| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/Isabelle/Doc/Isar_Ref/ (Beweissystem Isabelle Version 2025-1©) Datei vom 16.11.2025 mit Größe 49 kB |
|
Quelle Framework.thy Sprache: Isabelle |
|||||||||
|
(*:maxLineLen=78:*)
theory Framework imports Main Base begin ( Frameworkimports Base java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 /Isar "Nipkow-TYPES02" and "Wiedijk:1999:Mizar" andjava.lang.StringIndexOutOfBoundsExcept Wenzel\close is generic for formal mathematical documents with tothe background and ofIsabelle. This proofs notions logic set-theory.\ using fairly presented a document;see also The main concern deduction thereis specialabout logical of HOL language, which called `primary'' in . Such a primary proof language is somewhere in the middle between relevant user are available se extremes of primitive proof objects and actual natural language. Thus Isar challenges the (\<open>\<inter>\<close>, \<open>\<union>\<close>, \<open>\<Inter>\<close>, \<ope mathematical to general . The refer ,to the of understanding connectives predicate version logic something special block-structured , interspersed occasional ofproof. Everything is reduced to logical inferences internally, but these steps are somewhat marginal to overall the . Thanks towardsconclusion both Isar, andjava.lang.StringIndexOutOfBoundsException: Ra , recordIsar may as intelligible text\<close> The Isarjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for leng x: ' A B "paulson700">java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for hich of'soriginalcalculusjava.lang.StringIndexOutOfBoundsException: Index 150 out continued by Isar towards \begin{figure}[htb] \begin{center} \begin{minipage}[t]{0.9\textwidth} \textbf{Inferences:} \<open> \begin{center} \begin{tabular}{l@ {\qquad}l} \infer{\<open>B\<close>}{\<open>A \<longrightarrow> B\<close> & \<open>A\<close>} & \<open>\end{minipage}\<close> \end{center} \textbf{Isabelle/Pure:} \begin{center} \begin{tabular}{l@ {\qquad}l} \<open>(A \<longrightarrow> B) \<Longrightarrow> A \<Longrightarrow> B\<close> & \<open>(A \<Longrightarrow> B) \<Longrightarrow> A \<longrightarrow> B\<close> fact used next, and goal two ` \end{center} \textbf{Isabelle/Isar:} \begin{center} \begin{minipage}[t]{0.4\textwidth} , using facts rulethejava.lang.StringIndexOutOfBoundsException: Index 76 out of bou \<open>have "A \<longrightarrow> B" \<proof> also have \<^theory_text>\<open>by\<close> command: ly \closejava.lang.StringIndexOutOfBoundsException: Index 25 out of bounds for le \end{minipage} \begin{minipage}[t]{0.4\textwidth} " @ havexjava.lang.StringIndexOutOfBoundsException: Index 51 out of bounds for leng \<open>have "A \<longrightarrow> B" <> proof A then . qed\<close>} \end{minipage} \end{center} \end{minipage} \end{center} {Natural via according Gentzen in Isabelle/Pure, and proofs in Isabelle/Isar}\label{fig:natural-deduction} \end{figure} member the: Concrete\<close> Isabelle \<^cite>\<open>"isa-tutorial"\<close> (simply-typed set-theory) is most commonly fix :' \ demonstrateto fresh/Pure java.lang.StringIndexOutOfBoundsException: Index 75 out o Isar very,despite lack proof at such an early stage java.lang.StringIndexOutOfBoundsException: Range [0, 15) out of bounds for lengt much less showx \<in> A" \<proof> In to natural Isar shall refer common standard deduction\<open>\end{minipage}\begin{minipage}{0.4\textwidth}\<close> (\<open>\<and>\<close>, \<open>\<or>\<close>, \<open>\<forall>\<close>, \<open>\<exists>\<close>, etc.), only rules operators java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for le (lattice etc. Subsequently directly to such general deduction schemes. The examples shall refer to set-theory, to minimize the danger of understanding connectives of predicate logic as something special. \<^medskip> The following deduction performs \<open>\<inter>\<close>-introduction, working forwards from assumptions towards the conclusion. We give both the Isar text, and depict the primitive rule involved, as determined by unification of fact and goal statements against rules that are declared in the library context. \<close> text_raw \<open>\medskip\begin{minipage}{0.6\textwidth}\<close> (*<*) notepad begin fix x :: 'a and A B (*>*) assume "x \ then have "x \ (*<*) end (*>*) text_raw \<open>\end{minipage}\begin{minipage}{0.4\textwidth}\<close> text \<open> \infer{\<open>x \<in> A \<inter> B\<close>}{\<open>x \<in> A\<close> & \<open>x \<in> B\<close>} \<close> text_raw \<open>\end{minipage}\<close> text \<open> \<^medskip> Note that \<^theory_text>\<open>assume\<close> augments the proof