3 \def\isabellecontext{pure}%
12 \isacommand{theory}\isamarkupfalse%
14 \isakeyword{imports}\ CPure\isanewline
23 \isamarkupchapter{Basic language elements \label{ch:pure-syntax}%
27 \begin{isamarkuptext}%
28 Subsequently, we introduce the main part of Pure theory and proof
29 commands, together with fundamental proof methods and attributes.
30 \Chref{ch:gen-tools} describes further Isar elements provided by
31 generic tools and packages (such as the Simplifier) that are either
32 part of Pure Isabelle or pre-installed in most object logics.
33 \Chref{ch:logics} refers to object-logic specific elements (mainly
36 \medskip Isar commands may be either \emph{proper} document
37 constructors, or \emph{improper commands}. Some proof methods and
38 attributes introduced later are classified as improper as well.
39 Improper Isar language elements, which are subsequently marked by
40 ``\isa{\isactrlsup {\isacharasterisk}}'', are often helpful when developing proof
41 documents, while their use is discouraged for the final
42 human-readable outcome. Typical examples are diagnostic commands
43 that print terms or theorems according to the current context; other
44 commands emulate old-style tactical theorem proving.%
48 \isamarkupsection{Theory commands%
52 \isamarkupsubsection{Defining theories \label{sec:begin-thy}%
56 \begin{isamarkuptext}%
57 \begin{matharray}{rcl}
58 \indexdef{}{command}{header}\isa{\isacommand{header}} & : & \isarkeep{toplevel} \\
59 \indexdef{}{command}{theory}\isa{\isacommand{theory}} & : & \isartrans{toplevel}{theory} \\
60 \indexdef{}{command}{end}\isa{\isacommand{end}} & : & \isartrans{theory}{toplevel} \\
63 Isabelle/Isar theories are defined via theory, which contain both
64 specifications and proofs; occasionally definitional mechanisms also
65 require some explicit proof.
67 The first ``real'' command of any theory has to be \isa{\isacommand{theory}}, which starts a new theory based on the merge of existing
68 ones. Just preceding the \isa{\isacommand{theory}} keyword, there may be
69 an optional \isa{\isacommand{header}} declaration, which is relevant to
70 document preparation only; it acts very much like a special
71 pre-theory markup command (cf.\ \secref{sec:markup-thy} and
72 \secref{sec:markup-thy}). The \isa{\isacommand{end}} command concludes a
73 theory development; it has to be the very last command of any theory
74 file loaded in batch-mode.
79 'theory' name 'imports' (name +) uses? 'begin'
82 uses: 'uses' ((name | parname) +);
87 \item [\isa{\isacommand{header}}~\isa{text}] provides plain text
88 markup just preceding the formal beginning of a theory. In actual
89 document preparation the corresponding {\LaTeX} macro \verb|\isamarkupheader| may be redefined to produce chapter or section
90 headings. See also \secref{sec:markup-thy} and
91 \secref{sec:markup-prf} for further markup commands.
93 \item [\isa{\isacommand{theory}}~\isa{A\ {\isasymIMPORTS}\ B\isactrlsub {\isadigit{1}}\ {\isasymdots}\ B\isactrlsub n\ {\isasymBEGIN}}] starts a new theory \isa{A} based on the
94 merge of existing theories \isa{B\isactrlsub {\isadigit{1}}\ {\isasymdots}\ B\isactrlsub n}.
96 Due to inclusion of several ancestors, the overall theory structure
97 emerging in an Isabelle session forms a directed acyclic graph
98 (DAG). Isabelle's theory loader ensures that the sources
99 contributing to the development graph are always up-to-date.
100 Changed files are automatically reloaded when processing theory
103 The optional \indexdef{}{keyword}{uses}\isa{\isakeyword{uses}} specification declares additional
104 dependencies on extra files (usually ML sources). Files will be
105 loaded immediately (as ML), unless the name is put in parentheses,
106 which merely documents the dependency to be resolved later in the
107 text (typically via explicit \indexref{}{command}{use}\isa{\isacommand{use}} in the body text,
108 see \secref{sec:ML}).
110 \item [\isa{\isacommand{end}}] concludes the current theory definition or
117 \isamarkupsubsection{Markup commands \label{sec:markup-thy}%
121 \begin{isamarkuptext}%
122 \begin{matharray}{rcl}
123 \indexdef{}{command}{chapter}\isa{\isacommand{chapter}} & : & \isarkeep{local{\dsh}theory} \\
124 \indexdef{}{command}{section}\isa{\isacommand{section}} & : & \isarkeep{local{\dsh}theory} \\
125 \indexdef{}{command}{subsection}\isa{\isacommand{subsection}} & : & \isarkeep{local{\dsh}theory} \\
126 \indexdef{}{command}{subsubsection}\isa{\isacommand{subsubsection}} & : & \isarkeep{local{\dsh}theory} \\
127 \indexdef{}{command}{text}\isa{\isacommand{text}} & : & \isarkeep{local{\dsh}theory} \\
128 \indexdef{}{command}{text-raw}\isa{\isacommand{text{\isacharunderscore}raw}} & : & \isarkeep{local{\dsh}theory} \\
131 Apart from formal comments (see \secref{sec:comments}), markup
132 commands provide a structured way to insert text into the document
133 generated from a theory (see \cite{isabelle-sys} for more
134 information on Isabelle's document preparation tools).
137 ('chapter' | 'section' | 'subsection' | 'subsubsection' | 'text') target? text
145 \item [\isa{\isacommand{chapter}}, \isa{\isacommand{section}}, \isa{\isacommand{subsection}}, and \isa{\isacommand{subsubsection}}] mark chapter and
148 \item [\isa{\isacommand{text}}] specifies paragraphs of plain text.
150 \item [\isa{\isacommand{text{\isacharunderscore}raw}}] inserts {\LaTeX} source into the
151 output, without additional markup. Thus the full range of document
152 manipulations becomes available.
156 The \isa{text} argument of these markup commands (except for
157 \isa{\isacommand{text{\isacharunderscore}raw}}) may contain references to formal entities
158 (``antiquotations'', see also \secref{sec:antiq}). These are
159 interpreted in the present theory context, or the named \isa{target}.
161 Any of these markup elements corresponds to a {\LaTeX} command with
162 the name prefixed by \verb|\isamarkup|. For the sectioning
163 commands this is a plain macro with a single argument, e.g.\
164 \verb|\isamarkupchapter{|\isa{{\isasymdots}}\verb|}| for
165 \isa{\isacommand{chapter}}. The \isa{\isacommand{text}} markup results in a
166 {\LaTeX} environment \verb|\begin{isamarkuptext}|~\isa{{\isasymdots}}~\verb|\end{isamarkuptext}|, while \isa{\isacommand{text{\isacharunderscore}raw}}
167 causes the text to be inserted directly into the {\LaTeX} source.
169 \medskip Additional markup commands are available for proofs (see
170 \secref{sec:markup-prf}). Also note that the \indexref{}{command}{header}\isa{\isacommand{header}} declaration (see \secref{sec:begin-thy}) admits to insert
171 section markup just preceding the actual theory definition.%
175 \isamarkupsubsection{Type classes and sorts \label{sec:classes}%
179 \begin{isamarkuptext}%
180 \begin{matharray}{rcll}
181 \indexdef{}{command}{classes}\isa{\isacommand{classes}} & : & \isartrans{theory}{theory} \\
182 \indexdef{}{command}{classrel}\isa{\isacommand{classrel}} & : & \isartrans{theory}{theory} & (axiomatic!) \\
183 \indexdef{}{command}{defaultsort}\isa{\isacommand{defaultsort}} & : & \isartrans{theory}{theory} \\
184 \indexdef{}{command}{class-deps}\isa{\isacommand{class{\isacharunderscore}deps}} & : & \isarkeep{theory~|~proof} \\
188 'classes' (classdecl +)
190 'classrel' (nameref ('<' | subseteq) nameref + 'and')
198 \item [\isa{\isacommand{classes}}~\isa{c\ {\isasymsubseteq}\ c\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ c\isactrlsub n}]
199 declares class \isa{c} to be a subclass of existing classes \isa{c\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ c\isactrlsub n}. Cyclic class structures are not permitted.
201 \item [\isa{\isacommand{classrel}}~\isa{c\isactrlsub {\isadigit{1}}\ {\isasymsubseteq}\ c\isactrlsub {\isadigit{2}}}] states
202 subclass relations between existing classes \isa{c\isactrlsub {\isadigit{1}}} and
203 \isa{c\isactrlsub {\isadigit{2}}}. This is done axiomatically! The \indexref{}{command}{instance}\isa{\isacommand{instance}} command (see \secref{sec:axclass}) provides a way to
204 introduce proven class relations.
206 \item [\isa{\isacommand{defaultsort}}~\isa{s}] makes sort \isa{s} the
207 new default sort for any type variables given without sort
208 constraints. Usually, the default sort would be only changed when
209 defining a new object-logic.
211 \item [\isa{\isacommand{class{\isacharunderscore}deps}}] visualizes the subclass relation,
212 using Isabelle's graph browser tool (see also \cite{isabelle-sys}).
218 \isamarkupsubsection{Primitive types and type abbreviations \label{sec:types-pure}%
222 \begin{isamarkuptext}%
223 \begin{matharray}{rcll}
224 \indexdef{}{command}{types}\isa{\isacommand{types}} & : & \isartrans{theory}{theory} \\
225 \indexdef{}{command}{typedecl}\isa{\isacommand{typedecl}} & : & \isartrans{theory}{theory} \\
226 \indexdef{}{command}{nonterminals}\isa{\isacommand{nonterminals}} & : & \isartrans{theory}{theory} \\
227 \indexdef{}{command}{arities}\isa{\isacommand{arities}} & : & \isartrans{theory}{theory} & (axiomatic!) \\
231 'types' (typespec '=' type infix? +)
233 'typedecl' typespec infix?
235 'nonterminals' (name +)
237 'arities' (nameref '::' arity +)
243 \item [\isa{\isacommand{types}}~\isa{{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub n{\isacharparenright}\ t\ {\isacharequal}\ {\isasymtau}}]
244 introduces \emph{type synonym} \isa{{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub n{\isacharparenright}\ t}
245 for existing type \isa{{\isasymtau}}. Unlike actual type definitions, as
246 are available in Isabelle/HOL for example, type synonyms are just
247 purely syntactic abbreviations without any logical significance.
248 Internally, type synonyms are fully expanded.
250 \item [\isa{\isacommand{typedecl}}~\isa{{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub n{\isacharparenright}\ t}]
251 declares a new type constructor \isa{t}, intended as an actual
252 logical type (of the object-logic, if available).
254 \item [\isa{\isacommand{nonterminals}}~\isa{c}] declares type
255 constructors \isa{c} (without arguments) to act as purely
256 syntactic types, i.e.\ nonterminal symbols of Isabelle's inner
257 syntax of terms or types.
259 \item [\isa{\isacommand{arities}}~\isa{t\ {\isacharcolon}{\isacharcolon}\ {\isacharparenleft}s\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ s\isactrlsub n{\isacharparenright}\ s}] augments Isabelle's order-sorted signature of types by new type
260 constructor arities. This is done axiomatically! The \indexref{}{command}{instance}\isa{\isacommand{instance}} command (see \S\ref{sec:axclass}) provides a way to
261 introduce proven type arities.
