Theory Framework
theory Framework
  imports Main Base
begin
chapter ‹The Isabelle/Isar Framework \label{ch:isar-framework}›
text ‹
  Isabelle/Isar \<^cite>‹"Wenzel:1999:TPHOL" and "Wenzel-PhD" and
  "Nipkow-TYPES02" and "Wiedijk:1999:Mizar" and "Wenzel-Paulson:2006" and
  "Wenzel:2006:Festschrift"› is a generic framework for developing formal
  mathematical documents with full proof checking. Definitions, statements and
  proofs are organized as theories. A collection of theories sources may be
  presented as a printed document; see also \chref{ch:document-prep}.
  The main concern of Isar is the design of a human-readable structured proof
  language, which is called the ``primary proof format'' in Isar terminology.
  Such a primary proof language is somewhere in the middle between the
  extremes of primitive proof objects and actual natural language.
  Thus Isar challenges the traditional way of recording informal proofs in
  mathematical prose, as well as the common tendency to see fully formal
  proofs directly as objects of some logical calculus (e.g.\ ‹λ›-terms in a
  version of type theory). Technically, Isar is an interpreter of a simple
  block-structured language for describing the data flow of local facts and
  goals, interspersed with occasional invocations of proof methods. Everything
  is reduced to logical inferences internally, but these steps are somewhat
  marginal compared to the overall bookkeeping of the interpretation process.
  Thanks to careful design of the syntax and semantics of Isar language
  elements, a formal record of Isar commands may later appear as an
  intelligible text to the human reader.
  The Isar proof language has emerged from careful analysis of some inherent
  virtues of the logical framework Isabelle/Pure \<^cite>‹"paulson-found" and
  "paulson700"›, notably composition of higher-order natural deduction rules,
  which is a generalization of Gentzen's original calculus \<^cite>‹"Gentzen:1935"›. The approach of generic inference systems in Pure is
  continued by Isar towards actual proof texts. See also
  \figref{fig:natural-deduction}
  \begin{figure}[htb]
  \begin{center}
  \begin{minipage}[t]{0.9\textwidth}
  \textbf{Inferences:}
  \begin{center}
  \begin{tabular}{l@ {\qquad}l}
  \infer{‹B›}{‹A ⟶ B› & ‹A›} &
  \infer{‹A ⟶ B›}{\infer*{‹B›}{‹[A]›}} \\
  \end{tabular}
  \end{center}
  \textbf{Isabelle/Pure:}
  \begin{center}
  \begin{tabular}{l@ {\qquad}l}
  ‹(A ⟶ B) ⟹ A ⟹ B› &
  ‹(A ⟹ B) ⟹ A ⟶ B›
  \end{tabular}
  \end{center}
  \textbf{Isabelle/Isar:}
  \begin{center}
  \begin{minipage}[t]{0.4\textwidth}
  @{theory_text [display, indent = 2]
    ‹have "A ⟶ B" \<proof>
also have A \<proof>
finally have B .›}
  \end{minipage}
  \begin{minipage}[t]{0.4\textwidth}
  @{theory_text [display, indent = 2]
    ‹have "A ⟶ B"
proof
  assume A
  then show B \<proof>
qed›}
  \end{minipage}
  \end{center}
  \end{minipage}
  \end{center}
  \caption{Natural Deduction via inferences according to Gentzen, rules in
  Isabelle/Pure, and proofs in Isabelle/Isar}\label{fig:natural-deduction}
  \end{figure}
  ┉
  Concrete applications require another intermediate layer: an object-logic.
  Isabelle/HOL \<^cite>‹"isa-tutorial"› (simply-typed set-theory) is most
  commonly used; elementary examples are given in the directories
  🗀‹~~/src/Pure/Examples› and 🗀‹~~/src/HOL/Examples›. Some examples
  demonstrate how to start a fresh object-logic from Isabelle/Pure, and use
  Isar proofs from the very start, despite the lack of advanced proof tools at
  such an early stage (e.g.\ see
  🗏‹~~/src/Pure/Examples/Higher_Order_Logic.thy›). Isabelle/FOL \<^cite>‹"isabelle-logics"› and Isabelle/ZF \<^cite>‹"isabelle-ZF"› also work, but are
  much less developed.
  In order to illustrate natural deduction in Isar, we shall subsequently
  refer to the background theory and library of Isabelle/HOL. This includes
  common notions of predicate logic, naive set-theory etc.\ using fairly
  standard mathematical notation. From the perspective of generic natural
  deduction there is nothing special about the logical connectives of HOL
  (‹∧›, ‹∨›, ‹∀›, ‹∃›, etc.), only the resulting reasoning principles are
  relevant to the user. There are similar rules available for set-theory
  operators (‹∩›, ‹∪›, ‹⋂›, ‹⋃›, etc.), or any other theory developed in the
  library (lattice theory, topology etc.).
  Subsequently we briefly review fragments of Isar proof texts corresponding
  directly to such general deduction schemes. The examples shall refer to
  set-theory, to minimize the danger of understanding connectives of predicate
  logic as something special.
  ┉
  The following deduction performs ‹∩›-introduction, working forwards from
  assumptions towards the conclusion. We give both the Isar text, and depict
  the primitive rule involved, as determined by unification of fact and goal
  statements against rules that are declared in the library context.
