Automated Reasoning. Lecture 9: Isar A Language for Structured Proofs

Size: px

Start display at page:

Download "Automated Reasoning. Lecture 9: Isar A Language for Structured Proofs"

Denis Williams
6 years ago
Views:

1 Automated Reasoning Lecture 9: Isar A Language for Structured Proofs Jacques Fleuriot jdf@inf.ed.ac.uk Acknowledgement: Tobias Nipkow kindly provided the slides for this lecture

2 Apply scripts unreadable

3 Apply scripts unreadable hard to maintain

4 Apply scripts unreadable hard to maintain do not scale

5 Apply scripts unreadable hard to maintain do not scale No structure!

6 Apply scripts versus Isar proofs Apply script = assembly language program

7 Apply scripts versus Isar proofs Apply script = assembly language program Isar proof = structured program with comments

8 Apply scripts versus Isar proofs Apply script = assembly language program Isar proof = structured program with comments But: apply still useful for proof exploration

9 A typical Isar proof proof assume formula 0 have formula 1 by simp. have formula n by blast show formula n+1 by... qed

10 A typical Isar proof proof assume formula 0 have formula 1 by simp. have formula n by blast show formula n+1 by... qed proves formula 0 = formula n+1

11 Isar core syntax proof = proof [method] step qed by method

12 Isar core syntax proof = proof [method] step qed by method method = (simp... ) (blast... ) (induction... )

13 Isar core syntax proof = proof [method] step qed by method method = (simp... ) (blast... ) (induction... ) step = fix variables ( ) assume prop (= ) [from fact + ] (have show) prop proof

14 Isar core syntax proof = proof [method] step qed by method method = (simp... ) (blast... ) (induction... ) step = fix variables ( ) assume prop (= ) [from fact + ] (have show) prop proof prop = [name:] formula

15 Isar core syntax proof = proof [method] step qed by method method = (simp... ) (blast... ) (induction... ) step = fix variables ( ) assume prop (= ) [from fact + ] (have show) prop proof prop = [name:] formula fact = name

16 Example: Cantor s theorem lemma surj(f :: a a set)

17 Example: Cantor s theorem lemma surj(f :: a a set) proof

18 Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False

19 Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False assume a: surj f

20 Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False assume a: surj f from a have b: A. a. A = f a

21 Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False assume a: surj f from a have b: A. a. A = f a by(simp add: surj_def)

22 Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False assume a: surj f from a have b: A. a. A = f a by(simp add: surj_def) from b have c: a. {x. x / f x} = f a

23 Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False assume a: surj f from a have b: A. a. A = f a by(simp add: surj_def) from b have c: a. {x. x / f x} = f a by blast

24 Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False assume a: surj f from a have b: A. a. A = f a by(simp add: surj_def) from b have c: a. {x. x / f x} = f a by blast from c show False

25 Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False assume a: surj f from a have b: A. a. A = f a by(simp add: surj_def) from b have c: a. {x. x / f x} = f a by blast from c show False by blast

26 Example: Cantor s theorem lemma surj(f :: a a set) proof default proof: assume surj, show False assume a: surj f from a have b: A. a. A = f a by(simp add: surj_def) from b have c: a. {x. x / f x} = f a by blast from c show False by blast qed

27 Abbreviations this = the previous proposition proved or assumed then = from this thus = then show hence = then have

28 using and with (have show) prop using facts

29 using and with (have show) prop using facts = from facts (have show) prop

30 using and with (have show) prop using facts = from facts (have show) prop with facts = from facts this

31 Structured lemma statement lemma fixes f :: a a set assumes s: surj f shows False

32 Structured lemma statement lemma fixes f :: a a set assumes s: surj f shows False proof -

33 Structured lemma statement lemma fixes f :: a a set assumes s: surj f shows False proof - no automatic proof step

34 Structured lemma statement lemma fixes f :: a a set assumes s: surj f shows False proof - no automatic proof step have a. {x. x / f x} = f a using s by(auto simp: surj_def)

35 Structured lemma statement lemma fixes f :: a a set assumes s: surj f shows False proof - no automatic proof step have a. {x. x / f x} = f a using s by(auto simp: surj_def) thus False by blast qed

36 Structured lemma statement lemma fixes f :: a a set assumes s: surj f shows False proof - no automatic proof step have a. {x. x / f x} = f a using s by(auto simp: surj_def) thus False by blast qed Proves surj f = False

37 Structured lemma statement lemma fixes f :: a a set assumes s: surj f shows False proof - no automatic proof step have a. {x. x / f x} = f a using s by(auto simp: surj_def) thus False by blast qed Proves surj f = False but surj f becomes local fact s in proof.