267 \isamarkupsubsection{Primitive constants and definitions \label{sec:consts}%
271 \begin{isamarkuptext}%
272 Definitions essentially express abbreviations within the logic. The
273 simplest form of a definition is \isa{c\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\ {\isasymequiv}\ t}, where \isa{c} is a newly declared constant. Isabelle also allows derived forms
274 where the arguments of \isa{c} appear on the left, abbreviating a
275 prefix of \isa{{\isasymlambda}}-abstractions, e.g.\ \isa{c\ {\isasymequiv}\ {\isasymlambda}x\ y{\isachardot}\ t} may be
276 written more conveniently as \isa{c\ x\ y\ {\isasymequiv}\ t}. Moreover,
277 definitions may be weakened by adding arbitrary pre-conditions:
278 \isa{A\ {\isasymLongrightarrow}\ c\ x\ y\ {\isasymequiv}\ t}.
280 \medskip The built-in well-formedness conditions for definitional
285 \item Arguments (on the left-hand side) must be distinct variables.
287 \item All variables on the right-hand side must also appear on the
290 \item All type variables on the right-hand side must also appear on
291 the left-hand side; this prohibits \isa{{\isadigit{0}}\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymequiv}\ length\ {\isacharparenleft}{\isacharbrackleft}{\isacharbrackright}\ {\isacharcolon}{\isacharcolon}\ {\isasymalpha}\ list{\isacharparenright}} for example.
293 \item The definition must not be recursive. Most object-logics
294 provide definitional principles that can be used to express
299 Overloading means that a constant being declared as \isa{c\ {\isacharcolon}{\isacharcolon}\ {\isasymalpha}\ decl} may be defined separately on type instances \isa{c\ {\isacharcolon}{\isacharcolon}\ {\isacharparenleft}{\isasymbeta}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymbeta}\isactrlsub n{\isacharparenright}\ t\ decl} for each type constructor \isa{t}. The right-hand side may mention overloaded constants
300 recursively at type instances corresponding to the immediate
301 argument types \isa{{\isasymbeta}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymbeta}\isactrlsub n}. Incomplete
302 specification patterns impose global constraints on all occurrences,
303 e.g.\ \isa{d\ {\isacharcolon}{\isacharcolon}\ {\isasymalpha}\ {\isasymtimes}\ {\isasymalpha}} on the left-hand side means that all
304 corresponding occurrences on some right-hand side need to be an
305 instance of this, general \isa{d\ {\isacharcolon}{\isacharcolon}\ {\isasymalpha}\ {\isasymtimes}\ {\isasymbeta}} will be disallowed.
307 \begin{matharray}{rcl}
308 \indexdef{}{command}{consts}\isa{\isacommand{consts}} & : & \isartrans{theory}{theory} \\
309 \indexdef{}{command}{defs}\isa{\isacommand{defs}} & : & \isartrans{theory}{theory} \\
310 \indexdef{}{command}{constdefs}\isa{\isacommand{constdefs}} & : & \isartrans{theory}{theory} \\
314 'consts' ((name '::' type mixfix?) +)
316 'defs' ('(' 'unchecked'? 'overloaded'? ')')? \\ (axmdecl prop +)
321 'constdefs' structs? (constdecl? constdef +)
324 structs: '(' 'structure' (vars + 'and') ')'
326 constdecl: ((name '::' type mixfix | name '::' type | name mixfix) 'where'?) | name 'where'
328 constdef: thmdecl? prop
334 \item [\isa{\isacommand{consts}}~\isa{c\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}}] declares constant
335 \isa{c} to have any instance of type scheme \isa{{\isasymsigma}}. The
336 optional mixfix annotations may attach concrete syntax to the
339 \item [\isa{\isacommand{defs}}~\isa{name{\isacharcolon}\ eqn}] introduces \isa{eqn}
340 as a definitional axiom for some existing constant.
342 The \isa{{\isacharparenleft}unchecked{\isacharparenright}} option disables global dependency checks
343 for this definition, which is occasionally useful for exotic
344 overloading. It is at the discretion of the user to avoid malformed
345 theory specifications!
347 The \isa{{\isacharparenleft}overloaded{\isacharparenright}} option declares definitions to be
348 potentially overloaded. Unless this option is given, a warning
349 message would be issued for any definitional equation with a more
350 special type than that of the corresponding constant declaration.
352 \item [\isa{\isacommand{constdefs}}] provides a streamlined combination of
353 constants declarations and definitions: type-inference takes care of
354 the most general typing of the given specification (the optional
355 type constraint may refer to type-inference dummies ``\verb|_|'' as usual). The resulting type declaration needs to agree with
356 that of the specification; overloading is \emph{not} supported here!
358 The constant name may be omitted altogether, if neither type nor
359 syntax declarations are given. The canonical name of the
360 definitional axiom for constant \isa{c} will be \isa{c{\isacharunderscore}def},
361 unless specified otherwise. Also note that the given list of
362 specifications is processed in a strictly sequential manner, with
363 type-checking being performed independently.
365 An optional initial context of \isa{{\isacharparenleft}structure{\isacharparenright}} declarations
366 admits use of indexed syntax, using the special symbol \verb|\<index>| (printed as ``\isa{{\isasymindex}}''). The latter concept is
367 particularly useful with locales (see also \S\ref{sec:locale}).
373 \isamarkupsubsection{Syntax and translations \label{sec:syn-trans}%
377 \begin{isamarkuptext}%
378 \begin{matharray}{rcl}
379 \indexdef{}{command}{syntax}\isa{\isacommand{syntax}} & : & \isartrans{theory}{theory} \\
380 \indexdef{}{command}{no-syntax}\isa{\isacommand{no{\isacharunderscore}syntax}} & : & \isartrans{theory}{theory} \\
381 \indexdef{}{command}{translations}\isa{\isacommand{translations}} & : & \isartrans{theory}{theory} \\
382 \indexdef{}{command}{no-translations}\isa{\isacommand{no{\isacharunderscore}translations}} & : & \isartrans{theory}{theory} \\
385 \railalias{rightleftharpoons}{\isasymrightleftharpoons}
386 \railterm{rightleftharpoons}
388 \railalias{rightharpoonup}{\isasymrightharpoonup}
389 \railterm{rightharpoonup}
391 \railalias{leftharpoondown}{\isasymleftharpoondown}
392 \railterm{leftharpoondown}
395 ('syntax' | 'no\_syntax') mode? (constdecl +)
397 ('translations' | 'no\_translations') (transpat ('==' | '=>' | '<=' | rightleftharpoons | rightharpoonup | leftharpoondown) transpat +)
400 mode: ('(' ( name | 'output' | name 'output' ) ')')
402 transpat: ('(' nameref ')')? string
408 \item [\isa{\isacommand{syntax}}~\isa{{\isacharparenleft}mode{\isacharparenright}\ decls}] is similar to
409 \isa{\isacommand{consts}}~\isa{decls}, except that the actual logical
410 signature extension is omitted. Thus the context free grammar of
411 Isabelle's inner syntax may be augmented in arbitrary ways,
412 independently of the logic. The \isa{mode} argument refers to the
413 print mode that the grammar rules belong; unless the \indexref{}{keyword}{output}\isa{\isakeyword{output}} indicator is given, all productions are added both to the
414 input and output grammar.
416 \item [\isa{\isacommand{no{\isacharunderscore}syntax}}~\isa{{\isacharparenleft}mode{\isacharparenright}\ decls}] removes
417 grammar declarations (and translations) resulting from \isa{decls}, which are interpreted in the same manner as for \isa{\isacommand{syntax}} above.
419 \item [\isa{\isacommand{translations}}~\isa{rules}] specifies syntactic
420 translation rules (i.e.\ macros): parse~/ print rules (\isa{{\isasymrightleftharpoons}}),
421 parse rules (\isa{{\isasymrightharpoonup}}), or print rules (\isa{{\isasymleftharpoondown}}).
422 Translation patterns may be prefixed by the syntactic category to be
423 used for parsing; the default is \isa{logic}.
425 \item [\isa{\isacommand{no{\isacharunderscore}translations}}~\isa{rules}] removes syntactic
426 translation rules, which are interpreted in the same manner as for
427 \isa{\isacommand{translations}} above.
433 \isamarkupsubsection{Axioms and theorems \label{sec:axms-thms}%
437 \begin{isamarkuptext}%
438 \begin{matharray}{rcll}
439 \indexdef{}{command}{axioms}\isa{\isacommand{axioms}} & : & \isartrans{theory}{theory} & (axiomatic!) \\
440 \indexdef{}{command}{lemmas}\isa{\isacommand{lemmas}} & : & \isarkeep{local{\dsh}theory} \\
441 \indexdef{}{command}{theorems}\isa{\isacommand{theorems}} & : & isarkeep{local{\dsh}theory} \\
445 'axioms' (axmdecl prop +)
447 ('lemmas' | 'theorems') target? (thmdef? thmrefs + 'and')
453 \item [\isa{\isacommand{axioms}}~\isa{a{\isacharcolon}\ {\isasymphi}}] introduces arbitrary
454 statements as axioms of the meta-logic. In fact, axioms are
455 ``axiomatic theorems'', and may be referred later just as any other
458 Axioms are usually only introduced when declaring new logical
459 systems. Everyday work is typically done the hard way, with proper
460 definitions and proven theorems.
462 \item [\isa{\isacommand{lemmas}}~\isa{a\ {\isacharequal}\ b\isactrlsub {\isadigit{1}}\ {\isasymdots}\ b\isactrlsub n}]
463 retrieves and stores existing facts in the theory context, or the
464 specified target context (see also \secref{sec:target}). Typical
465 applications would also involve attributes, to declare Simplifier
468 \item [\isa{\isacommand{theorems}}] is essentially the same as \isa{\isacommand{lemmas}}, but marks the result as a different kind of facts.
474 \isamarkupsubsection{Name spaces%
478 \begin{isamarkuptext}%
479 \begin{matharray}{rcl}
480 \indexdef{}{command}{global}\isa{\isacommand{global}} & : & \isartrans{theory}{theory} \\
481 \indexdef{}{command}{local}\isa{\isacommand{local}} & : & \isartrans{theory}{theory} \\
482 \indexdef{}{command}{hide}\isa{\isacommand{hide}} & : & \isartrans{theory}{theory} \\
486 'hide' ('(open)')? name (nameref + )
490 Isabelle organizes any kind of name declarations (of types,
491 constants, theorems etc.) by separate hierarchically structured name
492 spaces. Normally the user does not have to control the behavior of
493 name spaces by hand, yet the following commands provide some way to
498 \item [\isa{\isacommand{global}} and \isa{\isacommand{local}}] change the
499 current name declaration mode. Initially, theories start in
500 \isa{\isacommand{local}} mode, causing all names to be automatically
501 qualified by the theory name. Changing this to \isa{\isacommand{global}}
502 causes all names to be declared without the theory prefix, until
503 \isa{\isacommand{local}} is declared again.
505 Note that global names are prone to get hidden accidently later,
506 when qualified names of the same base name are introduced.