›
text_raw ‹\medskip\begin{minipage}{0.6\textwidth}›
notepad
begin
    fix x :: 'a and A B
    assume "x ∈ A" and "x ∈ B"
    then have "x ∈ A ∩ B" ..
end
text_raw ‹\end{minipage}\begin{minipage}{0.4\textwidth}›
text ‹
  \infer{‹x ∈ A ∩ B›}{‹x ∈ A› & ‹x ∈ B›}
›
text_raw ‹\end{minipage}›
text ‹
  ┉
  Note that ⬚‹assume› augments the proof context, ⬚‹then› indicates that the
  current fact shall be used in the next step, and ⬚‹have› states an
  intermediate goal. The two dots ``⬚‹..›'' refer to a complete proof of this
  claim, using the indicated facts and a canonical rule from the context. We
  could have been more explicit here by spelling out the final proof step via
  the ⬚‹by› command:
›
notepad
begin
    fix x :: 'a and A B
    assume "x ∈ A" and "x ∈ B"
    then have "x ∈ A ∩ B" by (rule IntI)
end
text ‹
  The format of the ‹∩›-introduction rule represents the most basic inference,
  which proceeds from given premises to a conclusion, without any nested proof
  context involved.
  The next example performs backwards introduction of ‹⋂𝒜›, the intersection
  of all sets within a given set. This requires a nested proof of set
  membership within a local context, where ‹A› is an arbitrary-but-fixed
  member of the collection:
›
text_raw ‹\medskip\begin{minipage}{0.6\textwidth}›
notepad
begin
    fix x :: 'a and 𝒜
    have "x ∈ ⋂𝒜"
    proof
      fix A
      assume "A ∈ 𝒜"
      show "x ∈ A" \<proof>
    qed
end
text_raw ‹\end{minipage}\begin{minipage}{0.4\textwidth}›
text ‹
  \infer{‹x ∈ ⋂𝒜›}{\infer*{‹x ∈ A›}{‹[A][A ∈ 𝒜]›}}
›
text_raw ‹\end{minipage}›
text ‹
  ┉
  This Isar reasoning pattern again refers to the primitive rule depicted
  above. The system determines it in the ``⬚‹proof›'' step, which could have
  been spelled out more explicitly as ``⬚‹proof (rule InterI)›''. Note that
  the rule involves both a local parameter ‹A› and an assumption ‹A ∈ 𝒜› in
  the nested reasoning. Such compound rules typically demands a genuine
  subproof in Isar, working backwards rather than forwards as seen before. In
  the proof body we encounter the ⬚‹fix›-⬚‹assume›-⬚‹show› outline of nested
  subproofs that is typical for Isar. The final ⬚‹show› is like ⬚‹have›
  followed by an additional refinement of the enclosing claim, using the rule
  derived from the proof body.
  ┉
  The next example involves ‹⋃𝒜›, which can be characterized as the set of
  all ‹x› such that ‹∃A. x ∈ A ∧ A ∈ 𝒜›. The elimination rule for ‹x ∈ ⋃𝒜›
  does not mention ‹∃› and ‹∧› at all, but admits to obtain directly a local
  ‹A› such that ‹x ∈ A› and ‹A ∈ 𝒜› hold. This corresponds to the following
  Isar proof and inference rule, respectively:
›
text_raw ‹\medskip\begin{minipage}{0.6\textwidth}›
notepad
begin
    fix x :: 'a and 𝒜 C
    assume "x ∈ ⋃𝒜"
    then have C
    proof
      fix A
      assume "x ∈ A" and "A ∈ 𝒜"
      show C \<proof>
    qed
end
text_raw ‹\end{minipage}\begin{minipage}{0.4\textwidth}›
text ‹
  \infer{‹C›}{‹x ∈ ⋃𝒜› & \infer*{‹C›~}{‹[A][x ∈ A, A ∈ 𝒜]›}}
›
text_raw ‹\end{minipage}›
text ‹
  ┉
  Although the Isar proof follows the natural deduction rule closely, the text
  reads not as natural as anticipated. There is a double occurrence of an
  arbitrary conclusion ‹C›, which represents the final result, but is
  irrelevant for now. This issue arises for any elimination rule involving
  local parameters. Isar provides the derived language element ⬚‹obtain›,
  which is able to perform the same elimination proof more conveniently:
›
notepad
begin
    fix x :: 'a and 𝒜
    assume "x ∈ ⋃𝒜"
    then obtain A where "x ∈ A" and "A ∈ 𝒜" ..
end
text ‹
  Here we avoid to mention the final conclusion ‹C› and return to plain
  forward reasoning. The rule involved in the ``⬚‹..›'' proof is the same as
  before.
›
section ‹The Pure framework \label{sec:framework-pure}›
text ‹
  The Pure logic \<^cite>‹"paulson-found" and "paulson700"› is an intuitionistic
  fragment of higher-order logic \<^cite>‹"church40"›. In type-theoretic
  parlance, there are three levels of ‹λ›-calculus with corresponding arrows
  ‹⇒›/‹⋀›/‹⟹›:
  ┉
  \begin{tabular}{ll}
  ‹α ⇒ β› & syntactic function space (terms depending on terms) \\
  ‹⋀x. B(x)› & universal quantification (proofs depending on terms) \\
  ‹A ⟹ B› & implication (proofs depending on proofs) \\
  \end{tabular}
  ┉
  Here only the types of syntactic terms, and the propositions of proof terms
  have been shown. The ‹λ›-structure of proofs can be recorded as an optional
  feature of the Pure inference kernel \<^cite>‹"Berghofer-Nipkow:2000:TPHOL"›,
  but the formal system can never depend on them due to ∗‹proof irrelevance›.
  On top of this most primitive layer of proofs, Pure implements a generic
  calculus for nested natural deduction rules, similar to \<^cite>‹"Schroeder-Heister:1984"›. Here object-logic inferences are internalized as
  formulae over ‹⋀› and ‹⟹›. Combining such rule statements may involve
  higher-order unification \<^cite>‹"paulson-natural"›.
