src/ZF/Constructible/WFrec.thy
author wenzelm
Tue Nov 07 19:40:13 2006 +0100 (2006-11-07)
changeset 21233 5a5c8ea5f66a
parent 16417 9bc16273c2d4
child 21404 eb85850d3eb7
permissions -rw-r--r--
tuned specifications;
paulson@13505
     1
(*  Title:      ZF/Constructible/WFrec.thy
paulson@13505
     2
    ID:         $Id$
paulson@13505
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@13505
     4
*)
paulson@13505
     5
paulson@13306
     6
header{*Relativized Well-Founded Recursion*}
paulson@13306
     7
haftmann@16417
     8
theory WFrec imports Wellorderings begin
paulson@13223
     9
paulson@13223
    10
paulson@13506
    11
subsection{*General Lemmas*}
paulson@13506
    12
paulson@13254
    13
(*Many of these might be useful in WF.thy*)
paulson@13223
    14
paulson@13269
    15
lemma apply_recfun2:
paulson@13269
    16
    "[| is_recfun(r,a,H,f); <x,i>:f |] ==> i = H(x, restrict(f,r-``{x}))"
paulson@13269
    17
apply (frule apply_recfun) 
paulson@13269
    18
 apply (blast dest: is_recfun_type fun_is_rel) 
paulson@13269
    19
apply (simp add: function_apply_equality [OF _ is_recfun_imp_function])
paulson@13223
    20
done
paulson@13223
    21
paulson@13223
    22
text{*Expresses @{text is_recfun} as a recursion equation*}
paulson@13223
    23
lemma is_recfun_iff_equation:
paulson@13223
    24
     "is_recfun(r,a,H,f) <->
paulson@13223
    25
	   f \<in> r -`` {a} \<rightarrow> range(f) &
paulson@13223
    26
	   (\<forall>x \<in> r-``{a}. f`x = H(x, restrict(f, r-``{x})))"  
paulson@13223
    27
apply (rule iffI) 
paulson@13223
    28
 apply (simp add: is_recfun_type apply_recfun Ball_def vimage_singleton_iff, 
paulson@13223
    29
        clarify)  
paulson@13223
    30
apply (simp add: is_recfun_def) 
paulson@13223
    31
apply (rule fun_extension) 
paulson@13223
    32
  apply assumption
paulson@13223
    33
 apply (fast intro: lam_type, simp) 
paulson@13223
    34
done
paulson@13223
    35
paulson@13245
    36
lemma is_recfun_imp_in_r: "[|is_recfun(r,a,H,f); \<langle>x,i\<rangle> \<in> f|] ==> \<langle>x, a\<rangle> \<in> r"
paulson@13269
    37
by (blast dest: is_recfun_type fun_is_rel)
paulson@13245
    38
paulson@13254
    39
lemma trans_Int_eq:
paulson@13254
    40
      "[| trans(r); <y,x> \<in> r |] ==> r -`` {x} \<inter> r -`` {y} = r -`` {y}"
paulson@13251
    41
by (blast intro: transD) 
paulson@13223
    42
paulson@13254
    43
lemma is_recfun_restrict_idem:
paulson@13254
    44
     "is_recfun(r,a,H,f) ==> restrict(f, r -`` {a}) = f"
paulson@13254
    45
apply (drule is_recfun_type)
paulson@13254
    46
apply (auto simp add: Pi_iff subset_Sigma_imp_relation restrict_idem)  
paulson@13254
    47
done
paulson@13254
    48
paulson@13254
    49
lemma is_recfun_cong_lemma:
paulson@13254
    50
  "[| is_recfun(r,a,H,f); r = r'; a = a'; f = f'; 
paulson@13254
    51
      !!x g. [| <x,a'> \<in> r'; relation(g); domain(g) <= r' -``{x} |] 
paulson@13254
    52
             ==> H(x,g) = H'(x,g) |]
paulson@13254
    53
   ==> is_recfun(r',a',H',f')"
paulson@13254
    54
apply (simp add: is_recfun_def) 
paulson@13254
    55
apply (erule trans) 
paulson@13254
    56
apply (rule lam_cong) 
paulson@13254
    57
apply (simp_all add: vimage_singleton_iff Int_lower2)  
paulson@13254
    58
done
paulson@13254
    59
paulson@13254
    60
text{*For @{text is_recfun} we need only pay attention to functions
paulson@13254
    61
      whose domains are initial segments of @{term r}.*}
paulson@13254
    62
lemma is_recfun_cong:
paulson@13254
    63
  "[| r = r'; a = a'; f = f'; 
paulson@13254
    64
