Dening and using dedu

tive systems with Isabelle

F. Miguel Dion
sio, Paula Gouveia, Jo~
ao Mar os

ffmd,mpg,jmar osgmath.ist.utl.pt
Center for Logi and Computation, Department of Mathemati s, IST
Lisbon, Portugal

There are several omputerized tools to automati ally and/or intera tively prove theorems of given dedu -
tive systems. In general, su h tools deal with only one spe i dedu tive system or a small lass thereof
(for example, Otter deals with lassi al rst-order logi with equality, NUPRL deals with intuitionisti
type theory, ModLeanTAP deals with a range of propositional modal logi s). The software Isabelle is
a generi theorem-proving environment that allows for the denition and use of dedu tive systems for
many dierent logi s. The dedu tion rules may be spe ied in dierent formats: natural dedu tion rules,
Hilbert-style axioms and rules, sequent-style rules, tableau rules, et . In this way, using Isabelle, it is
possible to dene and experiment with dierent logi s, sin e the user may implement the dedu tion rules
she sees t.
Obviously, some initial training is needed for the task of using Isabelle in order to dene and experiment
with new logi s. However, it is our experien e that only a few main on epts are, in fa t, essential. The
authors have been involved in tea hing a logi ourse for undergraduate students. The system Isabelle
was used for representation and use of natural dedu tion systems for propositional, rst-order and modal
logi s. Students learned how to dene logi s and how to prove theorems and he k inferen es in those
logi s. From what they learned in one semester, most students were able to su essfully deliver the nal
assignment that in luded the denition of a (new) hybrid logi , involving quantiers and modalities. This
tea hing experien e is reported in this paper, where you will nd the basi on epts needed to dene and
experiment with a logi in Isabelle.

1 Introdu tion
At the moment, there is a sizable number of models of logi software available, and seemingly
there is still a strong impulse at the logi ommunity to go and design their own personalized
proof assistant, for their own preferred dedu tive systems. Some of the already existing logi
software are highly exible, and are intended as generi environments for doing a number of
a tivities you would like the omputer to help you with: doing intera tive proofs, writing some
formally veried mathemati s, writing and he king formal spe i ations of all sorts, and, why
not, doing some me hanized reasoning, that old dream of Leibniz.
Su h highly exible models of logi software have a strong potentiality still largely to be
unleashed in their use in omputer-based learning and their integration to the standard set
of tea hing strategies and resour es. Used as laboratories for experimentation with abstra t
entities, the right software an turn a omputer into a sort of `bubble hamber' where ideas an
be tested and improved |or reje ted. Moreover, in the provo ative words of Edward Feigenbaum
(Glei k, 1987), omputers an also help us in ` reating intuition' about ertain subje ts. This
outlook onverts the omputer into a genuine tool for doing philosophi al and mathemati al
resear h.
We had a simple goal in mind: To use the omputer to tea h logi to undergraduate students.
Our main aim, however, was not (only) to tea h the students about this and that dedu tive

1
system, but to provide them with some expertise on using an extensively ustomizable tool in
whi h they would be able to dene and work with their own logi s, if that be the ase. After
some prospe ting and experimentation with the existing proof assistants, Isabelle alled our
attention. This is a software with an awful lot of logi built-in in its design and implementation.
We are talking about a logi al framework whose meta-logi is Intuitionisti Higher-Order Logi
with three main omponents: (i) a meta-impli ation that an be used in laying down the obje t-
logi rules (see se tion 2.2) of the spe i obje t-logi being thereby represented and that takes
are of the appli ation of those rules and the dis harge of assumptions; (ii) a meta-universal
quanti ation that an be used in laying down a number of obje t-language quantiers (see
se tion 2.6); (iii) a meta-equality that an be used in laying down abbreviations as rewrite
rules (see se tion 2.3). We are talking about a me hanizable theorem prover (see se tion 2.5)
where: (i) obje t-logi formulas are -terms disambiguated by way of a priority grammar (see
se tion 2.1); (ii) rules of the obje t-language are represented not as fun tions but as formulas
of the underlying higher-order logi ; (iii) the ombination and appli ation of those rules is
performed by way of a uniform method of inferen e | higher-order resolution; (iv) ta ti s are
implemented independently of the obje t-logi being represented (see se tion 2.4). We are talking
about a simply typed environment where obje t-language formulas an be heavily stru tured
(see se tions 2.7 and 3), and very pre ise spe i ations an be met with.
Finally, it should be noted that Isabelle is written over ML (Paulson, 1996), a fun tional
programming language that an ome to help at any point where even more expressivity is
needed. ML was designed pre isely to serve as an implementation language for theorem provers.
This paper is not about the logi behind Isabelle (for that you may onsult the appropriate
handbooks), but about how Isabelle an be used to look ahead into a number of new user-dened
logi s. We will not be worried here about proving properties about our obje t-logi s, but about
how these very logi s an be dened, hanged, and used. To that intent, the following se tions
will systemati ally illustrate the use of Isabelle in entirely pedestrian terms.

2 Dening logi s in Isabelle

The system Isabelle (Nipkow, Paulson and Wenzel, 2002) has been developed by Lawren e C.
Paulson (Univ. of Cambridge, UK) and Tobias Nipkow (Te hni al Univ. of Muni h, DE) and
is freely available on the web at http://www. l. am.a .uk/Resear h/HVG/Isabelle/. The relevant
referen es about this system are also available on that site. For other me hanized reasoning
systems see http://www-formal.stanford.edu/ lt/ARS/systems.html, where an extensive ommented
list is available.
Isabelle is a generi theorem-proving environment that allows for the representation and
use of dedu tive systems for many dierent logi s. In the following we brie y des ribe the
basi on epts needed to dene and experiment with a logi . We begin with simple examples
on erning lassi al propositional logi . In parti ular we will refer to natural dedu tion, Hilbert-
and sequent-style systems for this logi (Troelstra and S hwi htenberg, 1996). More involved
examples will be presented later on.

