(*  Title:      ZF/Constructible/Satisfies_absolute.thy
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
*)

section \<open>Absoluteness for the Satisfies Relation on Formulas\<close>

haftmann@16417
     7
theory Satisfies_absolute imports Datatype_absolute Rec_Separation begin 
paulson@13494
     8
paulson@13494
     9
subsection \<open>More Internalization\<close>

subsubsection\<open>The Formula @{term is_depth}, Internalized\<close>

(*  The relational predicate being internalized (defined in an imported theory):

      "is_depth(M,p,n) == 
       \<exists>sn[M]. \<exists>formula_n[M]. \<exists>formula_sn[M]. 
         2          1                0
        is_formula_N(M,n,formula_n) & p \<notin> formula_n &
        successor(M,n,sn) & is_formula_N(M,sn,formula_sn) & p \<in> formula_sn"

    The numbers written under the quantifiers are the de Bruijn indices of the
    three bound variables inside depth_fm below; the free arguments p and n
    are shifted by 3 because they are referenced underneath three Exists. *)
wenzelm@21404
    19
definition
wenzelm@21404
    20
  depth_fm :: "[i,i]=>i" where
paulson@13494
    21
  "depth_fm(p,n) == 
paulson@13494
    22
     Exists(Exists(Exists(
paulson@13494
    23
       And(formula_N_fm(n#+3,1),
paulson@13494
    24
         And(Neg(Member(p#+3,1)),
paulson@13494
    25
          And(succ_fm(n#+3,2),
paulson@13494
    26
           And(formula_N_fm(2,0), Member(p#+3,0))))))))"
paulson@13494
    27
paulson@13494
    28
lemma depth_fm_type [TC]:
paulson@13494
    29
 "[| x \<in> nat; y \<in> nat |] ==> depth_fm(x,y) \<in> formula"
paulson@13494
    30
by (simp add: depth_fm_def)
paulson@13494
    31
paulson@13494
    32
lemma sats_depth_fm [simp]:
paulson@13494
    33
   "[| x \<in> nat; y < length(env); env \<in> list(A)|]
paulson@46823
    34
    ==> sats(A, depth_fm(x,y), env) \<longleftrightarrow>
paulson@13807
    35
        is_depth(##A, nth(x,env), nth(y,env))"
paulson@13494
    36
apply (frule_tac x=y in lt_length_in_nat, assumption)  
paulson@13494
    37
apply (simp add: depth_fm_def is_depth_def) 
paulson@13494
    38
done
paulson@13494
    39
paulson@13494
    40
lemma depth_iff_sats:
paulson@13494
    41
      "[| nth(i,env) = x; nth(j,env) = y; 
paulson@13494
    42
          i \<in> nat; j < length(env); env \<in> list(A)|]
paulson@46823
    43
       ==> is_depth(##A, x, y) \<longleftrightarrow> sats(A, depth_fm(i,j), env)"
paulson@13494
    44
by (simp add: sats_depth_fm)
paulson@13494
    45
paulson@13494
    46
theorem depth_reflection:
paulson@13494
    47
     "REFLECTS[\<lambda>x. is_depth(L, f(x), g(x)),  
paulson@13807
    48
               \<lambda>i x. is_depth(##Lset(i), f(x), g(x))]"
paulson@13655
    49
apply (simp only: is_depth_def)
paulson@13494
    50
apply (intro FOL_reflections function_reflections formula_N_reflection) 
paulson@13494
    51
done
paulson@13494
    52
paulson@13494
    53
paulson@13494
    54
subsubsection\<open>The Operator @{term is_formula_case}\<close>

text\<open>The arguments of @{term is_a} are always the de Bruijn indices 2, 1, 0,
      because the formula will be enclosed by three quantifiers.\<close>

(*  The relational case analysis being internalized below:

    is_formula_case :: 
    "[i=>o, [i,i,i]=>o, [i,i,i]=>o, [i,i,i]=>o, [i,i]=>o, i, i] => o"
  "is_formula_case(M, is_a, is_b, is_c, is_d, v, z) == 
      (\<forall>x[M]. \<forall>y[M]. x\<in>nat \<longrightarrow> y\<in>nat \<longrightarrow> is_Member(M,x,y,v) \<longrightarrow> is_a(x,y,z)) &
      (\<forall>x[M]. \<forall>y[M]. x\<in>nat \<longrightarrow> y\<in>nat \<longrightarrow> is_Equal(M,x,y,v) \<longrightarrow> is_b(x,y,z)) &
      (\<forall>x[M]. \<forall>y[M]. x\<in>formula \<longrightarrow> y\<in>formula \<longrightarrow> 
                     is_Nand(M,x,y,v) \<longrightarrow> is_c(x,y,z)) &
      (\<forall>x[M]. x\<in>formula \<longrightarrow> is_Forall(M,x,v) \<longrightarrow> is_d(x,z))"

    One conjunct per constructor of formula; v is the formula being analysed
    and z the result.  *)