38 The essence of structured proofs Assumptions and intermediate facts can be named and referred to explicitly and selectively

39 Structured lemma statements fixes x :: τ 1 and y :: τ 2 assumes a: P and b: Q shows R

40 Structured lemma statements fixes x :: τ 1 and y :: τ 2 assumes a: P and b: Q shows R fixes and assumes sections optional

41 Structured lemma statements fixes x :: τ 1 and y :: τ 2 assumes a: P and b: Q shows R fixes and assumes sections optional shows optional if no fixes and assumes

42 Proof patterns: Case distinction show R proof cases assume P. show R... next assume P. show R... qed

43 Proof patterns: Case distinction show R proof cases assume P. show R... next assume P. show R... qed have P Q... then show R proof assume P. show R... next assume Q. show R... qed

44 Proof patterns: Contradiction show P proof assume P. show False... qed

45 Proof patterns: Contradiction show P proof assume P. show False... qed show P proof (rule ccontr) assume P. show False... qed

46 Proof patterns: show P Q proof assume P. show Q... next assume Q. show P... qed

47 Proof patterns: and introduction show x. P(x) proof fix x local fixed variable show P(x)... qed

48 Proof patterns: and introduction show x. P(x) proof fix x local fixed variable show P(x)... qed show x. P(x) proof. show P(witness)... qed

49 Proof patterns: elimination: obtain

50 Proof patterns: elimination: obtain have x. P(x) then obtain x where p: P(x) by blast. x fixed local variable

51 Proof patterns: elimination: obtain have x. P(x) then obtain x where p: P(x) by blast. x fixed local variable Works for one or more x

52 obtain example lemma surj(f :: a a set) proof assume surj f hence a. {x. x / f x} = f a by(auto simp: surj_def)

53 obtain example lemma surj(f :: a a set) proof assume surj f hence a. {x. x / f x} = f a by(auto simp: surj_def) then obtain a where {x. x / f x} = f a by blast

54 obtain example lemma surj(f :: a a set) proof assume surj f hence a. {x. x / f x} = f a by(auto simp: surj_def) then obtain a where {x. x / f x} = f a by blast hence a / f a a f a by blast

55 obtain example lemma surj(f :: a a set) proof assume surj f hence a. {x. x / f x} = f a by(auto simp: surj_def) then obtain a where {x. x / f x} = f a by blast hence a / f a a f a by blast thus False by blast qed

56 Proof patterns: Set equality and subset show A = B proof show A B... next show B A... qed

57 Proof patterns: Set equality and subset show A = B proof show A B... next show B A... qed show A B proof fix x assume x A. show x B... qed

58 Example: pattern matching show formula 1 formula 2 (is?l?r)

59 Example: pattern matching show formula 1 formula 2 proof assume?l. show?r next assume?r. show?l qed (is?l?r)

60 ?thesis show formula proof -. show?thesis qed

61 ?thesis show formula (is?thesis) proof -. show?thesis qed

62 ?thesis show formula (is?thesis) proof -. show?thesis qed Every show implicitly defines?thesis

63 let Introducing local abbreviations in proofs: let?t = "some-big-term". have "?t "

64 Quoting facts by value By name: have x0: x > 0. from x0

65 Quoting facts by value By name: have x0: x > 0. from x0 By value: have x > 0. from x>0

66 Quoting facts by value By name: have x0: x > 0. from x0 By value: have x > 0. from x>0 back quotes

67 Example lemma ( ys zs. xs = zs length ys = length zs) ( ys zs. xs = zs length ys = length zs + 1)

68 Example lemma ( ys zs. xs = zs length ys = length zs) ( ys zs. xs = zs length ys = length zs + 1) proof???

69 When automation fails Split proof up into smaller steps.

70 When automation fails Split proof up into smaller steps. Or explore by apply:

71 When automation fails Split proof up into smaller steps. Or explore by apply: have using

72 When automation fails Split proof up into smaller steps. Or explore by apply: have using apply - to make incoming facts part of proof state