508 \item [\isa{\isacommand{hide}}~\isa{space\ names}] fully removes
509 declarations from a given name space (which may be \isa{class},
510 \isa{type}, \isa{const}, or \isa{fact}); with the \isa{{\isacharparenleft}open{\isacharparenright}} option, only the base name is hidden. Global
511 (unqualified) names may never be hidden.
513 Note that hiding name space accesses has no impact on logical
514 declarations -- they remain valid internally. Entities that are no
515 longer accessible to the user are printed with the special qualifier
516 ``\isa{{\isacharquery}{\isacharquery}}'' prefixed to the full internal name.
522 \isamarkupsubsection{Incorporating ML code \label{sec:ML}%
526 \begin{isamarkuptext}%
527 \begin{matharray}{rcl}
528 \indexdef{}{command}{use}\isa{\isacommand{use}} & : & \isarkeep{theory~|~local{\dsh}theory} \\
529 \indexdef{}{command}{ML}\isa{\isacommand{ML}} & : & \isarkeep{theory~|~local{\dsh}theory} \\
530 \indexdef{}{command}{ML-val}\isa{\isacommand{ML{\isacharunderscore}val}} & : & \isartrans{\cdot}{\cdot} \\
531 \indexdef{}{command}{ML-command}\isa{\isacommand{ML{\isacharunderscore}command}} & : & \isartrans{\cdot}{\cdot} \\
532 \indexdef{}{command}{setup}\isa{\isacommand{setup}} & : & \isartrans{theory}{theory} \\
533 \indexdef{}{command}{method-setup}\isa{\isacommand{method{\isacharunderscore}setup}} & : & \isartrans{theory}{theory} \\
539 ('ML' | 'ML\_val' | 'ML\_command' | 'setup') text
541 'method\_setup' name '=' text text
547 \item [\isa{\isacommand{use}}~\isa{file}] reads and executes ML
548 commands from \isa{file}. The current theory context is passed
549 down to the ML toplevel and may be modified, using \verb|Context.>>| or derived ML commands. The file name is checked with
550 the \indexref{}{keyword}{uses}\isa{\isakeyword{uses}} dependency declaration given in the theory
551 header (see also \secref{sec:begin-thy}).
553 \item [\isa{\isacommand{ML}}~\isa{text}] is similar to \isa{\isacommand{use}}, but executes ML commands directly from the given \isa{text}.
555 \item [\isa{\isacommand{ML{\isacharunderscore}val}} and \isa{\isacommand{ML{\isacharunderscore}command}}] are
556 diagnostic versions of \isa{\isacommand{ML}}, which means that the context
557 may not be updated. \isa{\isacommand{ML{\isacharunderscore}val}} echos the bindings produced
558 at the ML toplevel, but \isa{\isacommand{ML{\isacharunderscore}command}} is silent.
560 \item [\isa{\isacommand{setup}}~\isa{text}] changes the current theory
561 context by applying \isa{text}, which refers to an ML expression
562 of type \verb|theory -> theory|. This enables to initialize
563 any object-logic specific tools and packages written in ML, for
566 \item [\isa{\isacommand{method{\isacharunderscore}setup}}~\isa{name\ {\isacharequal}\ text\ description}]
567 defines a proof method in the current theory. The given \isa{text} has to be an ML expression of type \verb|Args.src ->|\isasep\isanewline%
568 \verb| Proof.context -> Proof.method|. Parsing concrete method syntax
569 from \verb|Args.src| input can be quite tedious in general. The
570 following simple examples are for methods without any explicit
571 arguments, or a list of theorems, respectively.
573 %FIXME proper antiquotations
576 Method.no_args (Method.METHOD (fn facts => foobar_tac))
577 Method.thms_args (fn thms => Method.METHOD (fn facts => foobar_tac))
578 Method.ctxt_args (fn ctxt => Method.METHOD (fn facts => foobar_tac))
579 Method.thms_ctxt_args (fn thms => fn ctxt =>
580 Method.METHOD (fn facts => foobar_tac))
584 Note that mere tactic emulations may ignore the \isa{facts}
585 parameter above. Proper proof methods would do something
586 appropriate with the list of current facts, though. Single-rule
587 methods usually do strict forward-chaining (e.g.\ by using \verb|Drule.multi_resolves|), while automatic ones just insert the facts
588 using \verb|Method.insert_tac| before applying the main tactic.
594 \isamarkupsubsection{Syntax translation functions%
598 \begin{isamarkuptext}%
599 \begin{matharray}{rcl}
600 \indexdef{}{command}{parse-ast-translation}\isa{\isacommand{parse{\isacharunderscore}ast{\isacharunderscore}translation}} & : & \isartrans{theory}{theory} \\
601 \indexdef{}{command}{parse-translation}\isa{\isacommand{parse{\isacharunderscore}translation}} & : & \isartrans{theory}{theory} \\
602 \indexdef{}{command}{print-translation}\isa{\isacommand{print{\isacharunderscore}translation}} & : & \isartrans{theory}{theory} \\
603 \indexdef{}{command}{typed-print-translation}\isa{\isacommand{typed{\isacharunderscore}print{\isacharunderscore}translation}} & : & \isartrans{theory}{theory} \\
604 \indexdef{}{command}{print-ast-translation}\isa{\isacommand{print{\isacharunderscore}ast{\isacharunderscore}translation}} & : & \isartrans{theory}{theory} \\
605 \indexdef{}{command}{token-translation}\isa{\isacommand{token{\isacharunderscore}translation}} & : & \isartrans{theory}{theory} \\
609 ( 'parse\_ast\_translation' | 'parse\_translation' | 'print\_translation' |
610 'typed\_print\_translation' | 'print\_ast\_translation' ) ('(advanced)')? text
613 'token\_translation' text
617 Syntax translation functions written in ML admit almost arbitrary
618 manipulations of Isabelle's inner syntax. Any of the above commands
619 have a single \railqtok{text} argument that refers to an ML
620 expression of appropriate type, which are as follows by default:
622 %FIXME proper antiquotations
624 val parse_ast_translation : (string * (ast list -> ast)) list
625 val parse_translation : (string * (term list -> term)) list
626 val print_translation : (string * (term list -> term)) list
627 val typed_print_translation :
628 (string * (bool -> typ -> term list -> term)) list
629 val print_ast_translation : (string * (ast list -> ast)) list
630 val token_translation :
631 (string * string * (string -> string * real)) list
634 If the \isa{{\isacharparenleft}advanced{\isacharparenright}} option is given, the corresponding
635 translation functions may depend on the current theory or proof
636 context. This allows to implement advanced syntax mechanisms, as
637 translations functions may refer to specific theory declarations or
638 auxiliary proof data.
640 See also \cite[\S8]{isabelle-ref} for more information on the
641 general concept of syntax transformations in Isabelle.
643 %FIXME proper antiquotations
645 val parse_ast_translation:
646 (string * (Context.generic -> ast list -> ast)) list
647 val parse_translation:
648 (string * (Context.generic -> term list -> term)) list
649 val print_translation:
650 (string * (Context.generic -> term list -> term)) list
651 val typed_print_translation:
652 (string * (Context.generic -> bool -> typ -> term list -> term)) list
653 val print_ast_translation:
654 (string * (Context.generic -> ast list -> ast)) list
659 \isamarkupsubsection{Oracles%
663 \begin{isamarkuptext}%
664 \begin{matharray}{rcl}
665 \indexdef{}{command}{oracle}\isa{\isacommand{oracle}} & : & \isartrans{theory}{theory} \\
668 The oracle interface promotes a given ML function \verb|theory -> T -> term| to \verb|theory -> T -> thm|, for some type
669 \verb|T| given by the user. This acts like an infinitary
670 specification of axioms -- there is no internal check of the
671 correctness of the results! The inference kernel records oracle
672 invocations within the internal derivation object of theorems, and
673 the pretty printer attaches ``\isa{{\isacharbrackleft}{\isacharbang}{\isacharbrackright}}'' to indicate results
674 that are not fully checked by Isabelle inferences.
677 'oracle' name '(' type ')' '=' text
683 \item [\isa{\isacommand{oracle}}~\isa{name\ {\isacharparenleft}type{\isacharparenright}\ {\isacharequal}\ text}] turns the
684 given ML expression \isa{text} of type \verb|{theory|\isasep\isanewline%
685 \verb| ->|~\isa{type}~\verb|-> term| into an ML function
686 \verb|name| of type \verb|{theory ->|~\isa{type}~\verb|-> thm|.
692 \isamarkupsection{Proof commands%
696 \begin{isamarkuptext}%
697 Proof commands perform transitions of Isar/VM machine
698 configurations, which are block-structured, consisting of a stack of
699 nodes with three main components: logical proof context, current
700 facts, and open goals. Isar/VM transitions are \emph{typed}
701 according to the following three different modes of operation:
705 \item [\isa{proof{\isacharparenleft}prove{\isacharparenright}}] means that a new goal has just been
706 stated that is now to be \emph{proven}; the next command may refine
707 it by some proof method, and enter a sub-proof to establish the
710 \item [\isa{proof{\isacharparenleft}state{\isacharparenright}}] is like a nested theory mode: the
711 context may be augmented by \emph{stating} additional assumptions,
712 intermediate results etc.
714 \item [\isa{proof{\isacharparenleft}chain{\isacharparenright}}] is intermediate between \isa{proof{\isacharparenleft}state{\isacharparenright}} and \isa{proof{\isacharparenleft}prove{\isacharparenright}}: existing facts (i.e.\
715 the contents of the special ``\indexref{}{fact}{this}\isa{this}'' register) have been
716 just picked up in order to be used when refining the goal claimed
721 The proof mode indicator may be read as a verb telling the writer
722 what kind of operation may be performed next. The corresponding
723 typings of proof commands restricts the shape of well-formed proof
724 texts to particular command sequences. So dynamic arrangements of
725 commands eventually turn out as static texts of a certain structure.
726 \Appref{ap:refcard} gives a simplified grammar of the overall
727 (extensible) language emerging that way.%
731 \isamarkupsubsection{Markup commands \label{sec:markup-prf}%
735 \begin{isamarkuptext}%
736 \begin{matharray}{rcl}
737 \indexdef{}{command}{sect}\isa{\isacommand{sect}} & : & \isartrans{proof}{proof} \\
738 \indexdef{}{command}{subsect}\isa{\isacommand{subsect}} & : & \isartrans{proof}{proof} \\
739 \indexdef{}{command}{subsubsect}\isa{\isacommand{subsubsect}} & : & \isartrans{proof}{proof} \\
740 \indexdef{}{command}{txt}\isa{\isacommand{txt}} & : & \isartrans{proof}{proof} \\
741 \indexdef{}{command}{txt-raw}\isa{\isacommand{txt{\isacharunderscore}raw}} & : & \isartrans{proof}{proof} \\
744 These markup commands for proof mode closely correspond to the ones
745 of theory mode (see \S\ref{sec:markup-thy}).