wenzelm@21404
    69
definition
wenzelm@21404
    70
  formula_case_fm :: "[i, i, i, i, i, i]=>i" where
wenzelm@21404
    71
  "formula_case_fm(is_a, is_b, is_c, is_d, v, z) == 
paulson@13494
    72
        And(Forall(Forall(Implies(finite_ordinal_fm(1), 
paulson@13494
    73
                           Implies(finite_ordinal_fm(0), 
paulson@13494
    74
                            Implies(Member_fm(1,0,v#+2), 
paulson@13494
    75
                             Forall(Implies(Equal(0,z#+3), is_a))))))),
paulson@13494
    76
        And(Forall(Forall(Implies(finite_ordinal_fm(1), 
paulson@13494
    77
                           Implies(finite_ordinal_fm(0), 
paulson@13494
    78
                            Implies(Equal_fm(1,0,v#+2), 
paulson@13494
    79
                             Forall(Implies(Equal(0,z#+3), is_b))))))),
paulson@13494
    80
        And(Forall(Forall(Implies(mem_formula_fm(1), 
paulson@13494
    81
                           Implies(mem_formula_fm(0), 
paulson@13494
    82
                            Implies(Nand_fm(1,0,v#+2), 
paulson@13494
    83
                             Forall(Implies(Equal(0,z#+3), is_c))))))),
paulson@13494
    84
        Forall(Implies(mem_formula_fm(0), 
paulson@13494
    85
                       Implies(Forall_fm(0,succ(v)), 
paulson@13494
    86
                             Forall(Implies(Equal(0,z#+2), is_d))))))))"
paulson@13494
    87
paulson@13494
    88
paulson@13494
    89
lemma is_formula_case_type [TC]:
paulson@13494
    90
     "[| is_a \<in> formula;  is_b \<in> formula;  is_c \<in> formula;  is_d \<in> formula;  
paulson@13494
    91
         x \<in> nat; y \<in> nat |] 
paulson@13494
    92
      ==> formula_case_fm(is_a, is_b, is_c, is_d, x, y) \<in> formula"
paulson@13494
    93
by (simp add: formula_case_fm_def)
paulson@13494
    94
paulson@13494
    95
lemma sats_formula_case_fm:
paulson@13494
    96
  assumes is_a_iff_sats: 
paulson@13494
    97
      "!!a0 a1 a2. 
paulson@13494
    98
        [|a0\<in>A; a1\<in>A; a2\<in>A|]  
paulson@46823
    99
        ==> ISA(a2, a1, a0) \<longleftrightarrow> sats(A, is_a, Cons(a0,Cons(a1,Cons(a2,env))))"
paulson@13494
   100
  and is_b_iff_sats: 
paulson@13494
   101
      "!!a0 a1 a2. 
paulson@13494
   102
        [|a0\<in>A; a1\<in>A; a2\<in>A|]  
paulson@46823
   103
        ==> ISB(a2, a1, a0) \<longleftrightarrow> sats(A, is_b, Cons(a0,Cons(a1,Cons(a2,env))))"
paulson@13494
   104
  and is_c_iff_sats: 
paulson@13494
   105
      "!!a0 a1 a2. 
paulson@13494
   106
        [|a0\<in>A; a1\<in>A; a2\<in>A|]  
paulson@46823
   107
        ==> ISC(a2, a1, a0) \<longleftrightarrow> sats(A, is_c, Cons(a0,Cons(a1,Cons(a2,env))))"
paulson@13494
   108
  and is_d_iff_sats: 
paulson@13494
   109
      "!!a0 a1. 
paulson@13494
   110
        [|a0\<in>A; a1\<in>A|]  
paulson@46823
   111
        ==> ISD(a1, a0) \<longleftrightarrow> sats(A, is_d, Cons(a0,Cons(a1,env)))"
paulson@13494
   112
  shows 
paulson@13494
   113
      "[|x \<in> nat; y < length(env); env \<in> list(A)|]
paulson@46823
   114
       ==> sats(A, formula_case_fm(is_a,is_b,is_c,is_d,x,y), env) \<longleftrightarrow>
paulson@13807
   115
           is_formula_case(##A, ISA, ISB, ISC, ISD, nth(x,env), nth(y,env))"
paulson@13494
   116
apply (frule_tac x=y in lt_length_in_nat, assumption)  
paulson@13494
   117
apply (simp add: formula_case_fm_def is_formula_case_def 
paulson@13494
   118
                 is_a_iff_sats [THEN iff_sym] is_b_iff_sats [THEN iff_sym]
paulson@13494
   119
                 is_c_iff_sats [THEN iff_sym] is_d_iff_sats [THEN iff_sym])
paulson@13494
   120
done
paulson@13494
   121
paulson@13494
   122
lemma formula_case_iff_sats:
paulson@13494
   123
  assumes is_a_iff_sats: 
paulson@13494
   124
      "!!a0 a1 a2. 
paulson@13494
   125
        [|a0\<in>A; a1\<in>A; a2\<in>A|]  
paulson@46823
   126
        ==> ISA(a2, a1, a0) \<longleftrightarrow> sats(A, is_a, Cons(a0,Cons(a1,Cons(a2,env))))"
paulson@13494
   127
  and is_b_iff_sats: 
paulson@13494
   128
      "!!a0 a1 a2. 
paulson@13494
   129
        [|a0\<in>A; a1\<in>A; a2\<in>A|]  
paulson@46823
   130
        ==> ISB(a2, a1, a0) \<longleftrightarrow> sats(A, is_b, Cons(a0,Cons(a1,Cons(a2,env))))"
paulson@13494
   131
  and is_c_iff_sats: 
paulson@13494
   132
      "!!a0 a1 a2. 
paulson@13494
   133
        [|a0\<in>A; a1\<in>A; a2\<in>A|]  
paulson@46823
   134
        ==> ISC(a2, a1, a0) \<longleftrightarrow> sats(A, is_c, Cons(a0,Cons(a1,Cons(a2,env))))"
paulson@13494
   135
  and is_d_iff_sats: 
paulson@13494
   136
      "!!a0 a1. 
paulson@13494
   137
        [|a0\<in>A; a1\<in>A|]  
paulson@46823
   138
        ==> ISD(a1, a0) \<longleftrightarrow> sats(A, is_d, Cons(a0,Cons(a1,env)))"
paulson@13494
   139
  shows 
paulson@13494
   140
      "[|nth(i,env) = x; nth(j,env) = y; 
paulson@13494
   141
      i \<in> nat; j < length(env); env \<in> list(A)|]
paulson@46823
   142
       ==> is_formula_case(##A, ISA, ISB, ISC, ISD, x, y) \<longleftrightarrow>
paulson@13494
   143
           sats(A, formula_case_fm(is_a,is_b,is_c,is_d,i,j), env)"
paulson@13494
   144
by (simp add: sats_formula_case_fm [OF is_a_iff_sats is_b_iff_sats 
paulson@13494
   145
                                       is_c_iff_sats is_d_iff_sats])
paulson@13494
   146
paulson@13494
   147
text\<open>The second argument of @{term is_a} (and likewise of the other three
  branch predicates) gives it direct access to @{term x}, which is essential
  for handling free variable references.  The treatment is based on that of
  \<open>is_nat_case_reflection\<close>.\<close>
paulson@13494
   151
theorem is_formula_case_reflection:
paulson@13494
   152
  assumes is_a_reflection:
paulson@13494
   153
    "!!h f g g'. REFLECTS[\<lambda>x. is_a(L, h(x), f(x), g(x), g'(x)),
paulson@13807
   154
                     \<lambda>i x. is_a(##Lset(i), h(x), f(x), g(x), g'(x))]"
paulson@13494
   155
  and is_b_reflection:
paulson@13494
   156
    "!!h f g g'. REFLECTS[\<lambda>x. is_b(L, h(x), f(x), g(x), g'(x)),
paulson@13807
   157
                     \<lambda>i x. is_b(##Lset(i), h(x), f(x), g(x), g'(x))]"
paulson@13494
   158
  and is_c_reflection:
paulson@13494
   159
    "!!h f g g'. REFLECTS[\<lambda>x. is_c(L, h(x), f(x), g(x), g'(x)),
paulson@13807
   160
                     \<lambda>i x. is_c(##Lset(i), h(x), f(x), g(x), g'(x))]"
paulson@13494
   161
  and is_d_reflection:
paulson@13494
   162
    "!!h f g g'. REFLECTS[\<lambda>x. is_d(L, h(x), f(x), g(x)),
paulson@13807
   163
                     \<lambda>i x. is_d(##Lset(i), h(x), f(x), g(x))]"
paulson@13494
   164
  shows "REFLECTS[\<lambda>x. is_formula_case(L, is_a(L,x), is_b(L,x), is_c(L,x), is_d(L,x), g(x), h(x)),
paulson@13807
   165
               \<lambda>i x. is_formula_case(##Lset(i), is_a(##Lset(i), x), is_b(##Lset(i), x), is_c(##Lset(i), x), is_d(##Lset(i), x), g(x), h(x))]"
paulson@13655
   166
apply (simp (no_asm_use) only: is_formula_case_def)
paulson@13494
   167
apply (intro FOL_reflections function_reflections finite_ordinal_reflection
paulson@13494
   168
         mem_formula_reflection
paulson@13494
   169
         Member_reflection Equal_reflection Nand_reflection Forall_reflection
paulson@13494
   170
         is_a_reflection is_b_reflection is_c_reflection is_d_reflection)
paulson@13494
   171
done
paulson@13494
   172
paulson@13494
   173
paulson@13494
   174
subsection \<open>Absoluteness for the Function @{term satisfies}\<close>

