src/ZF/Constructible/WFrec.thy
author wenzelm
Thu Dec 14 11:24:26 2017 +0100 (21 months ago)
changeset 67198 694f29a5433b
parent 61798 27f3c10b0b50
child 67443 3abf6a722518
permissions -rw-r--r--
merged
paulson@13505
     1
(*  Title:      ZF/Constructible/WFrec.thy
paulson@13505
     2
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@13505
     3
*)
paulson@13505
     4
wenzelm@60770
     5
section\<open>Relativized Well-Founded Recursion\<close>
paulson@13306
     6
haftmann@16417
     7
theory WFrec imports Wellorderings begin
paulson@13223
     8
paulson@13223
     9
wenzelm@60770
    10
subsection\<open>General Lemmas\<close>
paulson@13506
    11
paulson@13254
    12
(*Many of these might be useful in WF.thy*)
paulson@13223
    13
paulson@13269
    14
lemma apply_recfun2:
paulson@13269
    15
    "[| is_recfun(r,a,H,f); <x,i>:f |] ==> i = H(x, restrict(f,r-``{x}))"
paulson@13269
    16
apply (frule apply_recfun) 
paulson@13269
    17
 apply (blast dest: is_recfun_type fun_is_rel) 
paulson@13269
    18
apply (simp add: function_apply_equality [OF _ is_recfun_imp_function])
paulson@13223
    19
done
paulson@13223
    20
wenzelm@61798
    21
text\<open>Expresses \<open>is_recfun\<close> as a recursion equation\<close>
paulson@13223
    22
lemma is_recfun_iff_equation:
paulson@46823
    23
     "is_recfun(r,a,H,f) \<longleftrightarrow>
wenzelm@32960
    24
           f \<in> r -`` {a} \<rightarrow> range(f) &
wenzelm@32960
    25
           (\<forall>x \<in> r-``{a}. f`x = H(x, restrict(f, r-``{x})))"  
paulson@13223
    26
apply (rule iffI) 
paulson@13223
    27
 apply (simp add: is_recfun_type apply_recfun Ball_def vimage_singleton_iff, 
paulson@13223
    28
        clarify)  
paulson@13223
    29
apply (simp add: is_recfun_def) 
paulson@13223
    30
apply (rule fun_extension) 
paulson@13223
    31
  apply assumption
paulson@13223
    32
 apply (fast intro: lam_type, simp) 
paulson@13223
    33
done
paulson@13223
    34
paulson@13245
    35
lemma is_recfun_imp_in_r: "[|is_recfun(r,a,H,f); \<langle>x,i\<rangle> \<in> f|] ==> \<langle>x, a\<rangle> \<in> r"
paulson@13269
    36
by (blast dest: is_recfun_type fun_is_rel)
paulson@13245
    37
paulson@13254
    38
lemma trans_Int_eq:
paulson@13254
    39
      "[| trans(r); <y,x> \<in> r |] ==> r -`` {x} \<inter> r -`` {y} = r -`` {y}"
paulson@13251
    40
by (blast intro: transD) 
paulson@13223
    41
paulson@13254
    42
lemma is_recfun_restrict_idem:
paulson@13254
    43
     "is_recfun(r,a,H,f) ==> restrict(f, r -`` {a}) = f"
paulson@13254
    44
apply (drule is_recfun_type)
paulson@13254
    45
