I would like to prove
P ==> P
by case distinction, to understand the latter.
lemma "P ⟹ P"
proof (cases P)
goal (2 subgoals):
1. P ⟹ P ⟹ P
2. P ⟹ ¬ P ⟹ P
I am not quite sure if I want these. I wanted to assume that P is true and then show P is true by assumption, then assume not P and prove not P by assumption. Like in a truth table.
The not P in the second subgoal seems strange, is that provable at all?
assume P then show P by assumption
Successful attempt to solve goal by exported rule:
(P) ⟹ P
next
goal (1 subgoal):
1. P ⟹ ¬ P ⟹ P
assume P assume "¬P" then show "¬P" by (rule HOL.FalseE)
This went completely bad.
How can I take P and not P as the cases?
P and not P already are your cases. If you write "cases P", Isabelle copys the current goal and adds P to the assumptions of the first and ¬ P to the assumption of the second new subgoal. The right-hand side of the goals is not affected by the cases method if used in this way.
In your case, you don't have to prove the ¬ P in the second subgoal, but you may use it as the additional assumption, introduced by the case destinction.
Obviously you can't prove P from ¬ P in the second subgoal. Luckily, the global assumption P is still there, so that both cases still prove P from P, which is as trviial as it already is without the case destinction ;).
If you want to prove something by having Isabelle insert the possible values of a variable directly, you could try:
lemma "P ⟹ P"
proof (induct P)
goal (2 subgoals):
1. True ⟹ True
2. False ⟹ False
Related
So I'm trying to perform a simple proof using cardinalities. It looks like:
⟦(A::nat set) ∩ B = {}⟧ ⟹ (card (A ∪ B) = card A + card B)
Which seems to makes sense, but for some reason blast hangs, the rest of the provers fail to apply, and sledgehammer times out. Is there a gap in what I think I know about cardinalities? If not, how can I prove this lemma?
Thanks in advance!
I believe that the lemma you are trying to prove does not appropriately consider the case of infinite sets.
In Isabelle/HOL, infinite cardinalities are represented by zero. As we can see by the following lemma.
lemma "¬(finite A) ⟹ card A = 0"
by simp
If we consider the case of an infinite set, A, and a set of one element, B, then assume the intersection, A ∩ B is an empty set.
We are left with:
card (A ∪ B) = 0 as their union will also be infinite.
card A = 0
card B = 1
So we can see that in this case, the lemma does not hold.
The lemma can be corrected by asserting both sets are finite:
lemma
"⟦finite A; finite B; ((A::nat set) ∩ B) = {}⟧ ⟹ (card (A ∪ B) = card A + card B)"
by (simp add: card_Un_disjoint)
Which is essentially the same as the card_Un_disjoint used by the proof:
lemma card_Un_disjoint: "finite A ⟹ finite B ⟹ A ∩ B = {} ⟹ card (A ∪ B) = card A + card B"
using card_Un_Int [of A B] by simp
I just come up with this question. As written in the book of Logic in Computer Science, one of the important equivalence of LTL is this:
Fp=TUp. And the T means no constraints.
Yet what if I replace the T with (not p)? Does Fp=(not p)Up hold? Since in this case I actually put some constraints (not p) in the formula, but in the meantime there could be no state can satisfy (not p) and p together. And I tried with different LTL formula as p, and as long as p is satisfiable, then for every path with p, it must satisfy Fp and (not p)Up as well.
Does it means that I can rewrite F in this way or there is some counter example?
The short answer:
Yes, both formulas are equivalent and you can rewrite Fp also with (¬p)Up.
and a proof:
We can investigate the problem by looking at the definition of pUq (I think it's defined this way in the book Model Checking by Clarke, Grumberg, Peled).
A path s is a model for the formula (written s ⊨ pUq):
s ⊨ pUq <=> ∃k: s^k ⊨ q
∧ ∀i: 0<=i<k => s^i ⊨ q
(With s^i being the path s with the first i steps removed.)
We have (1):
s ⊨ (¬p)Up <=> ∃k: s^k ⊨ p
∧ ∀i: 0<=i<k => s^i ⊨ ¬p
and (2):
s ⊨ TUp <=> ∃k: s^k ⊨ p
∧ ∀i: 0<=i<k => s^i ⊨ true
<=> ∃k: s^k ⊨ p
We want to show (1) <=> (2) (I renamed the ks to k1 and k2 to avoid confusion):
∃k1: s^k1 ⊨ p
∧ ∀i: 0<=i<k1 => s^i ⊨ ¬p
<=>
∃k2: s^k2 ⊨ p
The direction (1) => (2) is trivial.
For (2) => (1) we have to show that from
∃k2: s^k2 ⊨ p
follows
∃k1: s^k1 ⊨ p ∧ ∀i: 0<=i<k1 => s^i ⊨ ¬p
We know that there exists a value for k1 (namely k2) such that s^k1 ⊨ p holds. But what about the second part? We can now just use for k1 the smallest value such that s^i ⊨ p holds. Then the second part is true, because if there would be an i such that s^i ⊨ not p does not hold, we know that s^i |= p holds. But in that case we would have choosen i for k1 because i is strictly smaller then k1.
So both formulas (1) and (2) are equivalent.
