public_html: comparison Nominal/activities/cas09/Lec1.thy

equal deleted inserted replaced

-:05e5d68c9627
+:f1be8028a4a9
+(*****************************************************************
+Isabelle Tutorial
+-----------------
+27th May 2009, Beijing
+This file contains most of the material that will be covered in the
+tutorial. The file can be "stepped through"; though it contains much
+commented code (purple text).
+*)
+(*****************************************************************
+Proof General
+-------------
+Proof General is the front end for Isabelle.
+Proof General "paints" blue the part of the proof-script that has already
+been processed by Isabelle. You can advance or retract the "frontier" of
+this processed part using the "Next" and "Undo" buttons in the
+menubar. "Goto" will process everything up to the current cursor position,
+or retract if the cursor is inside the blue part. The key-combination
+control-c control-return is a short-cut for the "Goto"-operation.
+Proof General gives feedback inside the "Response" and "Goals" buffers.
+The response buffer will contain warning messages (in yellow) and
+error messages (in red). Warning messages can generally be ignored. Error
+messages must be dealt with in order to advance the proof script. The goal
+buffer shows which goals need to be proved. The sole idea of interactive
+theorem proving is to get the message "No subgoals." ;o)
+*)
+(*****************************************************************
+X-Symbols
+---------
+X-symbols provide a nice way to input non-ascii characters. For example:
+\<forall>, \<exists>, \<Down>, \<sharp>, \<And>, \<Gamma>, \<times>, \<noteq>, \<in>, \<subseteq>, \<dots>
+They need to be input via the combination \<name-of-x-symbol>
+where name-of-x-symbol coincides with the usual latex name of
+that symbol.
+However, there are some handy short-cuts for frequently used X-symbols.
+For example
+[|  \<dots> \<lbrakk>
+|]  \<dots> \<rbrakk>
+==> \<dots> \<Longrightarrow>
+=>  \<dots> \<Rightarrow>
+--> \<dots> \<longrightarrow>
+/\  \<dots> \<and>
+\/  \<dots> \<or>
+|-> \<dots> \<mapsto>
+=_  \<dots> \<equiv>
+*)
+(*****************************************************************
+Theories
+--------
+Every Isabelle proof-script needs to have a name and must import
+some pre-existing theory. This will normally be the theory Main.
+*)
+theory Lec1
+imports "Main"
+begin
+text {*****************************************************************
+Types
+-----
+Isabelle is based on types including some polymorphism. It also includes
+some overloading, which means that sometimes explicit type annotations
+need to be given.
+- Base types include: nat, bool, string
+- Type formers include: 'a list, ('a\<times>'b), 'c set
+- Type variables are written like in ML with an apostrophe: 'a, 'b, \<dots>
+Types known to Isabelle can be queried using:
+*}
+typ nat
+typ bool
+typ string           (* the type for alpha-equated lambda-terms *)
+typ "('a \<times> 'b)"      (* pair type *)
+typ "'c set"         (* set type *)
+typ "'a list"        (* list type *)
+typ "nat \<Rightarrow> bool"    (* the type of functions from nat to bool *)
+(* These give errors: *)
+(*typ boolean *)
+(*typ set*)
+text {*****************************************************************
+Terms
+-----
+Every term in Isabelle needs to be well-typed (however they can have
+polymorphic type). Whether a term is accepted can be queried using:
+*}
+term c                 (* a variable of polymorphic type *)
+term "1::nat"          (* the constant 1 in natural numbers *)
+term 1                 (* the constant 1 with polymorphic type *)
+term "{1, 2, 3::nat}"  (* the set containing natural numbers 1, 2 and 3 *)
+term "[1, 2, 3]"       (* the list containing the polymorphic numbers 1, 2 and 3 *)
+term "(True, ''c'')"   (* a pair consisting of true and the string "c" *)
+term "Suc 0"           (* successor of 0, in other words 1 *)
+text {*
+Isabelle provides some useful colour feedback about what are constants (in black),
+free variables (in blue) and bound variables (in green). *}
+term "True"     (* a constant that is defined in HOL *)
+term "true"     (* not recognised as a constant, therefore it is interpreted as a variable *)
+term "\<forall>x. P x"  (* x is bound, P is free *)
+text {* Every formula in Isabelle needs to have type bool *}
+term "True"
+term "True \<and> False"
+term "True \<or> B"
+term "{1,2,3} = {3,2,1}"
+term "\<forall>x. P x"
+term "A \<longrightarrow> B"
+text {*
+When working with Isabelle, one is confronted with an object logic (that is HOL)
+and Isabelle's meta-logic (called Pure). Sometimes one has to pay attention
+to this fact. *}
+term "A \<longrightarrow> B" (* versus *)
+term "A \<Longrightarrow> B"
+term "\<forall>x. P x" (* versus *)
+term "\<And>x. P x"
+term "A \<Longrightarrow> B \<Longrightarrow> C" (* is synonymous with *)
+term "\<lbrakk>A; B\<rbrakk> \<Longrightarrow> C"
+text {*****************************************************************
+Inductive Definitions: The even predicate
+-----------------------------------------
+Inductive definitions start with the keyword "inductive" and a predicate name.