apply (auto simp add: Pi_iff subset_Sigma_imp_relation restrict_idem)  
paulson@13254
    46
done
paulson@13254
    47
paulson@13254
    48
lemma is_recfun_cong_lemma:
paulson@13254
    49
  "[| is_recfun(r,a,H,f); r = r'; a = a'; f = f'; 
paulson@46823
    50
      !!x g. [| <x,a'> \<in> r'; relation(g); domain(g) \<subseteq> r' -``{x} |] 
paulson@13254
    51
             ==> H(x,g) = H'(x,g) |]
paulson@13254
    52
   ==> is_recfun(r',a',H',f')"
paulson@13254
    53
apply (simp add: is_recfun_def) 
paulson@13254
    54
apply (erule trans) 
paulson@13254
    55
apply (rule lam_cong) 
paulson@13254
    56
apply (simp_all add: vimage_singleton_iff Int_lower2)  
paulson@13254
    57
done
paulson@13254
    58
wenzelm@61798
    59
text\<open>For \<open>is_recfun\<close> we need only pay attention to functions
wenzelm@60770
    60
      whose domains are initial segments of @{term r}.\<close>
paulson@13254
    61
lemma is_recfun_cong:
paulson@13254
    62
  "[| r = r'; a = a'; f = f'; 
paulson@46823
    63
      !!x g. [| <x,a'> \<in> r'; relation(g); domain(g) \<subseteq> r' -``{x} |] 
paulson@13254
    64
             ==> H(x,g) = H'(x,g) |]
paulson@46823
    65
   ==> is_recfun(r,a,H,f) \<longleftrightarrow> is_recfun(r',a',H',f')"
paulson@13254
    66
apply (rule iffI)
wenzelm@60770
    67
txt\<open>Messy: fast and blast don't work for some reason\<close>
paulson@13254
    68
apply (erule is_recfun_cong_lemma, auto) 
paulson@13254
    69
apply (erule is_recfun_cong_lemma)
paulson@13254
    70
apply (blast intro: sym)+
paulson@13254
    71
done
paulson@13223
    72
wenzelm@60770
    73
subsection\<open>Reworking of the Recursion Theory Within @{term M}\<close>
paulson@13506
    74
paulson@13564
    75
lemma (in M_basic) is_recfun_separation':
paulson@13319
    76
    "[| f \<in> r -`` {a} \<rightarrow> range(f); g \<in> r -`` {b} \<rightarrow> range(g);
paulson@13319
    77
        M(r); M(f); M(g); M(a); M(b) |] 
paulson@13319
    78
     ==> separation(M, \<lambda>x. \<not> (\<langle>x, a\<rangle> \<in> r \<longrightarrow> \<langle>x, b\<rangle> \<in> r \<longrightarrow> f ` x = g ` x))"
paulson@13319
    79
apply (insert is_recfun_separation [of r f g a b]) 
paulson@13352
    80
apply (simp add: vimage_singleton_iff)
paulson@13319
    81
done
paulson@13223
    82
wenzelm@60770
    83
text\<open>Stated using @{term "trans(r)"} rather than
paulson@13223
    84
      @{term "transitive_rel(M,A,r)"} because the latter rewrites to
wenzelm@61798
    85
      the former anyway, by \<open>transitive_rel_abs\<close>.
paulson@13251
    86
      As always, theorems should be expressed in simplified form.