2.1 Language
The denition of the language and dedu tive system of a given logi onstitutes a theory of
Isabelle's meta-logi . Ea h theory must be spe ied in one le (with extension .thy).
Conne tives are internally represented using - al ulus and, therefore, understood as fun -
tions that for given argument formulas return a new formula. For example, onj(A,B) represents
the onjun tion of A and B. In this way onj is a fun tion that, given two argument formulas,

2
returns another a formula. The denition of this fun tion is onj::[o,o℄ >o, where o is the type
=

of formulas. The more usual notation A&B may also be used (and is internally translated to
onj(A,B)). Isabelle's ode and notation for this onne tive is:

onj :: [o, o℄ => o (" & " [36,35℄ 35)

The values [36,35℄ 35 spe ify (using a priority grammar) the priority of onjun tion (with
respe t to other onne tives) and also that it is right-asso iative. In a priority grammar, prior-
ities are assigned to o urren es of non-terminal symbols in a produ tion, e.g. A35 A36 A35 ) ^
(that orresponds to the priorities in rule onj above). Terminal symbols are assigned priority
1 . Derivations are as usual, with the dieren e that the o urren e of a non-terminal symbol
an only be substituted using produ tions whose left-hand symbol has greater or equal priority.
^
For example, in A36 A35 only A35 an be substituted using A35 ) ^
A36 A35 resulting in
A 36^ A ^
36 A . This pro ess disambiguates the grammar and, in this example, justies that
35

onjun tion is right-asso iative. Other onne tives are dealt with in a similar way and the as-
signment of dierent priorities to dierent onne tives sets its pre eden e. For example, the fa t
that onjun tion has pre eden e over disjun tion is oded by disj::[o,o℄ >o (" | " [31,30℄ 30).
=

2.2 Meta-logi and obje t propositional logi s

Isabelle provides the logi Pure, a higher-order intuitionisti logi , as the framework for dening
new logi s. The logi Pure is alled the meta-logi . Ea h new logi is alled an obje t-logi .
The dedu tion rules of ea h new logi must be oded in the meta-logi , using meta-impli ation.
Consider, for example, a natural dedu tion elimination rule for onjun tion:
D
'1 ^ '2
||||

'1

This rule is represented by the metaformula P&Q > P where meta-impli ation ( >) has
== ==

the intuitive meaning that the onsequent an be proved provided that the ante edent has been
proved. On the other hand, the metaformula P >(Q >P&Q) means that P&Q an be proved
== ==

provided that both P and Q have been proved. It an also be written as [jP;Qj℄ > P&Q and it is
==

a representation of the introdu tion rule for onjun tion.

2.3 Example theories

The previous on epts are enough for dening, for example, a natural dedu tion system for
lassi al propositional logi , or a Hilbert system for the same logi . We begin by displaying the
theory PROPOSITIONAL, representing a natural dedu tion system for propositional logi . Note that:
(i) this theory is an extension of Pure; (ii) the type o of formulas has to be de lared; (iii) Isabelle
must re ognize the obje t-language formulas (that have type o) as atomi metaformulas (that
have type prop) and this is a hieved by de laring a fun tion (Trueprop) that assigns to ea h obje t
formula its orresponding metaformula (in fa t, itself); (iv) rules must have names; (v) abbrevi-
ations may be dened as rewrite rules, using Isabelle's built-in meta-equality rules. The fun tion
Trueprop has a strong semanti intuition behind it: it provides a way of internalizing Tarski's
truth-predi ate, so as to allow for the talk about the truth of the obje t-language formulas at
the meta-logi al level.

3
PROPOSITIONAL = Pure +
types
o
arities
o :: logi
onsts
Trueprop :: o => prop ("( )" 5)

(* Conne tives *)
verum, falsum :: o
neg :: o => o (" " [40℄ 40)
onj :: [o, o℄ => o (" & " [36,35℄ 35)
disj :: [o, o℄ => o (" | " [31,30℄ 30)
imp :: [o, o℄ => o (" --> " [26,25℄ 25)
iff :: [o, o℄ => o (" <-> " [26,25℄ 25)

rules (* Natural dedu tion rules *)

onjI "[| P; Q |℄ ==> P&Q"
onjEr "P&Q ==> P"
onjEl "P&Q ==> Q"
disjIr "P ==> P|Q"
disjIl "Q ==> P|Q"
disjE "[| P|Q; P ==> R; Q ==> R |℄ ==> R"
impI "(P ==> Q) ==> P-->Q"
impE "[| P-->Q; P |℄ ==> Q"
abs "((P --> falsum) ==> falsum) ==> P"

(* Abbreviations *)
verum def "verum == falsum-->falsum"
neg def "P == P-->falsum"
iff def "P<->Q == (P-->Q) & (Q-->P)"
end

The theory Hilbert.thy that odes a Hilbert system for this logi an be written in a similar way.
We omit the denition of the language (for simpli ity we onsider only impli ation and falsum
as primitive onne tives) and present a set of suitable axiom s hemas and the a ompanying
inferen e rule.

Hilbert = Pure +
...
rules
ax1 "A --> (B --> A)" (* Axioms *)
ax2 "(A-->(B-->C))-->((A-->B)-->(A-->C))"
ax3 "falsum-->A"
ax4 "((A-->falsum)-->falsum)-->A"
mp "[|A-->B;A|℄==>B" (* Rule *)
...

4
2.4 Using theories
In general, proofs in Isabelle are ba kward proofs, meaning that the user starts by stating the goal
and applies the inferen e rules ba kwards (from the on lusion to the premises). Ea h premise
onstitutes a new subgoal to be proved. The proof ends when no further subgoals remain to
be proved. The initial goal an be either a formula (e.g. A-->(B-->A)) or a metaformula (e.g. [|
A&B; B-->C |℄ ==> C). In the rst ase the goal orresponds to a theorem and in the se ond to a
derived rule of the dedu tive system.
Synta ti equation solving is alled uni ation and the pro edure to nd solutions is alled
resolution. The on ept of uni ation is fundamental to understanding how rules an be applied
to a (sub)goal. Rules are represented (internally) as s hema metaformulas. For example the
rule onjI, i.e. [| P;Q |℄ ==> P&Q, is, in fa t, represented as [| ?P;?Q |℄ ==> ?P&?Q. The variables
?P and ?Q are s hema variables, that is, variables that may be instantiated by any formula. This
represents the fa t that this rule an be applied to any formula of the form ?P&?Q. In order
to he k whether a given formula F has that form, an equation has to be solved, namely the
equation ?P&?Q=F. The equation ?P&?Q=A&(B-->C) has the solution ?P=A and ?Q=B-->C. In this way,
the me hanism underlying the appli ation of a rule to a goal orresponds to the uni ation of the
on lusion of the rule with the goal. New subgoals appear orresponding to the premises of the
rule (where appropriate s hema variables have been repla ed by the orresponding solution of
the equation). In the following example we establish [| A; C |℄ ==> A & (B-->C) using the theory
PROPOSITIONAL.

