theory FirstSteps

imports Main

uses "antiquote_setup.ML"

     ("comp_simproc")

begin

(*<*)

ML {*

local structure O = ThyOutput

in

  fun check_exists f = 

    if File.exists (Path.explode ("~~/src/" ^ f)) then ()

    else error ("Source file " ^ quote f ^ " does not exist.")

  val _ = O.add_commands

   [("ML_file", O.args (Scan.lift Args.name) (O.output (fn _ => fn name =>

         (check_exists name; Pretty.str name))))];

end

*}

(*>*)

chapter {* First Steps *}

text {* 

  Isabelle programming is done in Standard ML.

  Just like lemmas and proofs, code in Isabelle is part of a 

  theory. If you want to follow the code written in this chapter, we 

  assume you are working inside the theory defined by

  \begin{center}

  \begin{tabular}{@ {}l}

  \isacommand{theory} CookBook\\

  \isacommand{imports} Main\\

  \isacommand{begin}\\

  \ldots

  \end{tabular}

  \end{center}

  The easiest and quickest way to include code in a theory is

  by using the \isacommand{ML} command. For example

*}

ML {*

  3 + 4

*}

text {*

  The expression inside \isacommand{ML} commands is immediately evaluated,

  like ``normal'' Isabelle proof scripts, by using the advance and undo buttons of 

  your Isabelle environment. The code inside the \isacommand{ML} command 

  can also contain value- and function bindings. However on such ML-commands the 

  undo operation behaves slightly counter-intuitive, because if you define

*}

ML {*

  val foo = true

*}

text {*

  then Isabelle's undo operation has no effect on the definition of 

  @{ML "foo"}. 

  in your code. This can be done in a ``quick-and-dirty'' fashion using 

*}

ML {*

  val _ = warning "any string"

*}

text {*

  will print out the string inside the response buffer of Isabelle.

*}

section {* Antiquotations *}

text {*

  The main advantage of embedding all code 

  in a theory is that the code can contain references to entities defined 

  on the logical level of Isabelle. This is done using antiquotations.

  For example, one can print out the name of 

  the current theory by typing

*}

ML {* Context.theory_name @{theory} *}

text {* 

  where @{text "@{theory}"} is an antiquotation that is substituted with the

  current theory (remember that we assumed we are inside the theory CookBook). 

  The name of this theory can be extrated using a the function @{ML "Context.theory_name"}. 

  So the code above returns the string @{ML "\"CookBook\""}.

  Note, however, that antiquotations are statically scoped, that is the value is

  determined at ``compile-time'' not ``run-time''. For example the function

*}

ML {* 

  fun current_thyname () = Context.theory_name @{theory}

*}

text {*

  does \emph{not} return the name of the current theory, if it is run in a 

  different theory. Instead, the code above defines the constant function 

  that always returns the string @{ML "\"CookBook\""}, no matter where the

  function is called. Operationally speaking,  @{text "@{theory}"} is 

  \emph{not} replaced with code that will look up the current theory in 

  some data structure and return it. Instead, it is literally

  replaced with the value representing the theory name.

  In a similar way you can use antiquotations to refer to types and theorems:

*}

ML {* @{typ "(int * nat) list"} *}

ML {* @{thm allI} *}

text {*

  In the course of this introduction, we will learn more about 

  these antoquotations: they greatly simplify Isabelle programming since one

  can directly access all kinds of logical elements from ML.

*}

section {* Terms *}

text {*

*}

ML {* @{term "(a::nat) + b = c"} *}

text {*

  This will show the term @{term "(a::nat) + b = c"}, but printed out using the internal

  datatype defined in @{ML_file "Pure/term.ML"}.

  the number of Abstractions (@{ML Abs}) we have to skip until we hit the @{ML Abs} that

  binds the corresponding variable. However, the names of bound variables are 

  \begin{readmore}

  Terms are described in detail in \ichcite{ch:logic}. Their

  definition and many useful operations can be found in @{ML_file "Pure/term.ML"}.

  \end{readmore}

  Sometimes the internal representation can be surprisingly different

  from what you see at the user level, because the layer of

  parsing/type checking/pretty printing can be quite elaborate. 

  \begin{exercise}

  Look at the internal term representation of the following terms, and

  find out why they are represented like this.

  \begin{itemize}

  \item @{term "case x of 0 \<Rightarrow> 0 | Suc y \<Rightarrow> y"}  

  \item @{term "\<lambda>(x,y). P y x"}  

  \item @{term "{ [x::int] | x. x \<le> -2 }"}  

  \end{itemize}

  Hint: The third term is already quite big, and the pretty printer

  may omit parts of it by default. If you want to see all of it, you

  can use @{ML "print_depth 50"} to set the limit to a value high enough.