paulson@13251
    87
      The last three M-premises are redundant because of @{term "M(r)"}, 
paulson@13251
    88
      but without them we'd have to undertake
wenzelm@60770
    89
      more work to set up the induction formula.\<close>
paulson@13564
    90
lemma (in M_basic) is_recfun_equal [rule_format]: 
paulson@13223
    91
    "[|is_recfun(r,a,H,f);  is_recfun(r,b,H,g);  
paulson@13251
    92
       wellfounded(M,r);  trans(r);
paulson@13251
    93
       M(f); M(g); M(r); M(x); M(a); M(b) |] 
paulson@46823
    94
     ==> <x,a> \<in> r \<longrightarrow> <x,b> \<in> r \<longrightarrow> f`x=g`x"
paulson@13339
    95
apply (frule_tac f=f in is_recfun_type) 
paulson@13339
    96
apply (frule_tac f=g in is_recfun_type) 
paulson@13223
    97
apply (simp add: is_recfun_def)
paulson@13254
    98
apply (erule_tac a=x in wellfounded_induct, assumption+)
wenzelm@60770
    99
txt\<open>Separation to justify the induction\<close>
paulson@13319
   100
 apply (blast intro: is_recfun_separation') 
wenzelm@60770
   101
txt\<open>Now the inductive argument itself\<close>
paulson@13254
   102
apply clarify 
paulson@13223
   103
apply (erule ssubst)+
paulson@13223
   104
apply (simp (no_asm_simp) add: vimage_singleton_iff restrict_def)
paulson@13223
   105
apply (rename_tac x1)
paulson@13223
   106
apply (rule_tac t="%z. H(x1,z)" in subst_context) 
paulson@46823
   107
apply (subgoal_tac "\<forall>y \<in> r-``{x1}. \<forall>z. <y,z>\<in>f \<longleftrightarrow> <y,z>\<in>g")
paulson@13251
   108
 apply (blast intro: transD) 
paulson@13223
   109
apply (simp add: apply_iff) 
paulson@13251
   110
apply (blast intro: transD sym) 
paulson@13223
   111
done
paulson@13223
   112
paulson@13564
   113
lemma (in M_basic) is_recfun_cut: 
paulson@13223
   114
    "[|is_recfun(r,a,H,f);  is_recfun(r,b,H,g);  
paulson@13251
   115
       wellfounded(M,r); trans(r); 
paulson@13251
   116
       M(f); M(g); M(r); <b,a> \<in> r |]   
paulson@13223
   117
      ==> restrict(f, r-``{b}) = g"
paulson@13339
   118
apply (frule_tac f=f in is_recfun_type) 
paulson@13223
   119
apply (rule fun_extension) 
paulson@13251
   120
apply (blast intro: transD restrict_type2) 
paulson@13223
   121
apply (erule is_recfun_type, simp) 
paulson@13251
   122
apply (blast intro: is_recfun_equal transD dest: transM) 
paulson@13223
   123
done
paulson@13223
   124
paulson@13564
   125
lemma (in M_basic) is_recfun_functional:
paulson@13223
   126
     "[|is_recfun(r,a,H,f);  is_recfun(r,a,H,g);  
paulson@13268
   127
       wellfounded(M,r); trans(r); M(f); M(g); M(r) |] ==> f=g"
paulson@13223
   128
apply (rule fun_extension)
paulson@13223
   129
apply (erule is_recfun_type)+
paulson@13251
   130
apply (blast intro!: is_recfun_equal dest: transM) 
paulson@13254
   131
done 
paulson@13223
   132
wenzelm@61798
   133
text\<open>Tells us that \<open>is_recfun\<close> can (in principle) be relativized.\<close>
paulson@13564
   134
lemma (in M_basic) is_recfun_relativize:
paulson@46823
   135
  "[| M(r); M(f); \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(H(x,g)) |] 
paulson@46823
   136
   ==> is_recfun(r,a,H,f) \<longleftrightarrow>
paulson@46823
   137
       (\<forall>z[M]. z \<in> f \<longleftrightarrow> 
wenzelm@58860
   138
        (\<exists>x[M]. <x,a> \<in> r & z = <x, H(x, restrict(f, r-``{x}))>))"
paulson@13254
   139
apply (simp add: is_recfun_def lam_def)
paulson@13223
   140
apply (safe intro!: equalityI) 
paulson@13254
   141
   apply (drule equalityD1 [THEN subsetD], assumption) 
paulson@13254
   142
   apply (blast dest: pair_components_in_M) 
paulson@13254
   143
  apply (blast elim!: equalityE dest: pair_components_in_M)
paulson@13615
   144
 apply (frule transM, assumption) 
paulson@13223
   145
 apply simp  
paulson@13223
   146
 apply blast
paulson@13254
   147
apply (subgoal_tac "is_function(M,f)")
wenzelm@60770
   148