›
subsection ‹Primitive inferences›
text ‹
  Term syntax provides explicit notation for abstraction ‹λx :: α. b(x)› and
  application ‹b a›, while types are usually implicit thanks to
  type-inference; terms of type ‹prop› are called propositions. Logical
  statements are composed via ‹⋀x :: α. B(x)› and ‹A ⟹ B›. Primitive reasoning
  operates on judgments of the form ‹Γ ⊢ φ›, with standard introduction and
  elimination rules for ‹⋀› and ‹⟹› that refer to fixed parameters ‹x⇩1, …,
  x⇩m› and hypotheses ‹A⇩1, …, A⇩n› from the context ‹Γ›; the corresponding
  proof terms are left implicit. The subsequent inference rules define ‹Γ ⊢ φ›
  inductively, relative to a collection of axioms from the implicit background
  theory:
  \[
  \infer{‹⊢ A›}{‹A› \mbox{~is axiom}}
  \qquad
  \infer{‹A ⊢ A›}{}
  \]
  \[
  \infer{‹Γ ⊢ ⋀x. B(x)›}{‹Γ ⊢ B(x)› & ‹x ∉ Γ›}
  \qquad
  \infer{‹Γ ⊢ B(a)›}{‹Γ ⊢ ⋀x. B(x)›}
  \]
  \[
  \infer{‹Γ - A ⊢ A ⟹ B›}{‹Γ ⊢ B›}
  \qquad
  \infer{‹Γ⇩1 ∪ Γ⇩2 ⊢ B›}{‹Γ⇩1 ⊢ A ⟹ B› & ‹Γ⇩2 ⊢ A›}
  \]
  Furthermore, Pure provides a built-in equality ‹≡ :: α ⇒ α ⇒ prop› with
  axioms for reflexivity, substitution, extensionality, and ‹αβη›-conversion
  on ‹λ›-terms.
  ┉
  An object-logic introduces another layer on top of Pure, e.g.\ with types
  ‹i› for individuals and ‹o› for propositions, term constants ‹Trueprop :: o
  ⇒ prop› as (implicit) derivability judgment and connectives like ‹∧ :: o ⇒ o
  ⇒ o› or ‹∀ :: (i ⇒ o) ⇒ o›, and axioms for object-level rules such as
  ‹conjI: A ⟹ B ⟹ A ∧ B› or ‹allI: (⋀x. B x) ⟹ ∀x. B x›. Derived object rules
  are represented as theorems of Pure. After the initial object-logic setup,
  further axiomatizations are usually avoided: definitional principles are
  used instead (e.g.\ ⬚‹definition›, ⬚‹inductive›, ⬚‹fun›, ⬚‹function›).
›
subsection ‹Reasoning with rules \label{sec:framework-resolution}›
text ‹
  Primitive inferences mostly serve foundational purposes. The main reasoning
  mechanisms of Pure operate on nested natural deduction rules expressed as
  formulae, using ‹⋀› to bind local parameters and ‹⟹› to express entailment.
  Multiple parameters and premises are represented by repeating these
  connectives in a right-associative manner.
  Thanks to the Pure theorem \<^prop>‹(A ⟹ (⋀x. B x)) ≡ (⋀x. A ⟹ B x)› the
  connectives ‹⋀› and ‹⟹› commute. So we may assume w.l.o.g.\ that rule
  statements always observe the normal form where quantifiers are pulled in
  front of implications at each level of nesting. This means that any Pure
  proposition may be presented as a ∗‹Hereditary Harrop Formula› \<^cite>‹"Miller:1991"› which is of the form ‹⋀x⇩1 … x⇩m. H⇩1 ⟹ … H⇩n ⟹ A› for ‹m, n
  ≥ 0›, and ‹A› atomic, and ‹H⇩1, …, H⇩n› being recursively of the same
  format. Following the convention that outermost quantifiers are implicit,
  Horn clauses ‹A⇩1 ⟹ … A⇩n ⟹ A› are a special case of this.
  For example, the ‹∩›-introduction rule encountered before is represented as
  a Pure theorem as follows:
  \[
  ‹IntI:›~\<^prop>‹x ∈ A ⟹ x ∈ B ⟹ x ∈ A ∩ B›
  \]
  This is a plain Horn clause, since no further nesting on the left is
  involved. The general ‹⋂›-introduction corresponds to a Hereditary Harrop
  Formula with one additional level of nesting:
  \[
  ‹InterI:›~\<^prop>‹(⋀A. A ∈ 𝒜 ⟹ x ∈ A) ⟹ x ∈ ⋂𝒜›
  \]
  ┉
  Goals are also represented as rules: ‹A⇩1 ⟹ … A⇩n ⟹ C› states that the
  subgoals ‹A⇩1, …, A⇩n› entail the result ‹C›; for ‹n = 0› the goal is
  finished. To allow ‹C› being a rule statement itself, there is an internal
  protective marker ‹# :: prop ⇒ prop›, which is defined as identity and
  hidden from the user. We initialize and finish goal states as follows:
  \[
  \begin{array}{c@ {\qquad}c}
  \infer[(@{inference_def init})]{‹C ⟹ #C›}{} &
  \infer[(@{inference_def finish})]{‹C›}{‹#C›}
  \end{array}
  \]
  Goal states are refined in intermediate proof steps until a finished form is
  achieved. Here the two main reasoning principles are @{inference
  resolution}, for back-chaining a rule against a subgoal (replacing it by
  zero or more subgoals), and @{inference assumption}, for solving a subgoal
  (finding a short-circuit with local assumptions). Below ‹\<^vec>x› stands
  for ‹x⇩1, …, x⇩n› (for ‹n ≥ 0›).