  \end{exercise}

*}

ML {*

  @{const_name plus}

*}

ML {*

  @{term "{ [x::int] | x. x \<le> -2 }"}

*}

text {*

  The internal names of constants like @{term "zero"} or @{text "+"} are

  often more complex than one first expects. Here, the extra prefixes

  @{text zero_class} and @{text plus_class} are present because the

  constants are defined within a type class. Guessing such internal

  names can be extremely hard, which is why the system provides

  another antiquotation: @{ML "@{const_name plus}"} gives just this

  name.

  FIXME: maybe explain @{text "@{prop \<dots>}"} as a special kind of terms 

*}

ML {* @{prop "True"} *}

section {* Type checking *}

text {* 

  We can freely construct and manipulate terms, since they are just

  arbitrary unchecked trees. However, we eventually want to see if a

  term is wellformed, or type checks, relative to a theory.

  Type checking is done via the function @{ML cterm_of}, which turns 

  a @{ML_type term} into a  @{ML_type cterm}, a \emph{certified} term. 

  Unlike @{ML_type term}s, which are just trees, @{ML_type

  "cterm"}s are abstract objects that are guaranteed to be

  type-correct, and can only be constructed via the official

  interfaces.

  (FIXME: Alex what do you mean concretely by ``official interfaces'')

  Type checking is always relative to a theory context. For now we can use

  the @{ML "@{theory}"} antiquotation to get hold of the current theory.

  For example we can write:

*}

ML {* cterm_of @{theory} @{term "(a::nat) + b = c"} *}

section {* Theorems *}

text {*

  Just like @{ML_type cterm}s, theorems (of type @{ML_type thm}) are

  abstract objects that can only be built by going through the kernel

  interfaces, which means that all your proofs will be checked. The

  basic rules of the Isabelle/Pure logical framework are defined in

  @{ML_file "Pure/thm.ML"}. 

  Using these rules, which are just ML functions, you can do simple

  natural deduction proofs on the ML level. For example, the statement

*}

  lemma 

   assumes assm\<^isub>1: "\<And>(x::nat). P x \<Longrightarrow> Q x" 

   and     assm\<^isub>2: "P t"

   shows "Q t"

   (*<*)oops(*>*) 

text {*

  can be proved in ML like 

  this\footnote{Note that @{text "|>"} is just reverse

  application. This combinator, and several variants are defined in

  @{ML_file "Pure/General/basics.ML"}}:

*}

ML {*

let

  val thy = @{theory}

  val assm1 = cterm_of thy @{prop "\<And>(x::nat). P x \<Longrightarrow> Q x"}

  val assm2 = cterm_of thy @{prop "((P::nat\<Rightarrow>bool) t)"}

  val Pt_implies_Qt = 

        assume assm1

        |> forall_elim (cterm_of thy @{term "t::nat"});

  val Qt = implies_elim Pt_implies_Qt (assume assm2);

in

  Qt 

  |> implies_intr assm2

  |> implies_intr assm1

end

*}

text {*

*}

section {* Tactical reasoning *}

text {*

  The goal-oriented tactical style is similar to the @{text apply}

  style at the user level. Reasoning is centered around a \emph{goal},

  which is modified in a sequence of proof steps until it is solved.

  A goal (or goal state) is a special @{ML_type thm}, which by

  convention is an implication:

  @{text[display] "A\<^isub>1 \<Longrightarrow> \<dots> \<Longrightarrow> A\<^isub>n \<Longrightarrow> #(C)"}

  Since the final result @{term C} could again be an implication, there is the

  @{text "#"} around the final result, which protects its premises from being

  misinterpreted as open subgoals. The protection @{text "# :: prop \<Rightarrow>

  prop"} is just the identity and used as a syntactic marker.

  Now tactics are just functions that map a goal state to a (lazy)

  sequence of successor states, hence the type of a tactic is

  @{ML_type[display] "thm -> thm Seq.seq"}

  See @{ML_file "Pure/General/seq.ML"} for the implementation of lazy

  sequences.

  Of course, tactics are expected to behave nicely and leave the final

  conclusion @{term C} intact. In order to start a tactical proof for

  @{term A}, we

  just set up the trivial goal @{text "A \<Longrightarrow> #(A)"} and run the tactic

  on it. When the subgoal is solved, we have just @{text "#(A)"} and

  can remove the protection.

  The operations in @{ML_file "Pure/goal.ML"} do just that and we can use

  them.