      !!x g. [| <x,a'> \<in> r'; relation(g); domain(g) <= r' -``{x} |] 
paulson@13254
    65
             ==> H(x,g) = H'(x,g) |]
paulson@13254
    66
   ==> is_recfun(r,a,H,f) <-> is_recfun(r',a',H',f')"
paulson@13254
    67
apply (rule iffI)
paulson@13254
    68
txt{*Messy: fast and blast don't work for some reason*}
paulson@13254
    69
apply (erule is_recfun_cong_lemma, auto) 
paulson@13254
    70
apply (erule is_recfun_cong_lemma)
paulson@13254
    71
apply (blast intro: sym)+
paulson@13254
    72
done
paulson@13223
    73
paulson@13506
    74
subsection{*Reworking of the Recursion Theory Within @{term M}*}
paulson@13506
    75
paulson@13564
    76
lemma (in M_basic) is_recfun_separation':
paulson@13319
    77
    "[| f \<in> r -`` {a} \<rightarrow> range(f); g \<in> r -`` {b} \<rightarrow> range(g);
paulson@13319
    78
        M(r); M(f); M(g); M(a); M(b) |] 
paulson@13319
    79
     ==> separation(M, \<lambda>x. \<not> (\<langle>x, a\<rangle> \<in> r \<longrightarrow> \<langle>x, b\<rangle> \<in> r \<longrightarrow> f ` x = g ` x))"
paulson@13319
    80
apply (insert is_recfun_separation [of r f g a b]) 
paulson@13352
    81
apply (simp add: vimage_singleton_iff)
paulson@13319
    82
done
paulson@13223
    83
paulson@13251
    84
text{*Stated using @{term "trans(r)"} rather than
paulson@13223
    85
      @{term "transitive_rel(M,A,r)"} because the latter rewrites to
paulson@13223
    86
      the former anyway, by @{text transitive_rel_abs}.
paulson@13251
    87
      As always, theorems should be expressed in simplified form.
paulson@13251
    88
      The last three M-premises are redundant because of @{term "M(r)"}, 
paulson@13251
    89
      but without them we'd have to undertake
paulson@13251
    90
      more work to set up the induction formula.*}
paulson@13564
    91
lemma (in M_basic) is_recfun_equal [rule_format]: 
paulson@13223
    92
    "[|is_recfun(r,a,H,f);  is_recfun(r,b,H,g);  
paulson@13251
    93
       wellfounded(M,r);  trans(r);
paulson@13251
    94
       M(f); M(g); M(r); M(x); M(a); M(b) |] 
paulson@13223
    95
     ==> <x,a> \<in> r --> <x,b> \<in> r --> f`x=g`x"
paulson@13339
    96
apply (frule_tac f=f in is_recfun_type) 
paulson@13339
    97
apply (frule_tac f=g in is_recfun_type) 
paulson@13223
    98
apply (simp add: is_recfun_def)
paulson@13254
    99
apply (erule_tac a=x in wellfounded_induct, assumption+)
paulson@13251
   100
txt{*Separation to justify the induction*}
paulson@13319
   101
 apply (blast intro: is_recfun_separation') 
paulson@13251
   102
txt{*Now the inductive argument itself*}
paulson@13254
   103
apply clarify 
paulson@13223
   104
apply (erule ssubst)+
paulson@13223
   105
apply (simp (no_asm_simp) add: vimage_singleton_iff restrict_def)
paulson@13223
   106
apply (rename_tac x1)
paulson@13223
   107
apply (rule_tac t="%z. H(x1,z)" in subst_context) 
paulson@13721
   108
apply (subgoal_tac "\<forall>y \<in> r-``{x1}. ALL z. <y,z>\<in>f <-> <y,z>\<in>g")
paulson@13251
   109
 apply (blast intro: transD) 
paulson@13223
   110
apply (simp add: apply_iff) 
paulson@13251
   111
apply (blast intro: transD sym) 
paulson@13223
   112
done
paulson@13223
   113
paulson@13564
   114
lemma (in M_basic) is_recfun_cut: 
paulson@13223
   115
    "[|is_recfun(r,a,H,f);  is_recfun(r,b,H,g);  
paulson@13251
   116
       wellfounded(M,r); trans(r); 
paulson@13251
   117
       M(f); M(g); M(r); <b,a> \<in> r |]   
paulson@13223
   118
      ==> restrict(f, r-``{b}) = g"
paulson@13339
   119
apply (frule_tac f=f in is_recfun_type) 
paulson@13223
