(*<*)
theory Lecture2 imports Main LaTeXsugar OptionalSugar
begin
(*>*)

section "The Isar proof language"

text{* This section describes the basics of the Isar proof language. *}

subsection "Overview of Isar's syntax (simplified)"

text{*
A lemma (or theorem) starts with a label, followed by some premises and a
conclusion. The premises are introduced with the 'assumes' keyword and
separated by 'and'. Each premise may be labeled so that it can be referred to
in the proof. The conclusion is introduced with the 'shows' keyword. If there
are no premises, then the 'assumes' and 'shows' keywords can be left out.

The following is a simplified grammar for Isar proofs.

\begin{verbatim}
proof ::= 'proof' method statement* 'qed'
        | 'by' method

statement ::= 'fix' variable+
            | 'assume' proposition+
            | ('from' fact+)? 'have' proposition+ proof
            | ('from' fact+)? 'show' proposition+ proof

proposition ::= (label':')? string

fact ::= label

method ::= '-' | 'this' | 'rule' fact | 'simp' | 'blast' | 'auto'
         | 'induct' variable | ...
\end{verbatim}

The \textbf{show} statement establishes the conclusion of the proof, whereas
the \textbf{have} statement is for establishing intermediate results.
*}

subsection "Propositional reasoning"

text{*
The first example will demonstrate the use of the \textit{conjI} rule to
prove a conjunction (a logical 'and'). The \textit{conjI} rule is shown
below. The horizontal bar is used to separate the premises from the
conclusion.

\begin{equation}\notag
(\textit{conjI})\;@{thm [mode=Rule] conjI [no_vars]}
\end{equation}

The rule can equivalently be rendered in English as follows.

\begin{equation}\notag
(\textit{conjI})\;@{thm [mode=IfThen] conjI [no_vars]}
\end{equation}

\noindent In the following example we use the \textit{conjI} rule twice.
Each time we supply the necessary premises using the \textbf{from} clause
and make sure to specify the premises in the expected order.
*}

lemma conj2:
  assumes p: "P" and q: "Q"
  shows "P \<and> (Q \<and> P)"
proof -
  from q p have qp: "Q \<and> P" by (rule conjI)
  from p qp show "P \<and> (Q \<and> P)" by (rule conjI)
qed

text{*
The above proof is an example of \emph{forward reasoning}. We start with
basic facts, like P and Q, and work up towards proving the conclusion.
Isabelle also supports \emph{backward reasoning}, where the focus is on
decomposing the goal (the conclusion) into smaller subgoals. The following is
a proof of the same proposition as above, but this time using backward
reasoning. We can apply the \textit{conjI} rule in reverse by using it as an
argument to the \textbf{proof} form. The proposition you are trying to prove
should match the conclusion of the rule. The resulting proof state will have
a subgoal for each premise of the rule. Each subgoal is proved with a
\textbf{show} statement, and the sub-proofs are separated with \textbf{next}.
The \emph{goals} window shows the list of subgoals.
*}

lemma
  assumes p: "P" and q: "Q"
  shows "P \<and> (Q \<and> P)"
proof (rule conjI)
  from p show "P" by this
next
  show "Q \<and> P"
  proof (rule conjI)
    from q show "Q" by this
  next
    from p show "P" by this
  qed
qed

text{*
The \textit{this} method resolves the goal using the current facts (in the
\textbf{from} clause). The next example demonstrates how to prove an
implication and make use of conjunctions using the following rules.

\begin{equation}
(\textit{impI})\;@{thm [mode=Rule] impI [no_vars]}\qquad
(\textit{conjunct1})\;@{thm [mode=Rule] conjunct1 [no_vars]}\qquad
(\textit{conjunct2})\;@{thm [mode=Rule] conjunct2 [no_vars]}
\notag
\end{equation}

\noindent The following proof uses a mixture of forward and backward
reasoning. The choice between forward or backward reasoning depends on what
you are trying to prove. Use whichever style seems more natural for the
situation.
*}

lemma "(0::nat) < a \<and> a < b \<longrightarrow> a * a < b * b"
proof (rule impI)
  assume x: "0 < a \<and> a < b"
  from x have za: "0 < a" by (rule conjunct1)
  from x have ab: "a < b" by (rule conjunct2)
  from za ab have aa: "a*a < a*b" by simp
  from ab have bb: "a*b < b*b" by simp
  from aa bb show "a*a < b*b" by (rule less_trans)
qed

text{* Modus ponens *}

lemma assumes ab: "A \<longrightarrow> B" and a: "A" shows "B"
  by (rule mp)

text{* Disjunction introduction *}

lemma assumes a: "A" shows "A \<or> B" by (rule disjI1)
lemma assumes b: "B" shows "A \<or> B" by (rule disjI2)

text{* Reasoning by cases. *}

lemma assumes ab: "x=1 \<or> x=2" shows "x > (0::nat)"
using ab
proof (rule disjE)
  assume x1: "x = 1"
  from x1 show "0 < x" by simp
next
  assume x2: "x = 2"
  from x2 show "0 < x" by simp
qed

text{*
See the manual ``Isabelle's Logics: HOL'' section 2.2 for a complete list of
the inference rules.
*}

subsection "Isar shortcuts"

text{*
Isar has lots of shortcuts.

\begin{tabular}{l}
'this' refers to the fact proved by the previous statement.\\
'then' = 'from this'\\
'hence' = 'then have'\\
'thus' = 'then show'\\
'with' fact+ = 'from' fact+ 'and' 'this'\\
'.' = 'by this'\\
'..' = 'by' rule where Isabelle guesses the rule
\end{tabular}
*}

text{*
A sequence of facts that will be used as premises in a statement can be
grouped using 'moreover' and then fed into the statement using 'ultimately'.
The order of the facts matters.
*}

lemma "A \<and> B \<longrightarrow> B \<and> A"
proof (rule impI)
  assume ab: "A \<and> B"
  hence "B" by (rule conjunct2)
  moreover from ab have "A" ..
  ultimately show "B \<and> A" by (rule conjI)
qed

text{*
Equational reasoning is made more succinct with the combination of 'also'
and 'finally'.
*}

lemma assumes ab: "a = b" and bc: "b = c" and c_d: "c = d" shows "a = d"
proof -
  have "a = b" by (rule ab)
  also have "\<dots> = c" by (rule bc)
  also have "\<dots> = d" by (rule c_d)
  finally show "a = d" .
qed

subsection "Universal and existential quantifiers"

lemma assumes a: "\<forall> x. P \<longrightarrow> Q x" shows "P \<longrightarrow> (\<forall> y. Q y)"
proof (rule impI)
  assume p: "P"
  show "\<forall> y. Q y"
  proof (rule allI)
    fix y
    from a have pq: "P \<longrightarrow> Q y" by (rule allE)
    from pq p show "Q y" by (rule mp)
  qed
qed

text{*
Isabelle's elimination rule for existentials (exE) is a little funky to
understand, but Isar provides a nice 'obtain' form that makes it
straightforward to use existentials.
*}

lemma assumes e: "\<exists> x. P \<and> Q(x)" shows "P \<and> (\<exists> x. Q(x))"
proof (rule conjI)
  from e obtain x where p: "P" and q: "Q(x)" by blast
  from p show "P" .
next
  from e obtain y where p: "P" and q: "Q(y)" by blast
  from q show "\<exists> z. Q(z)" by (rule exI)
qed

constdefs
  divisible_by :: "nat \<Rightarrow> nat \<Rightarrow> bool" ("_ | _" [80,80] 80)
  "x | y \<equiv> \<exists> k. x = k * y"

lemma divisible_by_trans:
  assumes ab: "a | (b::nat)" and bc: "b | (c::nat)"
  shows "a | (c::nat)"
proof -
  from ab obtain k1 where ak1b: "a = k1 * b" using divisible_by_def by auto
  from bc obtain k2 where bk2c: "b = k2 * c" using divisible_by_def by auto
  from ak1b bk2c have "a = (k1 * k2) * c" by auto
  hence "\<exists> k. a = k * c" by (rule exI)
  thus "a | c" by (simp add: divisible_by_def)
qed

lemma divisible_by_modz: "(a | b) = (a mod b = 0)"
  using divisible_by_def by auto

subsubsection "Exercises"

text{*
Show that division by a positive natural commutes over addition for natural
numbers when the numbers being added are evenly divisible by the denominator.
Hint: you may need to use a lemma from Isabelle's Nat theory.
*}

subsection "Case analysis of datatypes"

text{*
If you have a value of a datatype, it must have come from one of the
constructors for the datatype. Isabelle provides a \textit{cases} rule that
generates one subgoal per constructor, replacing the value you chose for case
analysis with that constructor. As an example we'll use case analysis to
prove a simple property of the \textit{drop} function from Isabelle's List
theory. The \textit{drop} function is just the tail function \textit{tl}
applied $n$ times. For reference, the following is the definition of
\textit{drop}.
\begin{equation}
\begin{array}{lcl}
@{thm_style lhs drop_Nil [no_vars]} &=& @{thm_style rhs drop_Nil [no_vars]} \\
@{thm_style lhs drop_Cons [no_vars]} &=& @{thm_style rhs drop_Cons [no_vars]}
\end{array}\notag
\end{equation}
*}

lemma "drop (n + 1) xs = drop n (tl xs)"
proof (cases xs)
  assume "xs = []"
  thus "drop (n + 1) xs = drop n (tl xs)" by simp
next
  fix a list
  assume "xs = a # list"
  thus "drop (n + 1) xs = drop n (tl xs)" by simp
qed

subsection "Notes"

text{*
The book ``How to Prove It''~\cite{Velleman:1994ys} has lots of good examples
and advice concerning logical reasoning and proofs. Some of the examples from
this section (and later ones) were adapted from that book.
*}

(*<*)
end
(*>*)

(* LocalWords: LaTeXsugar OptionalSugar un notI simp notE qed impI FalseE rc *)
(* LocalWords: iffI sc rs conjI Isabelle iffD allI pq allE mp Isabelle's exE *)
(* LocalWords: existentials funky Isar exI constdefs nat bool def ab bc xs ys *)
(* LocalWords: consts primrec itrev IH datatype EmptyT NodeT NilF ConsF thm *)
(* LocalWords: vars notag tac binop expr Const Var App textit eval env ILoad *)
(* LocalWords: IApply instr IConst IApp Þ'v hd tl comp Õvs HOL *)
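Two added examples, not part of the lecture file above: a lemma in the style of divisible_by_trans showing that the sum of two multiples of d is again a multiple of d (the building block the exercise on division needs), and a case analysis on a natural number rather than a list for the same drop function. The block assumes the Lecture2 theory above is loadable as an import (so its divisible_by definition and '|' notation are in scope) and uses the Nat-theory lemma add_mult_distrib; the companion theory name is made up here.

```isabelle
theory Lecture2Extra imports Lecture2 begin

(* Sum of two multiples of d is a multiple of d, in the page's notation:
   "a | d" means a = k * d for some k.  Same obtain / hence / thus shape
   as divisible_by_trans, but the two witnesses are added, not multiplied. *)
lemma divisible_by_add:
  assumes ad: "a | (d::nat)" and bd: "b | (d::nat)"
  shows "(a + b) | (d::nat)"
proof -
  from ad obtain k1 where ak1d: "a = k1 * d" using divisible_by_def by auto
  from bd obtain k2 where bk2d: "b = k2 * d" using divisible_by_def by auto
  (* add_mult_distrib: (m + n) * k = m * k + n * k, from Isabelle's Nat theory *)
  from ak1d bk2d have "a + b = (k1 + k2) * d" by (simp add: add_mult_distrib)
  hence "\<exists> k. a + b = k * d" by (rule exI)
  thus "(a + b) | d" by (simp add: divisible_by_def)
qed

(* Case analysis on the nat argument of drop instead of on the list:
   the 'cases n' rule yields one subgoal for the constructor 0 and one
   for Suc m, with m fixed as a fresh variable in the second branch. *)
lemma "drop n (x # xs) = (if n = 0 then x # xs else drop (n - 1) xs)"
proof (cases n)
  assume "n = 0"
  thus "drop n (x # xs) = (if n = 0 then x # xs else drop (n - 1) xs)" by simp
next
  fix m assume "n = Suc m"
  thus "drop n (x # xs) = (if n = 0 then x # xs else drop (n - 1) xs)" by simp
qed

end
```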