 txt\<open>We use @{term "is_function"} rather than @{term "function"} because
wenzelm@60770
   149
      the subgoal's easier to prove with relativized quantifiers!\<close>
paulson@13254
   150
 prefer 2 apply (simp add: is_function_def) 
paulson@13223
   151
apply (frule pair_components_in_M, assumption) 
paulson@13254
   152
apply (simp add: is_recfun_imp_function function_restrictI) 
paulson@13223
   153
done
paulson@13223
   154
paulson@13564
   155
lemma (in M_basic) is_recfun_restrict:
paulson@13251
   156
     "[| wellfounded(M,r); trans(r); is_recfun(r,x,H,f); \<langle>y,x\<rangle> \<in> r; 
paulson@13251
   157
       M(r); M(f); 
paulson@46823
   158
       \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(H(x,g)) |]
paulson@13223
   159
       ==> is_recfun(r, y, H, restrict(f, r -`` {y}))"
paulson@13223
   160
apply (frule pair_components_in_M, assumption, clarify) 
paulson@13254
   161
apply (simp (no_asm_simp) add: is_recfun_relativize restrict_iff
paulson@13254
   162
           trans_Int_eq)
paulson@13223
   163
apply safe
paulson@13223
   164
  apply (simp_all add: vimage_singleton_iff is_recfun_type [THEN apply_iff]) 
paulson@13223
   165
  apply (frule_tac x=xa in pair_components_in_M, assumption)
paulson@13251
   166
  apply (frule_tac x=xa in apply_recfun, blast intro: transD)  
paulson@13247
   167
  apply (simp add: is_recfun_type [THEN apply_iff] 
paulson@13251
   168
                   is_recfun_imp_function function_restrictI)
paulson@13251
   169
apply (blast intro: apply_recfun dest: transD)
paulson@13223
   170
done
paulson@13223
   171
 
paulson@13564
   172
lemma (in M_basic) restrict_Y_lemma:
paulson@13251
   173
   "[| wellfounded(M,r); trans(r); M(r);
paulson@46823
   174
       \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(H(x,g));  M(Y);
paulson@13299
   175
       \<forall>b[M]. 
paulson@46823
   176
           b \<in> Y \<longleftrightarrow>
wenzelm@32960
   177
           (\<exists>x[M]. <x,a1> \<in> r &
paulson@13299
   178
            (\<exists>y[M]. b = \<langle>x,y\<rangle> & (\<exists>g[M]. is_recfun(r,x,H,g) \<and> y = H(x,g))));
paulson@13299
   179
          \<langle>x,a1\<rangle> \<in> r; is_recfun(r,x,H,f); M(f) |]
paulson@13223
   180
       ==> restrict(Y, r -`` {x}) = f"
paulson@46823
   181
apply (subgoal_tac "\<forall>y \<in> r-``{x}. \<forall>z. <y,z>:Y \<longleftrightarrow> <y,z>:f") 
paulson@13251
   182
 apply (simp (no_asm_simp) add: restrict_def) 
wenzelm@61798
   183
 apply (thin_tac "rall(M,P)" for P)+  \<comment>\<open>essential for efficiency\<close>
paulson@13251
   184
 apply (frule is_recfun_type [THEN fun_is_rel], blast)
paulson@13223
   185
apply (frule pair_components_in_M, assumption, clarify) 
paulson@13223
   186
apply (rule iffI)
paulson@13505
   187
 apply (frule_tac y="<y,z>" in transM, assumption)
paulson@13223
   188
 apply (clarsimp simp add: vimage_singleton_iff is_recfun_type [THEN apply_iff]
wenzelm@32960
   189
                           apply_recfun is_recfun_cut) 
wenzelm@60770
   190
txt\<open>Opposite inclusion: something in f, show in Y\<close>
paulson@13293
   191
apply (frule_tac y="<y,z>" in transM, assumption)  
paulson@13293
   192
apply (simp add: vimage_singleton_iff) 
paulson@13293
   193
apply (rule conjI) 
paulson@13293
   194
 apply (blast dest: transD) 
paulson@13268
   195
apply (rule_tac x="restrict(f, r -`` {y})" in rexI) 
paulson@13268
   196
apply (simp_all add: is_recfun_restrict
paulson@13268
   197
                     apply_recfun is_recfun_type [THEN apply_iff]) 
paulson@13223
   198
done
paulson@13223
   199
wenzelm@60770
   200
text\<open>For typical applications of Replacement for recursive definitions\<close>
paulson@13564
   201
lemma (in M_basic) univalent_is_recfun:
paulson@13251
   202
     "[|wellfounded(M,r); trans(r); M(r)|]
paulson@13268
   203
      ==> univalent (M, A, \<lambda>x p. 
