Natural Deduction in ISABELLE: - ``Single-step proofs based on ...

<strong>Natural</strong> <strong>Deduction</strong> <strong>in</strong> <strong>ISABELLE</strong>: 

“S<strong>in</strong>gle-<strong>step</strong> <strong>proofs</strong> <strong>based</strong> on Sequent Notation ” 

Joaquín AGuado 1 

1 Informatics Theory Group (GdI) 

University of Bamberg 

joaqu<strong>in</strong>.aguado@wiai.uni-bamberg.de 

University of Sheffield, 

August 17, 2007 

J. AGuado (Informatics Theory Group) <strong>Natural</strong> <strong>Deduction</strong> <strong>in</strong> <strong>ISABELLE</strong> University of Bamberg 1 / 56

Outl<strong>in</strong>e 

1 MA-101: Logic 

Lecture (Vorlesung) 

Tutorial (Übung) 

Laboratory (Praktikum) 

2 The Gospel of Isabelle 

She who Rules, Unifies . . . 

And this is Her Resolution: 

Lift Up the Stone, and You will F<strong>in</strong>d Me There 

3 Isis Bella 

Variations on Resolution 

More Methods and Commands 

Examples 


Formal Logic 

Generally, a Logic is captured by a Formal System consist<strong>in</strong>g of two 

components: 

1 A Formal Language: 

A f<strong>in</strong>ite set of symbols which can be used for construct<strong>in</strong>g formulae 

(signature Σ, sorted family of variables X). 

A way of construct<strong>in</strong>g well-formed-formulas: Term Σ (X), Atom Σ (X) and 

Form Σ (X) (e.g., grammars, syntax rules). 

2 A Proof System: 

A particular set of rules. 

General pr<strong>in</strong>ciples on of how rules are grafted together to build trees 

(called derivations). 


The Language: A Signature for Lists 

ToyList 

Σ = (S, OP, REL) 

S = {a, list} 

OP = { nil : list, 

cons: a list 7→ list, 

app: list list 7→ list, 

rev: list 7→ list } 

REL = { is <strong>in</strong>: ha listi, 

sublist: hlist listi } 

X = {x : a, xs : list} 


The Language: FOL Syntax 

Well-Formed Terms (i.e., Term Σ(X)): 

x 2 X s 

(T1) 

x : s 

t 1 : s 1 t 2 : s 2 . . . t n : s n f : s 1 s 2 . . . s n → s 2 OP 

f(t 1 , t 2 , . . . , t n ) : s 

(T2) 

Well-Formed (Atomic) Formulas (i.e., Atom Σ(X)): 

(A1) 

> : hi 

(A1) 

: hi 

t 1 : s t 2 : s 

t 1 = t 2 : hi 

(A2) 

t 1 : s 1 t 2 : s 2 . . . t n : s n R : hs 1 s 2 . . . s n i 2 REL 

R(t 1 , t 2 , . . . , t n ) : hi 

Well-Formed Formulas (i.e., Form Σ(X)): 

(A3) 

ϕ : hi ψ : hi 

(ϕ ∧ ψ) : hi 

(F1) 


(ϕ ∨ ψ) : hi 

(F1) 


(ϕ → ψ) : hi 

(F1) 


(ϕ ↔ ψ) : hi 

(F1) 

ϕ : hi 

(¬ϕ) : hi 

(F2) 

x 2 X ϕ : hi 

(8x ϕ) : hi 

(F3) 

x 2 X ϕ : hi 

(9x ϕ) : hi 

(F3) 


The Language: A Well-Formed Formula 

x : a xs : list is <strong>in</strong> : ha listi 2 REL 

is <strong>in</strong>(x, xs) : hi 

(A 3 ) 

x : a 

xs : list 

rev : list 7→ list 2 OP 

(T 2 ) 

rev(xs) : list 

is <strong>in</strong>(x, rev(xs)) : hi 

is <strong>in</strong> : ha listi 2 REL 

(A 3 ) 

xs 2 X 

is <strong>in</strong>(x, xs) : hi is <strong>in</strong>(x, rev(xs)) : hi 

x 2 X is <strong>in</strong>(x, xs) → is <strong>in</strong>(x, rev(xs)) : hi 

9x is <strong>in</strong>(x, xs) → is <strong>in</strong>(x, rev(xs)) : hi 

8xs 9x is <strong>in</strong>(x, xs) → is <strong>in</strong>(x, rev(xs)) : hi 

(F 1 ) 

(F 3 ) 

(F 3 ) 


Semantics, Meta-logical Approach & Motivation 

Logic maybe formulated abstractly by its own sake, but it usually has an 

<strong>in</strong>tended <strong>in</strong>terpretation represent<strong>in</strong>g a description of some doma<strong>in</strong> of 

<strong>in</strong>terest (Semantics). 