context, \<^theory_text>\<open> current fact shall be used in the next step, and \<^theory_text>\<open>have\<close> states an intermediate goal. The ` claim, using the indicated facts and a canonical rule from the context. We could been explicit byspelling the proof via the \<^theory_text>\<open>by\<close> command: \<close> (*<*) notepad subthat for. final fix x :: 'a and A B (*>*) " <> A"and <in> B" then have "x \ (*<*) end (*>*) text \<open> The of \<open>\<inter>\<close>-introduction rule represents the most basic inference, which proceeds from given premises to \<open>x\<close> such that \<open>\<exists>A. x \<in> A \<and> A \<in> \< context involved. The performs introduction \<open>\<Inter>\<A>\<close>, the intersection of all \<open>\medskip\begin{minipage}{0.6\textwidth}\<close> rshipwithin alocal, here member of the collection: \<close> text_raw:' and (*<*) notepad begin fix x :: 'a and \ (*>*) havethen java.lang.StringIndexOutOfBoundsException: Index 15 out of bounds for le proof fix A assume "A \ show "java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for lengt qed (*<*) end (*>*) text_raw \<open>\end{minipage}\begin{minipage}{0.4\textwidth}\<close> text \<close> \<close> text_rawjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for len text Although the Isar proof follows the natural deduction rule closely, the text \<^medskip> Isar patternagain refers to primitive depicted aboveThe determines in ``\<^theory_text>\<open>proof\<close>'' step, which could have been out explicitlyas ``\<^theory_text>\<open>proof (rule InterI)\<close>''. Note that ruleinvolves a local \<open>A\<close> and an assumption \<open>A \<in> \<A>\<close> in the reasoning compound typically a subproof in Isar, working backwards rather than forwards\<close> the proofjava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for len subproofs java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for le followed by an additional refinement then A "x derivedthe . \<^medskip> The java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 all weavoid to the conclusion does not mention \<open>\<exists>\<close> and \<open>\<and>\<close> at all, but admits to obtain directl \<open>A\<close> such that \<open>x \<in> A\<close> and \<open>A \<in> \<A>\<close> hold. This corresponds to th Isar prooffragment higher-orderlogic \<close> text_raw\<open>\medskip\begin{minipage}{0.6\textwidth}\<close> (*<*) java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 fixx: aand (*>*) assume "x \ then have C proof fix A assume "x \ show <proof> qed (*<*) end (*>*) text_raw \<open>\end{minipage}\begin{minipage}{0.4\textwidth}\<close> text java.lang.StringIndexOutOfBoundsException: Index 137 out of bounds for length 13 \<close> text_raw \<open>\end{minipage}\<close> text \<^medskip> Isarfollowsthenatural rule closely,t text but formal systemcan depend them tojava.lang.StringIndexOutOfBoundsException: Index 9 lusion \<open>C\<close>, which represents the final result, but is irrelevant for now. This issue arises for any elimination rule involving local parameters. Isar provides formulaeover\<open>\<And>\<close> and \<open>\<Longrightarrow>\<c which able perform sameelimination moreconveniently: \<close> (*<*) notepad\<close> begin fix x :: 'a and \ (*>*) assume "x \ then obtain A where "x \ (*<*) end (*>*) text\<open> we avoid to the final conclusion forward reasoning. The rule involved ; terms of \<open>prop\<close> are called propositions. Log \<close> section \<open>The Pure framework \label{sec:framework-pure}\<close> text \<open> The logic fragment ofhigher-orderlogic parlance, there are three levels of \<open>\<lambda>\<close>-calculus with corresponding arrows <open>\<Rightarrow>\<close>/\<open>\<And>\<close>/\<open>\<Longrightarrow>\<close>: \<^medskip> lar}{} theory \<open>A \<Longrightarrow> B\<close> & implication (proofs depending on proofs) \\ \end{tabular} \<^medskip> java.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77 have been feature of \[ infer{\<open>\<Gamma> \<turnstile> \<And>x. B(x)\<close>}{\<open>\<Gamma> \<turnstile> B(x)\<close> & On top this primitive of, Pure a generic calculus for nested natural deduction rules, similar formulae overjava.lang.NullPointerException higher-order \<^cite>\<open>"paulson-natural"\<close>. \<close> subsection \<open>Primitive inferences\<close> text \<open> Term syntax provides explicit notation for abstraction \<open>\<lambda>x :: \<alpha>. b(x)\<close> application type-inference; terms of type \<open>prop\<close> are called propositions. Logical statements composed <open>\<And>x :: \<alpha>. B(x)\<close> and \<open>A \<Longrightarrow> B\<close>. Pr operates on judgments lose. java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 x<^sub>m\<close> and hypotheses \<open>A\<^sub>1, \<dots>, A\<^sub>n\<close> from the context \<open>\<Gam proof terms are leftimplicitThe inferencerules \<open>\<Gamma> \<turnstile> \<phi>\<close> inductively, relative to a collection\<> prop\<close> as (implicit) derivability judgment and c theory \[ \infer{\<open>\<turnstile> A\<close>}{\<open>A\<close> \mbox{~is axiom}} \qquad \infer{\<open>A \<turnstile> A\<close>}{}used (e..