paulson@13293
   204
              \<exists>y[M]. p = \<langle>x,y\<rangle> & (\<exists>f[M]. is_recfun(r,x,H,f) & y = H(x,f)))"
paulson@13245
   205
apply (simp add: univalent_def) 
paulson@13245
   206
apply (blast dest: is_recfun_functional) 
paulson@13245
   207
done
paulson@13245
   208
paulson@13299
   209
wenzelm@61798
   210
text\<open>Proof of the inductive step for \<open>exists_is_recfun\<close>, since
wenzelm@60770
   211
      we must prove two versions.\<close>
paulson@13564
   212
lemma (in M_basic) exists_is_recfun_indstep:
paulson@46823
   213
    "[|\<forall>y. \<langle>y, a1\<rangle> \<in> r \<longrightarrow> (\<exists>f[M]. is_recfun(r, y, H, f)); 
paulson@13251
   214
       wellfounded(M,r); trans(r); M(r); M(a1);
paulson@13268
   215
       strong_replacement(M, \<lambda>x z. 
paulson@13268
   216
              \<exists>y[M]. \<exists>g[M]. pair(M,x,y,z) & is_recfun(r,x,H,g) & y = H(x,g)); 
paulson@46823
   217
       \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(H(x,g))|]   
paulson@13268
   218
      ==> \<exists>f[M]. is_recfun(r,a1,H,f)"
paulson@13223
   219
apply (drule_tac A="r-``{a1}" in strong_replacementD)
paulson@13251
   220
  apply blast 
wenzelm@60770
   221
 txt\<open>Discharge the "univalent" obligation of Replacement\<close>
paulson@13251
   222
 apply (simp add: univalent_is_recfun) 
wenzelm@61798
   223
txt\<open>Show that the constructed object satisfies \<open>is_recfun\<close>\<close> 
paulson@13223
   224
apply clarify 
paulson@13268
   225
apply (rule_tac x=Y in rexI)  
wenzelm@60770
   226
txt\<open>Unfold only the top-level occurrence of @{term is_recfun}\<close>
paulson@13254
   227
apply (simp (no_asm_simp) add: is_recfun_relativize [of concl: _ a1])
wenzelm@60770
   228
txt\<open>The big iff-formula defining @{term Y} is now redundant\<close>
paulson@13254
   229
apply safe 
paulson@13299
   230
 apply (simp add: vimage_singleton_iff restrict_Y_lemma [of r H _ a1]) 
wenzelm@60770
   231
txt\<open>one more case\<close>
paulson@13254
   232
apply (simp (no_asm_simp) add: Bex_def vimage_singleton_iff)
paulson@13223
   233
apply (drule_tac x1=x in spec [THEN mp], assumption, clarify) 
paulson@13268
   234
apply (rename_tac f) 
paulson@13268
   235
apply (rule_tac x=f in rexI) 
paulson@13293
   236
apply (simp_all add: restrict_Y_lemma [of r H])
wenzelm@60770
   237
txt\<open>FIXME: should not be needed!\<close>
paulson@13299
   238
apply (subst restrict_Y_lemma [of r H])
paulson@13299
   239
apply (simp add: vimage_singleton_iff)+
paulson@13299
   240
apply blast+
paulson@13223
   241
done
paulson@13223
   242
wenzelm@60770
   243
text\<open>Relativized version, when we have the (currently weaker) premise
wenzelm@60770
   244
      @{term "wellfounded(M,r)"}\<close>
paulson@13564
   245
lemma (in M_basic) wellfounded_exists_is_recfun:
paulson@13251
   246
    "[|wellfounded(M,r);  trans(r);  
paulson@13268
   247
       separation(M, \<lambda>x. ~ (\<exists>f[M]. is_recfun(r, x, H, f)));
paulson@13268
   248
       strong_replacement(M, \<lambda>x z. 