> Goal "[| A;C |℄ ==> A&(B-->C)";

Level 0 (1 subgoal)
[| A; C |℄ ==> A&(B-->C)
1. [| A; C |℄ ==> A&(B-->C)
val it = [℄ : Thm.thm list

> by (resolve ta [ onjI℄ 1);

Level 1 (2 subgoals)
[| A; C |℄ ==> A&(B-->C)
1. [| A; C |℄ ==> A
2. [| A; C |℄ ==> B-->C
val it = () : unit

> by (assume ta 1);

Level 2 (1 subgoal)
[| A; C |℄ ==> A&(B-->C)
1. [| A; C |℄ ==> B-->C
val it = () : unit

> by (resolve ta [impI℄ 1);

Level 3 (1 subgoal)
[| A; C |℄ ==> A&(B-->C)
1. [| A; C; B |℄ ==> C
val it = () : unit

> by (assume ta 1);

Level 4
[| A; C |℄ ==> A&(B-->C)
No subgoals!

5
The ommand by (resolve ta [ onjI℄ number ) applies the rule onjI to the subgoal identied
by number (similarly for by (resolve ta [impI℄ number )). Some subgoals do not need rules to be
proved sin e they are premises or uniable with premises. These are proved using by (assume ta
number ). In general, (sub)goals are proved by applying a ta ti . The most important ta ti s are
the previously referred ta ti s of resolution and assumption, the ta ti resolve ta [rule ℄ number
and the ta ti assume ta number . Moreover, rta abbreviates resolve ta and ata abbreviates
assume ta . Also, br rule i abbreviates by (rta [rule ℄ i ) and ba i abbreviates by (ata i ).
The variable it ontains the value of the presently evaluated expression. We will omit the
orresponding output line whenever it is not relevant.
It is worth noti ing that by establishing [| A; C |℄ ==> A&(B-->C) one has established a derived
rule of the urrent dedu tive system. This rule an be used in other proofs. For that purpose
a name has to be assigned to it using qed "newName";. Afterwards one may use by (resolve ta
[newName℄ number ) to apply the new rule to a subgoal. The rule will only be available in the
urrent session. A simple way of making new rules available in all sessions is to write down their
proofs in a le with extension ML, named after the urrent theory, in this ase PROPOSITIONAL.ML.
It is also possible to prove more omplex metaformulas. For example the metaformula
[|[|P==>Q;P|℄==>R; P==>Q; P|℄==>R is a rule having other rules (e.g. [|P==>Q;P|℄==>R) as premises.
Su h rules may be taken as primitive rules in extensions of natural dedu tion systems like
those proposed in S hroeder-Heister (1984). Whenever the ante edent ontains non-atomi
metaformulas the result of Goal is the list of metarules asso iated to the premises.
> Goal "[|[|P==>Q;P|℄==>R; P==>Q; P|℄==>R";
Level 0 (1 subgoal)
R
1. R
val it = ["[| P ==> Q; P |℄ ==> R" [.℄, "P ==> Q" [.℄, "P" [.℄℄ : Thm.thm list

Note that the goal to be established is simply R and there are three metarules, ea h one asso iated
with a orresponding premise. These an also be re overed with premises(). Ea h metarule states
that ea h premise is derivable from itself and is of the form [Pr℄ Pr (with the on lusion to the
right). The previous output hides the metaformulas within [℄ (to see them use set show hyps;).
It is useful to assign a name to ea h metarule in the list, so that an be referred to later on.
This an be a hieved using val [pr1,pr2,pr3℄ = premises(); that assigns to the rst element of
the list the name pr1, to the se ond the name pr2 and to the third pr3. This an also be a hieved
dire tly by using
> val [pr1,pr2,pr3℄=Goal "[|[|P==>Q;P|℄==>R; P==>Q; P|℄==>R";
Level 0 (1 subgoal)
R
1. R
val pr1 = "[| P ==> Q; P |℄ ==> R" [.℄ : Thm.thm
val pr2 = "P ==> Q" [.℄ : Thm.thm
val pr3 = "P" [.℄ : Thm.thm

The proof is as expe ted, noting that the names of the premises are used.
> br pr1 1;
Level 1 (2 subgoals)
R
1. P ==> Q

6
2. P
> br pr2 1;
Level 2 (2 subgoals)
R
1. P ==> P
2. P
> ba 1;
Level 3 (1 subgoal)
R
1. P
> br pr3 1;
Level 4
R
No subgoals!

To establish a goal involving abbreviations, e.g. P<->P, the abbreviated expressions must be
rewritten (using the onvenient rewrite rules, in this ase neg def and iff def). One way of doing
this is by using the ommand Goalw [def1,def2,...℄ metaformula that rewrites the abbreviations
in metaformula using the denitions in the argument list:
> Goalw [neg def,iff def℄ "P <-> P";
Level 0 (1 subgoal)
 P<->P
1. (((P-->falsum)-->falsum)-->P)&(P-->(P-->falsum)-->falsum)

The proof an now be done as usual.