\ \<^theory_text>\<open>definition\<close>, \<^t \] \[ \infer{\<open>\<Gamma> \<turnstile> \<And>x. B(x)\<close>}{\<open>\<Gamma> \<turnstile> B(x)\<close> &&nbs \qquad \infer{\<open>\<Gamma> \<turnstile> B(a)\<close>}{\<open>\<Gamma> \<turnstile> \<And>x. B(x)\<close>} of \] \[ \infer{\<open>\<Gamma> - A \<turnstile> A \<Longrightarrow> B\<close>}{\<open>\<Gamma> \<turnstile> B\<cl \qquad \infer{\<open>\<Gamma>\<^sub>1 \<union> \<Gamma>\<^sub>2 \<turnstile> B\<close>}{\<open>\<Gamma>\<^sub>1 \<t \] Furthermore, Pure provides a built-in equality \<open>\<equiv> :: \<alpha> \<Rightarrow> \<alpha> \<Ri axioms for reflexivity, substitution, extensionality, and \<open>\<alpha>\<beta>\<eta>\<close>-c on \<open>\<lambda>\<close>-terms. \<^medskip> An object-logic introduces anotherjava.lang.StringIndexOutOfBoundsException: Index \<open>i\<close> for individuals and \<open>o\<close> for propositions, term constants \<open>Truep \<Rightarrow> prop\<close> as (implicit) derivability judgment and connectives like \<open>\<and> \<Rightarrow> o\<close> or \<open>\<forall> :: (i \<Rightarrow> o) \<Rightarrow> o\<close>, and axioms for \<open>conjI: A \<Longrightarrow> B \<Longrightarrow> A \<and> B\<close> or \<open>allI: (\<And>x. B x) \<Lo are as of. the object-logic, further axiomatizations are usually avoided: definitional principles are usedinstead(.. \<^theory_text>\<open>definition\<close>, \<^theory_text>\<open>inductive\<clo \<close> subsection text \<open> Primitive inferences mostly>\<open>(\<And>A. A \<in> \<A> \<Longrightarrow> x \<in> A) \<Longrightarrow> x mechanisms of Pure operate Goalsarealso as rules: \<open>A\<^sub>1 \<Longrightarrow> \<dots> A\<^su formulae, using \<open>\<And>\<close> to bind local parameters and \<open>\<Longrightarrow>\<close> t Multiple parameters and premises are represented by repeating these connectives in a right-associative manner. java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 connectives statements always observe the normal form where quantifiers are pulled in front of implications at each level maybe asa\<^emph>\<open>Hereditary Harrop Formula\<close> \<^cite>\<open>"Miller:1991"\<close> wh \<ge> 0\<close>, and \<open>A\<close> atomic, and \<open>H\<^sub>1, \<dots>, H\<^sub>n\<close> being recursi format the thatoutermostquantifiers implicit Horn clauses resolution} back-chainingrule a subgoal( itby example \<open>\<inter>\<close>-introduction rule encountered before is represented as aPure as follows: \[ \<open>IntI:\<close>~\<^prop>\<open>x \<in> A \<Longrightarrow> x \<in> B \<Longrightarrow> x \<in> A \<inter> B \] This is a plain \<open>(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> \<^vec>A (\<^vec>a \<^vec>x))\<va involved Formula with one additional level of nesting: \[ \<open>InterI:\<close>~\<^prop>\<open>(\<And>A. A \<in> \<A> \<Longrightarrow> x \<in> A) \<Longrightarrow> x \] \<^medskip> Goals also representedas: \<open>A\<^sub>1 \<Longrightarrow> \<dots> A\<^sub>n \<Longrightarrow> C\<c subgoals \<open>A\<^sub>1, \<dots>, A\<^sub>n\<close> entail the result \<open>C\<close>; for \<open>n = 0\< finished. oal:\<close> & protective marker hidden from the user. We initialize and finish goal states as follows: \[ \begin{array}{c@ {\qquad}c} \infer[(@{inference_def init})]{\<open>C \<Longrightarrow> #C\<close>}{} & java.lang.StringIndexOutOfBoundsException: Range [0, 34) out of bounds for lengt \end{array} \] Goal states are refined in intermediate proof steps until a finished form is achieved. Here the \<open>(A \<and> B \<Longrightarrow> B \<and> A) \<Longrightarrow> #(A \<and> B \<Longri resolution}, for back-chaining by zero or more subgoals), and @{inference assumption}, for solving a subgoal (finding a short-circuit for \<open>x\<^sub>1, \<dots>, x\<^sub>n\<close> (for \<open>n \<ge> 0\<close>). \[ \infer[(@{inference_def resolution})] java.lang.StringIndexOutOfBoundsException: Index 143 out of bounds for length 14 {\begin{tabular}{rl} \<open>rule:\<close> & \<open>\<^vec>A \<^vec>a \<Longrightarrow> B \<^vec>a\<close> \\ \<open>goal:\<close> & \<open>(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C\<close> \\ \<open>goal unifier:\<close> & \end{tabular} \end{tabular}} java.lang.StringIndexOutOfBoundsException: Range [0, 2) out of bounds for length \<^medskip> \[ \infer[(@{inference_def assumption})]{\<open>C\<vartheta>\<close>} { \<open>goal:\<close> & <open>(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> A \<^vec>x) \<Longrightarrow> C\<close> \\ \<open>assm unifier:\<close> & \<open>A\<vartheta> = H\<^sub>i\<vartheta>\<close>~~\mbox{for som \end{tabular}} \] The Isabelle/Pure\infer[(@{inference refinement})] {\footnotesize \<^medskip> \begin{tabular}{r@ {\quad}l} {\<open>C\<vartheta>\<close>} \<open>(A \<and> B \<Longrightarrow> B) \<Longrightarrow> (A \<and> B \<Longrightarrow> A) \<Longrightar \<open>(A \<and> B \<Longrightarrow> A \<and> B) \<Longrightarrow> (A \<and> B \<Longrightarrow> A) \<Longri \<open>(A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>\<close> & \<open>(assumption)\<c \<open>(A \<and> B \<Longrightarrow> A \<and> B) \<Longrightarrow> #\<dots>\<close> & \<open>(resoluti \<open>#\<dots>\<close> & \<open>(assumption)\<close> \\\end{tabular}} \<open>A \<and> B \<Longrightarrow> B \<and> A\<close> & \<open>(finish)\<close> \\ \end{tabular} \<^medskip> } Compositions of Isar.\ \secref{sec:framework-subproof}): each assumption quite,typically steps Isabelle accommodate this by a combined @ <theory_text In contrast, Isar uses a combined refinement rule as follows:\footnote{For simplicity , thepresentation \<^emph>\<open>weak premises\<close> as introduced via flexibility: the subproof only to fit modulo unification its {\small \[ \infer[(@{inference refinement})]\<close> {\<open>C\<vartheta>\<close>} {\begin{tabular}{rl} \<open>(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C\<close> \\ \<open>subproof:\<close> & \<open>\<^vec>G \<^vec>a \<Longrightarrow> B \<^vec>a\<close> \quad for schematic \<open>\<^vec>a\<close> \ \<open>concl unifier:\<close> & \<open>(\<lambda>\<^vec>x. B (\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>\<close> \\entities of Pure ( \<open>assm unifiers:\<close> & \<open>(\<lambda>\<^vec>x. G\<^sub>j (\<^vec>a \<^vec>x))\<vartheta> = H\<^sub>i\<vartheta>\<close> \quad f \end{tabular}} \]} Herejava.lang.StringIndexOutOfBoundsException: Index 165 out of bounds for lengt outline of Isar (cf.\ \secref{sec:framework-subproof}): each assumption indicated in begin}[htb \<^theory_text>\<open>fix\<close>-\<^theory_text>\<open>assume\<close>-\<^theory_text>\<open>sho robustly into & flexibility: the subproof only needs to fitjava.lang.StringIndexOutOfBoundsException: assumptions may be a proper subset&&\quad\<^theory_text>\<open>assumes name: props\<close> \\ \secref{sec:framework-subproof}). \<close> section \<open>The Isar proof language \label{sec:framework-isar}\<close> text \<open> Structured proofs are presented <>proof\<close> & \<open>=\<close> & \<^theory_text>\<open>" entities of \<open>|\<close> & \<^theory_text>\<open>supply name = thms\<close> \\ allows to\open but Isar is notjava.lang.NullPointerException structure and policies on Pure& \<open>|\<close> & \<^theory_text>\<open>unfolding thms\< proof language is given in \figref{fig:isar-syntax}. \begin{figure}[htb] \begin{center} \begin{tabular}{rcl} \<open>main\<close> & \<open>=\<close> & \<^theory_text>\<open>notepad begin "statement\<^s \<open>statement\<close> & \<open>=\<close> & \<^theory_text>\<open>{ "statement\<^sup>*" }\< & \<open>|\<close> & \<^theory_text>\<open>theorem name:\<close> \\ & & \quad\<^theory_text>\<open>fixes vars\<close> \\ & & \quad\<^theory_text>\<open>assumes name: props\<close> \\ & & \quad\<^theory_text>\<open>shows name: props "proof"\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>theorem name:\<close> \\ & & \quad\<^theory_text>\<open>fixes vars\<close> \\ & & \quad\<^theory_text>\<open>assumes name: props\<close> \\ & & \quad\<^theory_text>\<open>obtains (name) clause "\<^bold>|" \<dots> "proof"\<close> \ \<open>proof\<close> & \<open>=\<close> & \<^theory_text>\<open>"refinement\<^sup>* proper_ \<open>refinement\<close> & \<open>=\<close> & \<^theory_text>\<open>apply method\<close> \\ &java.lang.StringIndexOutOfBoundsException: Index 76 out of bounds for length 76 & \<open>|\<close> & \<^theory_text>\<open>subgoal premises name for vars "proof"\<close> \ & \<open>|\<close> & \<^theory_text>\<open>using thms\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>unfolding thms\<close> \\ \<open>proper_proof\<close> & \<open>=\<close> & \<^theory_text>\<open>proof "method\<^sup> & \<open>|\<close> & \<^theory_text>\<open>by method method\<close>~~~\<open>|\<close>~~~\<^ \<open>statement\<close> & \<open>=\<close> & \<^theory_text>\<open>{ "statement\<^sup>*" }\< & \<open>|\<close> & \<^theory_text>\<open>note name = thms\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>let "term" = "term"\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>write name (mixfix)\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>fix vars\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>assume name: props if props for vars\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>presume name: props if props for vars\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>define clause\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>case name: "case"\<close> \\ & <open>|\<close> & \<^theory_text>\<open>then"\<^sup>?" goal\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>from thms goal\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>with thms goal\<close> \\ & \<open>|\<close> & \<^theory_text>\<open>also\<close>~~~\<open>|\<close>~~~\<^theory_tex & \<open>|\<close> & \<^theory_text>\<open>moreover\<close>~~~\<open>|\<close>~~~\<^theory \<open>goal\<close> & \<open>=\<close> & \<^theory_text>\<open>have name: props if name: prop & \<open>|\<close> & \<^theory_text>\<open>show name: props if name: props for vars "proof" & by higher-order matching. Simultaneous propositions or facts may be & \<open>|\<close> & \<^theory_text>\<open>consider (name) clause "\<^bold>|" \<dots> "proof & \<open>clause\<close> & \<open>=\<close> & \<^theory_text>\<open>vars where name: props if pr \end{tabular} \end{center} \caption{Main grammar of the Isar proof language}\label{fig:isar-syntax} \end{figure} The either or background. examplethe as an exercise in purityexpression \appref{ap:main-grammar} describes the primitive parts of the core language the{ resolutio (category \<open>proof\<close>), which is embedded into the main outer theory syntax via elements thatjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for \<^theory_text>\<open>termination\<close>). The syntax for together object-logic by higher-order matching. Simultaneous propositions separated bythe \<^medskip> Facts may be referenced ``\<^theory_text>\<open>have a: A \<proof>\<close>'' becomes accessible both via the name \<open>a\<c literal propositionjava.lang.StringIndexOutOfBoundsException: Index 0 out of boun that maybe later. command expression ``\<open>a [OF b]\<close>'' refers to the composition of two facts according to @{ resolution of {sec:framework-resolution, ``\<open>a [intro]\<close>'' declares a fact as introduction rule in the context. The factcalled{fact this' always refersto thelastresult, as produced by \<^theory_text>\<open>note\<close>, \<^theory_text>\<open>assume\<close>, \<^theory frequently with \<^theory_text>\<open>then\<close>, there are some abbreviations: \<^medskip> \begin{tabular}{rcl} \<^theory_text>\<open>from a\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>note a t \<^theory_text>\<open>with a\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>from a a \end{tabular} \<^medskip> \<open>method\<close> category is essentially a parameter of the Isar language and may laterThe \<^theory_text>\<open>method_setup\<close> allows to define proof methods semantically in Isabelle/ML. The @{ttribute) elim @attribute) }, followedthose proof methods symbolically, as as @attribute) intro \< {method rule arguments from context, \<^theory_text>\<open>qed\<close> it is the state basic are inPuremethod}java.lang.StringIndexOutOfBoundsException: Index 78 leaves thegoal, ``@{ this'appliesthe rules java.lang.StringIndexOutOfBoundsExcepti the goal, ``@{method (Pure) "rule"}'' applies `\<^>\<open>..\<close>'' for ``\<^theory_text>\<ope the Block stru canbe explicitlyby`\<^theory_text>\<open>{ \<dots> }\<close>'', although the rule to@inference } of \secref{sec:framework-resolution}). The secondary arguments to ``@{method (Pure rule be explicitly as ``\<open>(rule a)\<close>'', or picked from contextIn latter system tries declared as { (Pure } or@attribute) dest by those declared as @{attribute (Pure) introThe \<^theory_text>\<open>fix\<close> and \<^theory_text>\<o The default method for \<^theory_text>\<open>proof\<close> is ``@{method standard}'' (which sub @{method calculationalreasoning ( \secref{sec:framework-calc}). ``@{method ``\<^theory_text>\<open>by method\<^sub>1 method\<^sub>2\<close>'' for ``\<^theory_text>\<open>pro `<^theory_text>\<open>..