  \[
  \infer[(@{inference_def resolution})]
  {‹(⋀\<^vec>x. \<^vec>H \<^vec>x ⟹ \<^vec>A (\<^vec>a \<^vec>x))\<vartheta> ⟹ C\<vartheta>›}
  {\begin{tabular}{rl}
    ‹rule:› &
    ‹\<^vec>A \<^vec>a ⟹ B \<^vec>a› \\
    ‹goal:› &
    ‹(⋀\<^vec>x. \<^vec>H \<^vec>x ⟹ B' \<^vec>x) ⟹ C› \\
    ‹goal unifier:› &
    ‹(λ\<^vec>x. B (\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>› \\
   \end{tabular}}
  \]
  ┉
  \[
  \infer[(@{inference_def assumption})]{‹C\<vartheta>›}
  {\begin{tabular}{rl}
    ‹goal:› &
    ‹(⋀\<^vec>x. \<^vec>H \<^vec>x ⟹ A \<^vec>x) ⟹ C› \\
    ‹assm unifier:› & ‹A\<vartheta> = H⇩i\<vartheta>›~~\mbox{for some~‹H⇩i›} \\
   \end{tabular}}
  \]
  The following trace illustrates goal-oriented reasoning in
  Isabelle/Pure:
  {\footnotesize
  ┉
  \begin{tabular}{r@ {\quad}l}
  ‹(A ∧ B ⟹ B ∧ A) ⟹ #(A ∧ B ⟹ B ∧ A)› & ‹(init)› \\
  ‹(A ∧ B ⟹ B) ⟹ (A ∧ B ⟹ A) ⟹ #…› & ‹(resolution B ⟹ A ⟹ B ∧ A)› \\
  ‹(A ∧ B ⟹ A ∧ B) ⟹ (A ∧ B ⟹ A) ⟹ #…› & ‹(resolution A ∧ B ⟹ B)› \\
  ‹(A ∧ B ⟹ A) ⟹ #…› & ‹(assumption)› \\
  ‹(A ∧ B ⟹ A ∧ B) ⟹ #…› & ‹(resolution A ∧ B ⟹ A)› \\
  ‹#…› & ‹(assumption)› \\
  ‹A ∧ B ⟹ B ∧ A› & ‹(finish)› \\
  \end{tabular}
  ┉
  }
  Compositions of @{inference assumption} after @{inference resolution} occurs
  quite often, typically in elimination steps. Traditional Isabelle tactics
  accommodate this by a combined @{inference_def elim_resolution} principle.
  In contrast, Isar uses a combined refinement rule as follows:\footnote{For
  simplicity and clarity, the presentation ignores ∗‹weak premises› as
  introduced via ⬚‹presume› or ⬚‹show … when›.}
  {\small
  \[
  \infer[(@{inference refinement})]
  {‹C\<vartheta>›}
  {\begin{tabular}{rl}
    ‹subgoal:› &
    ‹(⋀\<^vec>x. \<^vec>H \<^vec>x ⟹ B' \<^vec>x) ⟹ C› \\
    ‹subproof:› &
    ‹\<^vec>G \<^vec>a ⟹ B \<^vec>a› \quad for schematic ‹\<^vec>a› \\
    ‹concl unifier:› &
    ‹(λ\<^vec>x. B (\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>› \\
    ‹assm unifiers:› &
    ‹(λ\<^vec>x. G⇩j (\<^vec>a \<^vec>x))\<vartheta> = H⇩i\<vartheta>› \quad for each ‹G⇩j› some ‹H⇩i› \\
   \end{tabular}}
  \]}
  Here the ‹subproof› rule stems from the main ⬚‹fix›-⬚‹assume›-⬚‹show›
  outline of Isar (cf.\ \secref{sec:framework-subproof}): each assumption
  indicated in the text results in a marked premise ‹G› above. Consequently,
  ⬚‹fix›-⬚‹assume›-⬚‹show› enables to fit the result of a subproof quite
  robustly into a pending subgoal, while maintaining a good measure of
  flexibility: the subproof only needs to fit modulo unification, and its
  assumptions may be a proper subset of the subgoal premises (see
  \secref{sec:framework-subproof}).
›
section ‹The Isar proof language \label{sec:framework-isar}›
text ‹
  Structured proofs are presented as high-level expressions for composing
  entities of Pure (propositions, facts, and goals). The Isar proof language
  allows to organize reasoning within the underlying rule calculus of Pure,
  but Isar is not another logical calculus. Isar merely imposes certain
  structure and policies on Pure inferences. The main grammar of the Isar
  proof language is given in \figref{fig:isar-syntax}.