2.5 Sequents and automated dedu tion

Sequent al ulus an provide an easy de ision pro edure for validity (in lassi al propositional
logi ). All one has to do is to repeatedly apply the rules to the goal sequent.
Sequents are represented in Isabelle by pairs of lists of formulas. For example,
A, B-->C |- D, E&F

denotes a sequent with ante edent A,B-->C and onsequent D, E&F. Variables prexed by $ are
list variables. The sequent
"$H, P, $G |- $E, P, $F"

represents an axiom s hema and

"[| $H, $G |- $E, P; $H, Q, $G |- $E |℄ ==> $H, P-->Q, $G |- $E"

odes the left-introdu tion rule for impli ation. Lists and sequents are provided by the the-
ory Sequents.thy available in Isabelle's distribution. The following theory SPROP.thy denes the
sequent al ulus for lassi al propositional logi by providing the syntax of formulas and the
sequent rules.
SPROP = Sequents +
onsts
Trueprop :: "two seqi"
"Trueprop" :: "two seqe" ("(( )/ |- ( ))" [6,6℄ 5)

7
(* Conne tives *)
falsum,verum :: o
neg :: o => o (" " [40℄ 40)
onj :: [o, o℄ => o (" & " [36,35℄ 35)
disj :: [o, o℄ => o (" | " [31,30℄ 30)
imp :: [o, o℄ => o (" --> " [26,25℄ 25)
iff :: [o, o℄ => o (" <-> " [26,25℄ 25)

rules (* Sequent Rules*)

axS "$H, P, $G |- $E, P, $F"
falsumL "$H, falsum, $G |- $E"
onjR "[| $H|- $E, P, $F; $H|- $E, Q, $F |℄ ==> $H|- $E, P&Q, $F"
onjL "$H, P, Q, $G |- $E ==> $H, P & Q, $G |- $E"
disjR "$H |- $E, P, Q, $F ==> $H |- $E, P|Q, $F"
disjL "[| $H, P, $G |- $E; $H, Q, $G |- $E |℄ ==> $H, P|Q, $G |- $E"
impR "$H, P |- $E, Q, $F ==> $H |- $E, P-->Q, $F"
impL "[| $H,$G |- $E,P; $H, Q, $G |- $E |℄ ==> $H, P-->Q, $G |- $E"

(* Abbreviations *)
verum def "verum == falsum-->falsum"
iff def "P<->Q == (P-->Q) & (Q-->P)"
neg def "P == P-->falsum"
end

ML
val parse translation = [("Trueprop",Sequents.two seq tr "Trueprop")℄;
val print translation = [("Trueprop",Sequents.two seq tr' "Trueprop")℄;

The reason for the use of both Trueprop and Trueprop is that there are, in fa t, two dierent repre-
sentations of lists, the one referred above (and alled the external representation) and a fun tional
representation of lists ( alled the internal representation). Trueprop(A,B), also written A|-B, is a
sequent where the lists involved are written in the external representation. Trueprop(alpha,beta)
is the sequent where the lists involved are written in the internal representation. The two lines
in ML ode at the end of the above theory provide fun tions that translate between the two
representations of sequents.
In order to use this theory (with use thy) the system must load the theory Sequents:

> isabelle Sequents

...
use thy "SPROP";

Before illustrating the use of this theory with an example, we present the notion of ta ti al.
Ta ti als are forms of ombining ta ti s. Useful ta ti als are the iterative ombinator of ta -
ti s REPEAT and the alternative ombinator ORELSE. The ta ti REPEAT ta ti orresponds to the
repeated appli ation of the argument ta ti until it fails. The ta ti ta ti 1 ORELSE ta ti 2 or-
responds to ta ti 1 alone when the appli ation of ta ti 1 su eeds. Otherwise it orresponds
to ta ti 2 alone. Ta ti als are useful in intera tive proofs and they are the fundamental tools
in developing automati proving te hniques.
The proof of |-(A-->(B-->C))-->((A-->B)-->(A-->C)) begins with three appli ations of resolu-
tion with impR to the rst subgoal. These three steps may be simplied by using REPEAT (rta
impR 1).

8
> Goal "|- (A-->(B-->C))-->((A-->B)-->(A-->C))";
Level 0 (1 subgoal)
|- (A --> B --> C) --> (A --> B) --> A --> C
1. |- (A --> B --> C) --> (A --> B) --> A --> C

> by (REPEAT (rta impR 1));

Level 1 (1 subgoal)
|- (A --> B --> C) --> (A --> B) --> A --> C
1. A --> B --> C, A --> B, A |- C

The next two steps are easy to follow.

> br impL 1;
Level 2 (2 subgoals)
|- (A --> B --> C) --> (A --> B) --> A --> C
1. A --> B, A |- C, A
2. B --> C, A --> B, A |- C

> br axS 1;
Level 3 (1 subgoal)
|- (A --> B --> C) --> (A --> B) --> A --> C
1. B --> C, A --> B, A |- C

The nal steps are by resolution with either axS or impL.

> by (REPEAT ((rta axS 1) ORELSE (rta impE 1)));

Level 4
|- (A --> B --> C) --> (A --> B) --> A --> C
No subgoals!

It may be helpful to exhibit parentheses making formulas more readable. The ommand set
show bra kets; sets the orresponding ag to true.

> set show bra kets; Goal "|- (A-->(B-->C))-->((A-->B)-->(A-->C))";

Level 0 (1 subgoal)
( |- ((A --> (B --> C)) --> ((A --> B) --> (A --> C))))
1. ( |- ((A --> (B --> C)) --> ((A --> B) --> (A --> C))))

As referred above, sequent al ulus provides a de ision pro edure for validity (in lassi al propo-
sitional logi ). In fa t, ea h (ba kward) appli ation of the rules de reases the omplexity of the
formulas involved in the sequent. In the end, subgoals onsist of axioms or sequents without
onne tives that en ode a ounter-example for the original goal.
With this de ision pro edure in mind, one an easily write down a ta ti that su eeds
whenever the original goal is a valid sequent and fails otherwise. First one has to dene a
ta ti that orresponds to the appli ation of some rule. This ta ti should try the rules in
some order until it nds one that unies. In this dedu tive system, the order of appli ation of
rules is irrelevant. It is more eÆ ient to prefer rules that eliminate subgoals or introdu e less
new subgoals over other rules. One possible hoi e is to try appli ation of rules in this order:
axS,falsumL,impR, onjL,disjR,impL, onjR,disjL. The ta ti

(rta axS 1) ORELSE ... ORELSE (rta disjL 1)

9
applies the axiom or some rule to the rst subgoal and fails only if none is appli able. Repeated
appli ation of this ta ti is a hieved by
REPEAT ((rta axS 1) ORELSE ... ORELSE (rta disjL 1)).