   120
apply (rule fun_extension) 
paulson@13251
   121
apply (blast intro: transD restrict_type2) 
paulson@13223
   122
apply (erule is_recfun_type, simp) 
paulson@13251
   123
apply (blast intro: is_recfun_equal transD dest: transM) 
paulson@13223
   124
done
paulson@13223
   125
paulson@13564
   126
lemma (in M_basic) is_recfun_functional:
paulson@13223
   127
     "[|is_recfun(r,a,H,f);  is_recfun(r,a,H,g);  
paulson@13268
   128
       wellfounded(M,r); trans(r); M(f); M(g); M(r) |] ==> f=g"
paulson@13223
   129
apply (rule fun_extension)
paulson@13223
   130
apply (erule is_recfun_type)+
paulson@13251
   131
apply (blast intro!: is_recfun_equal dest: transM) 
paulson@13254
   132
done 
paulson@13223
   133
wenzelm@13295
   134
text{*Tells us that @{text is_recfun} can (in principle) be relativized.*}
paulson@13564
   135
lemma (in M_basic) is_recfun_relativize:
paulson@13254
   136
  "[| M(r); M(f); \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)) |] 
paulson@13251
   137
   ==> is_recfun(r,a,H,f) <->
paulson@13254
   138
       (\<forall>z[M]. z \<in> f <-> 
paulson@13254
   139
        (\<exists>x[M]. <x,a> \<in> r & z = <x, H(x, restrict(f, r-``{x}))>))";
paulson@13254
   140
apply (simp add: is_recfun_def lam_def)
paulson@13223
   141
apply (safe intro!: equalityI) 
paulson@13254
   142
   apply (drule equalityD1 [THEN subsetD], assumption) 
paulson@13254
   143
   apply (blast dest: pair_components_in_M) 
paulson@13254
   144
  apply (blast elim!: equalityE dest: pair_components_in_M)
paulson@13615
   145
 apply (frule transM, assumption) 
paulson@13223
   146
 apply simp  
paulson@13223
   147
 apply blast
paulson@13254
   148
apply (subgoal_tac "is_function(M,f)")
paulson@13254
   149
 txt{*We use @{term "is_function"} rather than @{term "function"} because
paulson@13254
   150
      the subgoal's easier to prove with relativized quantifiers!*}
paulson@13254
   151
 prefer 2 apply (simp add: is_function_def) 
paulson@13223
   152
apply (frule pair_components_in_M, assumption) 
paulson@13254
   153
apply (simp add: is_recfun_imp_function function_restrictI) 
paulson@13223
   154
done
paulson@13223
   155
paulson@13564
   156
lemma (in M_basic) is_recfun_restrict:
paulson@13251
   157
     "[| wellfounded(M,r); trans(r); is_recfun(r,x,H,f); \<langle>y,x\<rangle> \<in> r; 
paulson@13251
   158
       M(r); M(f); 
paulson@13254
   159
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)) |]
paulson@13223
   160
       ==> is_recfun(r, y, H, restrict(f, r -`` {y}))"
paulson@13223
   161
apply (frule pair_components_in_M, assumption, clarify) 
paulson@13254
   162
apply (simp (no_asm_simp) add: is_recfun_relativize restrict_iff
paulson@13254
   163
           trans_Int_eq)
paulson@13223
   164
apply safe
paulson@13223
   165
  apply (simp_all add: vimage_singleton_iff is_recfun_type [THEN apply_iff]) 
paulson@13223
   166
  apply (frule_tac x=xa in pair_components_in_M, assumption)
paulson@13251
   167
  apply (frule_tac x=xa in apply_recfun, blast intro: transD)  
paulson@13247
   168
  apply (simp add: is_recfun_type [THEN apply_iff] 
paulson@13251
   169
                   is_recfun_imp_function function_restrictI)
paulson@13251
   170
apply (blast intro: apply_recfun dest: transD)
paulson@13223
   171
done
paulson@13223
   172
 
paulson@13564
   173
lemma (in M_basic) restrict_Y_lemma:
paulson@13251
   174
   "[| wellfounded(M,r); trans(r); M(r);
paulson@13254
   175
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g));  M(Y);
paulson@13299
   176
       \<forall>b[M]. 
