\chapter{Basic Concepts}

 \section{Introduction}

 This is a tutorial on how to use Isabelle/HOL as a specification and

 verification system. Isabelle is a generic system for implementing logical

 formalisms, and Isabelle/HOL is the specialization of Isabelle for

 HOL, which abbreviates Higher-Order Logic. We introduce HOL step by step

 following the equation

 \[ \mbox{HOL} = \mbox{Functional Programming} + \mbox{Logic}. \]

 We assume that the reader is familiar with the basic concepts of both fields.

 For excellent introductions to functional programming consult the textbooks

 by Bird and Wadler~\cite{Bird-Wadler} or Paulson~\cite{Paulson-ML}.  Although

 this tutorial initially concentrates on functional programming, do not be

 misled: HOL can express most mathematical concepts, and functional

 programming is just one particularly simple and ubiquitous instance.

 A tutorial is by definition incomplete. To fully exploit the power of the

 system you need to consult the Isabelle Reference Manual~\cite{Isa-Ref-Man}

 for details about Isabelle and the HOL chapter of the Logics

 manual~\cite{Isa-Logics-Man} for details relating to HOL. Both manuals have a

 comprehensive index.

 \section{Theories, proofs and interaction}

 \label{sec:Basic:Theories}

 Working with Isabelle means creating two different kinds of documents:

 theories and proof scripts. Roughly speaking, a \bfindex{theory} is a named

 collection of types and functions, much like a module in a programming

 language or a specification in a specification language. In fact, theories in

 HOL can be either. Theories must reside in files with the suffix

 \texttt{.thy}. The general format of a theory file \texttt{T.thy} is

 \begin{ttbox}

 T = B\(@1\) + \(\cdots\) + B\(@n\) +

 \({<}declarations{>}\)

 end

 \end{ttbox}

 where \texttt{B}$@1$, \dots, \texttt{B}$@n$ are the names of existing

 theories that \texttt{T} is based on and ${<}declarations{>}$ stands for the

 newly introduced concepts (types, functions etc). The \texttt{B}$@i$ are the

 direct \textbf{parent theories}\indexbold{parent theory} of \texttt{T}.

 Everything defined in the parent theories (and their parents \dots) is

 automatically visible. To avoid name clashes, identifiers can be qualified by

 theory names as in \texttt{T.f} and \texttt{B.f}. HOL's theory library is

 available online at \verb$http://www.in.tum.de/~isabelle/library/HOL/$ and is

 recommended browsing.

 \begin{warn}

   HOL contains a theory \ttindexbold{Main}, the union of all the basic

   predefined theories like arithmetic, lists, sets, etc.\ (see the online

   library).  Unless you know what you are doing, always include \texttt{Main}

   as a direct or indirect parent theory of all your theories.

 \end{warn}

 This tutorial is concerned with introducing you to the different linguistic

 constructs that can fill ${<}declarations{>}$ in the above theory template.

 A complete grammar of the basic constructs is found in Appendix~A

 of~\cite{Isa-Ref-Man}, for reference in times of doubt.

 The tutorial is also concerned with showing you how to prove theorems about

 the concepts in a theory. This involves invoking predefined theorem proving

 commands. Because Isabelle is written in the programming language

 ML,\footnote{Many concepts in HOL and ML are similar. Make sure you do not

   confuse the two levels.} interacting with Isabelle means calling ML

 functions. Hence \bfindex{proof scripts} are sequences of calls to ML

 functions that perform specific theorem proving tasks. Nevertheless,

 familiarity with ML is absolutely not required.  All proof scripts for theory

 \texttt{T} (defined in file \texttt{T.thy}) should be contained in file

 \texttt{T.ML}. Theory and proof scripts are loaded (and checked!) by calling

 the ML function \ttindexbold{use_thy}:

 \begin{ttbox}

 use_thy "T";

 \end{ttbox}

 There are more advanced interfaces for Isabelle that hide the ML level from

 you and replace function calls by menu selection. There is even a special

 font with mathematical symbols. For details see the Isabelle home page.  This

 tutorial concentrates on the bare essentials and ignores such niceties.

 \section{Types, terms and formulae}

 \label{sec:TypesTermsForms}

 Embedded in the declarations of a theory are the types, terms and formulae of

 HOL. HOL is a typed logic whose type system resembles that of functional

 programming languages like ML or Haskell. Thus there are

 \begin{description}

 \item[base types,] in particular \ttindex{bool}, the type of truth values,

 and \ttindex{nat}, the type of natural numbers.

 \item[type constructors,] in particular \ttindex{list}, the type of

 lists, and \ttindex{set}, the type of sets. Type constructors are written

 postfix, e.g.\ \texttt{(nat)list} is the type of lists whose elements are

 natural numbers. Parentheses around single arguments can be dropped (as in

 \texttt{nat list}), multiple arguments are separated by commas (as in

 \texttt{(bool,nat)foo}).