A Meta-logic is a logic that is used to formalise syntax, proof system, 

semantics and meta-properties (soundness, completeness) of another logic 

called the object-logic. 

Here we will focus on the deductive mach<strong>in</strong>ery and implicitly assume 

syntax, semantics and meta-theorems. 

Mechanis<strong>in</strong>g Logical <strong>Deduction</strong> (Motivation) 

By formalis<strong>in</strong>g patterns of reason<strong>in</strong>g, it is possible for such reason<strong>in</strong>g to be 

checked or even carried out by a computer. 


Proof System: <strong>Natural</strong> <strong>Deduction</strong> 

Isabelle is a generic (<strong>in</strong>teractive) theorem prover designed around <strong>Natural</strong> 

<strong>Deduction</strong>. It has been <strong>in</strong>stantiated to support reason<strong>in</strong>g <strong>in</strong> several 

object-logics. 

<strong>Natural</strong> <strong>Deduction</strong> is an approach to Proof Theory that attempts to 

provide a formal model of logical reason<strong>in</strong>g as it “naturally” occurs. 

we make (temporary) assumptions. 

we derive new formulae by apply<strong>in</strong>g basic rules. 

there is a mechanism for discharg<strong>in</strong>g assumption. 

S<strong>in</strong>ce the logic’s syntax and the <strong>in</strong>ference rules are specified declaratively, 

this allows s<strong>in</strong>gle-<strong>step</strong> proof construction. 


Inference 

In Isabelle, <strong>proofs</strong> are constructed us<strong>in</strong>g <strong>in</strong>ference rules. The most familiar 

is (probably) modus ponens: 

P → Q 

Q 

P 

(mp) 

Derivations are trees, where the leaves are called assumptions. 

[A → (B → C)] [A] 

B → C 

C 

(mp) 

[B] 

(mp) 

<strong>Natural</strong> <strong>Deduction</strong> <strong>proofs</strong> build derivations under (possibly temporary) 

assumptions. A proof is a derivation with no open assumptions. 


Intuitionistic FOL Rules I 

¬P abbreviates P → 

P ↔ Q abbreviates (P → Q) ∧ (Q → P) 

P Q 

P ∧ Q 

(conjI) 

P ∧ Q 

(conjunct1) 

P 

P ∧ Q 


Q 

[P] 

[Q] 

P 

P ∨ Q 

(disjI1) 

Q 

P ∨ Q 

(disjI2) 

P ∨ Q 

. 

R 

R 

. 

R 

(disjE) 

[P] 

. 

Q 

P → Q 

(impI) 

P → Q 

Q 

P 

(mp) 

 

P 

(FalseE) 


Intuitionistic FOL Rules II (Includ<strong>in</strong>g Equality) 

[P] 

P 

8x.P 

(allI) 1 £ 

8x.P 

P[t/x] 

(spec) 

P[t/x] 

(exI) 

9x.P 

9x.P 

Q 

. 

Q 

(exE) 2 £ 

(refl) 

t = t 

t = u 

P[u/x] 

P[t/x] 

(subst) 

Eigenvariable conditions: 

1 £ : (8I) provided x is not free <strong>in</strong> any assumption on which P depends. 

2 £ : (9E) provided x is not free <strong>in</strong> Q or any assumption except P. 


Paper & Pencil 

Lemma 1 

(A ∧ (B ∧ C)) → (A ∧ C) 

Proof. 

[A ∧ (B ∧ C)] £ 

[A ∧ (B ∧ C)] £ (conjunct2) 

B ∧ C 


A 

C 

A ∧ C 

(A ∧ (B ∧ C)) £ → (A ∧ C) 



(impI) 


A “Theorem Checker” Dialog 

You 

lemma “A ∧ (B ∧ C) −→ A ∧ C” 

apply (rule impI) 

apply (rule conjI) 

apply (rule conjunct1) 

apply (assumption) 

apply (conjunct2) 

apply (conjunct2) 


done 

Isabelle 

1. A ∧ B ∧ C −→ A ∧ C 

1. A ∧ B ∧ C =⇒ A ∧ C 

1. A ∧ B ∧ C =⇒ A 

2. A ∧ B ∧ C =⇒ C 

1. A ∧ B ∧ C =⇒ A ∧ Q 2 

2. A ∧ B ∧ C =⇒ C 

1. A ∧ B ∧ C =⇒ C 

1. A ∧ B ∧ C =⇒ P 3 ∧ C 

1. A ∧ B ∧ C =⇒ P 4 ∧ P 3 ∧ C 

No more Goals . . . 


Derivability Judgment 

All assumptions <strong>in</strong> 

A → (B → C) 

B → C 

C 

A 

(mp) 

B 

(mp) 

are open. 