wenzelm@21233
   177
definition
wenzelm@21404
   178
  is_depth_apply :: "[i=>o,i,i,i] => o" where
wenzelm@61798
   179
   \<comment>\<open>Merely a useful abbreviation for the sequel.\<close>
wenzelm@21404
   180
  "is_depth_apply(M,h,p,z) ==
paulson@13494
   181
    \<exists>dp[M]. \<exists>sdp[M]. \<exists>hsdp[M]. 
wenzelm@32960
   182
        finite_ordinal(M,dp) & is_depth(M,p,dp) & successor(M,dp,sdp) &
wenzelm@32960
   183
        fun_apply(M,h,sdp,hsdp) & fun_apply(M,hsdp,p,z)"
paulson@13494
   184
paulson@13494
   185
lemma (in M_datatypes) is_depth_apply_abs [simp]:
paulson@13494
   186
     "[|M(h); p \<in> formula; M(z)|] 
paulson@46823
   187
      ==> is_depth_apply(M,h,p,z) \<longleftrightarrow> z = h ` succ(depth(p)) ` p"
paulson@13494
   188
by (simp add: is_depth_apply_def formula_into_M depth_type eq_commute)
paulson@13494
   189
paulson@13494
   190
paulson@13494
   191
text\<open>There is at present some redundancy between the relativizations in
 e.g. \<open>satisfies_is_a\<close> and those in e.g. \<open>Member_replacement\<close>.\<close>