My problem: Define two sets P and Q of words (that is, two problems) such that:
P is undecidable and not semidecidable, Q is undecidable and semidecidable and P ⊂ Q
One example of such sets:
Define Q as the set of turing machines, which halt on empty input. Define P as the set of turing machines, which halt on every input.
Clearly P ⊂ Q and P is undecidable and not semidecidable, but Q is undecidable and semidecidable.
Unless I'm mistaken, there is no proof for
∀ {A : Set} → ¬ (¬ A) → A
in Agda.
This means you cannot use proofs by contradiction.
Many Maths textbooks use those kinds of proofs, so I was wondering: is it always possible to find an alternative constructive proof? Could you write, e.g., an Algebra textbook using only constructive logic?
In case the answer is no. Does this mean constructive logic is in some sense less powerful then classical logic?
Indeed, double negation elimination (and other statements which are logically equivalent to that) cannot be proven in Agda.
-- Law of excluded middle
lem : ∀ {p} {P : Set p} → P ⊎ ¬ P
-- Double negation elimination
dne : ∀ {p} {P : Set p} → ¬ ¬ P → P
-- Peirce's law
peirce : ∀ {p q} {P : Set p} {Q : Set q} →
((P → Q) → P) → P
(If you want, you can show that these are indeed logically equivalent, it's an interesting exercise). But this is a consequence we cannot avoid - one of the important things about constructive logic is that proofs have a computational context. However, assuming law of excluded middle basically kills any computational context.
Consider for example the following proposition:
end-state? : Turing → Set
end-state? t = ...
simulate_for_steps : Turing → ℕ → Turing
simulate t for n steps = ...
Terminates : Turing → Set
Terminates machine = Σ ℕ λ n →
end-state? (simulate machine for n steps)
So, a Turing machine terminates if there exists a number n such that after n steps, the machine is in an end state. Sounds reasonable, right? What happens when we add excluded middle in the mix?
terminates? : Turing → Bool
terminates? t with lem {P = Terminates t}
... | inj₁ _ = true
... | inj₂ _ = false
If we have excluded middle, then any proposition is decidable. Which also means that we can decide whether a Turing machine terminates or not and we've solved the halting problem. So we can either have computability or classical logic, but not both! While excluded middle and other equivalent statements help us with proofs, it comes at the cost of computational meaning of the program.
So yes, in this sense, constructive logic is less powerful than classical. However, we can simulate classical logic via double negation translation. Notice that doubly negated versions of the previous principles hold in Agda:
¬¬dne : ∀ {p} {P : Set p} → ¬ ¬ (¬ ¬ P → P)
¬¬dne f = f λ g → ⊥-elim (g (f ∘ const))
¬¬lem : ∀ {p} {P : Set p} → ¬ ¬ (P ⊎ ¬ P)
¬¬lem f = f (inj₂ (f ∘ inj₁))
If we were in classical logic, you would then use double negation elimination to get the original statements. There's even a monad dedicated to this transformation, take a look at the double negation monad in the Relation.Nullary.Negation module (in the standard library).
What this means is that we can selectively use the classical logic. From certain point of view, constructive logic is more powerful than classical precisely because of this. In classical logic, you cannot opt out of these statements, they just are there. On the other hand, constructive logic doesn't force you to use these, but if you need them, you can "enable" them in this way.
Another statement which cannot be proven in Agda is function extensionality. But unlike with classical statements, this one is desirable in constructive logics.
ext : ∀ {a b} {A : Set a} {B : A → Set b}
(f g : ∀ x → B x) → (∀ x → f x ≡ g x) → f ≡ g
However, this doesn't mean that it doesn't hold in constructive logic. It's just a property of the theory on which Agda is based (which is mostly intensional type theory with axiom K), there are other flavors of type theory where this statement holds, for example the usual formulations of extensional type theory or Conor McBride's and Thorsten Altenkirch's observational type theory.
I am fairly new to Coq and am trying out sample lemmas from Ruth and Ryan. The proof using natural deduction is pretty trivial, and this is what I want to prove using Coq.
assume p -> q.
assume ~q.
assume p.
q.
False.
therefore ~p.
therefore ~q -> ~p.
therefore (p -> q) => ~q => ~p.
I am stuck at the line 3 assume p.
Can someone please tell me if there is an one-to-one mapping from natural deduction to Coq keywords?
NNPP is useless !
Theorem easy : forall p q:Prop, (p->q)->(~q->~p).
Proof. intros. intro. apply H0. apply H. exact H1. Qed.
You can start your proof like this:
Section CONTRA.
Variables P Q : Prop.
Hypothesis PimpQ : P -> Q.
Hypothesis notQ : ~Q.
Hypothesis Ptrue : P.
Theorem contra : False.
Proof.
Here is the environment at that point:
1 subgoal
P : Prop
Q : Prop
PimpQ : P -> Q
notQ : ~ Q
Ptrue : P
============================
False
You should be able to continue the proof. It will be a bit more verbose than your proof (on line 4 you just wrote q, here you will have to prove it by combining PimpQ and Ptrue. It should be fairly trivial though... :)
Not that difficult, actually.
Just played around, introduced a double negation, and things fell flat automatically. This is how the proof looks like.
Theorem T1 : (~q->~p)->(p->q).
Proof.
intros.
apply NNPP.
intro.
apply H in H1.
contradiction.
Qed.
Ta daaaa!