  \begin{figure}[htb]
  \begin{center}
  \begin{tabular}{rcl}
    ‹main› & ‹=› & ⬚‹notepad begin "statement⇧*" end› \\
    & ‹|› & ⬚‹theorem name: props if name: props for vars› \\
    & ‹|› & ⬚‹theorem name:› \\
    & & \quad⬚‹fixes vars› \\
    & & \quad⬚‹assumes name: props› \\
    & & \quad⬚‹shows name: props "proof"› \\
    & ‹|› & ⬚‹theorem name:› \\
    & & \quad⬚‹fixes vars› \\
    & & \quad⬚‹assumes name: props› \\
    & & \quad⬚‹obtains (name) clause "❙|" … "proof"› \\
    ‹proof› & ‹=› & ⬚‹"refinement⇧* proper_proof"› \\
    ‹refinement› & ‹=› &  ⬚‹apply method› \\
    & ‹|› & ⬚‹supply name = thms› \\
    & ‹|› & ⬚‹subgoal premises name for vars "proof"› \\
    & ‹|› & ⬚‹using thms› \\
    & ‹|› & ⬚‹unfolding thms› \\
    ‹proper_proof› & ‹=› & ⬚‹proof "method⇧?" "statement⇧*" qed "method⇧?"› \\
    & ‹|› & ⬚‹by method method›~~~‹|›~~~⬚‹..›~~~‹|›~~~⬚‹.›~~~‹|›~~~⬚‹sorry›~~~‹|›~~~⬚‹done› \\
    ‹statement› & ‹=› & ⬚‹{ "statement⇧*" }›~~~‹|›~~~⬚‹next› \\
    & ‹|› & ⬚‹note name = thms› \\
    & ‹|› & ⬚‹let "term" = "term"› \\
    & ‹|› & ⬚‹write name  (mixfix)› \\
    & ‹|› & ⬚‹fix vars› \\
    & ‹|› & ⬚‹assume name: props if props for vars› \\
    & ‹|› & ⬚‹presume name: props if props for vars› \\
    & ‹|› & ⬚‹define clause› \\
    & ‹|› & ⬚‹case name: "case"› \\
    & ‹|› & ⬚‹then"⇧?" goal› \\
    & ‹|› & ⬚‹from thms goal› \\
    & ‹|› & ⬚‹with thms goal› \\
    & ‹|› & ⬚‹also›~~~‹|›~~~⬚‹finally goal› \\
    & ‹|› & ⬚‹moreover›~~~‹|›~~~⬚‹ultimately goal› \\
    ‹goal› & ‹=› & ⬚‹have name: props if name: props for vars "proof"› \\
    & ‹|› & ⬚‹show name: props if name: props for vars "proof"› \\
    & ‹|› & ⬚‹show name: props when name: props for vars "proof"› \\
    & ‹|› & ⬚‹consider (name) clause "❙|" … "proof"› \\
    & ‹|› & ⬚‹obtain (name) clause "proof"› \\
    ‹clause› & ‹=› & ⬚‹vars where name: props if props for vars› \\
  \end{tabular}
  \end{center}
  \caption{Main grammar of the Isar proof language}\label{fig:isar-syntax}
  \end{figure}
  The construction of the Isar proof language proceeds in a bottom-up fashion,
  as an exercise in purity and minimalism. The grammar in
  \appref{ap:main-grammar} describes the primitive parts of the core language
  (category ‹proof›), which is embedded into the main outer theory syntax via
  elements that require a proof (e.g.\ ⬚‹theorem›, ⬚‹lemma›, ⬚‹function›,
  ⬚‹termination›).
  The syntax for terms and propositions is inherited from Pure (and the
  object-logic). A ‹pattern› is a ‹term› with schematic variables, to be bound
  by higher-order matching. Simultaneous propositions or facts may be
  separated by the ⬚‹and› keyword.
  ┉
  Facts may be referenced by name or proposition. For example, the result of
  ``⬚‹have a: A \<proof>›'' becomes accessible both via the name ‹a› and the
  literal proposition ‹‹A››. Moreover, fact expressions may involve attributes
  that modify either the theorem or the background context. For example, the
  expression ``‹a [OF b]›'' refers to the composition of two facts according
  to the @{inference resolution} inference of
  \secref{sec:framework-resolution}, while ``‹a [intro]›'' declares a fact as
  introduction rule in the context.
  The special fact called ``@{fact this}'' always refers to the last result,
  as produced by ⬚‹note›, ⬚‹assume›, ⬚‹have›, or ⬚‹show›. Since ⬚‹note› occurs
  frequently together with ⬚‹then›, there are some abbreviations:
  ┉
  \begin{tabular}{rcl}
    ⬚‹from a› & ‹≡› & ⬚‹note a then› \\
    ⬚‹with a› & ‹≡› & ⬚‹from a and this› \\
  \end{tabular}
  ┉
  The ‹method› category is essentially a parameter of the Isar language and
  may be populated later. The command ⬚‹method_setup› allows to define proof
  methods semantically in Isabelle/ML. The Eisbach language allows to define
  proof methods symbolically, as recursive expressions over existing methods
  \<^cite>‹"Matichuk-et-al:2014"›; see also 🗀‹~~/src/HOL/Eisbach›.
  Methods use the facts indicated by ⬚‹then› or ⬚‹using›, and then operate on
  the goal state. Some basic methods are predefined in Pure: ``@{method "-"}''
  leaves the goal unchanged, ``@{method this}'' applies the facts as rules to
  the goal, ``@{method (Pure) "rule"}'' applies the facts to another rule and
  the result to the goal (both ``@{method this}'' and ``@{method (Pure)
  rule}'' refer to @{inference resolution} of
  \secref{sec:framework-resolution}). The secondary arguments to ``@{method
  (Pure) rule}'' may be specified explicitly as in ``‹(rule a)›'', or picked
  from the context. In the latter case, the system first tries rules declared
  as @{attribute (Pure) elim} or @{attribute (Pure) dest}, followed by those
  declared as @{attribute (Pure) intro}.
  The default method for ⬚‹proof› is ``@{method standard}'' (which subsumes
  @{method rule} with arguments picked from the context), for ⬚‹qed› it is
  ``@{method "succeed"}''. Further abbreviations for terminal proof steps are
  ``⬚‹by method⇩1 method⇩2›'' for ``⬚‹proof method⇩1 qed method⇩2›'', and
  ``⬚‹..›'' for ``⬚‹by standard›, and ``⬚‹.›'' for ``⬚‹by this›''. The command
  ``⬚‹unfolding facts›'' operates directly on the goal by applying equalities.