text\<open>These constants let us instantiate the parameters @{term a}, @{term b},
      @{term c}, @{term d}, etc., of the locale \<open>Formula_Rec\<close>.  Each
      \<open>satisfies_X\<close> is the set-theoretic function for one constructor of
      \<open>formula\<close>, and \<open>satisfies_is_X\<close> is its relational counterpart.\<close>
wenzelm@21233
   197
definition
wenzelm@21404
   198
  satisfies_a :: "[i,i,i]=>i" where
paulson@13494
   199
   "satisfies_a(A) == 
paulson@13494
   200
    \<lambda>x y. \<lambda>env \<in> list(A). bool_of_o (nth(x,env) \<in> nth(y,env))"
paulson@13494
   201
wenzelm@21404
   202
definition
wenzelm@21404
   203
  satisfies_is_a :: "[i=>o,i,i,i,i]=>o" where
paulson@13494
   204
   "satisfies_is_a(M,A) == 
paulson@46823
   205
    \<lambda>x y zz. \<forall>lA[M]. is_list(M,A,lA) \<longrightarrow>
paulson@13496
   206
             is_lambda(M, lA, 
wenzelm@32960
   207
                \<lambda>env z. is_bool_of_o(M, 
paulson@13496
   208
                      \<exists>nx[M]. \<exists>ny[M]. 
wenzelm@32960
   209
                       is_nth(M,x,env,nx) & is_nth(M,y,env,ny) & nx \<in> ny, z),
paulson@13496
   210
                zz)"
paulson@13494
   211
wenzelm@21404
   212
definition
wenzelm@21404
   213
  satisfies_b :: "[i,i,i]=>i" where
paulson@13494
   214
   "satisfies_b(A) ==
paulson@13494
   215
    \<lambda>x y. \<lambda>env \<in> list(A). bool_of_o (nth(x,env) = nth(y,env))"
paulson@13494
   216
wenzelm@21404
   217
definition
wenzelm@21404
   218
  satisfies_is_b :: "[i=>o,i,i,i,i]=>o" where
wenzelm@61798
   219
   \<comment>\<open>We simplify the formula to have just @{term nx} rather than 
wenzelm@60770
   220
       introducing @{term ny} with  @{term "nx=ny"}\<close>
wenzelm@21404
   221
  "satisfies_is_b(M,A) == 
paulson@46823
   222
    \<lambda>x y zz. \<forall>lA[M]. is_list(M,A,lA) \<longrightarrow>
paulson@13496
   223
             is_lambda(M, lA, 
paulson@13496
   224
                \<lambda>env z. is_bool_of_o(M, 
paulson@13496
   225
                      \<exists>nx[M]. is_nth(M,x,env,nx) & is_nth(M,y,env,nx), z),
paulson@13496
   226
                zz)"
wenzelm@21404
   227
wenzelm@21404
   228
definition 
wenzelm@21404
   229
  satisfies_c :: "[i,i,i,i,i]=>i" where
paulson@13502
   230
   "satisfies_c(A) == \<lambda>p q rp rq. \<lambda>env \<in> list(A). not(rp ` env and rq ` env)"
paulson@13494
   231
wenzelm@21404
   232
definition
wenzelm@21404
   233
  satisfies_is_c :: "[i=>o,i,i,i,i,i]=>o" where
paulson@13494
   234
   "satisfies_is_c(M,A,h) == 
paulson@46823
   235
    \<lambda>p q zz. \<forall>lA[M]. is_list(M,A,lA) \<longrightarrow>
paulson@13496
   236
             is_lambda(M, lA, \<lambda>env z. \<exists>hp[M]. \<exists>hq[M]. 
wenzelm@32960
   237
                 (\<exists>rp[M]. is_depth_apply(M,h,p,rp) & fun_apply(M,rp,env,hp)) & 
wenzelm@32960
   238
                 (\<exists>rq[M]. is_depth_apply(M,h,q,rq) & fun_apply(M,rq,env,hq)) & 
paulson@13496
   239
                 (\<exists>pq[M]. is_and(M,hp,hq,pq) & is_not(M,pq,z)),
paulson@13496
   240
                zz)"
paulson@13494
   241
wenzelm@21404
   242
definition
wenzelm@21404
   243
  satisfies_d :: "[i,i,i]=>i" where
paulson@13494
   244
   "satisfies_d(A) 
paulson@13494
   245
    == \<lambda>p rp. \<lambda>env \<in> list(A). bool_of_o (\<forall>x\<in>A. rp ` (Cons(x,env)) = 1)"
paulson@13494
   246
wenzelm@21404
   247
definition
wenzelm@21404
   248
  satisfies_is_d :: "[i=>o,i,i,i,i]=>o" where
paulson@13494
   249
   "satisfies_is_d(M,A,h) == 
paulson@46823
   250
    \<lambda>p zz. \<forall>lA[M]. is_list(M,A,lA) \<longrightarrow>
paulson@13496
   251
             is_lambda(M, lA, 
paulson@13496
   252
                \<lambda>env z. \<exists>rp[M]. is_depth_apply(M,h,p,rp) & 
paulson@13496
   253
                    is_bool_of_o(M, 
paulson@13496
   254
                           \<forall>x[M]. \<forall>xenv[M]. \<forall>hp[M]. 
paulson@46823
   255
                              x\<in>A \<longrightarrow> is_Cons(M,x,env,xenv) \<longrightarrow> 
paulson@46823
   256
                              fun_apply(M,rp,xenv,hp) \<longrightarrow> number1(M,hp),
paulson@13496
   257
                  z),
paulson@13496
   258
               zz)"
paulson@13494
   259
wenzelm@21404
   260
definition
wenzelm@21404
   261
  satisfies_MH :: "[i=>o,i,i,i,i]=>o" where
wenzelm@61798
   262
    \<comment>\<open>The variable @{term u} is unused, but gives @{term satisfies_MH} 
wenzelm@60770
   263
        the correct arity.\<close>
wenzelm@21404
   264
  "satisfies_MH == 
paulson@13502
   265
    \<lambda>M A u f z. 
paulson@46823
   266
         \<forall>fml[M]. is_formula(M,fml) \<longrightarrow>
paulson@13496
   267
             is_lambda (M, fml, 
paulson@13496
   268
               is_formula_case (M, satisfies_is_a(M,A), 
paulson@13496
   269
                                satisfies_is_b(M,A), 
paulson@13496
   270
                                satisfies_is_c(M,A,f), satisfies_is_d(M,A,f)),
paulson@13502
   271
               z)"
paulson@13494
   272
wenzelm@21404
   273
definition
wenzelm@21404
   274
  is_satisfies :: "[i=>o,i,i,i]=>o" where
wenzelm@21404
   275
  "is_satisfies(M,A) == is_formula_rec (M, satisfies_MH(M,A))"
paulson@13502
   276
paulson@13502
   277
text\<open>This lemma relates the fragments defined above to the original primitive
      recursion in @{term satisfies}.
      Induction is not required: after unfolding, the two sides are
      syntactically equal.\<close>
paulson@13502
   281
lemma satisfies_eq:
paulson@13502
   282
  "satisfies(A,p) = 
paulson@13502
   283
   formula_rec (satisfies_a(A), satisfies_b(A), 
paulson@13502
   284
                satisfies_c(A), satisfies_d(A), p)"
paulson@13502
   285
by (simp add: satisfies_formula_def satisfies_a_def satisfies_b_def 
paulson@13502
   286
              satisfies_c_def satisfies_d_def) 
paulson@13494
   287
text\<open>Further constraints on the class @{term M} in order to prove
      absoluteness for the constants defined above.  The ultimate goal
      is the absoluteness of the function @{term satisfies}.  These are
      instances of replacement; they are assumed here and must be
      discharged separately for a concrete class model before the results
      of this locale apply to it.\<close>
paulson@13502
   291
locale M_satisfies = M_eclose +
paulson@13494
   292
 assumes 
paulson@13494
   293
   Member_replacement:
paulson@13494
   294
    "[|M(A); x \<in> nat; y \<in> nat|]
paulson@13494
   295
     ==> strong_replacement
wenzelm@32960
   296
         (M, \<lambda>env z. \<exists>bo[M]. \<exists>nx[M]. \<exists>ny[M]. 
paulson@13494
   297
              env \<in> list(A) & is_nth(M,x,env,nx) & is_nth(M,y,env,ny) & 
paulson@13494
   298
              is_bool_of_o(M, nx \<in> ny, bo) &
paulson@13494
   299
              pair(M, env, bo, z))"
paulson@13494
   300
 and
paulson@13494
   301
   Equal_replacement:
paulson@13494
   302
    "[|M(A); x \<in> nat; y \<in> nat|]
paulson@13494
   303
     ==> strong_replacement
wenzelm@32960
   304
         (M, \<lambda>env z. \<exists>bo[M]. \<exists>nx[M]. \<exists>ny[M]. 
paulson@13494
   305
              env \<in> list(A) & is_nth(M,x,env,nx) & is_nth(M,y,env,ny) & 
paulson@13494
   306
              is_bool_of_o(M, nx = ny, bo) &
paulson@13494
   307
              pair(M, env, bo, z))"
paulson@13494
   308
 and
paulson@13494
   309
   Nand_replacement:
paulson@13494
   310
    "[|M(A); M(rp); M(rq)|]
paulson@13494
   311
     ==> strong_replacement
wenzelm@32960
   312
         (M, \<lambda>env z. \<exists>rpe[M]. \<exists>rqe[M]. \<exists>andpq[M]. \<exists>notpq[M]. 
paulson@13494
   313
               fun_apply(M,rp,env,rpe) & fun_apply(M,rq,env,rqe) & 
paulson@13494
   314
               is_and(M,rpe,rqe,andpq) & is_not(M,andpq,notpq) & 
paulson@13494
   315
               env \<in> list(A) & pair(M, env, notpq, z))"
paulson@13494
   316
 and
paulson@13494
   317
  Forall_replacement:
paulson@13494
   318
   "[|M(A); M(rp)|]
paulson@13494
   319
    ==> strong_replacement
wenzelm@32960
   320
        (M, \<lambda>env z. \<exists>bo[M]. 
wenzelm@32960
   321
              env \<in> list(A) & 
wenzelm@32960
   322
              is_bool_of_o (M, 
wenzelm@32960
   323
                            \<forall>a[M]. \<forall>co[M]. \<forall>rpco[M]. 
paulson@46823
   324
                               a\<in>A \<longrightarrow> is_Cons(M,a,env,co) \<longrightarrow>
paulson@46823
   325
                               fun_apply(M,rp,co,rpco) \<longrightarrow> number1(M, rpco), 
paulson@13494
   326
                            bo) &
wenzelm@32960
   327
              pair(M,env,bo,z))"
paulson@13494
   328
 and
paulson@13494
   329
  formula_rec_replacement: 
wenzelm@61798
   330
      \<comment>\<open>For the @{term transrec}\<close>
paulson@13494
   331
   "[|n \<in> nat; M(A)|] ==> transrec_replacement(M, satisfies_MH(M,A), n)"
paulson@13494
   332
 and
paulson@13494
   333
  formula_rec_lambda_replacement:  
wenzelm@61798
   334
      \<comment>\<open>For the \<open>\<lambda>-abstraction\<close> in the @{term transrec} body\<close>
paulson@13502
   335
   "[|M(g); M(A)|] ==>
paulson@13502
   336
    strong_replacement (M, 
paulson@13502
   337
       \<lambda>x y. mem_formula(M,x) &
paulson@13502
   338
             (\<exists>c[M]. is_formula_case(M, satisfies_is_a(M,A),
paulson@13502
   339
                                  satisfies_is_b(M,A),
paulson@13502
   340
                                  satisfies_is_c(M,A,g),
paulson@13502
   341
                                  satisfies_is_d(M,A,g), x, c) &
paulson@13502
   342
             pair(M, x, c, y)))"
paulson@13494
   343
paulson@13494
   344
paulson@13494
   345
lemma (in M_satisfies) Member_replacement':
paulson@13494
   346
    "[|M(A); x \<in> nat; y \<in> nat|]
paulson@13494
   347
     ==> strong_replacement
wenzelm@32960
   348
         (M, \<lambda>env z. env \<in> list(A) &
wenzelm@32960
   349
                     z = \<langle>env, bool_of_o(nth(x, env) \<in> nth(y, env))\<rangle>)"
paulson@13494
   350
by (insert Member_replacement, simp) 
paulson@13494
   351
paulson@13494
   352
lemma (in M_satisfies) Equal_replacement':
paulson@13494
   353
    "[|M(A); x \<in> nat; y \<in> nat|]
paulson@13494
   354
     ==> strong_replacement
wenzelm@32960
   355
         (M, \<lambda>env z. env \<in> list(A) &
wenzelm@32960
   356
                     z = \<langle>env, bool_of_o(nth(x, env) = nth(y, env))\<rangle>)"
paulson@13494
   357
by (insert Equal_replacement, simp) 
paulson@13494
   358
paulson@13494
   359
lemma (in M_satisfies) Nand_replacement':
paulson@13494
   360
    "[|M(A); M(rp); M(rq)|]
paulson@13494
   361
     ==> strong_replacement
wenzelm@32960
   362
         (M, \<lambda>env z. env \<in> list(A) & z = \<langle>env, not(rp`env and rq`env)\<rangle>)"
paulson@13494
   363
by (insert Nand_replacement, simp) 
paulson@13494
   364
paulson@13494
   365
lemma (in M_satisfies) Forall_replacement':
paulson@13494
   366
   "[|M(A); M(rp)|]
paulson@13494
   367
    ==> strong_replacement
wenzelm@32960
   368