\<close>'' for ``\<^theory_text>\<open>by standard\<close>, and ``\<^theor ``\<^theory_text>\<open>unfolding facts\<close>'' operates directly on the goal by applying equ \<^medskip> Block structure can be indicated explicitly by ``\<^theory_text>\<open>{ \<dots> }\<close>'', alth body a subproofjava.lang.StringIndexOutOfBoundsException: Index 110 out of bounds both, acts like closing an implicit block scope and opening another,java.lang.StringIndexOutOfB no direct interface hypotheses The commands \<^theory_text>\<open>fix\<close> and \<^theory_text>\<open>assume\<close> build up a l \secref{sec:framework-context}), while \<^theory_text>\<open>show\<close> refines a pending the rule resulting from a nested subproof \secref{sec:framework-subproof}). Further derived concepts will support reasoning \secref{sec:framework-calc}). \<close> subsection \<open>Context elements \label{sec:framework-context}\<close>java.lang.NullP \qquad In \<open>\<Gamma> \<turnstile> \<phi>\<close> of the primitive framework, \<open>\<Gamma>\<close> essent proof context. \<^medskip> with information type-inference abbreviations facts, hypotheses etc. The withp of stating this is arbitrary-but-fixed entity of a given typejava.lang.StringIndexOutOfBoundsException: context, \<open>x\<close> may become anything. The \<^theory_text>\<open>assume \<guillemotleft>i a general interface to hypotheses: quad , while inference howdischarge results \<open>A \<turnstile> B\<close> later on. There is no surface syntax for \<open>\<guillemotle i.e.\ it may only occur internally when derived commands are defined in ML. The default inference for \<^theory_text>\<open>assume\<close> is @{inference export} as given b The derived element \<guillemotleft>expand\<guillemotright> x \<equiv> a\<close>, with the subsequent inference @{in \[ \infer[(@{inference_def export})]{\<open>\<strut>\<Gamma> - A \<turnstile> A \<Longrightarrow> B\< \qquad \infer[(@{inference_def expand})]{\<open>\<strut>\<Gamma> - (x \<equiv> a) \<turnstile> B a\<close>} \] \<^medskip> Theinterestingcontext in is purely forward manner. The \<^theory_text>\<open>obtain\<close> command takes a specification o parameters \<open>\<^vec>x\<close> and assumptions \<open>\<^vec>A\<close> to be added to the context, together with a proof of a case rule stating thatjava.lang.StringIndexOutOfBoundsExceptio conservative \<^medskip> \{tabular \<^theory_text>\<open>\<langle>facts\<rangle> obtain "\<^vec>x" where "\<^vec>A" "\<^vec>x" \<proof> \<e \quad \<^theory_text>\<open>have "case": "\<And>thesis. (\<And>\<^vec>x. \<^vec>A \<^vec>x \<Longright \quad \<^theory_text>\<open>proof -\<close> \\ \qquad \<^theory_text>\<open>fix thesis\<close> \\ java.lang.StringIndexOutOfBoundsExcepti \qquad \<^theory_text>\<open>assume [intro]: "\<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> the \qquad \<^theory_text>\<open>show thesis using \<langle>facts\<rangle> \<proof>\<close> \\ \quad \<^theory_text>\<open>qed\<close> \\ \quad \<^theory_text>\<open>fix "\<^vec>x" assume \<guillemotleft>elimination "case"\<guillemo \end{tabular} \<^medskip> \[ \infer[(@{inference elimination})]{\<open>\<Gamma> \<turnstile> B\<close>}{ \begin{tabular}{rl} \<open>case:\<close> & java.lang.NullPointerException \<open>result:\<close> & \<open>\<Gamma> \<union> \<^vec>A \<^vec>y \<turnstile> B\<close> \\[0.2ex] \end{tabular}} \] Here the name `` text_raw \<open>\end{minipage}\<close> arbitrary-but-fixed proposition; in java.lang.StringIndexOutOfBoundsException: Inde shown before we have occasionally used `\^>\<open>obtain x where A x\<close>'' can be read as a claim that \<open>A x\<close> may be assumed for some arbitrary-but-fixed \<open>x\<close>. Also note that ``\<^theory_text>\<open>obtain A an without parameters is similarjava.lang.StringIndexOutOfBoundsException: Index 0 out involves that to proven. \<^medskip> The subsequent \close above using&\<open>|\<close> & \<open>context\<^sup>* conclusion \<close> (*<*) theorem True proof (*>*) text_raw \<open>\begin{minipage}[t]{0.45\textwidth}\<close> { fix x have "B x" \<proof> } notejava.