+One also needs to provide a type for the predicate. Clauses of the inductive
+predicate are introduced by "where" and more than two clauses need to be
+separated by "|". Optionally one can give a name to each clause and indicate
+that it should be added to the hints database ("[intro]"). A typical clause
+has some premises and a conclusion. This is written in Isabelle as:
+"premise \<Longrightarrow> conclusion"
+"\<lbrakk>premise1; premise2; \<dots> \<rbrakk> \<Longrightarrow> conclusion"
+If no premise is present, then one just writes
+"conclusion"
+Below we define the even predicate for natural numbers.
+*}
+inductive
+even :: "nat \<Rightarrow> bool"
+where
+eZ[intro]:  "even 0"
+| eSS[intro]: "even n \<Longrightarrow> even (Suc (Suc n))"
+text {*****************************************************************
+Theorems
+--------
+A central concept in Isabelle is that of theorems. Isabelle's theorem
+database can be queried using
+*}
+thm eZ
+thm eSS
+thm conjI
+thm conjunct1
+text {*
+Notice that theorems usually contain schematic variables (e.g. ?P, ?Q, \<dots>).
+These schematic variables can be substituted with any term (of the right type
+of course). It is sometimes useful to suppress the "?" from the schematic
+variables. This can be achieved by using the attribute "[no_vars]". *}
+thm eZ[no_vars]
+thm eSS[no_vars]
+thm conjI[no_vars]
+thm conjunct1[no_vars]
+text {*
+When defining the predicate eval, Isabelle provides us automatically with
+the following theorems that state how the even predicate can be introduced
+and what constitutes an induction over the predicate even. *}
+thm even.intros[no_vars]
+thm even.induct[no_vars]
+text {*****************************************************************
+Lemma / Theorem / Corollary Statements
+--------------------------------------
+Whether to use lemma, theorem or corollary makes no semantic difference
+in Isabelle. A lemma starts with "lemma" and consists of a statement
+("shows \<dots>") and optionally a lemma name, some type-information for
+variables ("fixes \<dots>") and some assumptions ("assumes \<dots>"). Lemmas
+also need to have a proof, but ignore this 'detail' for the moment.
+*}
+lemma even_double:
+shows "even (2 * n)"
+by (induct n) (auto)
+lemma even_add_n_m:
+assumes a: "even n"
+and     b: "even m"
+shows "even (n + m)"
+using a b by (induct) (auto)
+lemma neutral_element:
+fixes x::"nat"
+shows "x + 0 = x"
+by simp
+text {*****************************************************************
+Isar Proofs
+-----------
+Isar is a language for writing down proofs that can be understood by humans
+and by Isabelle. An Isar proof can be thought of as a sequence of 'stepping stones'
+that start with the assumptions and lead to the goal to be established. Every such
+stepping stone is introduced by "have" followed by the statement of the stepping
+stone. An exception is the goal to be proved, which need to be introduced with "show".