        (M, \<lambda>env z.
wenzelm@32960
   369
               env \<in> list(A) &
wenzelm@32960
   370
               z = \<langle>env, bool_of_o (\<forall>a\<in>A. rp ` Cons(a,env) = 1)\<rangle>)"
paulson@13494
   371
by (insert Forall_replacement, simp) 
paulson@13494
   372
paulson@13494
   373
lemma (in M_satisfies) a_closed:
paulson@13494
   374
     "[|M(A); x\<in>nat; y\<in>nat|] ==> M(satisfies_a(A,x,y))"
paulson@13494
   375
apply (simp add: satisfies_a_def) 
paulson@13494
   376
apply (blast intro: lam_closed2 Member_replacement') 
paulson@13494
   377
done
paulson@13494
   378
paulson@13494
   379
lemma (in M_satisfies) a_rel:
paulson@13634
   380
     "M(A) ==> Relation2(M, nat, nat, satisfies_is_a(M,A), satisfies_a(A))"
paulson@13634
   381
apply (simp add: Relation2_def satisfies_is_a_def satisfies_a_def)
paulson@13702
   382
apply (auto del: iffI intro!: lambda_abs2 simp add: Relation1_def) 
paulson@13494
   383
done
paulson@13494
   384
paulson@13494
   385
lemma (in M_satisfies) b_closed:
paulson@13494
   386
     "[|M(A); x\<in>nat; y\<in>nat|] ==> M(satisfies_b(A,x,y))"
paulson@13494
   387
apply (simp add: satisfies_b_def) 
paulson@13494
   388
apply (blast intro: lam_closed2 Equal_replacement') 
paulson@13494
   389
done
paulson@13494
   390
paulson@13494
   391
lemma (in M_satisfies) b_rel:
paulson@13634
   392
     "M(A) ==> Relation2(M, nat, nat, satisfies_is_b(M,A), satisfies_b(A))"
paulson@13634
   393
apply (simp add: Relation2_def satisfies_is_b_def satisfies_b_def)
paulson@13702
   394
apply (auto del: iffI intro!: lambda_abs2 simp add: Relation1_def) 
paulson@13494
   395
done
paulson@13494
   396
paulson@13494
   397
lemma (in M_satisfies) c_closed:
paulson@13494
   398
     "[|M(A); x \<in> formula; y \<in> formula; M(rx); M(ry)|] 
paulson@13494
   399
      ==> M(satisfies_c(A,x,y,rx,ry))"
paulson@13494
   400
apply (simp add: satisfies_c_def) 
paulson@13494
   401
apply (rule lam_closed2) 
paulson@13494
   402
apply (rule Nand_replacement') 
paulson@13494
   403
apply (simp_all add: formula_into_M list_into_M [of _ A])
paulson@13494
   404
done
paulson@13494
   405
paulson@13494
   406
lemma (in M_satisfies) c_rel:
paulson@13494
   407
 "[|M(A); M(f)|] ==> 
paulson@13634
   408
  Relation2 (M, formula, formula, 
paulson@13494
   409
               satisfies_is_c(M,A,f),
wenzelm@32960
   410
               \<lambda>u v. satisfies_c(A, u, v, f ` succ(depth(u)) ` u, 
wenzelm@32960
   411
                                          f ` succ(depth(v)) ` v))"
paulson@13634
   412
apply (simp add: Relation2_def satisfies_is_c_def satisfies_c_def)
paulson@13702
   413
apply (auto del: iffI intro!: lambda_abs2 
paulson@13702
   414
            simp add: Relation1_def formula_into_M) 
paulson@13494
   415
done
paulson@13494
   416
paulson@13494
   417
lemma (in M_satisfies) d_closed:
paulson@13494
   418
     "[|M(A); x \<in> formula; M(rx)|] ==> M(satisfies_d(A,x,rx))"
paulson@13494
   419
apply (simp add: satisfies_d_def) 
paulson@13494
   420
apply (rule lam_closed2) 
paulson@13494
   421
apply (rule Forall_replacement') 
paulson@13494
   422
apply (simp_all add: formula_into_M list_into_M [of _ A])
paulson@13494
   423
done
paulson@13494
   424
paulson@13494
   425
lemma (in M_satisfies) d_rel:
paulson@13494
   426
 "[|M(A); M(f)|] ==> 
paulson@13634
   427
  Relation1(M, formula, satisfies_is_d(M,A,f), 
paulson@13494
   428
     \<lambda>u. satisfies_d(A, u, f ` succ(depth(u)) ` u))"
paulson@13494
   429
apply (simp del: rall_abs 
paulson@13634
   430
            add: Relation1_def satisfies_is_d_def satisfies_d_def)
paulson@13702
   431
apply (auto del: iffI intro!: lambda_abs2 simp add: Relation1_def) 
paulson@13494
   432
done
paulson@13494
   433
paulson@13494
   434
paulson@13494
   435
lemma (in M_satisfies) fr_replace:
paulson@13494
   436
      "[|n \<in> nat; M(A)|] ==> transrec_replacement(M,satisfies_MH(M,A),n)" 
paulson@13494
   437
by (blast intro: formula_rec_replacement) 
paulson@13494
   438
paulson@13502
   439
lemma (in M_satisfies) formula_case_satisfies_closed:
paulson@13502
   440
 "[|M(g); M(A); x \<in> formula|] ==>
paulson@13502
   441
  M(formula_case (satisfies_a(A), satisfies_b(A),
paulson@13502
   442
       \<lambda>u v. satisfies_c(A, u, v, 
paulson@13502
   443
                         g ` succ(depth(u)) ` u, g ` succ(depth(v)) ` v),
paulson@13502
   444
       \<lambda>u. satisfies_d (A, u, g ` succ(depth(u)) ` u),
paulson@13502
   445
       x))"
paulson@13502
   446
by (blast intro: formula_case_closed a_closed b_closed c_closed d_closed) 
paulson@13502
   447
paulson@13494
   448
lemma (in M_satisfies) fr_lam_replace:
paulson@13502
   449
   "[|M(g); M(A)|] ==>
paulson@13494
   450
    strong_replacement (M, \<lambda>x y. x \<in> formula &
paulson@13494
   451
            y = \<langle>x, 
paulson@13494
   452
                 formula_rec_case(satisfies_a(A),
paulson@13494
   453
                                  satisfies_b(A),
paulson@13494
   454
                                  satisfies_c(A),
paulson@13494
   455
                                  satisfies_d(A), g, x)\<rangle>)"
paulson@13502
   456
apply (insert formula_rec_lambda_replacement) 
paulson@13502
   457
apply (simp add: formula_rec_case_def formula_case_satisfies_closed
paulson@13502
   458
                 formula_case_abs [OF a_rel b_rel c_rel d_rel]) 
paulson@13502
   459
done
paulson@13494
   460
paulson@13494
   461
paulson@13494
   462
text\<open>Instantiate the locale \<open>Formula_Rec\<close> for the 
      function @{term satisfies}.\<close>