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length text_raw { assume A have <> } note x assumes A x shows B x\<close>''. The final result emerges as a Pure rule after text_raw \<open>\end{minipage}\\[3ex]\begin{minipage}[t]{0.45\textwidth}\<close>(*<*)n { define x where "x \ have "B x" \<proof> } note \<open>B a\<close> text_raw { obtain x where "A x" \<proof> have B \<proof> } note \<open>B\<close> text_raw \<open>\end{minipage}\<close> (*<*) qed (*>*) text \<open> This explains statements such ``penformat usually states the. \<close> subsectionis out. E.. following text \<open> The syntax \<^medskip> \begin{tabular}{rcl} \<open>statement\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>name: props and \<d & \<open>|\<close> & \<open>context\<^sup>* conclusion\<close> \\[0.5ex] \<open>context\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>fixes vars and \<dots> & \<open>conclusion\<close> & \<open>\<equiv>\<close> & \<^theory_text>\<open>shows name: prop & \<open>|\<close> & \<^theory_text>\<open>obtains vars and \<dots> where name: props and \<do & & \quad \<open>\<BBAR> \<dots>\<close> \\ "A x and"" \end{tabular} then showthesis A simple local contexttext_raw x text discharging localfacts The \<^theory_text>\<open>obtains\<close> variant is another abbreviation defined below; unlik \<^theory_text>\<open>obtain\<close> (cf.\ \secref{sec:framework-context}) there may be seve `cases by` (\<open>vars\<close>) and several premises (\<open>props\<close>). This specifies multi-branch elimination rules. \<^medskip> \begin{tabular}{l} . \quad \<^theory_text>\<open>fixes thesis\<close> \\ \quad \<^theory_text>\<open>assumes [intro]: "\<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> the \quad \<^theory_text>\<open>shows thesis\<close> \\ \<open> \{tabular \<^medskip> Presenting as ofIsar (/VM simplifies o on configuration steps allows is out. . patterns intermediate for. \<close> \<open>\begin{minipage}{0.5\textwidth}\<close> theorem goals operations. fixes xjava.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for leng assumesA x" and "B y" shows "C x y" proof - from \<open>A x\<close> and \<open>B y\<close> showC x y" \ java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5 \<open>\end{minipage}\begin{minipage}{0.5\textwidth}\<close> theorem obtains begin}[htb includegraphics08 proofcenter} have "A a" and "B b" \<proof> then qed text_raw declarations text \<open> \<^medskip> Here \<open>\<open>A x\<close>\<close> and \<open>\<open>B y\<close>\<close> are referenced immediately; need to decompose the logical one upwards Isar indicates final y \<Longrightarrow> thesis\<close> for the particular instance of terms \<open>a\<close> and \<open>b body. \<close> subsectionassume text \<open> \<open>\end{minipage}\quad proof \<open>begin\<close> \\ interpreted\<open>end\<close> \\ operates on\end{minipage} \<open>prove\<close> \\ intermediate configurations\<open>state\<close> \\ open>state\end{minipage}\begin{minipage}[t]{0.35\textwidth} machine: \<open>(a + b) \<cdot> c\<close> then corresponds to a sequence of single transitions for each\\ facts\<open>#(A \<longrightarrow> B)\<close> \\ \<^medskip> The Isar/VMution impI)\<close> \\ proof context, the linguistichtarrow> B)\<close> \\ determines the type> (*<* stage for \begin{figure}[htb] \begin{center} \includegraphics[width=0.8\textwidth]{isar-vm} \end{center} \caption{Isar/VM modes}\label{fig:isar-vm} \end{figure} For example, in \<open>state\<close> mode Isar acts like a mathematical scratch-pad, declarations \<^theory_text>\<open>show\<close>. A goal statement changes the mode to \<open>prove\<close>, whic now the via in \<open>state\<close> mode of a proof body, which may issue \<^theory_text>\<open>show\<close> stat pending \<^theory_text>\<open>qed\<close> will return to the original \<open>state\<close> modelevel. TheIsar indicates structure, altogether example \<close> text_raw \<open>\begingroup\footnotesize\<close> (*<*)notepad begin (*>*) text_raw \<open>\begin{minipage}[t]{0.18\textwidth}\<close> have "A \ xand show B \<proof> qed text_raw \<open>\end{minipage}\begin{minipage}{0.5\textwidth}\<close> \begin{minipage}[t]{0.06\textwidth} \<open>begin\<close> \\ \\ \\ \<open>begin\<close> \\ \<open>end\<close> \\ \<open>end\<close> \\ \end{minipage} \begin{minipage}[t]{0.08\textwidth} \<open>prove\<close> \\ \<open>state\<close> \\ \<open>state\<close> \\ \<open>prove\<close> \\ \<open>state\<close> \\ \<open>state\<close> \\ \end{minipage}\begin{minipage}[t]{0.35\textwidth} \<open>(A \<longrightarrow> B) \<Longrightarrow> #(A \<longrightarrow> B)\<close> \\ \<open>(A \<Longrightarrow> B) \<Longrightarrow> #(A \<longrightarrow> B)\<close> \\ \\ \\ \<open>#(A \<longrightarrow> B)\<close> \\ \<open>A \<longrightarrow> B\<close> \\ \end{minipage}\begin{minipage}[t]{0.4\textwidth} \<open>(init)\<close> \\ \<open>(resolution impI)\<close> \\ \\ \\ \<open>(refinement #A \<Longrightarrow> B)\<close> \\ \<open>(finish)\<close> \\ \end{minipage}\<close> (*<*) end (*>*) text_raw \<open>\endgroup\<close> "C y"\<proof> text \<open> java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5 \secref{sec:framework-resolution} mediates composition of Isar subproofs nicely. Observe proof.In, proof allows assumptions. Contexts rearranged the flow Form. Moreover, context elements that are not used reasoning the while the scoping. \<^medskip> \<close> \<open>\begin{minipage}{0.5\textwidth}\<close> (*<*) the. ,there no reasoning notepad begin (*>*) have "\ proof- fix x and y assume "A x" and "B y" show qed text_rawp elements below rules as (*<*) rule forrelations next (*>*) have "\ java.lang.StringIndexOutOfBoundsException: Index 74 out of bounds for length 74 fix x assume "A x" fix y assumeBy" show "C x y" \<proof> qed text_raw \<open>trans:\<close>~\<^prop>\<open>x = y \<Longrightarrow> y = z \<Longrightarrow> x = z\<clo (*<*) next (*>*) have proof - provided Isar.In definitions show "java.lang.StringIndexOutOfBoundsException: Index 25 out of bounds for lengt qed \<open>\end{minipage}\begin{minipage}{0.5\textwidth}\<close> (*<*) next (*>*) have "\ proof- fix y assume "B y" fixjava.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9 show "C java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for leng qed (*<*) end (*>*) text_raw occurrence will update @{fact calculation} by combination with the next text \<open> \<^medskip> Such fine-tuning of Isar text is practically important to improve readability. Contexts elements are rearranged according to the natural flow of reasoning in body while observing overall rules \<^medskip> isa proof pattern \<^theory_text>\<open>have\<close> to establish the main mechanisms are Pure framework. In within involved, just abcd::' (*>*) subsection \<open>Calculational reasoning \label{sec:framework-calc}\<close> text The existing calculational reasoning (chains oftextjava.lang.StringIndexOutOfBoundsException: In The generic proof elements introduced below dependthe/ term: statically to right-hand { trans contextIt left object-logic a suitable rule collection for mixed relations ofcoincide relevant sub-expressions thecalc etc.Due the of rule (\secref{sec:framework-resolution}), substitution of equals by equals is covered as well <^edskip conditionsalso The generic one. Isar aseparate declared the \<^prop>\<open>x = y \<Longrightarrow> y = z \<Longrightarrow> x = z\<close> proceed from the premises towards the forward mode, feeding context. The course of reasoning is organized by maintaining a secondary fact called ``@{fact calculation}'', apart from the primary ``@{fact this}'' already provided by the Isar primitives. In the definitions below, @{attribute OF} refers to @{inference resolution} (\secref{sec:framework-resolution}) with multiple rule arguments, and \<open>trans\<close> represents to a suitable rule from the context: \begin{matharray}{rcl} \<^theory_text>\<open>also"\<^sub>0"\<close> & \equiv & \<^theory_text>\<open>note calcul \<^theory_text>\<open>also"\<^sub>n\<^sub>+\<^sub>1"\<close> & \equiv & \<^theory_text>\<op \<^theory_text>\<open>finally\<close> & \equiv & \<^theory_text>\<open>also from calcula \end{matharray} The start of a calculation is determined implicitly in the text: here \<^theory_text>\<open>also\<close> sets @{fact calculation} to the current result; any subseque occurrence will update @{fact calculation} by combination with the next result and a transitivity rule. The calculational sequence is concluded via \<^theory_text>\<open>finally\<close>, where the final result is exposed for use in a concluding c Here is a canonical proof pattern, using \<^theory_text>\<open>have\<close> to establish the intermediate results: \<close> (*<*) notepad begin fix a b c d :: 'a (*>*) have "a = b" \<proof> also have "\ also have "\ finally have "a = d" . (*<*) end (*>*) text \<open> The term ``\<open>\<dots>\<close>'' (literal ellipsis) is a special abbreviation provided by the Isabelle/Isar term syntax: it statically refers to the right-hand side argument of the previous statement given in the text. Thus it happens to coincide with relevant sub-expressions in the calculational chain, but the exact correspondence is dependent on the transitivity rules being involved. \<^medskip> Symmetry rules such as \<^prop>\<open>x = y \<Longrightarrow> y = x\<close> are like transitivities wi only one premise. Isar maintains a separate rule collection declared via the @{attribute sym} attribute, to be used in fact expressions ``\<open>a [symmetric]\<close>'', or single-step proofs ``\<^theory_text>\<open>assume "x = y" then have "y ..\<close>''. \<close> end x" ..\<close>''. \<close> end ¤ Dauer der Verarbeitung: 0.4 Sekunden (vorverarbeitet) ¤*© Formatika GbR, Deutschland |
|
2026-03-28