748 ('sect' | 'subsect' | 'subsubsect' | 'txt' | 'txt\_raw') text
754 \isamarkupsubsection{Context elements \label{sec:proof-context}%
758 \begin{isamarkuptext}%
759 \begin{matharray}{rcl}
760 \indexdef{}{command}{fix}\isa{\isacommand{fix}} & : & \isartrans{proof(state)}{proof(state)} \\
761 \indexdef{}{command}{assume}\isa{\isacommand{assume}} & : & \isartrans{proof(state)}{proof(state)} \\
762 \indexdef{}{command}{presume}\isa{\isacommand{presume}} & : & \isartrans{proof(state)}{proof(state)} \\
763 \indexdef{}{command}{def}\isa{\isacommand{def}} & : & \isartrans{proof(state)}{proof(state)} \\
766 The logical proof context consists of fixed variables and
767 assumptions. The former closely correspond to Skolem constants, or
768 meta-level universal quantification as provided by the Isabelle/Pure
769 logical framework. Introducing some \emph{arbitrary, but fixed}
770 variable via ``\isa{\isacommand{fix}}~\isa{x} results in a local value
771 that may be used in the subsequent proof as any other variable or
772 constant. Furthermore, any result \isa{{\isasymturnstile}\ {\isasymphi}{\isacharbrackleft}x{\isacharbrackright}} exported from
773 the context will be universally closed wrt.\ \isa{x} at the
774 outermost level: \isa{{\isasymturnstile}\ {\isasymAnd}x{\isachardot}\ {\isasymphi}{\isacharbrackleft}x{\isacharbrackright}} (this is expressed in normal
775 form using Isabelle's meta-variables).
777 Similarly, introducing some assumption \isa{{\isasymchi}} has two effects.
778 On the one hand, a local theorem is created that may be used as a
779 fact in subsequent proof steps. On the other hand, any result
780 \isa{{\isasymchi}\ {\isasymturnstile}\ {\isasymphi}} exported from the context becomes conditional wrt.\
781 the assumption: \isa{{\isasymturnstile}\ {\isasymchi}\ {\isasymLongrightarrow}\ {\isasymphi}}. Thus, solving an enclosing goal
782 using such a result would basically introduce a new subgoal stemming
783 from the assumption. How this situation is handled depends on the
784 version of assumption command used: while \isa{\isacommand{assume}}
785 insists on solving the subgoal by unification with some premise of
786 the goal, \isa{\isacommand{presume}} leaves the subgoal unchanged in order
787 to be proved later by the user.
789 Local definitions, introduced by ``\isa{\isacommand{def}}~\isa{x\ {\isasymequiv}\ t}'', are achieved by combining ``\isa{\isacommand{fix}}~\isa{x}'' with
790 another version of assumption that causes any hypothetical equation
791 \isa{x\ {\isasymequiv}\ t} to be eliminated by the reflexivity rule. Thus,
792 exporting some result \isa{x\ {\isasymequiv}\ t\ {\isasymturnstile}\ {\isasymphi}{\isacharbrackleft}x{\isacharbrackright}} yields \isa{{\isasymturnstile}\ {\isasymphi}{\isacharbrackleft}t{\isacharbrackright}}.
794 \railalias{equiv}{\isasymequiv}
800 ('assume' | 'presume') (props + 'and')
804 def: thmdecl? \\ name ('==' | equiv) term termpat?
810 \item [\isa{\isacommand{fix}}~\isa{x}] introduces a local variable
811 \isa{x} that is \emph{arbitrary, but fixed.}
813 \item [\isa{\isacommand{assume}}~\isa{a{\isacharcolon}\ {\isasymphi}} and \isa{\isacommand{presume}}~\isa{a{\isacharcolon}\ {\isasymphi}}] introduce a local fact \isa{{\isasymphi}\ {\isasymturnstile}\ {\isasymphi}} by
814 assumption. Subsequent results applied to an enclosing goal (e.g.\
815 by \indexref{}{command}{show}\isa{\isacommand{show}}) are handled as follows: \isa{\isacommand{assume}} expects to be able to unify with existing premises in the
816 goal, while \isa{\isacommand{presume}} leaves \isa{{\isasymphi}} as new subgoals.
818 Several lists of assumptions may be given (separated by
819 \indexref{}{keyword}{and}\isa{\isakeyword{and}}; the resulting list of current facts consists
820 of all of these concatenated.
822 \item [\isa{\isacommand{def}}~\isa{x\ {\isasymequiv}\ t}] introduces a local
823 (non-polymorphic) definition. In results exported from the context,
824 \isa{x} is replaced by \isa{t}. Basically, ``\isa{\isacommand{def}}~\isa{x\ {\isasymequiv}\ t}'' abbreviates ``\isa{\isacommand{fix}}~\isa{x}~\isa{\isacommand{assume}}~\isa{x\ {\isasymequiv}\ t}'', with the resulting
825 hypothetical equation solved by reflexivity.
827 The default name for the definitional equation is \isa{x{\isacharunderscore}def}.
828 Several simultaneous definitions may be given at the same time.
832 The special name \indexref{}{fact}{prems}\isa{prems} refers to all assumptions of the
833 current context as a list of theorems. This feature should be used
834 with great care! It is better avoided in final proof texts.%
838 \isamarkupsubsection{Facts and forward chaining%
842 \begin{isamarkuptext}%
843 \begin{matharray}{rcl}
844 \indexdef{}{command}{note}\isa{\isacommand{note}} & : & \isartrans{proof(state)}{proof(state)} \\
845 \indexdef{}{command}{then}\isa{\isacommand{then}} & : & \isartrans{proof(state)}{proof(chain)} \\
846 \indexdef{}{command}{from}\isa{\isacommand{from}} & : & \isartrans{proof(state)}{proof(chain)} \\
847 \indexdef{}{command}{with}\isa{\isacommand{with}} & : & \isartrans{proof(state)}{proof(chain)} \\
848 \indexdef{}{command}{using}\isa{\isacommand{using}} & : & \isartrans{proof(prove)}{proof(prove)} \\
849 \indexdef{}{command}{unfolding}\isa{\isacommand{unfolding}} & : & \isartrans{proof(prove)}{proof(prove)} \\
852 New facts are established either by assumption or proof of local
853 statements. Any fact will usually be involved in further proofs,
854 either as explicit arguments of proof methods, or when forward
855 chaining towards the next goal via \isa{\isacommand{then}} (and variants);
856 \isa{\isacommand{from}} and \isa{\isacommand{with}} are composite forms
857 involving \isa{\isacommand{note}}. The \isa{\isacommand{using}} elements
858 augments the collection of used facts \emph{after} a goal has been
859 stated. Note that the special theorem name \indexref{}{fact}{this}\isa{this} refers
860 to the most recently established facts, but only \emph{before}
861 issuing a follow-up claim.
864 'note' (thmdef? thmrefs + 'and')
866 ('from' | 'with' | 'using' | 'unfolding') (thmrefs + 'and')
872 \item [\isa{\isacommand{note}}~\isa{a\ {\isacharequal}\ b\isactrlsub {\isadigit{1}}\ {\isasymdots}\ b\isactrlsub n}]
873 recalls existing facts \isa{b\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ b\isactrlsub n}, binding
874 the result as \isa{a}. Note that attributes may be involved as
875 well, both on the left and right hand sides.
877 \item [\isa{\isacommand{then}}] indicates forward chaining by the current
878 facts in order to establish the goal to be claimed next. The
879 initial proof method invoked to refine that will be offered the
880 facts to do ``anything appropriate'' (see also
881 \secref{sec:proof-steps}). For example, method \indexref{}{method}{rule}\isa{rule}
882 (see \secref{sec:pure-meth-att}) would typically do an elimination
883 rather than an introduction. Automatic methods usually insert the
884 facts into the goal state before operation. This provides a simple
885 scheme to control relevance of facts in automated proof search.
887 \item [\isa{\isacommand{from}}~\isa{b}] abbreviates ``\isa{\isacommand{note}}~\isa{b}~\isa{\isacommand{then}}''; thus \isa{\isacommand{then}} is
888 equivalent to ``\isa{\isacommand{from}}~\isa{this}''.
890 \item [\isa{\isacommand{with}}~\isa{b\isactrlsub {\isadigit{1}}\ {\isasymdots}\ b\isactrlsub n}]
891 abbreviates ``\isa{\isacommand{from}}~\isa{b\isactrlsub {\isadigit{1}}\ {\isasymdots}\ b\isactrlsub n\ {\isasymAND}\ this}''; thus the forward chaining is from earlier facts together
892 with the current ones.
894 \item [\isa{\isacommand{using}}~\isa{b\isactrlsub {\isadigit{1}}\ {\isasymdots}\ b\isactrlsub n}] augments
895 the facts being currently indicated for use by a subsequent
896 refinement step (such as \indexref{}{command}{apply}\isa{\isacommand{apply}} or \indexref{}{command}{proof}\isa{\isacommand{proof}}).
898 \item [\isa{\isacommand{unfolding}}~\isa{b\isactrlsub {\isadigit{1}}\ {\isasymdots}\ b\isactrlsub n}] is
899 structurally similar to \isa{\isacommand{using}}, but unfolds definitional
900 equations \isa{b\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}\ b\isactrlsub n} throughout the goal state
905 Forward chaining with an empty list of theorems is the same as not
906 chaining at all. Thus ``\isa{\isacommand{from}}~\isa{nothing}'' has no
907 effect apart from entering \isa{prove{\isacharparenleft}chain{\isacharparenright}} mode, since
908 \indexref{}{fact}{nothing}\isa{nothing} is bound to the empty list of theorems.
910 Basic proof methods (such as \indexref{}{method}{rule}\isa{rule}) expect multiple
911 facts to be given in their proper order, corresponding to a prefix
912 of the premises of the rule involved. Note that positions may be
913 easily skipped using something like \isa{\isacommand{from}}~\isa{{\isacharunderscore}\ {\isasymAND}\ a\ {\isasymAND}\ b}, for example. This involves the trivial rule
914 \isa{PROP\ {\isasympsi}\ {\isasymLongrightarrow}\ PROP\ {\isasympsi}}, which is bound in Isabelle/Pure as
915 ``\indexref{}{fact}{-}\isa{{\isacharunderscore}}'' (underscore).
917 Automated methods (such as \isa{simp} or \isa{auto}) just
918 insert any given facts before their usual operation. Depending on
919 the kind of procedure involved, the order of facts is less
924 \isamarkupsubsection{Goal statements \label{sec:goals}%
928 \begin{isamarkuptext}%
929 \begin{matharray}{rcl}
930 \isarcmd{lemma} & : & \isartrans{local{\dsh}theory}{proof(prove)} \\
931 \isarcmd{theorem} & : & \isartrans{local{\dsh}theory}{proof(prove)} \\
932 \isarcmd{corollary} & : & \isartrans{local{\dsh}theory}{proof(prove)} \\
933 \isarcmd{have} & : & \isartrans{proof(state) ~|~ proof(chain)}{proof(prove)} \\
934 \isarcmd{show} & : & \isartrans{proof(state) ~|~ proof(chain)}{proof(prove)} \\
935 \isarcmd{hence} & : & \isartrans{proof(state)}{proof(prove)} \\
936 \isarcmd{thus} & : & \isartrans{proof(state)}{proof(prove)} \\
937 \isarcmd{print_statement}^* & : & \isarkeep{theory~|~proof} \\
940 From a theory context, proof mode is entered by an initial goal
941 command such as \isa{\isacommand{lemma}}, \isa{\isacommand{theorem}}, or
942 \isa{\isacommand{corollary}}. Within a proof, new claims may be
943 introduced locally as well; four variants are available here to
944 indicate whether forward chaining of facts should be performed
945 initially (via \indexref{}{command}{then}\isa{\isacommand{then}}), and whether the final result
946 is meant to solve some pending goal.