paulson@13223
   177
	   b \<in> Y <->
paulson@13299
   178
	   (\<exists>x[M]. <x,a1> \<in> r &
paulson@13299
   179
            (\<exists>y[M]. b = \<langle>x,y\<rangle> & (\<exists>g[M]. is_recfun(r,x,H,g) \<and> y = H(x,g))));
paulson@13299
   180
          \<langle>x,a1\<rangle> \<in> r; is_recfun(r,x,H,f); M(f) |]
paulson@13223
   181
       ==> restrict(Y, r -`` {x}) = f"
paulson@13251
   182
apply (subgoal_tac "\<forall>y \<in> r-``{x}. \<forall>z. <y,z>:Y <-> <y,z>:f") 
paulson@13251
   183
 apply (simp (no_asm_simp) add: restrict_def) 
paulson@13254
   184
 apply (thin_tac "rall(M,?P)")+  --{*essential for efficiency*}
paulson@13251
   185
 apply (frule is_recfun_type [THEN fun_is_rel], blast)
paulson@13223
   186
apply (frule pair_components_in_M, assumption, clarify) 
paulson@13223
   187
apply (rule iffI)
paulson@13505
   188
 apply (frule_tac y="<y,z>" in transM, assumption)
paulson@13223
   189
 apply (clarsimp simp add: vimage_singleton_iff is_recfun_type [THEN apply_iff]
paulson@13223
   190
			   apply_recfun is_recfun_cut) 
paulson@13223
   191
txt{*Opposite inclusion: something in f, show in Y*}
paulson@13293
   192
apply (frule_tac y="<y,z>" in transM, assumption)  
paulson@13293
   193
apply (simp add: vimage_singleton_iff) 
paulson@13293
   194
apply (rule conjI) 
paulson@13293
   195
 apply (blast dest: transD) 
paulson@13268
   196
apply (rule_tac x="restrict(f, r -`` {y})" in rexI) 
paulson@13268
   197
apply (simp_all add: is_recfun_restrict
paulson@13268
   198
                     apply_recfun is_recfun_type [THEN apply_iff]) 
paulson@13223
   199
done
paulson@13223
   200
paulson@13245
   201
text{*For typical applications of Replacement for recursive definitions*}
paulson@13564
   202
lemma (in M_basic) univalent_is_recfun:
paulson@13251
   203
     "[|wellfounded(M,r); trans(r); M(r)|]
paulson@13268
   204
      ==> univalent (M, A, \<lambda>x p. 
paulson@13293
   205
              \<exists>y[M]. p = \<langle>x,y\<rangle> & (\<exists>f[M]. is_recfun(r,x,H,f) & y = H(x,f)))"
paulson@13245
   206
apply (simp add: univalent_def) 
paulson@13245
   207
apply (blast dest: is_recfun_functional) 
paulson@13245
   208
done
paulson@13245
   209
paulson@13299
   210
paulson@13223
   211
text{*Proof of the inductive step for @{text exists_is_recfun}, since
paulson@13223
   212
      we must prove two versions.*}
paulson@13564
   213
lemma (in M_basic) exists_is_recfun_indstep:
paulson@13268
   214
    "[|\<forall>y. \<langle>y, a1\<rangle> \<in> r --> (\<exists>f[M]. is_recfun(r, y, H, f)); 
paulson@13251
   215
       wellfounded(M,r); trans(r); M(r); M(a1);
paulson@13268
   216
       strong_replacement(M, \<lambda>x z. 