Given a valid sequent, the appli ation of this ta ti su eeds, sin e the rst subgoal is repeatedly
simplied until an instan e of the axiom axS is obtained and eliminated. At this point, if there
are further subgoals, the se ond be omes the rst and this pro ess goes on until no subgoal is
left. If the original sequent is not valid, the ta ti fails in the rst subgoal onsisting of a sequent
without onne tives that is not an axiom. In this ase more subgoals an be left unworked. In
the following example the original sequent is valid. The above ta ti is given the name ta Seq1.
> val ta Seq1= REPEAT ((rta axS 1) ORELSE ... ORELSE (rta disjL 1));
> Goal " |- (A --> B --> C) --> (A --> B) --> A --> C";
Level 0 (1 subgoal)
|- (A --> B --> C) --> (A --> B) --> A --> C
1. |- (A --> B --> C) --> (A --> B) --> A --> C
> by ta Seq1;
Level 1
|- (A --> B --> C) --> (A --> B) --> A --> C
No subgoals!

The next example orresponds to a sequent that is not valid.

> Goal "|- (A --> D --> C) --> (A --> B) --> A --> E";
Level 0 (1 subgoal)
|- (A --> D --> C) --> (A --> B) --> A --> E
1. |- (A --> D --> C) --> (A --> B) --> A --> E
> by ta Seq1;
Level 1 (2 subgoals)
|- (A --> D --> C) --> (A --> B) --> A --> E
1. B, A |- E, D
2. C, A --> B, A |- E

It is not diÆ ult to improve the previous ta ti to also work out the remaining subgoals. In
this way, for invalid sequents, the remaining subgoals will en ode the ounter-examples. For
that purpose one simply has to rewrite the previous ta ti in su h a way that it an be applied
to subgoals other than the rst. The rst step is to dene a fun tion that, to ea h subgoal
i asso iates the ta ti (rta axS i) ORELSE ... ORELSE (rta disjL i). This is a hieved by val
ta Seqfun = fn i => (rta axS i) ORELSE ... ORELSE (rta disjL i).
In the previous ommand the intended fun tion (fn i => (rta axS i) ...) is given the name
ta Seqfun. Finally, the improved ta ti is given by REPEAT FIRST ta Seqfun that repeatedly applies
ta Seqfun to ea h subgoal (starting with the rst). When no further appli ations of ta Seqfun
are possible, the next subgoal is worked out. For onvenien e, the name ta Seq is given to
REPEAT FIRST ta Seqfun. Note that the behavior of the new ta ti on valid sequents is the same
as the old ta ti . We illustrate the new ta ti using the previous (invalid) sequent.
> Goal "|- (A --> D --> C) --> (A --> B) --> A --> E";
Level 0 (1 subgoal)
|- (A --> D --> C) --> (A --> B) --> A --> E
1. |- (A --> D --> C) --> (A --> B) --> A --> E

10
> by ta Seq;
Level 1 (2 subgoals)
|- (A --> D --> C) --> (A --> B) --> A --> E
1. B, A |- E, D
2. C, B, A |- E

2.6 Meta-universal quanti ation and rst-order logi

Until now, dierent dedu tive systems for lassi al propositional logi have been presented. For
the predi ative version one needs terms, predi ates and quantiers. Terms belong to a type
dierent from that of formulas and an be built in the usual way using variables and fun tion
symbols. Both formulas and terms are - al ulus terms, i.e. -abstra tion and -appli ation are
also available. Predi ates are represented as fun tions that, to ea h term, asso iate a formula.
For example, x:P (x) asso iates to ea h term x the formula P (x). The -term x:P (x) is
written %x. P(x). Quantiers are represented as fun tions that asso iate a formula to a -term.
For example, all(%x. P(x)) is a universally quantied formula. An alternative syntax (and a
priority value) an be stated by (binder "ALL " 10). This means that ALL x. P(x) will abbreviate
all(%x. P(x)).
For the purpose of dening propositional systems only meta-impli ation was needed. In the
predi ative ontext the introdu tion and elimination rules for quantiers need the meta-universal
quanti ation (of the built-in logi Pure). The metaformula !!x. P(x) means that P(t) is true for
any arbitrary term t. In parti ular, the generalization (introdu tion) rule is represented by the
metaformula (!!x. P(x))==>ALL x. P(x) and is represented internally by (!!x. ?P(x))==>ALL x. ?P(x).
The rule an be read as follows: In order to prove ALL x. P(x) one has to prove P(x) for arbitrary
x. The elimination rule for the universal quantier is (ALL x. P(x))==>P(t) and is represented
internally by (ALL x. ?P(x))==>?P(?t). The substitution of x by t in P orresponds, in the ontext
of - al ulus, to -appli ation. Possible problems related to substitutions are dealt with by
appli ation of -redu tion (variable renaming) and  -redu tion (fun tion appli ation).
Next we present the theory representing lassi al rst-order logi .
CLASSIC = PROPOSITIONAL +
lasses
term < logi

onsts (* Quantifier fun tions *)

all :: ('a::term => o) => o (binder "ALL " 10)
ex :: ('a::term => o) => o (binder "EX " 10)

rules (* Quantifiers *)
allI "(!!x. P(x)) ==> (ALL x. P(x))"
allE "(ALL x. P(x)) ==> P(t)"
exI "P(t) ==> (EX x. P(x))"
exE "[| EX x. P(x); !!x. (P(x) ==> R) |℄ ==> R"
end

The theory uses the onne tives and rules of lassi al propositional logi and adds quantied
formulas and their rules. It is noteworthy that term is not a type but a lass to whi h any term
type must belong. For instan e, noting that 'a is a variable ranging over types, the fun tion all
:: ('a::term=>o)=>o is a fun tion that asso iates a formula to a predi ate (on its turn, a fun tion
that asso iates a formula to a term). Finally, in rule exE, the fa t that R does not depend on
x odes the ondition that x annot o ur free in R. In the next example we want to establish