We can write A → (B → C), A, B ` C (derivability judgment) to assert 

that C can be derived <strong>in</strong> this proof system under the given assumptions 

A → (B → C), A, B. 

It is possible to make such derivability judgments the central object of a 

deduction system. The notation Γ ` A is called Sequent Notation. 


<strong>Natural</strong> <strong>Deduction</strong> Us<strong>in</strong>g Sequent Notation 

For the → /∧ fragment: 

A 2 Γ 

Γ ` A 

(assumption) 

Γ ` B 

A, Γ ` B 

(weaken) 

Γ ` A Γ ` B 

Γ ` A ∧ B 

(∧ I ) 

Γ ` A ∧ B 

Γ ` A 

(∧ EL ) 

Γ ` A ∧ B 

Γ ` B 

(∧ ER ) 

A, Γ ` B 

Γ ` A → B 

(→ I ) 

Γ ` A → B Γ ` A 

Γ ` B 

(→ E ) 

More rules can be derived. 


Ref<strong>in</strong>ement Style with Metavariables 

A ∧ (B ∧ C) 2 Γ 

A ∧ (B ∧ C) ` P 4 ∧ (P 3 ∧ C) 

A ∧ (B ∧ C) ` P 3 ∧ C 

A ∧ (B ∧ C) ` C 


(∧ ER ) 

(∧ ER ) 

A ∧ (B ∧ C) 2 Γ 


A ∧ (B ∧ C) ` A ∧ Q 2 

(∧ EL ) 

A ∧ (B ∧ C) ` A 

A ∧ (B ∧ C) ` A A ∧ (B ∧ C) ` C 

A ∧ (B ∧ C) ` A ∧ C 

` A ∧ (B ∧ C) −→ A ∧ C 

(∧ I ) 

(→ I ) 

Solution for Q 2 (B ∧ C) and P 3 B and P 4 A. 


Meta-Logic 

The Isabelle’s meta-level connectives are implication, the universal 

quantifier, and equality: 

The implication φ =⇒ ψ means ‘φ implies ψ’, and express logical 

entailment. 

The quantification V x.φ means ‘φ is true for all x’, and express 

generality <strong>in</strong> rules and axiom schemes. 

The equality a b means ‘a equals b’, for express<strong>in</strong>g def<strong>in</strong>itions. 

Isabelle also provides schematic variables (unknowns) for unification. 

Logically, these are free variables. But while ord<strong>in</strong>ary variables rema<strong>in</strong> 

fixed, unification may <strong>in</strong>stantiate the schematic variables (i.e., they can be 

replaced by arbitrary formulas). 


Object-Level Rules as Meta-Level Axioms I 

[P; Q] =⇒ P ∧ Q 


P ∧ Q =⇒ P P ∧ Q =⇒ Q (conjunct1, 2) 

[P ∨ Q; P =⇒ R; Q =⇒ R] =⇒ R 

(disjE) 

P =⇒ P ∨ Q Q =⇒ P ∨ Q (disjI1, 2) 

(P =⇒ Q) =⇒ P −→ Q 

[P −→ Q; P] =⇒ Q 

(impI) 

(mp) 

False =⇒ P 

(FalseE) 


Object-Level Rules as Meta-Level Axioms II 

(^ x. P x) =⇒ 8x. P x (allI) 

(8x. P x) =⇒ P x 

(spec) 

P x =⇒ 9x. P x (exI) 

[9x. P x; 

^ 

x. P x −→ Q] =⇒ Q (exE) 

[s = t; P s] =⇒ P t 

(subst) 

The object-level quantifier (8) is def<strong>in</strong>ed us<strong>in</strong>g V . But, it is not required 

to have meta-level counterparts of all the connectives of the object-logic! 


Unification 

Unification refers to the process of mak<strong>in</strong>g two terms identical 

(possibly) by substitut<strong>in</strong>g their schematic variables by terms. 

Unification is equation solv<strong>in</strong>g: 

The simplest case is when the two terms are already the same. 

Next simplest is pattern-match<strong>in</strong>g which replaces variables <strong>in</strong> one of 

the terms. 

In the most complex case, variables <strong>in</strong> both terms are replaced. 

Unification supports quantifier reason<strong>in</strong>g by allow<strong>in</strong>g the schematic 

variables to be <strong>in</strong>stantiate later, possibly <strong>in</strong> stages. 

Higher-Order Unification (HU) is equation solv<strong>in</strong>g for typed 

λ-terms. 