paulson@13268
   217
              \<exists>y[M]. \<exists>g[M]. pair(M,x,y,z) & is_recfun(r,x,H,g) & y = H(x,g)); 
paulson@13254
   218
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g))|]   
paulson@13268
   219
      ==> \<exists>f[M]. is_recfun(r,a1,H,f)"
paulson@13223
   220
apply (drule_tac A="r-``{a1}" in strong_replacementD)
paulson@13251
   221
  apply blast 
paulson@13223
   222
 txt{*Discharge the "univalent" obligation of Replacement*}
paulson@13251
   223
 apply (simp add: univalent_is_recfun) 
paulson@13223
   224
txt{*Show that the constructed object satisfies @{text is_recfun}*} 
paulson@13223
   225
apply clarify 
paulson@13268
   226
apply (rule_tac x=Y in rexI)  
paulson@13254
   227
txt{*Unfold only the top-level occurrence of @{term is_recfun}*}
paulson@13254
   228
apply (simp (no_asm_simp) add: is_recfun_relativize [of concl: _ a1])
paulson@13268
   229
txt{*The big iff-formula defining @{term Y} is now redundant*}
paulson@13254
   230
apply safe 
paulson@13299
   231
 apply (simp add: vimage_singleton_iff restrict_Y_lemma [of r H _ a1]) 
paulson@13223
   232
txt{*one more case*}
paulson@13254
   233
apply (simp (no_asm_simp) add: Bex_def vimage_singleton_iff)
paulson@13223
   234
apply (drule_tac x1=x in spec [THEN mp], assumption, clarify) 
paulson@13268
   235
apply (rename_tac f) 
paulson@13268
   236
apply (rule_tac x=f in rexI) 
paulson@13293
   237
apply (simp_all add: restrict_Y_lemma [of r H])
paulson@13299
   238
txt{*FIXME: should not be needed!*}
paulson@13299
   239
apply (subst restrict_Y_lemma [of r H])
paulson@13299
   240
apply (simp add: vimage_singleton_iff)+
paulson@13299
   241
apply blast+
paulson@13223
   242
done
paulson@13223
   243
paulson@13223
   244
text{*Relativized version, when we have the (currently weaker) premise
paulson@13251
   245
      @{term "wellfounded(M,r)"}*}
paulson@13564
   246
lemma (in M_basic) wellfounded_exists_is_recfun:
paulson@13251
   247
    "[|wellfounded(M,r);  trans(r);  
paulson@13268
   248
       separation(M, \<lambda>x. ~ (\<exists>f[M]. is_recfun(r, x, H, f)));
paulson@13268
   249
       strong_replacement(M, \<lambda>x z. 
paulson@13268
   250
          \<exists>y[M]. \<exists>g[M]. pair(M,x,y,z) & is_recfun(r,x,H,g) & y = H(x,g)); 
paulson@13251
   251
       M(r);  M(a);  
paulson@13254
   252
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)) |]   
paulson@13268
   253
      ==> \<exists>f[M]. is_recfun(r,a,H,f)"
paulson@13251
   254
apply (rule wellfounded_induct, assumption+, clarify)
paulson@13223
   255
apply (rule exists_is_recfun_indstep, assumption+)
paulson@13223
   256
done
paulson@13223
   257
paulson@13564
   258
lemma (in M_basic) wf_exists_is_recfun [rule_format]:
paulson@13268
   259
    "[|wf(r);  trans(r);  M(r);  
paulson@13268
   260
       strong_replacement(M, \<lambda>x z. 
paulson@13268
   261
         \<exists>y[M]. \<exists>g[M]. pair(M,x,y,z) & is_recfun(r,x,H,g) & y = H(x,g)); 
paulson@13254
   262
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)) |]   
paulson@13268
   263
      ==> M(a) --> (\<exists>f[M]. is_recfun(r,a,H,f))"
paulson@13251
   264
apply (rule wf_induct, assumption+)
paulson@13251
   265
apply (frule wf_imp_relativized)
paulson@13251
   266
apply (intro impI)
paulson@13268
   267
apply (rule exists_is_recfun_indstep) 
paulson@13268
   268
      apply (blast dest: transM del: rev_rallE, assumption+)
paulson@13223
   269
done
paulson@13223
   270
paulson@13506
   271
paulson@13506
   272
subsection{*Relativization of the ZF Predicate @{term is_recfun}*}
paulson@13506
   273
wenzelm@21233
   274
definition
paulson@13353
   275
  M_is_recfun :: "[i=>o, [i,i,i]=>o, i, i, i] => o"
paulson@13352
   276
   "M_is_recfun(M,MH,r,a,f) == 
paulson@13254
   277
     \<forall>z[M]. z \<in> f <-> 
paulson@13254
   278
            (\<exists>x[M]. \<exists>y[M]. \<exists>xa[M]. \<exists>sx[M]. \<exists>r_sx[M]. \<exists>f_r_sx[M]. 