+Since proofs usually do not proceed in a linear fashion, a label can be given
+to each stepping stone and then used later to refer to this stepping stone
+("using").
+Each stepping stone (or have-statement) needs to have a justification. The
+simplest justification is "sorry" which admits any stepping stone, even false
+ones (this is good during the development of proofs). Assumption can be
+"justified" using "by fact". Derived facts can be justified using
+- by simp    (* simplification *)
+- by auto    (* proof search and simplification *)
+- by blast   (* only proof search *)
+If facts or lemmas are needed in order to justify a have-statement, then
+one can feed these facts into the proof by using "using label \<dots>" or
+"using theorem-name \<dots>". More than one label at the time is allowed.
+Induction proofs in Isar are set up by indicating over which predicate(s)
+the induction proceeds ("using a b") followed by the command "proof (induct)".
+In this way, Isabelle uses default settings for which induction should
+be performed. These default settings can be overridden by giving more
+information, like the variable over which a structural induction should
+proceed, or a specific induction principle such as well-founded inductions.
+After the induction is set up, the proof proceeds by cases. In Isar these
+cases can be given in any order, but must be started with "case" and the
+name of the case, and optionally some legible names for the variables
+referred to inside the case.
+The possible case-names can be found by looking inside the menu "Isabelle ->
+Show me -> cases". In each "case", we need to establish a statement introduced
+by "show". Once this has been done, the next case can be started using "next".
+When all cases are completed, the proof can be finished using "qed".
+This means a typical induction proof has the following pattern
+proof (induct)
+case \<dots>
+\<dots>
+show \<dots>
+next
+case \<dots>
+\<dots>
+show \<dots>
+\<dots>
+qed
+The four lemmas are by induction on the predicate machines. All proofs establish
+the same property, namely a transitivity rule for machines. The complete Isar
+proofs are given for the first three proofs. The point of these three proofs is
+that each proof increases the readability for humans.
+*}
+text {*****************************************************************
+1.) EXERCISE
+------------
+Remove the sorries in the proof below and fill in the correct
+justifications.
+*}
+lemma
+shows "even (2 * n)"
+proof (induct n)
+case 0
+show "even (2 * 0)" sorry
+next
+case (Suc n)
+have ih: "even (2 * n)" by fact
+have eq: "2 * (Suc n) = Suc (Suc (2 * n))" sorry
+have h1: "even (Suc (Suc (2 * n)))" sorry
+show "even (2 * (Suc n))" sorry
+qed
+text {*****************************************************************
+2.) EXERCISE
+------------
+Remove the sorries in the proof below and fill in the correct
+justifications.
+*}
+lemma
+shows "even (n + n)"
+proof (induct n)
+case 0
+show "even (0 + 0)" sorry
+next
+case (Suc n)
+have ih: "even (n + n)" by fact
+have eq: "(Suc n) + (Suc n) = Suc (Suc (n + n))" sorry
+have a: "even (Suc (Suc (n + n)))" sorry
+show "even ((Suc n) + (Suc n))" sorry
+qed
+text {*
+Just like gotos in the Basic programming language, labels can reduce
+the readability of proofs. Therefore one can use in Isar the notation
+"then have" in order to feed a have-statement to the proof of
+the next have-statement. In the proof below this has been used
+in order to get rid of the labels a.