Higher-Order Unification: Imitation 

Isabelle uses Huet’s Search Procedure (HSP) which solves equations by 

Imitation and Projection. For example, to solve the equation: 

P(t) αβη g(u 1 , . . . , u k ) (1) 

Imitation makes P apply the lead<strong>in</strong>g symbol of the right-hand side. So, 

to solve equation (1), HSP guesses: 

P λx. g(h 1 (x), . . . , h k (x)) 

Now, assum<strong>in</strong>g there are no other occurrences of P, equation (1) 

simplifies to the set of equations: h 1 (t) αβη u 1 . . . h k (t) αβη u k . 

If the processes solves these equations <strong>in</strong>stantiat<strong>in</strong>g h 1 , . . . , h k , then it 

yields an <strong>in</strong>stantiation for P. 


Higher-Order Unification: Projection 

Projection makes P apply one of its argument. So, to solve equation: 

P(t) αβη g(u 1 , . . . , u k ) (1) 

If t expects m arguments and delivers a result of suitable type, HSP 

guesses: 

P λx. x(h 1 (x), . . . , h m (x)) 

Assum<strong>in</strong>g there are no other occurrences of P, equation (1) simplifies to 

the equation: 

t(h 1 (t), . . . , h m (t)) αβη g(u 1 , . . . , u k ) 


HSP Features 

1 Equations with no functions unknowns are solved us<strong>in</strong>g first-order 

unification, extended to treat bound variables. 

2 An occurrence of the term P(x, y, z), where the arguments are 

dist<strong>in</strong>ct bound variables, causes no difficulties. Its projections can only 

match the correspond<strong>in</strong>g variables. 

3 Even an equation such as P(a) αβη a + a is all right. It has four 

solutions, but Isabelle evaluates them lazily, try<strong>in</strong>g projection before 

imitation: 

P αβη λx. x + x, P αβη λx. a + x, P αβη λx. x + a, and 

P αβη λx. a + a. 

4 Equations such as P(x, y) αβη t and P(g(x)) αβη t admit vast 

number of unifiers, and must be avoided. 


Proof by Resolution 

Resolution is the basic mechanism for transform<strong>in</strong>g proof states <strong>in</strong> 

Isabelle <strong>in</strong> order to construct a proof. It is convenient for derive simple 

rules and for reason<strong>in</strong>g forward from facts. 

Forward proof work by unify<strong>in</strong>g theorems with the premises of a rule, 

deriv<strong>in</strong>g a new theorem. 

Resolution, <strong>in</strong> particular, is convenient for backward proof. 

Intuitively 

Backward proof works by unify<strong>in</strong>g a goal with the conclusion of a rule, 

whose premises become new subgoals. 

So, we start with a goal and ref<strong>in</strong>e it to progressively simpler subgoals until 

all have been solved. 


Theorems (Rules and Proof States) for Resolution 

Isabelle works with meta-level theorems of the form [φ 1 ; . . . φ n ] =⇒ φ. 

We can view this as the <strong>Natural</strong> <strong>Deduction</strong>’s rule with premises 

φ 1 , . . . , φ n and conclusion φ. Also, it can be viewed as the proof state 

with subgoals φ 1 , . . . , φ n and ma<strong>in</strong> goal φ. 

Let [ψ 1 ; . . . ; ψ m ] =⇒ ψ and [φ 1 ; . . . ; φ n ] =⇒ φ be two Isabelle theorems. 

If ψ and φ i have a higher-order unifier, then there is some substitution s 

such that (ψ)s αβη (φ i )s. In short, 

Def<strong>in</strong>ition 2 (Resolution) 

[ψ 1 ; . . . ; ψ m ] =⇒ ψ [φ 1 ; . . . ; φ i ; . . . ; φ n ] =⇒ φ 

((ψ)s αβη (φ i )s) 

([φ 1 ; . . . ; φ i−1 ; ψ 1 ; . . . ; ψ m ; . . . φ n ] =⇒ φ)s 


Backward Proof 

To prove the formula φ, take φ =⇒ φ as the <strong>in</strong>itial proof state. This 

assertion is, trivially, a theorem. 

At a later stage <strong>in</strong> the (backward) proof, a typical proof state is 

[φ 1 ; . . . ; φ n ] =⇒ φ. This is a theorem, ensur<strong>in</strong>g that the subgoals 

φ 1 , . . . , φ n imply φ. 

If n = 0 then we have proved φ outright. Otherwise, to ref<strong>in</strong>e subgoal φ i 

of a proof state by a rule [ψ 1 ; . . . ; ψ m ] =⇒ ψ perform resolution. 

In this form, the subgoal φ i is replaced by m new subgoals (the rule’s 

<strong>in</strong>stantiated premises). 

If some unknowns are left un-<strong>in</strong>stantiated, they become new unknowns <strong>in</strong> 

the (new) proof state. 