73 When automation fails Split proof up into smaller steps. Or explore by apply: have using apply - apply auto to make incoming facts part of proof state or whatever

74 When automation fails Split proof up into smaller steps. Or explore by apply: have using apply - apply auto apply to make incoming facts part of proof state or whatever

75 When automation fails Split proof up into smaller steps. Or explore by apply: have using apply - apply auto apply to make incoming facts part of proof state or whatever At the end:

76 When automation fails Split proof up into smaller steps. Or explore by apply: have using apply - apply auto apply to make incoming facts part of proof state or whatever At the end: done

77 When automation fails Split proof up into smaller steps. Or explore by apply: have using apply - apply auto apply to make incoming facts part of proof state or whatever At the end: done Better: convert to structured proof

78 moreover ultimately have P 1... moreover have P 2... moreover. moreover have P n... ultimately have P...

79 moreover ultimately have P 1... moreover have P 2... moreover. moreover have P n... ultimately have P... have lab 1 : P 1... have lab 2 : P have lab n : P n... from lab 1 lab 2... have P... With names

80 Raw proof blocks { fix x 1... x n assume A 1... A m. have B }

81 Raw proof blocks { fix x 1... x n assume A 1... A m. have B } proves [[ A 1 ;... ; A m ]] = B

82 Raw proof blocks { fix x 1... x n assume A 1... A m. have B } proves [[ A 1 ;... ; A m ]] = B where all x i have been replaced by?x i.

83 Proof state and Isar text

84 Proof state and Isar text In general: proof method

85 Proof state and Isar text In general: proof method Applies method and generates subgoal(s): x1... x n [[ A 1 ;... ; A m ]] = B

86 Proof state and Isar text In general: proof method Applies method and generates subgoal(s): x1... x n [[ A 1 ;... ; A m ]] = B How to prove each subgoal:

87 Proof state and Isar text In general: proof method Applies method and generates subgoal(s): x1... x n [[ A 1 ;... ; A m ]] = B How to prove each subgoal: fix x 1... x n assume A 1... A m. show B

88 Proof state and Isar text In general: proof method Applies method and generates subgoal(s): x1... x n [[ A 1 ;... ; A m ]] = B How to prove each subgoal: fix x 1... x n assume A 1... A m. show B Separated by next

89 Datatype case analysis datatype t = C 1 τ

90 Datatype case analysis datatype t = C 1 τ proof (cases "term") case (C 1 x 1... x k ) x j next. qed

91 Datatype case analysis datatype t = C 1 τ proof (cases "term") case (C 1 x 1... x k ) x j next. qed where case (C i x 1... x k ) fix x 1... x k assume C i : }{{} label term = (C i x 1... x k ) }{{} formula

92 Structural induction for nat show P(n) proof (induction n) case 0. show?case next case (Suc n).. show?case qed

93 Structural induction for nat show P(n) proof (induction n) case 0 let?case = P(0). show?case next case (Suc n).. show?case qed

94 Structural induction for nat show P(n) proof (induction n) case 0 let?case = P(0). show?case next case (Suc n) fix n assume Suc: P(n). let?case = P(Suc n). show?case qed

95 Structural induction with = show A(n) = P(n) proof (induction n) case 0. show?case next case (Suc n)... show?case qed

96 Structural induction with = show A(n) = P(n) proof (induction n) case 0 assume 0: A(0). let?case = P(0) show?case next case (Suc n)... show?case qed

97 Structural induction with = show A(n) = P(n) proof (induction n) case 0 assume 0: A(0). let?case = P(0) show?case next case (Suc n) fix n.. assume Suc: A(n) = P(n) A(Suc n). let?case = P(Suc n) show?case qed

98 Named assumptions In a proof of A 1 =... = A n = B by structural induction:

99 Named assumptions In a proof of A 1 =... = A n = B by structural induction: In the context of case C

100 Named assumptions In a proof of A 1 =... = A n = B by structural induction: In the context of case C we have C.IH the induction hypotheses