 \item[function types,] denoted by \ttindexbold{=>}. In HOL

 \texttt{=>} represents {\em total} functions only. As is customary,

 \texttt{$\tau@1$ => $\tau@2$ => $\tau@3$} means

 \texttt{$\tau@1$ => ($\tau@2$ => $\tau@3$)}. Isabelle also supports the

 notation \texttt{[$\tau@1,\dots,\tau@n$] => $\tau$} which abbreviates

 \texttt{$\tau@1$ => $\cdots$ => $\tau@n$ => $\tau$}.

 \item[type variables,] denoted by \texttt{'a}, \texttt{'b} etc, just like in

 ML. They give rise to polymorphic types like \texttt{'a => 'a}, the type of the

 identity function.

 \end{description}

 \begin{warn}

   Types are extremely important because they prevent us from writing

   nonsense.  Isabelle insists that all terms and formulae must be well-typed

   and will print an error message if a type mismatch is encountered. To

   reduce the amount of explicit type information that needs to be provided by

   the user, Isabelle infers the type of all variables automatically (this is

   called \bfindex{type inference}) and keeps quiet about it. Occasionally

   this may lead to misunderstandings between you and the system. If anything

   strange happens, we recommend to set the flag \ttindexbold{show_types} that

   tells Isabelle to display type information that is usually suppressed:

   simply type

 \begin{ttbox}

 set show_types;

 \end{ttbox}

 \noindent

 at the ML-level. This can be reversed by \texttt{reset show_types;}.

 \end{warn}

 \textbf{Terms}\indexbold{term}

 are formed as in functional programming by applying functions to

 arguments. If \texttt{f} is a function of type \texttt{$\tau@1$ => $\tau@2$}

 and \texttt{t} is a term of type $\tau@1$ then \texttt{f~t} is a term of type

 $\tau@2$. HOL also supports infix functions like \texttt{+} and some basic

 constructs from functional programming:

 \begin{description}

 \item[\texttt{if $b$ then $t@1$ else $t@2$}]\indexbold{*if}

 means what you think it means and requires that

 $b$ is of type \texttt{bool} and $t@1$ and $t@2$ are of the same type.

 \item[\texttt{let $x$ = $t$ in $u$}]\indexbold{*let}

 is equivalent to $u$ where all occurrences of $x$ have been replaced by

 $t$. For example,

 \texttt{let x = 0 in x+x} means \texttt{0+0}. Multiple bindings are separated

 by semicolons: \texttt{let $x@1$ = $t@1$; \dots; $x@n$ = $t@n$ in $u$}.

 \item[\texttt{case $e$ of $c@1$ => $e@1$ | \dots | $c@n$ => $e@n$}]

 \indexbold{*case}

 evaluates to $e@i$ if $e$ is of the form

 $c@i$. See~\S\ref{sec:case-expressions} for details.

 \end{description}

 Terms may also contain $\lambda$-abstractions. For example, $\lambda

 x. x+1$ is the function that takes an argument $x$ and returns $x+1$. In

 Isabelle we write \texttt{\%x.~x+1}.\index{==>@{\tt\%}|bold}

 Instead of \texttt{\%x.~\%y.~\%z.~t} we can write \texttt{\%x~y~z.~t}.

 \textbf{Formulae}\indexbold{formula}

 are terms of type \texttt{bool}. There are the basic

 constants \ttindexbold{True} and \ttindexbold{False} and the usual logical

 connectives (in decreasing order of priority):

 \verb$~$\index{$HOL1@{\ttnot}|bold} (`not'),

 \texttt{\&}\index{$HOL2@{\tt\&}|bold} (`and'),

 \texttt{|}\index{$HOL2@{\ttor}|bold} (`or') and

 \texttt{-->}\index{$HOL2@{\tt-->}|bold} (`implies'),

 all of which (except the unary \verb$~$) associate to the right. In

 particular \texttt{A --> B --> C} means \texttt{A --> (B --> C)} and is thus

 logically equivalent with \texttt{A \& B --> C}

 (which is \texttt{(A \& B) --> C}).

 Equality is available in the form of the infix function

 \texttt{=} of type \texttt{'a => 'a => bool}. Thus \texttt{$t@1$ = $t@2$} is

 a formula provided $t@1$ and $t@2$ are terms of the same type. In case $t@1$

 and $t@2$ are of type \texttt{bool}, \texttt{=} acts as if-and-only-if.

 The syntax for quantifiers is

 \texttt{!~$x$.$\,P$}\index{$HOLQ@{\ttall}|bold} (`for all $x$') and

 \texttt{?~$x$.$\,P$}\index{$HOLQ@{\tt?}|bold} (`exists $x$').

 There is even \texttt{?!~$x$.$\,P$}\index{$HOLQ@{\ttuniquex}|bold}, which

 means that there exists exactly one $x$ that satisfies $P$. Instead of

 \texttt{!} and \texttt{?} you may also write \texttt{ALL} and \texttt{EX}.