Beh<strong>in</strong>d the Scenes (Unification) 

You 

lemma “A ∧ (B ∧ C) −→ A ∧ C” 

Isabelle 

1. A ∧ B ∧ C −→ A ∧ C 


(P =⇒ Q) =⇒ P −→ Q 

A ∧ B ∧ C −→ A ∧ C =⇒ A ∧ B ∧ C −→ A ∧ C 

(impI) 

(state1) 

Substitution s for (P −→ Q)s αβη ( A ∧ B ∧ C −→ A ∧ C)s 

Solution P A ∧ B ∧ C and Q A ∧ C 


Beh<strong>in</strong>d the Scenes (Resolution) 

You 

lemma “A ∧ (B ∧ C) −→ A ∧ C” 


Isabelle 

1. A ∧ B ∧ C −→ A ∧ C 

1. A ∧ B ∧ C =⇒ A ∧ C 

(P =⇒ Q) =⇒ P −→ Q A ∧ B ∧ C −→ A ∧ C =⇒ A ∧ B ∧ C −→ A ∧ C 

((P =⇒ Q) =⇒ A ∧ B ∧ C −→ A ∧ C)s 

But ((P =⇒ Q) =⇒ A ∧ B ∧ C −→ A ∧ C)s after substitution becomes: 

(A ∧ B ∧ C =⇒ A ∧ C) =⇒ A ∧ B ∧ C −→ A ∧ C (state2) 


Lift<strong>in</strong>g a Rule <strong>in</strong>to a Context 

The rules impI and allI may seem unsuitable for resolution. 

They have non-atomic premises, namely P =⇒ Q and V x. P x, while 

the conclusions of all the rules are atomic. 

Isabelle gets round this problem, through a meta-<strong>in</strong>ference called Lift<strong>in</strong>g. 

Def<strong>in</strong>ition 3 (Lift<strong>in</strong>g over Assumptions) 

[φ 1 ; . . . ; φ n ] =⇒ φ 

[θ =⇒ φ 1 ; . . . ; θ =⇒ φ n ] =⇒ (θ =⇒ φ) 

Lift<strong>in</strong>g over θ =⇒ is clearly sound. 

Typically, the θ i are assumptions <strong>in</strong> a <strong>Natural</strong> <strong>Deduction</strong> proof; lift<strong>in</strong>g 

copies them <strong>in</strong>to a rule’s premises and conclusion. 


Lift<strong>in</strong>g Over Assumptions 

In our proof example, Isabelle is now display<strong>in</strong>g: A ∧ B ∧ C =⇒ A ∧ C 

and the proof state is: 

(A ∧ B ∧ C =⇒ A ∧ C) =⇒ A ∧ B ∧ C −→ A ∧ C 

We want to apply [P; Q] =⇒ P ∧ Q. But for this, the rule must be 

lifted over assumption A ∧ B ∧ C, as follows: 

Lift<strong>in</strong>g over A ∧ B ∧ C =⇒ 

[P; Q] =⇒ P ∧ Q 

[A ∧ B ∧ C =⇒ P; A ∧ B ∧ C =⇒ Q] =⇒ (A ∧ B ∧ C =⇒ P ∧ Q) 


The Next Step <strong>in</strong> the Proof 

Us<strong>in</strong>g the follow<strong>in</strong>g nomenclature for l<strong>in</strong>ear notation: 

D 11 

D 1 D 2 

D 

D : [A ∧ B ∧ C =⇒ A; A ∧ B ∧ C =⇒ C] =⇒ A ∧ B ∧ C −→ A ∧ C 

D 1 : [A ∧ B ∧ C =⇒ P; A ∧ B ∧ C =⇒ Q] =⇒ (A ∧ B ∧ C =⇒ P ∧ Q) 

D 11 : [P; Q] =⇒ P ∧ Q 

D 2 : (A ∧ B ∧ C =⇒ A ∧ C) =⇒ A ∧ B ∧ C −→ A ∧ C 

From the lifted rule (D 1 ) and proof state (D 2 ). 

For (A ∧ B ∧ C =⇒ P ∧ Q αβη A ∧ B ∧ C =⇒ A ∧ C)s, we use s: P A 

and Q C. 

Then by resolution, and after substitution we get a new state (D). 


Lift<strong>in</strong>g Over Parameters 

An analogous form of Lift<strong>in</strong>g handles premises of the form V x . . . . Here, 

lift<strong>in</strong>g prefixes an object-rule’s premises and conclusion with V x . . . . At 

the same time lift<strong>in</strong>g <strong>in</strong>troduces a dependence upon x. 

It replaces each unknown P <strong>in</strong> the rule by P 0 x, where P 0 is a new 

unknown (by subscript<strong>in</strong>g) of suitable type (necessarily a function type). 