+*}
+lemma even_twice:
+shows "even (n + n)"
+proof (induct n)
+case 0
+show "even (0 + 0)" by auto
+next
+case (Suc n)
+have ih: "even (n + n)" by fact
+have eq: "(Suc n) + (Suc n) = Suc (Suc (n + n))" by simp
+have "even (Suc (Suc (n + n)))" using ih by auto
+then show "even ((Suc n) + (Suc n))" using eq by simp
+qed
+text {*
+The label eq cannot be got rid of in this way, because both
+facts are needed to prove the show-statement. We can still avoid the
+labels by feeding a sequence of facts into a proof using the chaining
+mechanism:
+have "statement1" \<dots>
+moreover
+have "statement2" \<dots>
+\<dots>
+moreover
+have "statementn" \<dots>
+ultimately have "statement" \<dots>
+In this chain, all "statementi" can be used in the proof of the final
+"statement". With this we can simplify our proof further to:
+*}
+lemma
+shows "even (n + n)"
+proof (induct n)
+case 0
+show "even (0 + 0)" by auto
+next
+case (Suc n)
+have ih: "even (n + n)" by fact
+have "(Suc n) + (Suc n) = Suc (Suc (n + n))" by simp
+moreover
+have "even (Suc (Suc (n + n)))" using ih by auto
+ultimately show "even ((Suc n) + (Suc n))" by simp
+qed
+text {*
+While automatic proof procedures in Isabelle are not able to prove statements
+like "P = NP" assuming usual definitions for P and NP, they can automatically
+discharge the lemmas we just proved. For this we only have to set up the induction
+and auto will take care of the rest. This means we can write:
+*}
+lemma
+shows "even (2 * n)"
+by (induct n) (auto)
+lemma
+shows "even (n + n)"
+by (induct n) (auto)
+text {*****************************************************************
+Rule Inductions
+---------------
+Inductive predicates are defined in terms of rules of the form
+prem1 \<dots> premn
+--------------
+concl
+In Isabelle we write such rules as
+\<lbrakk>prem1; \<dots>; premn\<rbrakk> \<Longrightarrow> concl
+You can do induction over such rules according to the following
+scheme:
+1.) Assume the property for the premises. Assume the side-conditions.
+2.) Show the property for the conclusion.
+In Isabelle the corresponding theorem is called, for example
+*}
+thm even.induct
+text {*****************************************************************
+3.) EXERCISE
+------------
+Remove the sorries in the proof below and fill in the correct
+justifications.
+*}
+lemma even_add:
+assumes a: "even n"
+and     b: "even m"
+shows "even (n + m)"
+using a b
+proof (induct)
+case eZ
+have as: "even m" by fact
+show "even (0 + m)" sorry
+next
+case (eSS n)
+have ih: "even m \<Longrightarrow> even (n + m)" by fact
+have as: "even m" by fact
+show "even (Suc (Suc n) + m)" sorry
+qed
+text {*
+Whenever a lemma is of the form
+lemma
+assumes "pred"
+and     \<dots>
+shows "something"
+then a rule induction is generally appropriate (but
+not always).
+In case of even_add it is definitely *not* appropriate.
+Compare for example what you have to prove when you attempt
+an induction over natural numbers.
+*}
+lemma even_add_does_not_work:
+assumes a: "even n"
+and     b: "even m"
+shows "even (n + m)"
+using a b
+proof (induct n rule: nat_induct)
+case 0
+have "even m" by fact
+then show "even (0 + m)" by simp
+next
+case (Suc n)
+have ih: "\<lbrakk>even n; even m\<rbrakk> \<Longrightarrow> even (n + m)" by fact
+have as1: "even (Suc n)" by fact
+have as2: "even m" by fact
+show "even ((Suc n) + m)" oops
+text {*****************************************************************
+4.) EXERCISE (Last fact about even)
+-----------------------------------
+Remove the sorries in the proof below and fill in the correct
+justifications. The following two lemmas should be useful
+*}
+thm even_twice[no_vars]
+thm even_add[no_vars]
+text {*
+Remember you can include lemmas in the "using" statement,
+just like other facts. For example:
+have "something" using even_twice by simp
+*}
+lemma even_mul:
+assumes a: "even n"
+shows "even (n * m)"
+using a
+proof (induct)
+case eZ
+show "even (0 * m)" by auto
+next
+case (eSS n)
+have as: "even n" by fact
+have ih: "even (n * m)" by fact
+show "even (Suc (Suc n) * m)" sorry
+qed
+text {*****************************************************************
+Definitions
+-----------
+Often it is useful to define new concepts in terms of existsing
+concepts. In Isabelle you introduce definitions with the key-
+word "definition". For example
+*}
+definition
+divide :: "nat \<Rightarrow> nat \<Rightarrow> bool" ("_ DVD _" [100,100] 100)
+where
+"m DVD n = (\<exists>k. n = m * k)"
+text {*
+The annotation ("_ DVD _" [100,100] 100) introduces some fancier
+syntax. In this case we define this predicate as infix. The underscores
+correspond to the to arguments. The numbers stand for precedences.