11
[| ALL x. Q(f(x)); ALL x. (P(x)-->Q(x)) |℄ ==> ALL x. Q(f(g(x))) using the theory CLASSIC. It seems
easy, at rst glan e, sin e the on lusion follows from the rst premise. We rst apply rule allI
and then rule allE.
> Goal "[| ALL x. Q(f(x)); ALL x. (P(x)-->Q(x)) |℄ ==> ALL x. Q(f(g(x)))";
Level 0 (1 subgoal)
[|ALL x. Q(f(x)); ALL x. P(x)-->Q(x)|℄ ==> ALL x. Q(f(g(x)))
1. [| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> ALL x. Q(f(g(x)))
> br allI 1;
Level 1 (1 subgoal)
[| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> ALL x. Q(f(g(x)))
1. !!y. [| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> Q(f(g(y)))
> br allE 1;
Level 2 (1 subgoal)
[| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> ALL x. Q(f(g(x)))
1. !!y. [| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> ALL x. Q(x)
> ba 1;
** by: ta ti failed Ex eption- ERROR raised

When applying allE, the uni ation of its on lusion %P. %t. P(t) with Q(f(g(y))) has more than
one solution. Isabelle displays rst the result of  -redu ing %P. %t. P(t) into %t. Q(t) and the latter
into Q(f(g(y)). In this ase, however, this is not the suitable solution sin e ALL x. Q(x) does not
unify with the hypothesis ALL x. Q(f(x)). Isabelle's unifying pro edure is lever in produ ing all
possible solutions (and in rst-order logi there an be an innite number of them) by using lazy
evaluation (evaluation on demand). To demand Isabelle to onsider another solution we use the
ommand ba k().
> ba k();
Level 2 (1 subgoal)
[| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> ALL x. Q(f(g(x)))
1. !!y. [| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> ALL x. Q(f(x))
> ba 1;
Level 3
[| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> ALL x. Q(f(g(x)))
No subgoals!

The  -redu tion of %P. %t. P(t) into %t. Q(f(t)) and the latter into Q(f(g(y)) is now onsidered.
The rest of the proof is straightforward.
An alternative approa h uses the ta ti res inst ta [("v1 ","f1 "),...,"vn ","fn ")℄ rule number ,
that orresponds to the use of resolution with rule to the subgoal identied by number for ing
the s hema variable v1 to be instantiated into f1 . . . and vn into fn . In this ase we an use
res inst ta just after the appli ation of the rule allI:

...
> by (res inst ta [("t","g(y)")℄ allE 1);
Level 2 (1 subgoal)
[| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> ALL x. Q(f(g(x)))
1. !!y. [| ALL x. Q(f(x)); ALL x. P(x)-->Q(x) |℄ ==> ALL x. Q(f(x))

The last step of the proof is as before, using ba 1.

12
2.7 Labeled modal logi s
The theories previously des ribed are losely related to similar theories provided by Isabelle's
distribution. Although theories for modal logi s (in luding sequent al ulus) are also available in
that distribution we hoose to present theories based on labeled dedu tion, as in Vigano (2000).
Labeled dedu tion internalizes semanti notions in the obje t-language and dedu tive system.
Dedu tive systems for normal modal logi s an thus be ome modular in the sense that they
are obtained simply by adding suitable rules (representing the properties of the a essibility
relation) to the dedu tive system of modal logi K . With labeled dedu tion as the hoi e of
formalization for our modal languages we an es ape the traditional diÆ ulties that surfa e
when the orresponding logi al systems are represented, as advan ed in (Paulson, 1990).
Formulas are obtained by prexing a term (usually a variable) to a modal formula. For
instan e, x : ( ! ) is a formula. Informally, this formula means that ( ! ) holds
in the world denoted by x. These are alled generalized modal formulas. Formulas x Rel y state
that the world denoted by y is a essible from the world denoted by x and are alled relational
modal formulas. More generally, they may also involve terms as in t1 Rel t2 . By the present
_ 8
onstru tion, strings su h as (x : ) (y : ) and ( x)(x Rel x) are not formulas of K |but
they will be formulas of the hybrid logi presented in the next se tion.
The theory for the minimal normal modal logi K is presented below. There are three types
of synta ti entities involved in that theory: tm for terms (that prex modal formulas), sbf for
modal (sub)formulas and o for formulas. The latter are either generalized formulas (built with
gf) or relational formulas (built with rf). The rules for  ([℄) and  (<>) are similar to the rules
for the universal and the existential quantiers. For instan e, the rule boxI (introdu tion of )
asserts that x:[℄P follows from the proof that P holds in y for arbitrary y related to x. We omit
most of the propositional fragment as straightforward.

K = Pure +
lasses
term < logi
types
tm (* the type of terms for labels *)
sbf (* the type of modal subformulas *)
o (* the type of formulas *)
arities
tm :: term
sbf :: logi
o :: logi
onsts (* Formula Generators *)
gf :: [tm,sbf℄ => o (" : " [0,0℄ 10)
rf :: [tm,tm℄ => o (" Rel " [0,0℄ 10)
Trueprop :: o => prop ("( )" 5)
(* Modal (sub)formulas *)
and :: [sbf, sbf℄ => sbf (" & " [36,35℄ 35)
...
box :: sbf => sbf ("[℄ " [40℄ 40)
dia :: sbf => sbf ("<> " [40℄ 40)
rules
(* Propositional *)
onjI "[| x:P; x:Q |℄ ==> x:P&Q"

13
...
(* Modal Operators *)
boxI "(!!y. (x Rel y ==> y:P)) ==> x:[℄P"
boxE "[| x:[℄P; x Rel y|℄ ==> y:P"
diaI "[| x Rel y; y:P|℄ ==> x:<>P"
diaE "[| x:<>P; (!!y. [|x Rel y; y:P|℄==> z:Q)|℄==> z:Q"
(* Abbreviations *)
verum def "x:verum == x:falsum-->falsum"
neg def "x:P == x:P-->falsum"
iff def "x:P<->Q == x:(P-->Q) & (Q-->P)"