In short: 

Def<strong>in</strong>ition 4 (Lift<strong>in</strong>g over Parameters) 

[φ 1 ; . . . ; φ n ] =⇒ φ 

[ V x. φ x 1 ; . . . ;V x. φ x n] =⇒ V x. φ x 

where φ x stands for the result of lift<strong>in</strong>g unknowns over x <strong>in</strong> φ. It is not 

hard to see that this meta-<strong>in</strong>ference is sound. 


A Quantifier Proof: For All Introduction 

You 

8x. P x −→ P x ∨ Q y 

Isabelle 

8x. P x −→ P x ∨ Q y =⇒ 8x. P x −→ P x ∨ Q y 

answers: 8x. P x −→ P x ∨ Q y 

You 

apply (rule allI) 

( V x. P x) =⇒ 8x. P x 

( V x. P x) =⇒ 8x. P x 8x. P x −→ P x ∨ Qy =⇒ 8x. P x −→ P x ∨ Q y 

(( V x. P x) =⇒ 8x. P x −→ P x ∨ Qy)s 


A Quantifier Proof: Lift<strong>in</strong>g Over Parameters 

Isabelle 

V x. P x −→ P x ∨ Q y =⇒ 8x. P x −→ P x ∨ Q y 

answers: V x. P x −→ P x ∨ Q y 

You 

apply (rule impI) (P =⇒ Q) =⇒ P −→ Q 

And then . . . 

Lift<strong>in</strong>g over V x 

(P =⇒ Q) =⇒ P −→ Q 

( V x. P 0 x =⇒ Q 0 x) =⇒ V x. P 0 x −→ Q 0 x 


A Quantifier Proof: Unification 

D 

: ( V x. P x =⇒ P x ∨ Q y) =⇒ 8x. P x −→ P x ∨ Q y 

D 1 : ( V x. P 0 x =⇒ Q 0 x) =⇒ V x. P 0 x −→ Q 0 x 

D 11 : (P =⇒ Q) =⇒ P −→ Q 

D 2 

V 

: x. P x −→ P x ∨ Q y =⇒ 8x. P x −→ P x ∨ Q y 

V x. P 

0 

x −→ Q 

0 

x 

 

αβη 

V x. P x −→ P x ∨ Q y 

P 0 

x αβη P x 

Q 0 x αβη P x ∨ Q y: 


A Quantifier Proof: Disjunction Introduction 

Isabelle 

( V x. P x =⇒ P x ∨ Q y)=⇒ 8x. P x −→ P x ∨ Q y 

answers: V x. P x =⇒ P x ∨ Q y 

You 

apply (rule disjI1) P =⇒ P ∨ Q 

Isabelle 

Lift<strong>in</strong>g over: V x. P x =⇒ 

Produces: ( V x. P x =⇒ P 0 x) =⇒ ( V x. P x =⇒ P 0 x ∨ Q 0 x) 

( V x. P x =⇒ P x)=⇒ 8x. P x −→ P x ∨ Q y 

answers: V x. P x =⇒ P x 


And then by Assumption . . . 

In the course of a proof, parameters x 1 , . . . , x m and assumptions 

accumulate form<strong>in</strong>g a context for each subgoal (<strong>in</strong> normal form): 

V 

x1 , . . . , x m [φ 1 ; . . . ; φ k ] =⇒ φ 

It says that φ follows from φ 1 , . . . , φ k for arbitrary x 1 , . . . , x m . This is 

trivially true if φ equals of any of φ 1 , . . . , φ k , or is unifiable with any of 

them . 

Isabelle 

answers: V x. P x =⇒ P x 

You 




Rule Application Methods (Tactics): rule & assumption 

Tactics perform backward proof. A tactic is a function that takes a proof 

state and returns a sequence (lazy list) of possible successor states. Basic 

tactics execute a meta-rule on a given subgoal. 

Method rule R 

Ord<strong>in</strong>ary resolution attempts to reduce the current subgoal φ i by unify<strong>in</strong>g 

it with the conclusion of the rule R : [ψ 1 ; . . . ; ψ m ] =⇒ ψ. The subgoal is 

then replaced by m new subgoals <strong>in</strong>stances of the premises of the rule. 

Method assumption 

If the goal φ i is of the form [ϕ 1 ; . . . ; ϕ k ] =⇒ ϕ. The assumption method 

tries to unify ϕ with ϕ j for some (1 j k). This models proof by 

assumption <strong>in</strong> <strong>Natural</strong> <strong>Deduction</strong>. 


Example: rule with Sequent Notation 

Isabelle 

answers: [A −→ C; B −→ C] =⇒ A ∨ B −→ C 

Γ, P ` Q 

Γ ` P −→ Q 

(rule impI) 

[A −→ C; B −→ C; A ∨ B] ` C 

[A −→ C; B −→ C] ` A ∨ B −→ C 

(rule impI) 

Isabelle 

answers: [A −→ C; B −→ C; A ∨ B] =⇒ C 


Rule Application Methods (Tactics): erule 

In pr<strong>in</strong>ciple, resolution and assumption suffice to prove all theorems. 