948 Goals may consist of multiple statements, resulting in a list of
949 facts eventually. A pending multi-goal is internally represented as
950 a meta-level conjunction (printed as \isa{{\isacharampersand}{\isacharampersand}}), which is usually
951 split into the corresponding number of sub-goals prior to an initial
952 method application, via \indexref{}{command}{proof}\isa{\isacommand{proof}}
953 (\secref{sec:proof-steps}) or \indexref{}{command}{apply}\isa{\isacommand{apply}}
954 (\secref{sec:tactic-commands}). The \indexref{}{method}{induct}\isa{induct} method
955 covered in \secref{sec:cases-induct} acts on multiple claims
958 Claims at the theory level may be either in short or long form. A
959 short goal merely consists of several simultaneous propositions
960 (often just one). A long goal includes an explicit context
961 specification for the subsequent conclusion, involving local
962 parameters and assumptions. Here the role of each part of the
963 statement is explicitly marked by separate keywords (see also
964 \secref{sec:locale}); the local assumptions being introduced here
965 are available as \indexref{}{fact}{assms}\isa{assms} in the proof. Moreover, there
966 are two kinds of conclusions: \indexdef{}{element}{shows}\isa{shows} states several
967 simultaneous propositions (essentially a big conjunction), while
968 \indexdef{}{element}{obtains}\isa{obtains} claims several simultaneous simultaneous
969 contexts of (essentially a big disjunction of eliminated parameters
970 and assumptions, cf.\ \secref{sec:obtain}).
973 ('lemma' | 'theorem' | 'corollary') target? (goal | longgoal)
975 ('have' | 'show' | 'hence' | 'thus') goal
977 'print\_statement' modes? thmrefs
980 goal: (props + 'and')
982 longgoal: thmdecl? (contextelem *) conclusion
984 conclusion: 'shows' goal | 'obtains' (parname? case + '|')
986 case: (vars + 'and') 'where' (props + 'and')
992 \item [\isa{\isacommand{lemma}}~\isa{a{\isacharcolon}\ {\isasymphi}}] enters proof mode with
993 \isa{{\isasymphi}} as main goal, eventually resulting in some fact \isa{{\isasymturnstile}\ {\isasymphi}} to be put back into the target context. An additional
994 \railnonterm{context} specification may build up an initial proof
995 context for the subsequent claim; this includes local definitions
996 and syntax as well, see the definition of \isa{contextelem} in
999 \item [\isa{\isacommand{theorem}}~\isa{a{\isacharcolon}\ {\isasymphi}} and \isa{\isacommand{corollary}}~\isa{a{\isacharcolon}\ {\isasymphi}}] are essentially the same as \isa{\isacommand{lemma}}~\isa{a{\isacharcolon}\ {\isasymphi}}, but the facts are internally marked as
1000 being of a different kind. This discrimination acts like a formal
1003 \item [\isa{\isacommand{have}}~\isa{a{\isacharcolon}\ {\isasymphi}}] claims a local goal,
1004 eventually resulting in a fact within the current logical context.
1005 This operation is completely independent of any pending sub-goals of
1006 an enclosing goal statements, so \isa{\isacommand{have}} may be freely
1007 used for experimental exploration of potential results within a
1010 \item [\isa{\isacommand{show}}~\isa{a{\isacharcolon}\ {\isasymphi}}] is like \isa{\isacommand{have}}~\isa{a{\isacharcolon}\ {\isasymphi}} plus a second stage to refine some pending
1011 sub-goal for each one of the finished result, after having been
1012 exported into the corresponding context (at the head of the
1013 sub-proof of this \isa{\isacommand{show}} command).
1015 To accommodate interactive debugging, resulting rules are printed
1016 before being applied internally. Even more, interactive execution
1017 of \isa{\isacommand{show}} predicts potential failure and displays the
1018 resulting error as a warning beforehand. Watch out for the
1021 %FIXME proper antiquitation
1023 Problem! Local statement will fail to solve any pending goal
1026 \item [\isa{\isacommand{hence}}] abbreviates ``\isa{\isacommand{then}}~\isa{\isacommand{have}}'', i.e.\ claims a local goal to be proven by forward
1027 chaining the current facts. Note that \isa{\isacommand{hence}} is also
1028 equivalent to ``\isa{\isacommand{from}}~\isa{this}~\isa{\isacommand{have}}''.
1030 \item [\isa{\isacommand{thus}}] abbreviates ``\isa{\isacommand{then}}~\isa{\isacommand{show}}''. Note that \isa{\isacommand{thus}} is also equivalent to
1031 ``\isa{\isacommand{from}}~\isa{this}~\isa{\isacommand{show}}''.
1033 \item [\isa{\isacommand{print{\isacharunderscore}statement}}~\isa{a}] prints facts from the
1034 current theory or proof context in long statement form, according to
1035 the syntax for \isa{\isacommand{lemma}} given above.
1039 Any goal statement causes some term abbreviations (such as
1040 \indexref{}{variable}{?thesis}\isa{{\isacharquery}thesis}) to be bound automatically, see also
1041 \secref{sec:term-abbrev}. Furthermore, the local context of a
1042 (non-atomic) goal is provided via the \indexref{}{case}{rule-context}\isa{rule{\isacharunderscore}context} case.
1044 The optional case names of \indexref{}{element}{obtains}\isa{obtains} have a twofold
1045 meaning: (1) during the of this claim they refer to the the local
1046 context introductions, (2) the resulting rule is annotated
1047 accordingly to support symbolic case splits when used with the
1048 \indexref{}{method}{cases}\isa{cases} method (cf. \secref{sec:cases-induct}).
1053 Isabelle/Isar suffers theory-level goal statements to contain
1054 \emph{unbound schematic variables}, although this does not conform
1055 to the aim of human-readable proof documents! The main problem
1056 with schematic goals is that the actual outcome is usually hard to
1057 predict, depending on the behavior of the proof methods applied
1058 during the course of reasoning. Note that most semi-automated
1059 methods heavily depend on several kinds of implicit rule
1060 declarations within the current theory context. As this would
1061 also result in non-compositional checking of sub-proofs,
1062 \emph{local goals} are not allowed to be schematic at all.
1063 Nevertheless, schematic goals do have their use in Prolog-style
1064 interactive synthesis of proven results, usually by stepwise
1065 refinement via emulation of traditional Isabelle tactic scripts
1066 (see also \secref{sec:tactic-commands}). In any case, users
1067 should know what they are doing.
1069 \end{isamarkuptext}%
1072 \isamarkupsubsection{Initial and terminal proof steps \label{sec:proof-steps}%
1076 \begin{isamarkuptext}%
1077 \begin{matharray}{rcl}
1078 \indexdef{}{command}{proof}\isa{\isacommand{proof}} & : & \isartrans{proof(prove)}{proof(state)} \\
1079 \indexdef{}{command}{qed}\isa{\isacommand{qed}} & : & \isartrans{proof(state)}{proof(state) ~|~ theory} \\
1080 \indexdef{}{command}{by}\isa{\isacommand{by}} & : & \isartrans{proof(prove)}{proof(state) ~|~ theory} \\
1081 \indexdef{}{command}{..}\isa{\isacommand{{\isachardot}{\isachardot}}} & : & \isartrans{proof(prove)}{proof(state) ~|~ theory} \\
1082 \indexdef{}{command}{.}\isa{\isacommand{{\isachardot}}} & : & \isartrans{proof(prove)}{proof(state) ~|~ theory} \\
1083 \indexdef{}{command}{sorry}\isa{\isacommand{sorry}} & : & \isartrans{proof(prove)}{proof(state) ~|~ theory} \\
1086 Arbitrary goal refinement via tactics is considered harmful.
1087 Structured proof composition in Isar admits proof methods to be
1088 invoked in two places only.
1092 \item An \emph{initial} refinement step \indexref{}{command}{proof}\isa{\isacommand{proof}}~\isa{m\isactrlsub {\isadigit{1}}} reduces a newly stated goal to a number
1093 of sub-goals that are to be solved later. Facts are passed to
1094 \isa{m\isactrlsub {\isadigit{1}}} for forward chaining, if so indicated by \isa{proof{\isacharparenleft}chain{\isacharparenright}} mode.
1096 \item A \emph{terminal} conclusion step \indexref{}{command}{qed}\isa{\isacommand{qed}}~\isa{m\isactrlsub {\isadigit{2}}} is intended to solve remaining goals. No facts are
1097 passed to \isa{m\isactrlsub {\isadigit{2}}}.
1101 The only other (proper) way to affect pending goals in a proof body
1102 is by \indexref{}{command}{show}\isa{\isacommand{show}}, which involves an explicit statement of
1103 what is to be solved eventually. Thus we avoid the fundamental
1104 problem of unstructured tactic scripts that consist of numerous
1105 consecutive goal transformations, with invisible effects.
1107 \medskip As a general rule of thumb for good proof style, initial
1108 proof methods should either solve the goal completely, or constitute
1109 some well-understood reduction to new sub-goals. Arbitrary
1110 automatic proof tools that are prone leave a large number of badly
1111 structured sub-goals are no help in continuing the proof document in
1112 an intelligible manner.
1114 Unless given explicitly by the user, the default initial method is
1115 ``\indexref{}{method}{rule}\isa{rule}'', which applies a single standard elimination
1116 or introduction rule according to the topmost symbol involved.
1117 There is no separate default terminal method. Any remaining goals
1118 are always solved by assumption in the very last step.
1127 ('.' | '..' | 'sorry')
1133 \item [\isa{\isacommand{proof}}~\isa{m\isactrlsub {\isadigit{1}}}] refines the goal by
1134 proof method \isa{m\isactrlsub {\isadigit{1}}}; facts for forward chaining are
1135 passed if so indicated by \isa{proof{\isacharparenleft}chain{\isacharparenright}} mode.
1137 \item [\isa{\isacommand{qed}}~\isa{m\isactrlsub {\isadigit{2}}}] refines any remaining
1138 goals by proof method \isa{m\isactrlsub {\isadigit{2}}} and concludes the
1139 sub-proof by assumption. If the goal had been \isa{show} (or
1140 \isa{thus}), some pending sub-goal is solved as well by the rule
1141 resulting from the result \emph{exported} into the enclosing goal
1142 context. Thus \isa{qed} may fail for two reasons: either \isa{m\isactrlsub {\isadigit{2}}} fails, or the resulting rule does not fit to any
1143 pending goal\footnote{This includes any additional ``strong''
1144 assumptions as introduced by \isa{assume}.} of the enclosing
1145 context. Debugging such a situation might involve temporarily
1146 changing \isa{\isacommand{show}} into \isa{\isacommand{have}}, or weakening the
1147 local context by replacing occurrences of \isa{\isacommand{assume}} by
1148 \isa{\isacommand{presume}}.