paulson@13254
   279
	       pair(M,x,y,z) & pair(M,x,a,xa) & upair(M,x,x,sx) &
paulson@13254
   280
               pre_image(M,r,sx,r_sx) & restriction(M,f,r_sx,f_r_sx) &
paulson@13348
   281
               xa \<in> r & MH(x, f_r_sx, y))"
paulson@13223
   282
paulson@13353
   283
  is_wfrec :: "[i=>o, [i,i,i]=>o, i, i, i] => o"
paulson@13353
   284
   "is_wfrec(M,MH,r,a,z) == 
paulson@13353
   285
      \<exists>f[M]. M_is_recfun(M,MH,r,a,f) & MH(a,f,z)"
paulson@13353
   286
paulson@13353
   287
  wfrec_replacement :: "[i=>o, [i,i,i]=>o, i] => o"
paulson@13353
   288
   "wfrec_replacement(M,MH,r) ==
paulson@13353
   289
        strong_replacement(M, 
paulson@13353
   290
             \<lambda>x z. \<exists>y[M]. pair(M,x,y,z) & is_wfrec(M,MH,r,x,y))"
paulson@13353
   291
paulson@13564
   292
lemma (in M_basic) is_recfun_abs:
paulson@13350
   293
     "[| \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g));  M(r); M(a); M(f); 
paulson@13634
   294
         relation2(M,MH,H) |] 
paulson@13352
   295
      ==> M_is_recfun(M,MH,r,a,f) <-> is_recfun(r,a,H,f)"
paulson@13634
   296
apply (simp add: M_is_recfun_def relation2_def is_recfun_relativize)
paulson@13254
   297
apply (rule rall_cong)
paulson@13254
   298
apply (blast dest: transM)
paulson@13223
   299
done
paulson@13223
   300
paulson@13223
   301
lemma M_is_recfun_cong [cong]:
paulson@13223
   302
     "[| r = r'; a = a'; f = f'; 
paulson@13348
   303
       !!x g y. [| M(x); M(g); M(y) |] ==> MH(x,g,y) <-> MH'(x,g,y) |]
paulson@13352
   304
      ==> M_is_recfun(M,MH,r,a,f) <-> M_is_recfun(M,MH',r',a',f')"
paulson@13223
   305
by (simp add: M_is_recfun_def) 
paulson@13223
   306
paulson@13564
   307
lemma (in M_basic) is_wfrec_abs:
paulson@13353
   308
     "[| \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)); 
paulson@13634
   309
         relation2(M,MH,H);  M(r); M(a); M(z) |]
paulson@13353
   310
      ==> is_wfrec(M,MH,r,a,z) <-> 
paulson@13353
   311
          (\<exists>g[M]. is_recfun(r,a,H,g) & z = H(a,g))"
paulson@13634
   312
by (simp add: is_wfrec_def relation2_def is_recfun_abs)
paulson@13223
   313
paulson@13353
   314
text{*Relating @{term wfrec_replacement} to native constructs*}
paulson@13564
   315
lemma (in M_basic) wfrec_replacement':
paulson@13353
   316
  "[|wfrec_replacement(M,MH,r);
paulson@13353
   317
     \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)); 
paulson@13634
   318
     relation2(M,MH,H);  M(r)|] 
paulson@13353
   319
   ==> strong_replacement(M, \<lambda>x z. \<exists>y[M]. 
paulson@13353
   320
                pair(M,x,y,z) & (\<exists>g[M]. is_recfun(r,x,H,g) & y = H(x,g)))"
paulson@13615
   321
by (simp add: wfrec_replacement_def is_wfrec_abs) 
paulson@13353
   322
paulson@13353
   323
lemma wfrec_replacement_cong [cong]:
paulson@13353
   324
     "[| !!x y z. [| M(x); M(y); M(z) |] ==> MH(x,y,z) <-> MH'(x,y,z);
paulson@13353
   325
         r=r' |] 
paulson@13353
   326
      ==> wfrec_replacement(M, %x y. MH(x,y), r) <-> 
paulson@13353
   327
          wfrec_replacement(M, %x y. MH'(x,y), r')" 
paulson@13353
   328
by (simp add: is_wfrec_def wfrec_replacement_def) 
paulson@13353
   329
paulson@13353
   330
paulson@13223
   331
end
paulson@13223
   332