+Once this definition is stated, it can be accessed as a normal
+theorem. For example
+*}
+thm divide_def
+text {*
+Below we prove the really last fact about even. Note
+how we deal with existential quantified formulas, where
+we have to use
+obtain \<dots> where \<dots>
+in order to obtain a witness with which we can reason further.
+*}
+lemma even_divide:
+assumes a: "even n"
+shows "2 DVD n"
+using a
+proof (induct)
+case eZ
+have "0 = 2 * (0::nat)" by simp
+then show "2 DVD 0" by (auto simp add: divide_def)
+next
+case (eSS n)
+have "2 DVD n" by fact
+then have "\<exists>k. n = 2 * k" by (simp add: divide_def)
+then obtain k where eq: "n = 2 * k" by (auto)
+have "Suc (Suc n) = 2 * (Suc k)" using eq by simp
+then have "\<exists>k. Suc (Suc n) = 2 * k" by blast
+then show "2 DVD (Suc (Suc n))" by (simp add: divide_def)
+qed
+text {*****************************************************************
+Function Definitions
+--------------------
+Many functions over datatypes can be defined by recursion on the
+structure. For this purpose, Isabelle provides "fun". To use it one needs
+to give a name for the function, its type, optionally some pretty-syntax
+and then some equations defining the function. Like in "inductive",
+"fun" expects that more than one such equation is separated by "|".
+Below we define function iteration using function composition
+defined as "o".
+*}
+fun
+iter :: "('a \<Rightarrow> 'a) \<Rightarrow> nat \<Rightarrow> ('a \<Rightarrow> 'a)" ("_ !! _")
+where
+"f !! 0 = (\<lambda>x. x)"
+| "f !! (Suc n) = (f !! n) o f"
+text {*
+5.) EXERCISE
+Prove the following property by induction over n.
+*}
+lemma
+shows "f !! (m + n) = (f !! m) o (f !! n)"
+sorry
+text {*
+A textbook proof of this lemma usually goes:
+Case 0: Trivial
+Case (Suc n): We have to prove that
+"f !! (m + (Suc n)) = f !! m o (f !! (Suc n))"
+holds. The induction hypothesis is
+"f !! (m + n) = (f !! m) o (f !! n)"
+The proof is as follows
+"f !! (m + (Suc n)) = f !! (Suc (m + n))"
+= f !! (m + n) o f
+= (f !! m) o (f !! n) o f     (by ih)
+= (f !! m) o ((f !! n) o f)   (by o_assoc)
+= (f !! m) o (f !! (Suc n))
+Done.
+*}
+lemma
+shows "f !! (m + n) = (f !! m) o (f !! n)"
+proof (induct n)
+case 0
+show "f !! (m + 0) = (f !! m) o (f !! 0)" sorry
+next
+case (Suc n)
+have ih: "f !! (m + n) = (f !! m) o (f !! n)" by fact
+show "f !! (m + (Suc n)) = f !! m o (f !! (Suc n))" sorry
+qed
+text {*
+The following proof involves several steps of equational reasoning.