  ┉
  Block structure can be indicated explicitly by ``⬚‹{ … }›'', although the
  body of a subproof ``⬚‹proof … qed›'' already provides implicit nesting. In
  both situations, ⬚‹next› jumps into the next section of a block, i.e.\ it
  acts like closing an implicit block scope and opening another one. There is
  no direct connection to subgoals here!
  The commands ⬚‹fix› and ⬚‹assume› build up a local context (see
  \secref{sec:framework-context}), while ⬚‹show› refines a pending subgoal by
  the rule resulting from a nested subproof (see
  \secref{sec:framework-subproof}). Further derived concepts will support
  calculational reasoning (see \secref{sec:framework-calc}).
›
subsection ‹Context elements \label{sec:framework-context}›
text ‹
  In judgments ‹Γ ⊢ φ› of the primitive framework, ‹Γ› essentially acts like a
  proof context. Isar elaborates this idea towards a more advanced concept,
  with additional information for type-inference, term abbreviations, local
  facts, hypotheses etc.
  The element ⬚‹fix x :: α› declares a local parameter, i.e.\ an
  arbitrary-but-fixed entity of a given type; in results exported from the
  context, ‹x› may become anything. The ⬚‹assume «inference»› element provides
  a general interface to hypotheses: ⬚‹assume «inference» A› produces ‹A ⊢ A›
  locally, while the included inference tells how to discharge ‹A› from
  results ‹A ⊢ B› later on. There is no surface syntax for ‹«inference»›,
  i.e.\ it may only occur internally when derived commands are defined in ML.
  The default inference for ⬚‹assume› is @{inference export} as given below.
  The derived element ⬚‹define x where "x ≡ a"› is defined as ⬚‹fix x assume
  «expand» x ≡ a›, with the subsequent inference @{inference expand}.
  \[
  \infer[(@{inference_def export})]{‹\<strut>Γ - A ⊢ A ⟹ B›}{‹\<strut>Γ ⊢ B›}
  \qquad
  \infer[(@{inference_def expand})]{‹\<strut>Γ - (x ≡ a) ⊢ B a›}{‹\<strut>Γ ⊢ B x›}
  \]
  ┉
  The most interesting derived context element in Isar is ⬚‹obtain› \<^cite>‹‹\S5.3› in "Wenzel-PhD"›, which supports generalized elimination steps in a
  purely forward manner. The ⬚‹obtain› command takes a specification of
  parameters ‹\<^vec>x› and assumptions ‹\<^vec>A› to be added to the context,
  together with a proof of a case rule stating that this extension is
  conservative (i.e.\ may be removed from closed results later on):
  ┉
  \begin{tabular}{l}
  ⬚‹⟨facts⟩ obtain "\<^vec>x" where "\<^vec>A" "\<^vec>x" \<proof> ≡› \\[0.5ex]
  \quad ⬚‹have "case": "⋀thesis. (⋀\<^vec>x. \<^vec>A \<^vec>x ⟹ thesis) ⟹ thesis"› \\
  \quad ⬚‹proof -› \\
  \qquad ⬚‹fix thesis› \\
  \qquad ⬚‹assume [intro]: "⋀\<^vec>x. \<^vec>A \<^vec>x ⟹ thesis"› \\
  \qquad ⬚‹show thesis using ⟨facts⟩ \<proof>› \\
  \quad ⬚‹qed› \\
  \quad ⬚‹fix "\<^vec>x" assume «elimination "case"» "\<^vec>A \<^vec>x"› \\
  \end{tabular}
  ┉
  \[
  \infer[(@{inference elimination})]{‹Γ ⊢ B›}{
    \begin{tabular}{rl}
    ‹case:› &
    ‹Γ ⊢ ⋀thesis. (⋀\<^vec>x. \<^vec>A \<^vec>x ⟹ thesis) ⟹ thesis› \\[0.2ex]
    ‹result:› &
    ‹Γ ∪ \<^vec>A \<^vec>y ⊢ B› \\[0.2ex]
    \end{tabular}}
  \]
  Here the name ``‹thesis›'' is a specific convention for an
  arbitrary-but-fixed proposition; in the primitive natural deduction rules
  shown before we have occasionally used ‹C›. The whole statement of
  ``⬚‹obtain x where A x›'' can be read as a claim that ‹A x› may be assumed
  for some arbitrary-but-fixed ‹x›. Also note that ``⬚‹obtain A and B›''
  without parameters is similar to ``⬚‹have A and B›'', but the latter
  involves multiple subgoals that need to be proven separately.
  ┉
  The subsequent Isar proof texts explain all context elements introduced
  above using the formal proof language itself. After finishing a local proof
  within a block, the exported result is indicated via ⬚‹note›.
›
theorem True
proof
  text_raw ‹\begin{minipage}[t]{0.45\textwidth}›
  {
    fix x
    have "B x" \<proof>
  }
  note ‹⋀x. B x›
  text_raw ‹\end{minipage}\quad\begin{minipage}[t]{0.45\textwidth}›next
  {
    assume A
    have B \<proof>
  }
  note ‹A ⟹ B›
  text_raw ‹\end{minipage}\\[3ex]\begin{minipage}[t]{0.45\textwidth}›next
  {
    define x where "x ≡ a"
    have "B x" \<proof>
  }
  note ‹B a›
  text_raw ‹\end{minipage}\quad\begin{minipage}[t]{0.45\textwidth}›next
  {
    obtain x where "A x" \<proof>
    have B \<proof>
  }
  note ‹B›
  text_raw ‹\end{minipage}›
qed
text ‹
  ━
  This explains the meaning of Isar context elements without, without goal
  states getting in the way.
