Next: PGIP & PGML Schema Up: Sample Proof Previous: Human-written Contents

Proof using Igloo

Now we prove equation A.1 in Igloo. Before getting started on the proof, a small amount of housekeeping needs to be performed: connect to the Isabelle Server, and select the theories to work with.

**Figure A.1:** Igloo's main window
For the moment, this window is largely unused, except to connect to the Isabelle Server (figure A.2), start a new theory, or quit Igloo.

**Figure A.2:** Initiating a connection to the Isabelle Server
$\includegraphics[width=5in]{02_connect.eps}$ To connect to the Isabelle Server, the user selects Connect from the Proof Engine menu.

**Figure A.3:** Successful connection to the Isabelle Server
$\includegraphics[width=5in]{03_connected.eps}$ Once the connection is successful, the user is notified via the status bar.

**Figure A.4:** Begin a new theory
$\includegraphics[width=5in]{04_new_theory.eps}$ Next, the user can define new theories. To get started, they select New Theory from the Theory menu.

**Figure A.5:** Naming a new theory
$\includegraphics[width=5in]{05_theory_name.eps}$ To specify a theorem to be proven, Isabelle requires a name and a list of theories to extend.

**Figure A.6:** Naming theories to inherit
$\includegraphics[width=5in]{06_inherit_theories.eps}$ Most proofs can make good use of previously proven theorems. In order to do this, we tell Isabelle which theories our new theory should inherit. This requires that the user have some knowledge of Isabelle's theories. This is a restriction due to the current implementation of PGIP. For proposed amendments that would remove these limitations, see §5.1.

**Figure A.7:** Igloo's proof window
$\includegraphics[width=5in]{07_proof_window.eps}$ Now the user is presented with Igloo's Proof Window. All theorems for this particular theory will be proved from this window. For a detailed description of what each component does, see page .

**Figure A.8:** Start a new theorem
$\includegraphics[width=5in]{08_create_new_theorem.eps}$ To begin proving a theorem, the user selects New Theorem from the Theory menu.

**Figure A.9:** Naming the new theorem
$\includegraphics[width=5in]{09_name_theorem.eps}$ To begin proving a theorem, Isabelle requires a name and a specification (we have chosen ``sum of naturals''), figure A.10 shows the specification.

**Figure A.10:** Defining a new theorem
$\includegraphics[width=5in]{10_theorem_specification.eps}$ Note that the user is currently expected to know how to specify theorems in Isabelle. This indicates a weak point of the current PGIP interface.

**Figure A.11:** Initial proof state
$\includegraphics[width=5in]{11_theorem_step0.eps}$ The result from defining the name and specification of the theorem, is a proof state, which Isabelle calls Step 0.

**Figure A.12:** Initial subgoals
$\includegraphics[width=5in]{12_theorem_step0-2.eps}$ By expanding the node for the proof state, the user is able to see the current subgoals that need to be proven. Since this is the initial proof state, the goal that needs to be proven is the theorem itself.

**Figure A.13:** Apply induction to a subgoal
$\includegraphics[width=5in]{13_theorem_step0-3.eps}$ As in the human-written proof, we decide to apply mathematical induction, and split the proof into a base case and an inductive case. To do this, the user right-clicks on the subgoal they wish to induct on, and selects induct from the apply tactic submenu. The tactics that are available are currently hard coded into Igloo, this is another feature that PGIP could provide.

**Figure A.14:** Second proof state
$\includegraphics[width=5in]{14_theorem_step1-1.eps}$ The result of applying this tactic is a new proof state.

**Figure A.15:** Theorem split into base and inductive cases
$\includegraphics[width=5in]{15_theorem_step1-2.eps}$ By expanding the proof state, we can see the two subgoals. The first subgoal is the base case, the second is the inductive case.

**Figure A.16:** Simplify the base case
$\includegraphics[width=5in]{16_theorem_step1-3.eps}$ Again, as in the human-written proof, we attempt to prove the base case of the induction, this time by the simp tactic, which rewrites subterms in the hope of making the term simpler.

**Figure A.17:** Second proof state
$\includegraphics[width=5in]{17_theorem_step2-0.eps}$

**Figure A.18:** Removing an earlier proof state from the display
$\includegraphics[width=5in]{18_theorem_step2-1.eps}$ Since the previous proof state is the only one we are interested in, we can close the initial proof state.

**Figure A.19:** Inductive subgoal remains
$\includegraphics[width=5in]{19_theorem_step2-2.eps}$ Expanding the most recent proof state, we can see that the base case has been proven, and we are only left with the inductive case to prove.

**Figure A.20:** Simplifying the inductive case
$\includegraphics[width=5in]{20_theorem_step2-3.eps}$ Next, we attempt to prove the inductive case by simplification.

**Figure A.21:** Third proof state
$\includegraphics[width=5in]{21_theorem_step3-0.eps}$

**Figure A.22:** A complete proof
$\includegraphics[width=5in]{22_theorem_step3-1.eps}$ The next proof state is expanded to reveal no subgoals. This means the proof is now complete.

Next: PGIP & PGML Schema Up: Sample Proof Previous: Human-written Contents

2003-11-08