1150 \item [\isa{\isacommand{by}}~\isa{m\isactrlsub {\isadigit{1}}\ m\isactrlsub {\isadigit{2}}}] is a
1151 \emph{terminal proof}\index{proof!terminal}; it abbreviates
1152 \isa{\isacommand{proof}}~\isa{m\isactrlsub {\isadigit{1}}}~\isa{qed}~\isa{m\isactrlsub {\isadigit{2}}}, but with backtracking across both methods. Debugging
1153 an unsuccessful \isa{\isacommand{by}}~\isa{m\isactrlsub {\isadigit{1}}\ m\isactrlsub {\isadigit{2}}}
1154 command can be done by expanding its definition; in many cases
1155 \isa{\isacommand{proof}}~\isa{m\isactrlsub {\isadigit{1}}} (or even \isa{apply}~\isa{m\isactrlsub {\isadigit{1}}}) is already sufficient to see the
1158 \item [``\isa{\isacommand{{\isachardot}{\isachardot}}}''] is a \emph{default
1159 proof}\index{proof!default}; it abbreviates \isa{\isacommand{by}}~\isa{rule}.
1161 \item [``\isa{\isacommand{{\isachardot}}}''] is a \emph{trivial
1162 proof}\index{proof!trivial}; it abbreviates \isa{\isacommand{by}}~\isa{this}.
1164 \item [\isa{\isacommand{sorry}}] is a \emph{fake proof}\index{proof!fake}
1165 pretending to solve the pending claim without further ado. This
1166 only works in interactive development, or if the \verb|quick_and_dirty| flag is enabled (in ML). Facts emerging from fake
1167 proofs are not the real thing. Internally, each theorem container
1168 is tainted by an oracle invocation, which is indicated as ``\isa{{\isacharbrackleft}{\isacharbang}{\isacharbrackright}}'' in the printed result.
1170 The most important application of \isa{\isacommand{sorry}} is to support
1171 experimentation and top-down proof development.
1174 \end{isamarkuptext}%
1177 \isamarkupsubsection{Fundamental methods and attributes \label{sec:pure-meth-att}%
1181 \begin{isamarkuptext}%
1182 The following proof methods and attributes refer to basic logical
1183 operations of Isar. Further methods and attributes are provided by
1184 several generic and object-logic specific tools and packages (see
1185 \chref{ch:gen-tools} and \chref{ch:logics}).
1187 \begin{matharray}{rcl}
1188 \indexdef{}{method}{-}\isa{{\isacharminus}} & : & \isarmeth \\
1189 \indexdef{}{method}{fact}\isa{fact} & : & \isarmeth \\
1190 \indexdef{}{method}{assumption}\isa{assumption} & : & \isarmeth \\
1191 \indexdef{}{method}{this}\isa{this} & : & \isarmeth \\
1192 \indexdef{}{method}{rule}\isa{rule} & : & \isarmeth \\
1193 \indexdef{}{method}{iprover}\isa{iprover} & : & \isarmeth \\[0.5ex]
1194 \indexdef{}{attribute}{intro}\isa{intro} & : & \isaratt \\
1195 \indexdef{}{attribute}{elim}\isa{elim} & : & \isaratt \\
1196 \indexdef{}{attribute}{dest}\isa{dest} & : & \isaratt \\
1197 \indexdef{}{attribute}{rule}\isa{rule} & : & \isaratt \\[0.5ex]
1198 \indexdef{}{attribute}{OF}\isa{OF} & : & \isaratt \\
1199 \indexdef{}{attribute}{of}\isa{of} & : & \isaratt \\
1200 \indexdef{}{attribute}{where}\isa{where} & : & \isaratt \\
1208 'iprover' ('!' ?) (rulemod *)
1210 rulemod: ('intro' | 'elim' | 'dest') ((('!' | () | '?') nat?) | 'del') ':' thmrefs
1212 ('intro' | 'elim' | 'dest') ('!' | () | '?') nat?
1218 'of' insts ('concl' ':' insts)?
1220 'where' ((name | var | typefree | typevar) '=' (type | term) * 'and')
1226 \item [``\isa{{\isacharminus}}''] does nothing but insert the forward
1227 chaining facts as premises into the goal. Note that command
1228 \indexref{}{command}{proof}\isa{\isacommand{proof}} without any method actually performs a single
1229 reduction step using the \indexref{}{method}{rule}\isa{rule} method; thus a plain
1230 \emph{do-nothing} proof step would be ``\isa{\isacommand{proof}}~\isa{{\isacharminus}}'' rather than \isa{\isacommand{proof}} alone.
1232 \item [\isa{fact}~\isa{a\isactrlsub {\isadigit{1}}\ {\isasymdots}\ a\isactrlsub n}] composes
1233 some fact from \isa{a\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ a\isactrlsub n} (or implicitly from
1234 the current proof context) modulo unification of schematic type and
1235 term variables. The rule structure is not taken into account, i.e.\
1236 meta-level implication is considered atomic. This is the same
1237 principle underlying literal facts (cf.\ \secref{sec:syn-att}):
1238 ``\isa{\isacommand{have}}~\isa{{\isasymphi}}~\isa{\isacommand{by}}~\isa{fact}'' is
1239 equivalent to ``\isa{\isacommand{note}}~\verb|`|\isa{{\isasymphi}}\verb|`|'' provided that \isa{{\isasymturnstile}\ {\isasymphi}} is an instance of some known
1240 \isa{{\isasymturnstile}\ {\isasymphi}} in the proof context.
1242 \item [\isa{assumption}] solves some goal by a single assumption
1243 step. All given facts are guaranteed to participate in the
1244 refinement; this means there may be only 0 or 1 in the first place.
1245 Recall that \isa{\isacommand{qed}} (\secref{sec:proof-steps}) already
1246 concludes any remaining sub-goals by assumption, so structured
1247 proofs usually need not quote the \isa{assumption} method at
1250 \item [\isa{this}] applies all of the current facts directly as
1251 rules. Recall that ``\isa{\isacommand{{\isachardot}}}'' (dot) abbreviates ``\isa{\isacommand{by}}~\isa{this}''.
1253 \item [\isa{rule}~\isa{a\isactrlsub {\isadigit{1}}\ {\isasymdots}\ a\isactrlsub n}] applies some
1254 rule given as argument in backward manner; facts are used to reduce
1255 the rule before applying it to the goal. Thus \isa{rule}
1256 without facts is plain introduction, while with facts it becomes
1259 When no arguments are given, the \isa{rule} method tries to pick
1260 appropriate rules automatically, as declared in the current context
1261 using the \isa{intro}, \isa{elim}, \isa{dest}
1262 attributes (see below). This is the default behavior of \isa{\isacommand{proof}} and ``\isa{\isacommand{{\isachardot}{\isachardot}}}'' (double-dot) steps (see
1263 \secref{sec:proof-steps}).
1265 \item [\isa{iprover}] performs intuitionistic proof search,
1266 depending on specifically declared rules from the context, or given
1267 as explicit arguments. Chained facts are inserted into the goal
1268 before commencing proof search; ``\isa{iprover}\isa{{\isacharbang}}''
1269 means to include the current \isa{prems} as well.
1271 Rules need to be classified as \isa{intro}, \isa{elim}, or \isa{dest}; here the ``\isa{{\isacharbang}} indicator refers
1272 to ``safe'' rules, which may be applied aggressively (without
1273 considering back-tracking later). Rules declared with ``\isa{{\isacharquery}}'' are ignored in proof search (the single-step \isa{rule}
1274 method still observes these). An explicit weight annotation may be
1275 given as well; otherwise the number of rule premises will be taken
1278 \item [\isa{intro}, \isa{elim}, and \isa{dest}]
1279 declare introduction, elimination, and destruct rules, to be used
1280 with the \isa{rule} and \isa{iprover} methods. Note that
1281 the latter will ignore rules declared with ``\isa{{\isacharquery}}'', while
1282 ``\isa{{\isacharbang}}'' are used most aggressively.
1284 The classical reasoner (see \secref{sec:classical}) introduces its
1285 own variants of these attributes; use qualified names to access the
1286 present versions of Isabelle/Pure, i.e.\ \isa{Pure{\isachardot}intro}.
1288 \item [\isa{rule}~\isa{del}] undeclares introduction,
1289 elimination, or destruct rules.
1291 \item [\isa{OF}~\isa{a\isactrlsub {\isadigit{1}}\ {\isasymdots}\ a\isactrlsub n}] applies some
1292 theorem to all of the given rules \isa{a\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ a\isactrlsub n}
1293 (in parallel). This corresponds to the \verb|op MRS| operation in
1294 ML, but note the reversed order. Positions may be effectively
1295 skipped by including ``\verb|_|'' (underscore) as argument.
1297 \item [\isa{of}~\isa{t\isactrlsub {\isadigit{1}}\ {\isasymdots}\ t\isactrlsub n}] performs
1298 positional instantiation of term variables. The terms \isa{t\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ t\isactrlsub n} are substituted for any schematic
1299 variables occurring in a theorem from left to right; ``\verb|_|'' (underscore) indicates to skip a position. Arguments following
1300 a ``\isa{\isakeyword{concl}}\isa{{\isacharcolon}}'' specification refer to positions
1301 of the conclusion of a rule.
1303 \item [\isa{where}~\isa{x\isactrlsub {\isadigit{1}}\ {\isacharequal}\ t\isactrlsub {\isadigit{1}}\ {\isasymAND}\ {\isasymdots}\ {\isasymAND}\ x\isactrlsub n\ {\isacharequal}\ t\isactrlsub n}] performs named instantiation of
1304 schematic type and term variables occurring in a theorem. Schematic
1305 variables have to be specified on the left-hand side (e.g.\ \isa{{\isacharquery}x{\isadigit{1}}{\isachardot}{\isadigit{3}}}). The question mark may be omitted if the variable name is
1306 a plain identifier without index. As type instantiations are
1307 inferred from term instantiations, explicit type instantiations are
1311 \end{isamarkuptext}%
1314 \isamarkupsubsection{Term abbreviations \label{sec:term-abbrev}%
1318 \begin{isamarkuptext}%
1319 \begin{matharray}{rcl}
1320 \indexdef{}{command}{let}\isa{\isacommand{let}} & : & \isartrans{proof(state)}{proof(state)} \\
1321 \indexdef{}{keyword}{is}\isa{\isakeyword{is}} & : & syntax \\
1324 Abbreviations may be either bound by explicit \isa{\isacommand{let}}\isa{p\ {\isasymequiv}\ t} statements, or by annotating assumptions or goal statements
1325 with a list of patterns ``\isa{{\isasymIS}\ p\isactrlsub {\isadigit{1}}\ {\isasymdots}\ p\isactrlsub n}''.
1326 In both cases, higher-order matching is invoked to bind
1327 extra-logical term variables, which may be either named schematic
1328 variables of the form \isa{{\isacharquery}x}, or nameless dummies ``\isa{{\isacharunderscore}}'' (underscore). Note that in the \isa{\isacommand{let}} form the
1329 patterns occur on the left-hand side, while the \isa{\isakeyword{is}}
1330 patterns are in postfix position.