  Let us transcribe a simple apply style proof from the

  tutorial\cite{isa-tutorial} into ML:

*}

lemma disj_swap: "P \<or> Q \<Longrightarrow> Q \<or> P"

apply (erule disjE)

 apply (rule disjI2)

 apply assumption

apply (rule disjI1)

apply assumption

done

ML {*

let

  val ctxt = @{context}

  val goal = @{prop "P \<or> Q \<Longrightarrow> Q \<or> P"}

in

  Goal.prove ctxt ["P", "Q"] [] goal (fn _ => 

    eresolve_tac [disjE] 1

    THEN resolve_tac [disjI2] 1

    THEN assume_tac 1

    THEN resolve_tac [disjI1] 1

    THEN assume_tac 1)

end

*}

text {*

  Tactics that affect only a certain subgoal, take a subgoal number as

  an integer parameter. Here we always work on the first subgoal,

  following exactly the @{text "apply"} script.

*}

section {* Case Study: Relation Composition *}

text {*

  \emph{Note: This is completely unfinished. I hoped to have a section

  with a nontrivial example, but I ran into several problems.}

  Recall that HOL has special syntax for set comprehensions:

  @{term "{ f x y |x y. P x y}"} abbreviates 

  @{term[source] "{u. \<exists>x y. u = f x y \<and> P x y}"}. 

  We will automatically prove statements of the following form:

  @{lemma[display] "{(l\<^isub>1 x, r\<^isub>1 x) |x. P\<^isub>1 x} O {(l\<^isub>2 x, r\<^isub>2 x) |x. P\<^isub>2 x}

  = {(l\<^isub>2 x, r\<^isub>1 y) |x y. r\<^isub>2 x = l\<^isub>1 y \<and>

  P\<^isub>2 x \<and> P\<^isub>1 y}" by auto}

  In Isabelle, relation composition is defined to be consistent with

  function composition, that is, the relation applied ``first'' is

  written on the right hand side. This different from what many

  textbooks do.

  The above statement about composition is not proved automatically by

  @{method simp}, and it cannot be solved by a fixed set of rewrite

  rules, since the number of (implicit) quantifiers may vary. Here, we

  only have one bound variable in each comprehension, but in general

  there can be more. On the other hand, @{method auto} proves the

  above statement quickly, by breaking the equality into two parts and

  proving them separately. However, if e.g.\ @{term "P\<^isub>1"} is a

  complicated expression, the automated tools may get confused.

  Our goal is now to develop a small procedure that can compute (with proof) the

  composition of two relation comprehensions, which can be used to

  extend the simplifier.

*}

section {*A tactic *}

text {* Let's start with a step-by-step proof of the above statement *}

lemma "{(l\<^isub>1 x, r\<^isub>1 x) |x. P\<^isub>1 x} O {(l\<^isub>2

  x, r\<^isub>2 x) |x. P\<^isub>2 x}

  = {(l\<^isub>2 x, r\<^isub>1 y) |x y. r\<^isub>2 x = l\<^isub>1 y \<and> P\<^isub>2 x \<and> P\<^isub>1 y}"

apply (rule set_ext)

apply (rule iffI)

 apply (erule rel_compE)  -- {* @{text "\<subseteq>"} *}

 apply (erule CollectE)     -- {* eliminate @{text "Collect"}, @{text "\<exists>"}, @{text "\<and>"}, and pairs *}

 apply (erule CollectE)

 apply (erule exE)

 apply (erule exE)

 apply (erule conjE)

 apply (erule conjE)

 apply (erule Pair_inject)

 apply (erule Pair_inject)

 apply (simp only:)

 apply (rule CollectI)    -- {* introduce them again *}

 apply (rule exI)

 apply (rule exI)

 apply (rule conjI)

  apply (rule refl)

 apply (rule conjI)

  apply (rule sym)

  apply (assumption)

 apply (rule conjI)

  apply assumption

 apply assumption

apply (erule CollectE)   -- {* @{text "\<subseteq>"} *}

apply (erule exE)+

apply (erule conjE)+

apply (simp only:)

apply (rule rel_compI)

 apply (rule CollectI)

 apply (rule exI)

 apply (rule conjI)

  apply (rule refl)

 apply assumption

apply (rule CollectI)

apply (rule exI)

apply (rule conjI)

apply (subst Pair_eq)

apply (rule conjI)

 apply assumption

apply (rule refl)

apply assumption

done

text {*

  The reader will probably need to step through the proof and verify

  that there is nothing spectacular going on here.

  The @{text apply} script just applies the usual elimination and introduction rules in the right order.