+Isar provides some convenient means to express such equational
+reasoning in a much cleaner fashion using the "also have"
+construction. *}
+lemma
+shows "f !! (m + n) = (f !! m) o (f !! n)"
+proof (induct n)
+case 0
+show "f !! (m + 0) = (f !! m) o (f !! 0)" by (simp add: comp_def)
+next
+case (Suc n)
+have ih: "f !! (m + n) = (f !! m) o (f !! n)" by fact
+have eq1: "f !! (m + (Suc n)) = f !! (Suc (m + n))" by simp
+have eq2: "f !! (Suc (m + n)) = f !! (m + n) o f" by simp
+have eq3: "f !! (m + n) o f = (f !! m) o (f !! n) o f" using ih by simp
+have eq4: "(f !! m) o (f !! n) o f = (f !! m) o ((f !! n) o f)" by (simp add: o_assoc)
+have eq5: "(f !! m) o ((f !! n) o f) = (f !! m) o (f !! (Suc n))" by simp
+show "f !! (m + (Suc n)) = f !! m o (f !! (Suc n))"
+using eq1 eq2 eq3 eq4 eq5 by (simp only:)
+qed
+text {*
+The equations can be stringed together with "also have" and "\<dots>",
+as shown below. *}
+lemma
+shows "f !! (m + n) = (f !! m) o (f !! n)"
+proof (induct n)
+case 0
+show "f !! (m + 0) = (f !! m) o (f !! 0)" by (simp add: comp_def)
+next
+case (Suc n)
+have ih: "f !! (m + n) = (f !! m) o (f !! n)" by fact
+have "f !! (m + (Suc n)) = f !! (Suc (m + n))" by simp
+also have "\<dots> = f !! (m + n) o f" by simp
+also have "\<dots> = (f !! m) o (f !! n) o f" using ih by simp
+also have "\<dots> = (f !! m) o ((f !! n) o f)" by (simp add: o_assoc)
+also have "\<dots> = (f !! m) o (f !! (Suc n))" by simp
+finally show "f !! (m + (Suc n)) = f !! m o (f !! (Suc n))" by simp
+qed
+text {*
+This type of equational reasoning also extends to relations.
+For this consider the following power function and the auxiliary
+fact about less-equal and multiplication. *}
+fun
+pow :: "nat \<Rightarrow> nat \<Rightarrow> nat" ("_ \<up> _")
+where
+"m \<up> 0 = 1"
+| "m \<up> (Suc n) = m * (m \<up> n)"
+lemma aux:
+fixes a b c::"nat"
+assumes a: "a \<le> b"
+shows " (c * a) \<le> (c * b)"
+using a by (auto)
+text {*
+With this you can easily implement the following proof
+which is straight taken out of Velleman's "How To Prove It".
+*}
+lemma
+shows "1 + n * x \<le> (1 + x) \<up> n"
+proof (induct n)
+case 0
+show "1 + 0 * x \<le> (1 + x) \<up> 0" by simp
+next
+case (Suc n)
+have ih: "1 + n * x \<le> (1 + x) \<up> n" by fact
+have "1 + (Suc n) * x \<le> 1 + x + (n * x) + (n * x * x)" by (simp)
+also have "\<dots> = (1 + x) * (1 + n * x)" by simp
+also have "\<dots> \<le> (1 + x) * ((1 + x) \<up> n)" using ih aux by blast
+also have "\<dots> = (1 + x) \<up> (Suc n)" by simp
+finally show "1 + (Suc n) * x \<le> (1 + x) \<up> (Suc n)" by simp
+qed
+text {*
+What Velleman actually wants to prove is a proper
+inequality. For this we can nest proofs.
+*}
+lemma
+shows "n * x < (1 + x) \<up> n"
+proof -
+have "1 + n * x \<le> (1 + x) \<up> n"
+proof (induct n)
+case 0
+show "1 + 0 * x \<le> (1 + x) \<up> 0" by simp
+next
+case (Suc n)
+have ih: "1 + n * x \<le> (1 + x) \<up> n" by fact
+have "1 + (Suc n) * x \<le> 1 + x + (n * x) + (n * x * x)" by (simp)
+also have "\<dots> = (1 + x) * (1 + n * x)" by simp
+also have "\<dots> \<le> (1 + x) * ((1 + x) \<up> n)" using ih aux by blast
+also have "\<dots> = (1 + x) \<up> (Suc n)" by simp
+finally show "1 + (Suc n) * x \<le> (1 + x) \<up> (Suc n)" by simp
+qed
+then show "n * x < (1 + x) \<up> n" by simp
+qed
+end