1332 Polymorphism of term bindings is handled in Hindley-Milner style,
1333 similar to ML. Type variables referring to local assumptions or
1334 open goal statements are \emph{fixed}, while those of finished
1335 results or bound by \isa{\isacommand{let}} may occur in \emph{arbitrary}
1336 instances later. Even though actual polymorphism should be rarely
1337 used in practice, this mechanism is essential to achieve proper
1338 incremental type-inference, as the user proceeds to build up the
1339 Isar proof text from left to right.
1341 \medskip Term abbreviations are quite different from local
1342 definitions as introduced via \isa{\isacommand{def}} (see
1343 \secref{sec:proof-context}). The latter are visible within the
1344 logic as actual equations, while abbreviations disappear during the
1345 input process just after type checking. Also note that \isa{\isacommand{def}} does not support polymorphism.
1348 'let' ((term + 'and') '=' term + 'and')
1352 The syntax of \isa{\isakeyword{is}} patterns follows \railnonterm{termpat}
1353 or \railnonterm{proppat} (see \secref{sec:term-decls}).
1357 \item [\isa{\isacommand{let}}~\isa{p\isactrlsub {\isadigit{1}}\ {\isacharequal}\ t\isactrlsub {\isadigit{1}}\ {\isasymAND}\ {\isasymdots}p\isactrlsub n\ {\isacharequal}\ t\isactrlsub n}] binds any text variables in patterns
1358 \isa{p\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ p\isactrlsub n} by simultaneous higher-order
1359 matching against terms \isa{t\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ t\isactrlsub n}.
1361 \item [\isa{{\isacharparenleft}{\isasymIS}\ p\isactrlsub {\isadigit{1}}\ {\isasymdots}\ p\isactrlsub n{\isacharparenright}}] resembles \isa{\isacommand{let}}, but matches \isa{p\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ p\isactrlsub n} against the
1362 preceding statement. Also note that \isa{\isakeyword{is}} is not a
1363 separate command, but part of others (such as \isa{\isacommand{assume}},
1364 \isa{\isacommand{have}} etc.).
1368 Some \emph{implicit} term abbreviations\index{term abbreviations}
1369 for goals and facts are available as well. For any open goal,
1370 \indexref{}{variable}{thesis}\isa{thesis} refers to its object-level statement,
1371 abstracted over any meta-level parameters (if present). Likewise,
1372 \indexref{}{variable}{this}\isa{this} is bound for fact statements resulting from
1373 assumptions or finished goals. In case \isa{this} refers to
1374 an object-logic statement that is an application \isa{f\ t}, then
1375 \isa{t} is bound to the special text variable ``\isa{{\isasymdots}}''
1376 (three dots). The canonical application of this convenience are
1377 calculational proofs (see \secref{sec:calculation}).%
1378 \end{isamarkuptext}%
1381 \isamarkupsubsection{Block structure%
1385 \begin{isamarkuptext}%
1386 \begin{matharray}{rcl}
1387 \indexdef{}{command}{next}\isa{\isacommand{next}} & : & \isartrans{proof(state)}{proof(state)} \\
1388 \indexdef{}{command}{\{}\isa{\isacommand{{\isacharbraceleft}}} & : & \isartrans{proof(state)}{proof(state)} \\
1389 \indexdef{}{command}{\}}\isa{\isacommand{{\isacharbraceright}}} & : & \isartrans{proof(state)}{proof(state)} \\
1392 While Isar is inherently block-structured, opening and closing
1393 blocks is mostly handled rather casually, with little explicit
1394 user-intervention. Any local goal statement automatically opens
1395 \emph{two} internal blocks, which are closed again when concluding
1396 the sub-proof (by \isa{\isacommand{qed}} etc.). Sections of different
1397 context within a sub-proof may be switched via \isa{\isacommand{next}},
1398 which is just a single block-close followed by block-open again.
1399 The effect of \isa{\isacommand{next}} is to reset the local proof context;
1400 there is no goal focus involved here!
1402 For slightly more advanced applications, there are explicit block
1403 parentheses as well. These typically achieve a stronger forward
1408 \item [\isa{\isacommand{next}}] switches to a fresh block within a
1409 sub-proof, resetting the local context to the initial one.
1411 \item [\isa{\isacommand{{\isacharbraceleft}}} and \isa{\isacommand{{\isacharbraceright}}}] explicitly open and close
1412 blocks. Any current facts pass through ``\isa{\isacommand{{\isacharbraceleft}}}''
1413 unchanged, while ``\isa{\isacommand{{\isacharbraceright}}}'' causes any result to be
1414 \emph{exported} into the enclosing context. Thus fixed variables
1415 are generalized, assumptions discharged, and local definitions
1416 unfolded (cf.\ \secref{sec:proof-context}). There is no difference
1417 of \isa{\isacommand{assume}} and \isa{\isacommand{presume}} in this mode of
1418 forward reasoning --- in contrast to plain backward reasoning with
1419 the result exported at \isa{\isacommand{show}} time.
1422 \end{isamarkuptext}%
1425 \isamarkupsubsection{Emulating tactic scripts \label{sec:tactic-commands}%
1429 \begin{isamarkuptext}%
1430 The Isar provides separate commands to accommodate tactic-style
1431 proof scripts within the same system. While being outside the
1432 orthodox Isar proof language, these might come in handy for
1433 interactive exploration and debugging, or even actual tactical proof
1434 within new-style theories (to benefit from document preparation, for
1435 example). See also \secref{sec:tactics} for actual tactics, that
1436 have been encapsulated as proof methods. Proper proof methods may
1437 be used in scripts, too.
1439 \begin{matharray}{rcl}
1440 \indexdef{}{command}{apply}\isa{\isacommand{apply}}^* & : & \isartrans{proof(prove)}{proof(prove)} \\
1441 \indexdef{}{command}{apply-end}\isa{\isacommand{apply{\isacharunderscore}end}}^* & : & \isartrans{proof(state)}{proof(state)} \\
1442 \indexdef{}{command}{done}\isa{\isacommand{done}}^* & : & \isartrans{proof(prove)}{proof(state)} \\
1443 \indexdef{}{command}{defer}\isa{\isacommand{defer}}^* & : & \isartrans{proof}{proof} \\
1444 \indexdef{}{command}{prefer}\isa{\isacommand{prefer}}^* & : & \isartrans{proof}{proof} \\
1445 \indexdef{}{command}{back}\isa{\isacommand{back}}^* & : & \isartrans{proof}{proof} \\
1449 ( 'apply' | 'apply\_end' ) method
1459 \item [\isa{\isacommand{apply}}~\isa{m}] applies proof method \isa{m}
1460 in initial position, but unlike \isa{\isacommand{proof}} it retains
1461 ``\isa{proof{\isacharparenleft}prove{\isacharparenright}}'' mode. Thus consecutive method
1462 applications may be given just as in tactic scripts.
1464 Facts are passed to \isa{m} as indicated by the goal's
1465 forward-chain mode, and are \emph{consumed} afterwards. Thus any
1466 further \isa{\isacommand{apply}} command would always work in a purely
1469 \item [\isa{\isacommand{apply{\isacharunderscore}end}}~\isa{m}] applies proof method
1470 \isa{m} as if in terminal position. Basically, this simulates a
1471 multi-step tactic script for \isa{\isacommand{qed}}, but may be given
1472 anywhere within the proof body.
1474 No facts are passed to \isa{m} here. Furthermore, the static
1475 context is that of the enclosing goal (as for actual \isa{\isacommand{qed}}). Thus the proof method may not refer to any assumptions
1476 introduced in the current body, for example.
1478 \item [\isa{\isacommand{done}}] completes a proof script, provided that
1479 the current goal state is solved completely. Note that actual
1480 structured proof commands (e.g.\ ``\isa{\isacommand{{\isachardot}}}'' or \isa{\isacommand{sorry}}) may be used to conclude proof scripts as well.
1482 \item [\isa{\isacommand{defer}}~\isa{n} and \isa{\isacommand{prefer}}~\isa{n}] shuffle the list of pending goals: \isa{\isacommand{defer}} puts off
1483 sub-goal \isa{n} to the end of the list (\isa{n\ {\isacharequal}\ {\isadigit{1}}} by
1484 default), while \isa{\isacommand{prefer}} brings sub-goal \isa{n} to the
1487 \item [\isa{\isacommand{back}}] does back-tracking over the result
1488 sequence of the latest proof command. Basically, any proof command
1489 may return multiple results.
1493 Any proper Isar proof method may be used with tactic script commands
1494 such as \isa{\isacommand{apply}}. A few additional emulations of actual
1495 tactics are provided as well; these would be never used in actual
1496 structured proofs, of course.%
1497 \end{isamarkuptext}%
1500 \isamarkupsubsection{Meta-linguistic features%
1504 \begin{isamarkuptext}%
1505 \begin{matharray}{rcl}
1506 \indexdef{}{command}{oops}\isa{\isacommand{oops}} & : & \isartrans{proof}{theory} \\
1509 The \isa{\isacommand{oops}} command discontinues the current proof
1510 attempt, while considering the partial proof text as properly
1511 processed. This is conceptually quite different from ``faking''
1512 actual proofs via \indexref{}{command}{sorry}\isa{\isacommand{sorry}} (see
1513 \secref{sec:proof-steps}): \isa{\isacommand{oops}} does not observe the
1514 proof structure at all, but goes back right to the theory level.
1515 Furthermore, \isa{\isacommand{oops}} does not produce any result theorem
1516 --- there is no intended claim to be able to complete the proof
1519 A typical application of \isa{\isacommand{oops}} is to explain Isar proofs
1520 \emph{within} the system itself, in conjunction with the document
1521 preparation tools of Isabelle described in \cite{isabelle-sys}.
1522 Thus partial or even wrong proof attempts can be discussed in a
1523 logically sound manner. Note that the Isabelle {\LaTeX} macros can
1524 be easily adapted to print something like ``\isa{{\isasymdots}}'' instead of
1525 the keyword ``\isa{\isacommand{oops}}''.
1527 \medskip The \isa{\isacommand{oops}} command is undo-able, unlike
1528 \indexref{}{command}{kill}\isa{\isacommand{kill}} (see \secref{sec:history}). The effect is to
1529 get back to the theory just before the opening of the proof.%
1530 \end{isamarkuptext}%
1533 \isamarkupsection{Other commands%
1537 \isamarkupsubsection{Diagnostics%
1541 \begin{isamarkuptext}%
1542 \begin{matharray}{rcl}
1543 \isarcmd{pr}^* & : & \isarkeep{\cdot} \\
1544 \isarcmd{thm}^* & : & \isarkeep{theory~|~proof} \\
1545 \isarcmd{term}^* & : & \isarkeep{theory~|~proof} \\
1546 \isarcmd{prop}^* & : & \isarkeep{theory~|~proof} \\
1547 \isarcmd{typ}^* & : & \isarkeep{theory~|~proof} \\
1548 \isarcmd{prf}^* & : & \isarkeep{theory~|~proof} \\
1549 \isarcmd{full_prf}^* & : & \isarkeep{theory~|~proof} \\
1552 These diagnostic commands assist interactive development. Note that
1553 \isa{\isacommand{undo}} does not apply here, the theory or proof
1554 configuration is not changed.
1557 'pr' modes? nat? (',' nat)?
1559 'thm' modes? thmrefs
1567 'prf' modes? thmrefs?