 Nested quantifications can be abbreviated:

 \texttt{!$x~y~z$.$\,P$} means \texttt{!$x$.~!$y$.~!$z$.$\,P$}.

 Despite type inference, it is sometimes necessary to attach explicit

 \bfindex{type constraints} to a term.  The syntax is \texttt{$t$::$\tau$} as

 in \texttt{x < (y::nat)}. Note that \texttt{::} binds weakly and should

 therefore be enclosed in parentheses: \texttt{x < y::nat} is ill-typed

 because it is interpreted as \texttt{(x < y)::nat}. The main reason for type

 constraints are overloaded functions like \texttt{+}, \texttt{*} and

 \texttt{<}. (See \S\ref{sec:TypeClasses} for a full discussion of

 overloading.)

 \begin{warn}

 In general, HOL's concrete syntax tries to follow the conventions of

 functional programming and mathematics. Below we list the main rules that you

 should be familiar with to avoid certain syntactic traps. A particular

 problem for novices can be the priority of operators. If you are unsure, use

 more rather than fewer parentheses. In those cases where Isabelle echoes your

 input, you can see which parentheses are dropped---they were superfluous. If

 you are unsure how to interpret Isabelle's output because you don't know

 where the (dropped) parentheses go, set (and possibly reset) the flag

 \ttindexbold{show_brackets}:

 \begin{ttbox}

 set show_brackets; \(\dots\); reset show_brackets;

 \end{ttbox}

 \end{warn}

 \begin{itemize}

 \item

 Remember that \texttt{f t u} means \texttt{(f t) u} and not \texttt{f(t u)}!

 \item

 Isabelle allows infix functions like \texttt{+}. The prefix form of function

 application binds more strongly than anything else and hence \texttt{f~x + y}

 means \texttt{(f~x)~+~y} and not \texttt{f(x+y)}.

 \item

 Remember that in HOL if-and-only-if is expressed using equality.  But equality

 has a high priority, as befitting a  relation, while if-and-only-if typically

 has the lowest priority.  Thus, \verb$~ ~ P = P$ means \verb$~ ~(P = P)$ and

 not \verb$(~ ~P) = P$. When using \texttt{=} to mean logical equivalence,

 enclose both operands in parentheses, as in \texttt{(A \& B) = (B \& A)}.

 \item

 Constructs with an opening but without a closing delimiter bind very weakly

 and should therefore be enclosed in parentheses if they appear in subterms, as

 in \texttt{f = (\%x.~x)}. This includes

 \ttindex{if}, \ttindex{let}, \ttindex{case}, \verb$%$ and quantifiers.

 \item

 Never write \texttt{\%x.x} or \texttt{!x.x=x} because \texttt{x.x} is always

 read as a single qualified identifier that refers to an item \texttt{x} in

 theory \texttt{x}. Write \texttt{\%x.~x} and \texttt{!x.~x=x} instead.

 \end{itemize}

 \section{Variables}

 \label{sec:variables}

 Isabelle distinguishes free and bound variables just as is customary. Bound

 variables are automatically renamed to avoid clashes with free variables. In

 addition, Isabelle has a third kind of variable, called a \bfindex{schematic

   variable} or \bfindex{unknown}, which starts with a \texttt{?}.  Logically,

 an unknown is a free variable. But it may be instantiated by another term

 during the proof process. For example, the mathematical theorem $x = x$ is

 represented in Isabelle as \texttt{?x = ?x}, which means that Isabelle can

 instantiate it arbitrarily. This is in contrast to ordinary variables, which

 remain fixed. The programming language Prolog calls unknowns {\em logical\/}

 variables.

 Most of the time you can and should ignore unknowns and work with ordinary

 variables. Just don't be surprised that after you have finished the

 proof of a theorem, Isabelle will turn your free variables into unknowns: it

 merely indicates that Isabelle will automatically instantiate those unknowns

 suitably when the theorem is used in some other proof.

 \begin{warn}

   The existential quantifier \texttt{?}\index{$HOLQ@{\tt?}} needs to be

   followed by a space. Otherwise \texttt{?x} is interpreted as a schematic

   variable.

 \end{warn}

 \section{Getting started}

 Assuming you have installed Isabelle, you start it by typing \texttt{isabelle

   HOL} in a shell window.\footnote{Since you will always want to use HOL when

   studying this tutorial, you can set the shell variable

   \texttt{ISABELLE_LOGIC} to \texttt{HOL} once and for all and simply execute

   \texttt{isabelle}.} This presents you with Isabelle's most basic ASCII

 interface. In addition you need to open an editor window to create theories

 (\texttt{.thy} files) and proof scripts (\texttt{.ML} files). While you are

 developing a proof, we recommend to type each proof command into the ML-file

 first and then enter it into Isabelle by copy-and-paste, thus ensuring that

 you have a complete record of your proof.