The theory for KT an be obtained from the theory for K by adding the axiom (a rule with
no premises) of re exivity (x Rel x). The theory for KB adds to the theory for K the rule of
symmetry (x Rel y ==> y Rel x), and the theory for S 5 adds to the theory for K both the axiom
of re exivity and the rule of symmetry, together with the rule of transitivity ([|x Rel y; y Rel
z|℄ ==> x Rel z). Many other modal systems an be formalized in a similar way. To dene more
omplex systems su h as the normal modal logi of on uen e, one might make use of terms in
the labels. In this ase, we add to the theory for K a Skolem fun tion as a new onstru tor of
the form h :: [tm,tm,tm℄ => tm, and we add also the rules [|x Rel y; x Rel z|℄ ==> y Rel h(x,y,z)
and [|x Rel y; x Rel z|℄ ==> z Rel h(x,y,z).

3 A hybrid logi
The issues addressed before are part of the syllabus of a ourse in logi for undergraduate
students in Mathemati s and in Computer S ien e, in luding the logi s previously referred. The
nal assignment in luded the denition of a theory in Isabelle representing the hybrid logi
des ribed in the following. To learn more about hybrid languages, see Bla kburn and Seligman
(1998).

The hybrid logi to be dened, using only Pure, is a labeled modal logi where quanti ation
8
over worlds is allowed. Formulas like x(x Rel x) !8 x(x :  ! x : ) an be written in the
logi . In this logi the atomi formulas are generalized modal formulas and relational modal
formulas, dened as in se tion 2.7. However, falsum, negation, disjun tion and  are the only
onne tives herein onsidered as primitive for the onstru tion of the atomi formulas (verum,
onjun tion, impli ation, equivalen e and  are taken as abbreviations). The set of formulas
is obtained by losing the latter set of atomi formulas with negation, disjun tion and the
universal quantier ( onjun tion, impli ation, equivalen e and the existential quantier are
8
taken as abbreviations). In parti ular, strings su h as ( x) and (x : ) will not onstitute
formulas of the present language. Note that the propositional onne tives o ur in formulas
_
and also within atomi formulas. For example, in the atomi formula x : ( ), disjun tion
involves two modal subformulas whereas in the (non-atomi ) formula (x : ) (x : ) _
it involves two formulas of the hybrid logi . The intended interpretation assigns to both
formulas the same meaning (justi ation: ( _ ) is true at the world x if and only if either
 is true at x or is true at x) and the dedu tive system must be able to prove them
equivalent. Moreover, the derived rules for all symbols dened by abbreviation should be
made available by the student.

Most students were able to su essfully deliver the orresponding Isabelle theory. One pos-
sible solution, using natural dedu tion, follows. In this solution we use polymorphism to dene

14
the onne tives that are ommon to the two dierent types of `formulas', the modal subfor-
mulas and the formulas themselves. For example, not::('a::logi ) => 'a denes a polymorphi
operation not that takes any type of lass logi and returns a value of that type. In our ase
we have two possible types, namely sbf (for modal subformulas) and o (for formulas). In this
way not::('a::logi ) => 'a simultaneously denes the two fun tions ( onne tives) not::sbf =>
sbf and not::o => o. In general, one has to provide introdu tion and elimination rules for both
onne tives. However, our solution provides rules only for not::o => o and provides further rules
to transform subformulas into formulas and vi e-versa (when appli able). For example, in order
to on lude x:P one may rst on lude (x:P) and then apply the rule that transforms it into
x:P. The new rules for negation are negOut "x:(P) ==> (x:P)" and negIn "(x:P) ==> x:(P)".
By using su h transformation rules the introdu tion and elimination rules for not::sbf => sbf
an be derived in this system. Similar onsiderations apply to other onne tives.
HYBRID = Pure +
lasses
term < logi
default
term
types
tm (* the type of terms for labels *)
sbf (* the type of modal subformulas *)
o (* the type of formulas *)
arities
tm :: term
sbf :: logi
o :: logi
onsts
(* Formula Generators *)
labf :: [tm,sbf℄ => o (" : " [0,0℄ 45)
relf :: [tm,tm℄ => o (" Rel " [0,0℄ 45)
Trueprop :: o => prop ("( )" 5)
(* For modal subformulas only *)
verum, falsum :: sbf
box :: sbf => sbf ("[℄ " [50℄ 50)
dia :: sbf => sbf ("<> " [50℄ 50)
(* Quantifiers (for formulas only) *)
all :: ('a => o) => o (binder "ALL " 10)
ex :: ('a => o) => o (binder "EX " 10)
(* Conne tives for both modal subformulas and formulas *)
not :: 'a::logi => 'a (" " [40℄ 40)
and :: ['a::logi , 'a℄ => 'a (" & " [36,35℄ 35)
or :: ['a::logi , 'a℄ => 'a (" | " [31,30℄ 30)
imp :: ['a::logi , 'a℄ => 'a (" --> " [26,25℄ 25)
iff :: ['a::logi , 'a℄ => 'a (" <-> " [26,25℄ 25)
rules
(* Conne tives *)
abs "(P ==> y:falsum) ==> P"
negE "[| P; P |℄ ==> Q"
negI "(P ==> y:falsum) ==> P"

15
negOut "x:(P) ==> (x:P)"
negIn "(x:P) ==> x:(P)"
disjIr "P ==> P|Q"
disjIl "Q ==> P|Q"
disjE "[| P|Q; P ==> R; Q ==> R |℄ ==> R"
disjOut "x:(P|Q) ==> (x:P)|(x:Q)"
disjIn "(x:P)|(x:Q) ==> x:(P|Q)"
(* Modal Operators *)
boxI "(!!y. (x Rel y ==> y:P)) ==> x:[℄P"
boxE "[| x:[℄P; x Rel y |℄ ==> y:P"
(* Quantifier *)
allI "(!!y. P(y)) ==> (ALL x. P(x))"
allE "(ALL x. P(x)) ==> P(z)"
(* Abbreviations *)
verum def "verum == falsum-->falsum"
onj def "P&Q == ((P)|(Q))"
imp def "P-->Q == (P)|Q"
iff def "P<->Q == (((P)|Q) | (P|(Q)))"
dia def "<>P == ([℄P)"
ex def "EX x. P(x) == (ALL x. P(x))"
end