However, specialised forms of resolution are helpful for work<strong>in</strong>g with some 

classes of rules. 

Method erule R 

Consider the rule R : [ψ 1 ; . . . ; ψ m ] =⇒ ψ and subgoal φ i of the form 

[ϕ 1 ; . . . ; ϕ k ] =⇒ ϕ. Then erule would try simultaneously: (i) to reduce 

the goal φ i as with ord<strong>in</strong>ary resolution, and (ii) to solve the first premise 

ψ 1 of the rule R by assumption, with some assumption ϕ j of φ i . 

The subgoal is then replaced by m − 1 new subgoals <strong>in</strong>stances of the 

premises of the rule ψ 2 ; . . . ; ψ m where the match<strong>in</strong>g assumption ϕ j has 

been deleted. 


Example: erule with Sequent Notation 

Isabelle 

answers: [A −→ C; B −→ C; A ∨ B] =⇒ C 

Γ ` P ∨ Q Γ, P ` R Γ, Q ` R 

Γ ` R 

(rule disjE) 

Γ, P ` R Γ, Q ` R 

Γ, P ∨ Q ` R 

(erule disjE) 

[A −→ C; B −→ C; A] ` C [A −→ C; B −→ C; B] ` C 

[A −→ C; B −→ C; A ∨ B] ` C 

(erule disjE) 


Two K<strong>in</strong>ds of Elim<strong>in</strong>ation 

There are two k<strong>in</strong>ds of elim<strong>in</strong>ation rule. The rules, conjunct1, 

conjunct2, mp and spec extract the conclusion from the major premise. 

They are easy to use <strong>in</strong> forward proof (destruction rules). 

The rules disjE, FalseE and exE work by discharg<strong>in</strong>g assumptions. In 

<strong>Natural</strong> <strong>Deduction</strong> this is the most general form of elim<strong>in</strong>ation rule. 

To facilitate the use of destruction rules <strong>in</strong> a backward proof, Isabelle 

provides a means of transform<strong>in</strong>g them as follows: 

ψ 1 . . . ψ m (destruction) 

ψ 

ψ 1 . . . ψ m 

[ψ] 

. 

ϕ 

ϕ 

(elim<strong>in</strong>ation) 


Rule Application Methods (Tactics): drule & erule 

Method drule R 

This method comb<strong>in</strong>es the above transformation with elim-resolution (i.e., 

erule). 

In other words, it applies a destruction rule to some assumption of the 

goal. 

Method frule R 

Sometimes a (universal) formula has to be kept so that it can be used 

aga<strong>in</strong>. Then we use frule. 

This method is like drule except that the match<strong>in</strong>g assumption is not 

deleted, <strong>in</strong>stead it is copied. 


Next Step <strong>in</strong> the Example: rule 

Let us cont<strong>in</strong>ue our previous example, and explore various alternatives for 

it. 

Isabelle 

answers: [A −→ C; B −→ C; A] =⇒ C 

with rule 

Γ ` P −→ Q 

Γ ` Q 

Γ ` P 

(rule mp) 

[A −→ C; B −→ C; A] ` P −→ C [A −→ C; B −→ C; A] ` P 

[A −→ C; B −→ C; A] ` C 

(rule mp) 


Next Step <strong>in</strong> the Example: erule & Transformation 

Isabelle 


with erule 

Γ ` P 

Γ, P −→ Q ` Q 

(erule mp) 

[B −→ C; A] ` A 

[A −→ C; B −→ C; A] ` C 

(erule mp) 

Transformation 

Γ ` P −→ Q 

Γ ` Q 

Γ ` P 

(dest. mp) 

Γ ` P −→ Q Γ ` P Γ, Q ` R 

Γ ` R 

(elim. mp) 


Next Step <strong>in</strong> the Example: drule & frule 

Isabelle 


with drule 

Γ ` P Γ, Q ` R 

Γ, P −→ Q ` R 

(drule mp) 

[B −→ C; A] ` A [B −→ C; A; C] ` C 

[A −→ C; B −→ C; A] ` C 

(rule mp) 

with frule 

[A −→ C; B −→ C; A] ` A [A −→ C; B −→ C; A; C] ` C 

[A −→ C; B −→ C; A] ` C 

(frule mp) 


Proof Search 

Commands 

The by command executes an apply command and then tries to prove all 

rema<strong>in</strong><strong>in</strong>g subgoals by assumption. S<strong>in</strong>ce (if successful) it ends the proof, 

it also replaces the done symbol. 

The back command tries an alternative proof state successor of the 

current proof state (e.g., different unifiers). 