paulson@13268
   249
          \<exists>y[M]. \<exists>g[M]. pair(M,x,y,z) & is_recfun(r,x,H,g) & y = H(x,g)); 
paulson@13251
   250
       M(r);  M(a);  
paulson@46823
   251
       \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(H(x,g)) |]   
paulson@13268
   252
      ==> \<exists>f[M]. is_recfun(r,a,H,f)"
paulson@13251
   253
apply (rule wellfounded_induct, assumption+, clarify)
paulson@13223
   254
apply (rule exists_is_recfun_indstep, assumption+)
paulson@13223
   255
done
paulson@13223
   256
paulson@13564
   257
lemma (in M_basic) wf_exists_is_recfun [rule_format]:
paulson@13268
   258
    "[|wf(r);  trans(r);  M(r);  
paulson@13268
   259
       strong_replacement(M, \<lambda>x z. 
paulson@13268
   260
         \<exists>y[M]. \<exists>g[M]. pair(M,x,y,z) & is_recfun(r,x,H,g) & y = H(x,g)); 
paulson@46823
   261
       \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(H(x,g)) |]   
paulson@46823
   262
      ==> M(a) \<longrightarrow> (\<exists>f[M]. is_recfun(r,a,H,f))"
paulson@13251
   263
apply (rule wf_induct, assumption+)
paulson@13251
   264
apply (frule wf_imp_relativized)
paulson@13251
   265
apply (intro impI)
paulson@13268
   266
apply (rule exists_is_recfun_indstep) 
paulson@13268
   267
      apply (blast dest: transM del: rev_rallE, assumption+)
paulson@13223
   268
done
paulson@13223
   269
paulson@13506
   270
wenzelm@60770
   271
subsection\<open>Relativization of the ZF Predicate @{term is_recfun}\<close>
paulson@13506
   272
wenzelm@21233
   273
definition
wenzelm@21404
   274
  M_is_recfun :: "[i=>o, [i,i,i]=>o, i, i, i] => o" where
paulson@13352
   275
   "M_is_recfun(M,MH,r,a,f) == 
paulson@46823
   276
     \<forall>z[M]. z \<in> f \<longleftrightarrow> 
paulson@13254
   277
            (\<exists>x[M]. \<exists>y[M]. \<exists>xa[M]. \<exists>sx[M]. \<exists>r_sx[M]. \<exists>f_r_sx[M]. 