Note a dieren e between the abbreviations of the theory HYBRID and those of the theory K, in
se tion 2.7. In the present theory, a onne tive like <-> an be used to generate both atomi
formulas (as in P<->Q) and formulas of the above hybrid logi (as in x Rel y <-> z:[℄P). Therefore,
the rewrite rules must now be laid down so as to apply to both situations.
We illustrate the theory with some examples. In the rst one we prove the derived rule
for the elimination of disjun tion of modal subformulas. Re all from se tion 2.4 that when the
ante edent ontains non-atomi metaformulas it is onvenient to asso iate a name to ea h of the
elements of the result of Goal.

> val [mt1,mt2,mt3℄= Goal "[|x:(P|Q); x:P==>y:R; x:Q==>y:R|℄==> y:R";

Level 0 (1 subgoal)
y:R
1. y:R
val mt1 = "x:P|Q" [.℄ : Thm.thm
val mt2 = "x:P ==> y:R" [.℄ : Thm.thm
val mt3 = "x:Q ==> y:R" [.℄ : Thm.thm
> br disjE 1;
Level 1 (3 subgoals)
y:R
1. ?P|?Q
2. ?P ==> y:R
3. ?Q ==> y:R
> br mt2 2; br mt3 3; ba 2; br disjOut 1; br mt1 1;
...
No subgoals!
> qed "disjmE";
val disjmE = "[| ?x:?P|?Q; ?x:?P ==> ?y:?R; ?x:?Q ==> ?y:?R |℄ ==> ?y:?R"

16
Other examples follow. Only the used rules are shown. In the very last example, we use the
ta ti rotate ta number steps , that orresponds to a left permutation of the subgoal identied
by number by a number of steps .

Goal "(x:(A&B))<->(x:A)&(x:B)";
br eqI 1; br onjOut 1; ba 1; br onjIn 1; ba 1;

Goal "(ALL x. (x:P))-->(ALL x. (x:[℄[℄P))";

br impI 1; br allI 1; br boxI 1; br boxI 1; br allE 1; ba 1;

Goal "ALL x. ((x Rel x) --> ((x:[℄P)-->(x:<>P)))";

br allI 1; br impI 1; br impI 1; br diaI 1; ba 1; br boxE 1; ba 1; ba 1;

Goal "(ALL x y. ((x Rel y) --> (y Rel x)))-->(ALL x. ((x:P)-->(x:[℄<>P)))";

br impI 1; br allI 1; br impI 1; br boxI 1; br diaI 1; br impE 1;
br allE 1; br allE 1; by (REPEAT (ata 1));

Goal "(ALL x y z. ((x Rel y) & (y Rel z) --> (x Rel z)))-->(ALL x. (x:([℄P-->[℄[℄P)))";
br impI 1; br allI 1; br impIn 1; br impI 1; br boxI 1; br boxI 1; br boxE 1;
ba 1; br impE 1; br onjI 2; by (rotate ta 2 2); by (rotate ta 3 3); ba 2; ba 2;
by (res inst ta [("z","yb")℄ allE 1); by (res inst ta [("z","ya")℄ allE 1);
by (res inst ta [("z","y")℄ allE 1); ba 1;

4 Con luding remarks

The system Isabelle is an appropriate tool for the denition and experimentation of new logi s.
The fundamental on epts underlying the denition of new Isabelle theories and their use are
not too diÆ ult to master. In this way, users an easily start to use the system for their
own purposes. We have presented the most important on epts, illustrated by examples that
undergraduate logi students are able to develop.
Obviously, there are other important features of Isabelle not des ribed herein. There are many
logi s and useful ta ti s already provided by the distribution. There is a growing open olle tion
of Isabelle proof libraries and examples at http://afp.sour eforge.net/. Moreover, proofs an be
developed in more user-friendly environments, in luding management of theories and standard
graphi al notation for onne tives and operators (see http://proofgeneral.inf.ed.a .uk/ for the
ProofGeneral tool and its support for Isabelle). The language Isar provides synta ti sugar for de-
veloping proofs and is now be oming standard. Isar's manual and other relevant do umentation
are freely available on-line at http://www. l. am.a .uk/Resear h/HVG/Isabelle/do s.html.

A knowledgements
This work was partially supported by FCT and FEDER, namely, via the Proje t FibLog
POCTI/MAT/372 39/2001 of CLC (Centro de Logi a e Computa ~ao). The third author is
partially supported by FCT grant SFRH / BD / 8825 / 2002.

Referen es
Bla kburn, P. and Seligman, J.: 1998, What are hybrid languages?, in M. Kra ht, M. de Rijke
and H. Wansing (eds), Advan es in Modal Logi , Volume 1, CSLI Publi ations, Stanford,
California, pp. 41{62.

17
Glei k, J.: 1987, Chaos, Making a New S ien e, Penguin Books, New York, NY.
Nipkow, T., Paulson, L. C. and Wenzel, M.: 2002, Isabelle/HOL, Vol. 2283 of Le ture Notes in
Computer S ien e, Springer-Verlag, Berlin. A proof assistant for higher-order logi .
Paulson, L. C.: 1990, Isabelle: The next 700 theorem provers, in P. Odifreddi (ed.), Logi and
Computer S ien e, A ademi Press, pp. 361{386.
Paulson, L. C.: 1996, ML for the Working Programmer, Cambridge Univ. Press. 2nd edition.
S hroeder-Heister, P.: 1984, A natural extension of natural dedu tion, The Journal of Symboli
Logi 49(4), 1284{1300.
Troelstra, A. and S hwi htenberg, H.: 1996, Basi Proof Theory, Cambridge Univ. Press.
Vigano, L.: 2000, Labelled Non-Classi al Logi s, Kluwer A ademi Publishers.

18