paulson@13504
   466
lemma (in M_satisfies) Formula_Rec_axioms_M:
paulson@13502
   467
   "M(A) ==>
paulson@13504
   468
    Formula_Rec_axioms(M, satisfies_a(A), satisfies_is_a(M,A), 
wenzelm@32960
   469
                          satisfies_b(A), satisfies_is_b(M,A), 
wenzelm@32960
   470
                          satisfies_c(A), satisfies_is_c(M,A), 
wenzelm@32960
   471
                          satisfies_d(A), satisfies_is_d(M,A))"
paulson@13504
   472
apply (rule Formula_Rec_axioms.intro)
paulson@13502
   473
apply (assumption | 
paulson@13502
   474
       rule a_closed a_rel b_closed b_rel c_closed c_rel d_closed d_rel
paulson@13502
   475
       fr_replace [unfolded satisfies_MH_def]
paulson@13502
   476
       fr_lam_replace) +
paulson@13494
   477
done
paulson@13494
   478
paulson@13494
   479
paulson@13504
   480
theorem (in M_satisfies) Formula_Rec_M: 
paulson@13502
   481
    "M(A) ==>
paulson@13504
   482
     PROP Formula_Rec(M, satisfies_a(A), satisfies_is_a(M,A), 
wenzelm@32960
   483
                         satisfies_b(A), satisfies_is_b(M,A), 
wenzelm@32960
   484
                         satisfies_c(A), satisfies_is_c(M,A), 
wenzelm@32960
   485
                         satisfies_d(A), satisfies_is_d(M,A))"
ballarin@19931
   486
  apply (rule Formula_Rec.intro)
wenzelm@23464
   487
   apply (rule M_satisfies.axioms, rule M_satisfies_axioms)
ballarin@19931
   488
  apply (erule Formula_Rec_axioms_M) 
ballarin@19931
   489
  done
paulson@13494
   490
paulson@13502
   491
lemmas (in M_satisfies) 
wenzelm@13535
   492
    satisfies_closed' = Formula_Rec.formula_rec_closed [OF Formula_Rec_M]
wenzelm@13535
   493
and satisfies_abs'    = Formula_Rec.formula_rec_abs [OF Formula_Rec_M]
paulson@13494
   494
paulson@13494
   495
paulson@13502
   496
lemma (in M_satisfies) satisfies_closed:
paulson@13502
   497
  "[|M(A); p \<in> formula|] ==> M(satisfies(A,p))"
paulson@13504
   498
by (simp add: Formula_Rec.formula_rec_closed [OF Formula_Rec_M]  
paulson@13502
   499
              satisfies_eq) 
paulson@13494
   500
paulson@13502
   501
(* Absoluteness: for A, z in M and p a formula, the relational predicate
   is_satisfies(M,A,p,z) holds exactly when z is the genuine satisfies(A,p).
   Only a controlled `simp only` with the listed unfoldings is used, so the
   result follows purely from formula_rec_abs plus the definitions of
   is_satisfies and satisfies_MH. *)
lemma (in M_satisfies) satisfies_abs:
  "[|M(A); M(z); p \<in> formula|] 
   ==> is_satisfies(M,A,p,z) \<longleftrightarrow> z = satisfies(A,p)"
by (simp only: Formula_Rec.formula_rec_abs [OF Formula_Rec_M]  
               satisfies_eq is_satisfies_def satisfies_MH_def)