The undo command returns to the previous proof state. 

Methods 

The <strong>in</strong>tro method repeatedly applies the given <strong>in</strong>troduction rules. 

The elim method repeatedly applies elim<strong>in</strong>ation rules. 


Mak<strong>in</strong>g Bigger Steps 

Example 5 (impI OF impI) 





Alternatives 

Us<strong>in</strong>g by 


by (rule impI) 

A −→ (B −→ A) 

A =⇒ B −→ A 

[A; B] =⇒ A 

No subgoals! 

Us<strong>in</strong>g <strong>in</strong>tro 

apply (<strong>in</strong>tro impI) 




Explicit Substitution 

Some methods apply a rule while constra<strong>in</strong><strong>in</strong>g some of its variables. The 

general form is: 

Instantiat<strong>in</strong>g Variables 

rule tac v 1 = t 1 and . . . and v k = t k <strong>in</strong> R 

This behaves like rule R, while <strong>in</strong>stantiat<strong>in</strong>g variables v 1 , . . . , v k as 

specified. 

Note that for the tactics we have seen, there are variants of them: 

erule tac, 

drule tac and 

frule tac. 


Work<strong>in</strong>g with Quantifiers I 

For all, Exists 

lemma “forall-exists”: “(8x. p(x)) −→ (9x. p(x))” 

goal: (8x. p x) −→ (9x. p x) 

Γ, P ` Q 

Γ ` P −→ Q 

(rule impI) 

goal: 8x. p x =⇒ 9x. p x 

Γ ` P[t/x] 

Γ ` 9x. P x 

(rule exI) 

goal: 8x. p x =⇒ p x 1 


Work<strong>in</strong>g with Quantifiers II 

For all, Exists 

Alternatively, rule tac x = t <strong>in</strong> exI will result <strong>in</strong>: 

goal: 8x. p x =⇒ p t 

Γ ` 8x. P x 

Γ ` P[t/x] 

(rule spec) 

Γ, 8x. P x ` P[t/x] 

(erule spec) 

No subgoals! 


Work<strong>in</strong>g with Negation I 

Contrapositive 

goal: [¬(P −→ Q); ¬(R −→ Q)] =⇒ R 

[¬Q; ¬P =⇒ Q] =⇒ P 

(contrapos np) 

Γ ` ¬Q Γ, ¬P ` Q 

Γ ` P 

(rule contrapos np) 

goal: 1. [¬(P −→ Q); ¬(R −→ Q)] =⇒ ¬Q 

2. [¬(P −→ Q); ¬(R −→ Q); ¬R] =⇒ Q 


Work<strong>in</strong>g with Negation II 


goal: [¬(P −→ Q); ¬(R −→ Q)] =⇒ R 

Γ, ¬P ` Q 

Γ, ¬Q ` P 

(erule contrapos np) 

[¬(R −→ Q); ¬R] ` P −→ Q 

[¬(P −→ Q); ¬(R −→ Q)] ` R 


[¬(P −→ Q); ¬R] ` R −→ Q 

[¬(P −→ Q); ¬(R −→ Q)] ` R 



Work<strong>in</strong>g with Negation III 


goal: [¬(P −→ Q); ¬(R −→ Q)] =⇒ R 

Γ, ¬P ` Q 

Γ, ¬Q ` P 


Alternatively, erule tac Q = "R −→ Q" <strong>in</strong> contrapos np will produce the 

same effect. 

goal: [¬(P −→ Q); ¬R] =⇒ R −→ Q 

And then apply (rule impI) will result: 

goal: [¬(P −→ Q); ¬R; R] =⇒ Q 


Work<strong>in</strong>g with Negation IV 

Negation Elim<strong>in</strong>ation 

goal: [¬(P −→ Q); ¬R; R] =⇒ Q 

[¬P; P] =⇒ R 

(notE) 

Γ ` ¬P Γ ` P 

Γ ` R 

(rule notE) 

Γ ` P 

Γ, ¬P ` R 

(erule notE) 

by (erule notE) 


What is Next 

It is difficult to prove theorems us<strong>in</strong>g the methods we have studied 

(i.e., the proof can be very long). 

Proof sequences realise their full potential with Tacticals. These are 

operators for comb<strong>in</strong><strong>in</strong>g Tactics. DFS, BFS and Best-FS (heuristics) 

return their outcomes as sequences. 

Moreover, Isabelle provides enough atomation to tackle substantial 

examples. The Classical Reasoner is a family of tools that perform 

such <strong>proofs</strong> automatically. 

The most important is the blast method, which basically is a generic 

tableaux prover <strong>in</strong>tegrated with Isabelle (reasoner).

Natural Deduction in ISABELLE: - ``Single-step proofs based on ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?