101 Named assumptions In a proof of A 1 =... = A n = B by structural induction: In the context of case C we have C.IH C.prems the induction hypotheses the premises A i

102 Named assumptions In a proof of A 1 =... = A n = B by structural induction: In the context of case C we have C.IH C.prems C the induction hypotheses the premises A i C.IH + C.prems

103 A remark on style case (Suc n) show?case is easy to write and maintain

104 A remark on style case (Suc n) show?case is easy to write and maintain fix n assume formula show formula is easier to read: all information is shown locally no contextual references (e.g.?case)

105 Rule induction inductive I :: τ σ bool where rule 1 :.... rule n :...

106 Rule induction inductive I :: τ σ bool where rule 1 :... show I x y = P x y. rule n :...

107 Rule induction inductive I :: τ σ bool where rule 1 :... show I x y = P x y proof (induction rule: I.induct). rule n :...

108 Rule induction inductive I :: τ σ bool where rule 1 :.... rule n :... show I x y = P x y proof (induction rule: I.induct) case rule 1 show?case next. next case rule n show?case qed

109 Fixing your own variable names case (rule i x 1... x k ) Renames the first k variables in rule i (from left to right) to x 1... x k.

110 Named assumptions In a proof of I... = A 1 =... = A n = B by rule induction on I... :

111 Named assumptions In a proof of I... = A 1 =... = A n = B by rule induction on I... : In the context of case R

112 Named assumptions In a proof of I... = A 1 =... = A n = B by rule induction on I... : In the context of case R we have R.IH the induction hypotheses

113 Named assumptions In a proof of I... = A 1 =... = A n = B by rule induction on I... : In the context of case R we have R.IH R.hyps the induction hypotheses the assumptions of rule R

114 Named assumptions In a proof of I... = A 1 =... = A n = B by rule induction on I... : In the context of case R we have R.IH R.hyps R.prems the induction hypotheses the assumptions of rule R the premises A i

115 Named assumptions In a proof of I... = A 1 =... = A n = B by rule induction on I... : In the context of case R we have R.IH R.hyps R.prems R the induction hypotheses the assumptions of rule R the premises A i R.IH + R.hyps + R.prems

116 Rule inversion inductive ev :: nat bool where ev0: ev 0 evss: ev n = ev(suc(suc n)) What can we deduce from ev n?

117 Rule inversion inductive ev :: nat bool where ev0: ev 0 evss: ev n = ev(suc(suc n)) What can we deduce from ev n? That it was proved by either ev0 or evss!

118 Rule inversion inductive ev :: nat bool where ev0: ev 0 evss: ev n = ev(suc(suc n)) What can we deduce from ev n? That it was proved by either ev0 or evss! ev n = n = 0 ( k. n = Suc (Suc k) ev k)

119 Rule inversion inductive ev :: nat bool where ev0: ev 0 evss: ev n = ev(suc(suc n)) What can we deduce from ev n? That it was proved by either ev0 or evss! ev n = n = 0 ( k. n = Suc (Suc k) ev k) Rule inversion = case distinction over rules

120 Rule inversion template from ev n have P proof cases case ev0 n = 0. show?thesis... next case (evss k). show?thesis... qed n = Suc (Suc k), ev k

121 Rule inversion template from ev n have P proof cases case ev0 n = 0. show?thesis... next case (evss k). show?thesis... qed Impossible cases disappear automatically n = Suc (Suc k), ev k

122 Summary Introduction to Isar and to some common proof patterns e.g. case distinction, contradiction, etc. Structured proofs are becoming the norm for Isabelle as they are more readable and easier to maintain. Mastering structured proof takes practice and it is usually better to have a clear proof plan beforehand. Useful resource: Isar quick reference manual (see AR web page). Reading: N&K (Concrete Semantics), Chapter 5.

Automated Reasoning Lecture 17: Inductive Proof (in Isabelle)

Automated Reasoning Lecture 17: Inductive Proof (in Isabelle) Jacques Fleuriot jdf@inf.ed.ac.uk Recap Previously: Unification and Rewriting This time: Proof by Induction (in Isabelle) Proof by Mathematical