wenzelm@32960
   278
               pair(M,x,y,z) & pair(M,x,a,xa) & upair(M,x,x,sx) &
paulson@13254
   279
               pre_image(M,r,sx,r_sx) & restriction(M,f,r_sx,f_r_sx) &
paulson@13348
   280
               xa \<in> r & MH(x, f_r_sx, y))"
paulson@13223
   281
wenzelm@21404
   282
definition
wenzelm@21404
   283
  is_wfrec :: "[i=>o, [i,i,i]=>o, i, i, i] => o" where
paulson@13353
   284
   "is_wfrec(M,MH,r,a,z) == 
paulson@13353
   285
      \<exists>f[M]. M_is_recfun(M,MH,r,a,f) & MH(a,f,z)"
paulson@13353
   286
wenzelm@21404
   287
definition
wenzelm@21404
   288
  wfrec_replacement :: "[i=>o, [i,i,i]=>o, i] => o" where
paulson@13353
   289
   "wfrec_replacement(M,MH,r) ==
paulson@13353
   290
        strong_replacement(M, 
paulson@13353
   291
             \<lambda>x z. \<exists>y[M]. pair(M,x,y,z) & is_wfrec(M,MH,r,x,y))"
paulson@13353
   292
paulson@13564
   293
lemma (in M_basic) is_recfun_abs:
paulson@46823
   294
     "[| \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(H(x,g));  M(r); M(a); M(f); 
paulson@13634
   295
         relation2(M,MH,H) |] 
paulson@46823
   296
      ==> M_is_recfun(M,MH,r,a,f) \<longleftrightarrow> is_recfun(r,a,H,f)"
paulson@13634
   297
apply (simp add: M_is_recfun_def relation2_def is_recfun_relativize)
paulson@13254
   298
apply (rule rall_cong)
paulson@13254
   299
apply (blast dest: transM)
paulson@13223
   300
done
paulson@13223
   301
paulson@13223
   302
lemma M_is_recfun_cong [cong]:
paulson@13223
   303
     "[| r = r'; a = a'; f = f'; 
paulson@46823
   304
       !!x g y. [| M(x); M(g); M(y) |] ==> MH(x,g,y) \<longleftrightarrow> MH'(x,g,y) |]
paulson@46823
   305
      ==> M_is_recfun(M,MH,r,a,f) \<longleftrightarrow> M_is_recfun(M,MH',r',a',f')"
paulson@13223
   306
by (simp add: M_is_recfun_def) 
paulson@13223
   307
paulson@13564
   308
lemma (in M_basic) is_wfrec_abs:
paulson@46823
   309
     "[| \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(H(x,g)); 
paulson@13634
   310
         relation2(M,MH,H);  M(r); M(a); M(z) |]
paulson@46823
   311
      ==> is_wfrec(M,MH,r,a,z) \<longleftrightarrow> 
paulson@13353
   312
          (\<exists>g[M]. is_recfun(r,a,H,g) & z = H(a,g))"
paulson@13634
   313
by (simp add: is_wfrec_def relation2_def is_recfun_abs)
paulson@13223
   314
wenzelm@60770
   315
text\<open>Relating @{term wfrec_replacement} to native constructs\<close>
paulson@13564
   316
lemma (in M_basic) wfrec_replacement':
paulson@13353
   317
  "[|wfrec_replacement(M,MH,r);
paulson@46823
   318
     \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(H(x,g)); 
paulson@13634
   319
     relation2(M,MH,H);  M(r)|] 
paulson@13353
   320
   ==> strong_replacement(M, \<lambda>x z. \<exists>y[M]. 
paulson@13353
   321
                pair(M,x,y,z) & (\<exists>g[M]. is_recfun(r,x,H,g) & y = H(x,g)))"
paulson@13615
   322
by (simp add: wfrec_replacement_def is_wfrec_abs) 
paulson@13353
   323
paulson@13353
   324
lemma wfrec_replacement_cong [cong]:
paulson@46823
   325
     "[| !!x y z. [| M(x); M(y); M(z) |] ==> MH(x,y,z) \<longleftrightarrow> MH'(x,y,z);
paulson@13353
   326
         r=r' |] 
paulson@46823
   327
      ==> wfrec_replacement(M, %x y. MH(x,y), r) \<longleftrightarrow> 
paulson@13353
   328
          wfrec_replacement(M, %x y. MH'(x,y), r')" 
paulson@13353
   329
by (simp add: is_wfrec_def wfrec_replacement_def) 
paulson@13353
   330
paulson@13353
   331
paulson@13223
   332
end
paulson@13223
   333