›
subsection ‹Structured statements \label{sec:framework-stmt}›
text ‹
  The syntax of top-level theorem statements is defined as follows:
  ┉
  \begin{tabular}{rcl}
  ‹statement› & ‹≡› & ⬚‹name: props and …› \\
  & ‹|› & ‹context⇧* conclusion› \\[0.5ex]
  ‹context› & ‹≡› & ⬚‹fixes vars and …› \\
  & ‹|› & ⬚‹assumes name: props and …› \\
  ‹conclusion› & ‹≡› & ⬚‹shows name: props and …› \\
  & ‹|› & ⬚‹obtains vars and … where name: props and …› \\
  & & \quad ‹\<BBAR> …› \\
  \end{tabular}
  ┉
  A simple statement consists of named propositions. The full form admits
  local context elements followed by the actual conclusions, such as ``⬚‹fixes
  x assumes A x shows B x›''. The final result emerges as a Pure rule after
  discharging the context: \<^prop>‹⋀x. A x ⟹ B x›.
  The ⬚‹obtains› variant is another abbreviation defined below; unlike
  ⬚‹obtain› (cf.\ \secref{sec:framework-context}) there may be several
  ``cases'' separated by ``‹\<BBAR>›'', each consisting of several parameters
  (‹vars›) and several premises (‹props›). This specifies multi-branch
  elimination rules.
  ┉
  \begin{tabular}{l}
  ⬚‹obtains "\<^vec>x" where "\<^vec>A" "\<^vec>x"  "\<BBAR>"  …  ≡› \\[0.5ex]
  \quad ⬚‹fixes thesis› \\
  \quad ⬚‹assumes [intro]: "⋀\<^vec>x. \<^vec>A \<^vec>x ⟹ thesis"  and  …› \\
  \quad ⬚‹shows thesis› \\
  \end{tabular}
  ┉
  Presenting structured statements in such an ``open'' format usually
  simplifies the subsequent proof, because the outer structure of the problem
  is already laid out directly. E.g.\ consider the following canonical
  patterns for ⬚‹shows› and ⬚‹obtains›, respectively:
›
text_raw ‹\begin{minipage}{0.5\textwidth}›
  theorem
    fixes x and y
    assumes "A x" and "B y"
    shows "C x y"
  proof -
    from ‹A x› and ‹B y›
    show "C x y" \<proof>
  qed
text_raw ‹\end{minipage}\begin{minipage}{0.5\textwidth}›
  theorem
    obtains x and y
    where "A x" and "B y"
  proof -
    have "A a" and "B b" \<proof>
    then show thesis ..
  qed
text_raw ‹\end{minipage}›
text ‹
  ┉
  Here local facts ‹‹A x›› and ‹‹B y›› are referenced immediately; there is no
  need to decompose the logical rule structure again. In the second proof the
  final ``⬚‹then show thesis ..›'' involves the local rule case ‹⋀x y. A x ⟹ B
  y ⟹ thesis› for the particular instance of terms ‹a› and ‹b› produced in the
  body.
›
subsection ‹Structured proof refinement \label{sec:framework-subproof}›
text ‹
  By breaking up the grammar for the Isar proof language, we may understand a
  proof text as a linear sequence of individual proof commands. These are
  interpreted as transitions of the Isar virtual machine (Isar/VM), which
  operates on a block-structured configuration in single steps. This allows
  users to write proof texts in an incremental manner, and inspect
  intermediate configurations for debugging.
  The basic idea is analogous to evaluating algebraic expressions on a stack
  machine: ‹(a + b) ⋅ c› then corresponds to a sequence of single transitions
  for each symbol ‹(, a, +, b, ), ⋅, c›. In Isar the algebraic values are
  facts or goals, and the operations are inferences.
  ┉
  The Isar/VM state maintains a stack of nodes, each node contains the local
  proof context, the linguistic mode, and a pending goal (optional). The mode
  determines the type of transition that may be performed next, it essentially
  alternates between forward and backward reasoning, with an intermediate
  stage for chained facts (see \figref{fig:isar-vm}).