1569 'full\_prf' modes? thmrefs?
1572 modes: '(' (name + ) ')'
1578 \item [\isa{\isacommand{pr}}~\isa{goals{\isacharcomma}\ prems}] prints the current
1579 proof state (if present), including the proof context, current facts
1580 and goals. The optional limit arguments affect the number of goals
1581 and premises to be displayed, which is initially 10 for both.
1582 Omitting limit values leaves the current setting unchanged.
1584 \item [\isa{\isacommand{thm}}~\isa{a\isactrlsub {\isadigit{1}}\ {\isasymdots}\ a\isactrlsub n}] retrieves
1585 theorems from the current theory or proof context. Note that any
1586 attributes included in the theorem specifications are applied to a
1587 temporary context derived from the current theory or proof; the
1588 result is discarded, i.e.\ attributes involved in \isa{a\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ a\isactrlsub n} do not have any permanent effect.
1590 \item [\isa{\isacommand{term}}~\isa{t} and \isa{\isacommand{prop}}~\isa{{\isasymphi}}]
1591 read, type-check and print terms or propositions according to the
1592 current theory or proof context; the inferred type of \isa{t} is
1593 output as well. Note that these commands are also useful in
1594 inspecting the current environment of term abbreviations.
1596 \item [\isa{\isacommand{typ}}~\isa{{\isasymtau}}] reads and prints types of the
1597 meta-logic according to the current theory or proof context.
1599 \item [\isa{\isacommand{prf}}] displays the (compact) proof term of the
1600 current proof state (if present), or of the given theorems. Note
1601 that this requires proof terms to be switched on for the current
1602 object logic (see the ``Proof terms'' section of the Isabelle
1603 reference manual for information on how to do this).
1605 \item [\isa{\isacommand{full{\isacharunderscore}prf}}] is like \isa{\isacommand{prf}}, but displays
1606 the full proof term, i.e.\ also displays information omitted in the
1607 compact proof term, which is denoted by ``\verb|_|''
1612 All of the diagnostic commands above admit a list of \isa{modes}
1613 to be specified, which is appended to the current print mode (see
1614 also \cite{isabelle-ref}). Thus the output behavior may be modified
1615 according particular print mode features. For example, \isa{\isacommand{pr}}~\isa{{\isacharparenleft}latex\ xsymbols\ symbols{\isacharparenright}} would print the current
1616 proof state with mathematical symbols and special characters
1617 represented in {\LaTeX} source, according to the Isabelle style
1618 \cite{isabelle-sys}.
1620 Note that antiquotations (cf.\ \secref{sec:antiq}) provide a more
1621 systematic way to include formal items into the printed text
1623 \end{isamarkuptext}%
1626 \isamarkupsubsection{Inspecting the context%
1630 \begin{isamarkuptext}%
1631 \begin{matharray}{rcl}
1632 \indexdef{}{command}{print-commands}\isa{\isacommand{print{\isacharunderscore}commands}}^* & : & \isarkeep{\cdot} \\
1633 \indexdef{}{command}{print-theory}\isa{\isacommand{print{\isacharunderscore}theory}}^* & : & \isarkeep{theory~|~proof} \\
1634 \indexdef{}{command}{print-syntax}\isa{\isacommand{print{\isacharunderscore}syntax}}^* & : & \isarkeep{theory~|~proof} \\
1635 \indexdef{}{command}{print-methods}\isa{\isacommand{print{\isacharunderscore}methods}}^* & : & \isarkeep{theory~|~proof} \\
1636 \indexdef{}{command}{print-attributes}\isa{\isacommand{print{\isacharunderscore}attributes}}^* & : & \isarkeep{theory~|~proof} \\
1637 \indexdef{}{command}{print-theorems}\isa{\isacommand{print{\isacharunderscore}theorems}}^* & : & \isarkeep{theory~|~proof} \\
1638 \indexdef{}{command}{find-theorems}\isa{\isacommand{find{\isacharunderscore}theorems}}^* & : & \isarkeep{theory~|~proof} \\
1639 \indexdef{}{command}{thms-deps}\isa{\isacommand{thms{\isacharunderscore}deps}}^* & : & \isarkeep{theory~|~proof} \\
1640 \indexdef{}{command}{print-facts}\isa{\isacommand{print{\isacharunderscore}facts}}^* & : & \isarkeep{proof} \\
1641 \indexdef{}{command}{print-binds}\isa{\isacommand{print{\isacharunderscore}binds}}^* & : & \isarkeep{proof} \\
1645 'print\_theory' ( '!'?)
1648 'find\_theorems' (('(' (nat)? ('with\_dups')? ')')?) (criterion *)
1650 criterion: ('-'?) ('name' ':' nameref | 'intro' | 'elim' | 'dest' |
1651 'simp' ':' term | term)
1657 These commands print certain parts of the theory and proof context.
1658 Note that there are some further ones available, such as for the set
1659 of rules declared for simplifications.
1663 \item [\isa{\isacommand{print{\isacharunderscore}commands}}] prints Isabelle's outer theory
1664 syntax, including keywords and command.
1666 \item [\isa{\isacommand{print{\isacharunderscore}theory}}] prints the main logical content of
1667 the theory context; the ``\isa{{\isacharbang}}'' option indicates extra
1670 \item [\isa{\isacommand{print{\isacharunderscore}syntax}}] prints the inner syntax of types
1671 and terms, depending on the current context. The output can be very
1672 verbose, including grammar tables and syntax translation rules. See
1673 \cite[\S7, \S8]{isabelle-ref} for further information on Isabelle's
1676 \item [\isa{\isacommand{print{\isacharunderscore}methods}}] prints all proof methods
1677 available in the current theory context.
1679 \item [\isa{\isacommand{print{\isacharunderscore}attributes}}] prints all attributes
1680 available in the current theory context.
1682 \item [\isa{\isacommand{print{\isacharunderscore}theorems}}] prints theorems resulting from
1685 \item [\isa{\isacommand{find{\isacharunderscore}theorems}}~\isa{criteria}] retrieves facts
1686 from the theory or proof context matching all of given search
1687 criteria. The criterion \isa{name{\isacharcolon}\ p} selects all theorems
1688 whose fully qualified name matches pattern \isa{p}, which may
1689 contain ``\isa{{\isacharasterisk}}'' wildcards. The criteria \isa{intro},
1690 \isa{elim}, and \isa{dest} select theorems that match the
1691 current goal as introduction, elimination or destruction rules,
1692 respectively. The criterion \isa{simp{\isacharcolon}\ t} selects all rewrite
1693 rules whose left-hand side matches the given term. The criterion
1694 term \isa{t} selects all theorems that contain the pattern \isa{t} -- as usual, patterns may contain occurrences of the dummy
1695 ``\verb|_|'', schematic variables, and type constraints.
1697 Criteria can be preceded by ``\isa{{\isacharminus}}'' to select theorems that
1698 do \emph{not} match. Note that giving the empty list of criteria
1699 yields \emph{all} currently known facts. An optional limit for the
1700 number of printed facts may be given; the default is 40. By
1701 default, duplicates are removed from the search result. Use
1702 \isa{\isakeyword{with{\isacharunderscore}dups}} to display duplicates.
1704 \item [\isa{\isacommand{thm{\isacharunderscore}deps}}~\isa{a\isactrlsub {\isadigit{1}}\ {\isasymdots}\ a\isactrlsub n}]
1705 visualizes dependencies of facts, using Isabelle's graph browser
1706 tool (see also \cite{isabelle-sys}).
1708 \item [\isa{\isacommand{print{\isacharunderscore}facts}}] prints all local facts of the
1709 current context, both named and unnamed ones.
1711 \item [\isa{\isacommand{print{\isacharunderscore}binds}}] prints all term abbreviations
1712 present in the context.
1715 \end{isamarkuptext}%
1718 \isamarkupsubsection{History commands \label{sec:history}%
1722 \begin{isamarkuptext}%
1723 \begin{matharray}{rcl}
1724 \indexdef{}{command}{undo}\isa{\isacommand{undo}}^{{ * }{ * }} & : & \isarkeep{\cdot} \\
1725 \indexdef{}{command}{redo}\isa{\isacommand{redo}}^{{ * }{ * }} & : & \isarkeep{\cdot} \\
1726 \indexdef{}{command}{kill}\isa{\isacommand{kill}}^{{ * }{ * }} & : & \isarkeep{\cdot} \\
1729 The Isabelle/Isar top-level maintains a two-stage history, for
1730 theory and proof state transformation. Basically, any command can
1731 be undone using \isa{\isacommand{undo}}, excluding mere diagnostic
1732 elements. Its effect may be revoked via \isa{\isacommand{redo}}, unless
1733 the corresponding \isa{\isacommand{undo}} step has crossed the beginning
1734 of a proof or theory. The \isa{\isacommand{kill}} command aborts the
1735 current history node altogether, discontinuing a proof or even the
1736 whole theory. This operation is \emph{not} undo-able.
1739 History commands should never be used with user interfaces such as
1740 Proof~General \cite{proofgeneral,Aspinall:TACAS:2000}, which takes
1741 care of stepping forth and back itself. Interfering by manual
1742 \isa{\isacommand{undo}}, \isa{\isacommand{redo}}, or even \isa{\isacommand{kill}}
1743 commands would quickly result in utter confusion.
1745 \end{isamarkuptext}%
1748 \isamarkupsubsection{System operations%
1752 \begin{isamarkuptext}%
1753 \begin{matharray}{rcl}
1754 \indexdef{}{command}{cd}\isa{\isacommand{cd}}^* & : & \isarkeep{\cdot} \\
1755 \indexdef{}{command}{pwd}\isa{\isacommand{pwd}}^* & : & \isarkeep{\cdot} \\
1756 \indexdef{}{command}{use-thy}\isa{\isacommand{use{\isacharunderscore}thy}}^* & : & \isarkeep{\cdot} \\
1757 \indexdef{}{command}{display-drafts}\isa{\isacommand{display{\isacharunderscore}drafts}}^* & : & \isarkeep{\cdot} \\
1758 \indexdef{}{command}{print-drafts}\isa{\isacommand{print{\isacharunderscore}drafts}}^* & : & \isarkeep{\cdot} \\
1762 ('cd' | 'use\_thy' | 'update\_thy') name
1764 ('display\_drafts' | 'print\_drafts') (name +)
1770 \item [\isa{\isacommand{cd}}~\isa{path}] changes the current directory
1771 of the Isabelle process.
1773 \item [\isa{\isacommand{pwd}}] prints the current working directory.
1775 \item [\isa{\isacommand{use{\isacharunderscore}thy}}~\isa{A}] preload theory \isa{A}.
1776 These system commands are scarcely used when working interactively,
1777 since loading of theories is done automatically as required.
1779 \item [\isa{\isacommand{display{\isacharunderscore}drafts}}~\isa{paths} and \isa{\isacommand{print{\isacharunderscore}drafts}}~\isa{paths}] perform simple output of a given list
1780 of raw source files. Only those symbols that do not require
1781 additional {\LaTeX} packages are displayed properly, everything else
1785 \end{isamarkuptext}%
1793 \isacommand{end}\isamarkupfalse%
1803 %%% Local Variables:
1805 %%% TeX-master: "root"