![Page 169: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/169.jpg)
10 Isar by example
11 Proof patterns
12 Streamlining Proofs
13 Proof by Cases and Induction
169
![Page 170: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/170.jpg)
Isar_Induction_Demo.thy
Proof by cases
170
![Page 171: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/171.jpg)
Datatype case analysisdatatype t = C1 ~τ | . . .
proof (cases "term")case (C1 x1 . . . xk). . . xj . . .
next...qed
where case (Ci x1 . . . xk) ≡fix x1 . . . xkassume Ci:︸︷︷︸
label
term = (Ci x1 . . . xk)︸ ︷︷ ︸formula
171
![Page 172: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/172.jpg)
Isar_Induction_Demo.thy
Structural induction for nat
172
![Page 173: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/173.jpg)
Structural induction for nat
show P(n)proof (induction n)
case 0 ≡ let ?case = P (0)...show ?case
nextcase (Suc n) ≡ fix n assume Suc: P (n)... let ?case = P (Suc n)...show ?case
qed
173
![Page 174: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/174.jpg)
Structural induction with =⇒show A(n) =⇒ P(n)proof (induction n)
case 0 ≡ assume 0: A(0)... let ?case = P(0)show ?case
nextcase (Suc n) ≡ fix n... assume Suc: A(n) =⇒ P(n)
A(Suc n)... let ?case = P(Suc n)show ?case
qed
174
![Page 175: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/175.jpg)
Named assumptions
In a proof of
A1 =⇒ . . . =⇒ An =⇒ B
by structural induction:In the context of
case C
we have
C.IH the induction hypotheses
C.prems the premises Ai
C C.IH + C.prems
175
![Page 176: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/176.jpg)
A remark on style
• case (Suc n) . . . show ?caseis easy to write and maintain
• fix n assume formula . . . show formula ′
is easier to read:• all information is shown locally• no contextual references (e.g. ?case)
176
![Page 177: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/177.jpg)
13 Proof by Cases and InductionRule InductionRule Inversion
177
![Page 178: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/178.jpg)
Isar_Induction_Demo.thy
Rule induction
178
![Page 179: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/179.jpg)
Rule induction
inductive I :: τ ⇒ σ ⇒ boolwhererule1: . . ....rulen: . . .
show I x y =⇒ P x yproof (induction rule: I.induct)
case rule1. . .show ?case
next...next
case rulen. . .show ?case
qed
179
![Page 180: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/180.jpg)
Fixing your own variable names
case (rulei x1 . . . xk)
Renames the first k variables in rulei (from left to right)to x1 . . . xk.
180
![Page 181: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/181.jpg)
Named assumptionsIn a proof of
I . . . =⇒ A1 =⇒ . . . =⇒ An =⇒ B
by rule induction on I . . . :In the context of
case R
we have
R.IH the induction hypotheses
R.hyps the assumptions of rule R
R.prems the premises Ai
R R.IH + R.hyps + R.prems
181
![Page 182: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/182.jpg)
13 Proof by Cases and InductionRule InductionRule Inversion
182
![Page 183: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/183.jpg)
Rule inversion
inductive ev :: nat ⇒ bool whereev0: ev 0 |evSS: ev n =⇒ ev(Suc(Suc n))
What can we deduce from ev n ?That it was proved by either ev0 or evSS !
ev n =⇒ n = 0 ∨ (∃ k. n = Suc (Suc k) ∧ ev k)
Rule inversion = case distinction over rules
183
![Page 184: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/184.jpg)
Isar_Induction_Demo.thy
Rule inversion
184
![Page 185: Concrete Semantics - TUM · Concrete Semantics A Proof Assistant Approach Tobias Nipkow Fakult at fur Informatik Technische Universit at Munchen 2014-1-26 1. Part I Isabelle 2. Chapter](https://reader031.vdocument.in/reader031/viewer/2022041720/5e4e49be3565ef76d331f601/html5/thumbnails/185.jpg)
Rule inversion templatefrom ‘ev n‘ have Pproof cases
case ev0 n = 0...show ?thesis . . .
nextcase (evSS k) n = Suc (Suc k), ev k...show ?thesis . . .
qed
Impossible cases disappear automatically
185