  \begin{figure}[htb]
  \begin{center}
  \includegraphics[width=0.8\textwidth]{isar-vm}
  \end{center}
  \caption{Isar/VM modes}\label{fig:isar-vm}
  \end{figure}
  For example, in ‹state› mode Isar acts like a mathematical scratch-pad,
  accepting declarations like ⬚‹fix›, ⬚‹assume›, and claims like ⬚‹have›,
  ⬚‹show›. A goal statement changes the mode to ‹prove›, which means that we
  may now refine the problem via ⬚‹unfolding› or ⬚‹proof›. Then we are again
  in ‹state› mode of a proof body, which may issue ⬚‹show› statements to solve
  pending subgoals. A concluding ⬚‹qed› will return to the original ‹state›
  mode one level upwards. The subsequent Isar/VM trace indicates block
  structure, linguistic mode, goal state, and inferences:
›
text_raw ‹\begingroup\footnotesize›
notepad begin
  text_raw ‹\begin{minipage}[t]{0.18\textwidth}›
  have "A ⟶ B"
  proof
    assume A
    show B
      \<proof>
  qed
  text_raw ‹\end{minipage}\quad
\begin{minipage}[t]{0.06\textwidth}
‹begin› \\
\\
\\
‹begin› \\
‹end› \\
‹end› \\
\end{minipage}
\begin{minipage}[t]{0.08\textwidth}
‹prove› \\
‹state› \\
‹state› \\
‹prove› \\
‹state› \\
‹state› \\
\end{minipage}\begin{minipage}[t]{0.35\textwidth}
‹(A ⟶ B) ⟹ #(A ⟶ B)› \\
‹(A ⟹ B) ⟹ #(A ⟶ B)› \\
\\
\\
‹#(A ⟶ B)› \\
‹A ⟶ B› \\
\end{minipage}\begin{minipage}[t]{0.4\textwidth}
‹(init)› \\
‹(resolution impI)› \\
\\
\\
‹(refinement #A ⟹ B)› \\
‹(finish)› \\
\end{minipage}›
end
text_raw ‹\endgroup›
text ‹
  Here the @{inference refinement} inference from
  \secref{sec:framework-resolution} mediates composition of Isar subproofs
  nicely. Observe that this principle incorporates some degree of freedom in
  proof composition. In particular, the proof body allows parameters and
  assumptions to be re-ordered, or commuted according to Hereditary Harrop
  Form. Moreover, context elements that are not used in a subproof may be
  omitted altogether. For example:
›
text_raw ‹\begin{minipage}{0.5\textwidth}›
notepad
begin
  have "⋀x y. A x ⟹ B y ⟹ C x y"
  proof -
    fix x and y
    assume "A x" and "B y"
    show "C x y" \<proof>
  qed
text_raw ‹\end{minipage}\begin{minipage}{0.5\textwidth}›
next
  have "⋀x y. A x ⟹ B y ⟹ C x y"
  proof -
    fix x assume "A x"
    fix y assume "B y"
    show "C x y" \<proof>
  qed
text_raw ‹\end{minipage}\\[3ex]\begin{minipage}{0.5\textwidth}›
next
  have "⋀x y. A x ⟹ B y ⟹ C x y"
  proof -
    fix y assume "B y"
    fix x assume "A x"
    show "C x y" \<proof>
  qed
text_raw ‹\end{minipage}\begin{minipage}{0.5\textwidth}›
next
  have "⋀x y. A x ⟹ B y ⟹ C x y"
  proof -
    fix y assume "B y"
    fix x
    show "C x y" \<proof>
  qed
end
text_raw ‹\end{minipage}›
text ‹
  ┉
  Such fine-tuning of Isar text is practically important to improve
  readability. Contexts elements are rearranged according to the natural flow
  of reasoning in the body, while still observing the overall scoping rules.
  ┉
  This illustrates the basic idea of structured proof processing in Isar. The
  main mechanisms are based on natural deduction rule composition within the
  Pure framework. In particular, there are no direct operations on goal states
  within the proof body. Moreover, there is no hidden automated reasoning
  involved, just plain unification.
›
subsection ‹Calculational reasoning \label{sec:framework-calc}›
text ‹
  The existing Isar infrastructure is sufficiently flexible to support
  calculational reasoning (chains of transitivity steps) as derived concept.
  The generic proof elements introduced below depend on rules declared as
  @{attribute trans} in the context. It is left to the object-logic to provide
  a suitable rule collection for mixed relations of ‹=›, ‹<›, ‹≤›, ‹⊂›, ‹⊆›
  etc. Due to the flexibility of rule composition
  (\secref{sec:framework-resolution}), substitution of equals by equals is
  covered as well, even substitution of inequalities involving monotonicity
  conditions; see also \<^cite>‹‹\S6› in "Wenzel-PhD"› and \<^cite>‹"Bauer-Wenzel:2001"›.
  The generic calculational mechanism is based on the observation that rules
  such as ‹trans:›~\<^prop>‹x = y ⟹ y = z ⟹ x = z› proceed from the premises
  towards the conclusion in a deterministic fashion. Thus we may reason in
  forward mode, feeding intermediate results into rules selected from the
  context. The course of reasoning is organized by maintaining a secondary
  fact called ``@{fact calculation}'', apart from the primary ``@{fact this}''
  already provided by the Isar primitives. In the definitions below,
  @{attribute OF} refers to @{inference resolution}
  (\secref{sec:framework-resolution}) with multiple rule arguments, and
  ‹trans› represents to a suitable rule from the context:
  \begin{matharray}{rcl}
    ⬚‹also"⇩0"› & \equiv & ⬚‹note calculation = this› \\
    ⬚‹also"⇩n⇩+⇩1"› & \equiv & ⬚‹note calculation = trans [OF calculation this]› \\[0.5ex]
    ⬚‹finally› & \equiv & ⬚‹also from calculation› \\
  \end{matharray}
  The start of a calculation is determined implicitly in the text: here
  ⬚‹also› sets @{fact calculation} to the current result; any subsequent
  occurrence will update @{fact calculation} by combination with the next
  result and a transitivity rule. The calculational sequence is concluded via
  ⬚‹finally›, where the final result is exposed for use in a concluding claim.
  Here is a canonical proof pattern, using ⬚‹have› to establish the
  intermediate results:
›
notepad
begin
  fix a b c d :: 'a
  have "a = b" \<proof>
  also have "… = c" \<proof>
  also have "… = d" \<proof>
  finally have "a = d" .
end
text ‹
  The term ``‹…›'' (literal ellipsis) is a special abbreviation provided by
  the Isabelle/Isar term syntax: it statically refers to the right-hand side
  argument of the previous statement given in the text. Thus it happens to
  coincide with relevant sub-expressions in the calculational chain, but the
  exact correspondence is dependent on the transitivity rules being involved.
  ┉
  Symmetry rules such as \<^prop>‹x = y ⟹ y = x› are like transitivities with
  only one premise. Isar maintains a separate rule collection declared via the
  @{attribute sym} attribute, to be used in fact expressions ``‹a
  [symmetric]›'', or single-step proofs ``⬚‹assume "x = y" then have "y = x"
  ..›''.
›
end