subsection\<open>Internalizations Needed to Instantiate \<open>M_satisfies\<close>\<close>

(* Every operator in this section follows the same recipe: an informal
   relational definition (as a comment), a *_fm function that builds the
   internal first-order formula using de Bruijn indices, a [TC] typing
   lemma, a `sats` lemma relating satisfaction in A to the relativized
   operator (##A), an `iff_sats` restatement oriented for sep_rules, and a
   reflection theorem from L down to some Lset(i). *)

subsubsection\<open>The Operator @{term is_depth_apply}, Internalized\<close>

(* is_depth_apply(M,h,p,z) ==
    \<exists>dp[M]. \<exists>sdp[M]. \<exists>hsdp[M]. 
      2        1         0
        finite_ordinal(M,dp) & is_depth(M,p,dp) & successor(M,dp,sdp) &
        fun_apply(M,h,sdp,hsdp) & fun_apply(M,hsdp,p,z) *)
(* Three Exists binders introduce dp, sdp, hsdp at indices 2, 1, 0
   (as annotated in the comment above), so the free arguments h, p, z
   must be shifted by 3 (`#+3`) wherever they occur under those binders. *)
definition
  depth_apply_fm :: "[i,i,i]=>i" where
    "depth_apply_fm(h,p,z) ==
       Exists(Exists(Exists(
        And(finite_ordinal_fm(2),
         And(depth_fm(p#+3,2),
          And(succ_fm(2,1),
           And(fun_apply_fm(h#+3,1,0), fun_apply_fm(0,p#+3,z#+3))))))))"


(* Well-formedness: depth_apply_fm yields an element of `formula` whenever
   its three variable indices are natural numbers.  Registered as a
   type-checking rule ([TC]) so later proofs discharge this automatically. *)
lemma depth_apply_type [TC]:
     "[| x \<in> nat; y \<in> nat; z \<in> nat |] ==> depth_apply_fm(x,y,z) \<in> formula"
by (simp add: depth_apply_fm_def)

(* Satisfaction of depth_apply_fm in a structure A under environment env
   is exactly is_depth_apply relativized to A (##A) at the values looked
   up by nth.  Note that only x, y, z \<in> nat is required here; no bound
   against length(env) is needed, in contrast to the satisfies_is_a/b
   lemmas further down. *)
lemma sats_depth_apply_fm [simp]:
   "[| x \<in> nat; y \<in> nat; z \<in> nat; env \<in> list(A)|]
    ==> sats(A, depth_apply_fm(x,y,z), env) \<longleftrightarrow>
        is_depth_apply(##A, nth(x,env), nth(y,env), nth(z,env))"
by (simp add: depth_apply_fm_def is_depth_apply_def)

(* The same equivalence stated with explicit nth(i,env) = x premises and
   the relational side on the left.  This orientation is the one consumed
   by `rule sep_rules ...` in the separation/replacement proofs below. *)
lemma depth_apply_iff_sats:
    "[| nth(i,env) = x; nth(j,env) = y; nth(k,env) = z;
        i \<in> nat; j \<in> nat; k \<in> nat; env \<in> list(A)|]
     ==> is_depth_apply(##A, x, y, z) \<longleftrightarrow> sats(A, depth_apply_fm(i,j,k), env)"
by simp

(* Reflection: is_depth_apply over L is reflected by the same predicate
   over Lset(i), for arbitrary parameter functions f, g, h.  The proof
   unfolds the definition and then lets the generic reflection collections
   (first-order connectives, function operations, depth, finite ordinals)
   assemble the result. *)
lemma depth_apply_reflection:
     "REFLECTS[\<lambda>x. is_depth_apply(L,f(x),g(x),h(x)),
               \<lambda>i x. is_depth_apply(##Lset(i),f(x),g(x),h(x))]"
apply (simp only: is_depth_apply_def)
apply (intro FOL_reflections function_reflections depth_reflection 
             finite_ordinal_reflection)
done



subsubsection\<open>The Operator @{term satisfies_is_a}, Internalized\<close>

(* satisfies_is_a(M,A) == 
    \<lambda>x y zz. \<forall>lA[M]. is_list(M,A,lA) \<longrightarrow>
             is_lambda(M, lA, 
                \<lambda>env z. is_bool_of_o(M, 
                      \<exists>nx[M]. \<exists>ny[M]. 
                       is_nth(M,x,env,nx) & is_nth(M,y,env,ny) & nx \<in> ny, z),
                zz)  *)

(* The Member(x,y) case of the truth definition: zz is the function over
   list(A) sending env to the boolean "nth(x,env) \<in> nth(y,env)".
   Index bookkeeping: the outer Forall binds lA at 0, so the free A is
   written succ(A); under the two Exists the free x and y appear as x#+6
   and y#+6.  Comparing with satisfies_is_b_fm (one Exists, x#+5) the
   offsets are consistent with lambda_fm contributing three binders and
   bool_of_o_fm none — inferred from the offsets used here, not verified
   against those definitions. *)

definition
  satisfies_is_a_fm :: "[i,i,i,i]=>i" where
  "satisfies_is_a_fm(A,x,y,z) ==
   Forall(
     Implies(is_list_fm(succ(A),0),
       lambda_fm(
         bool_of_o_fm(Exists(
                       Exists(And(nth_fm(x#+6,3,1), 
                               And(nth_fm(y#+6,3,0), 
                                   Member(1,0))))), 0), 
         0, succ(z))))"

(* Well-formedness of satisfies_is_a_fm for natural-number indices;
   registered as a type-checking rule. *)
lemma satisfies_is_a_type [TC]:
     "[| A \<in> nat; x \<in> nat; y \<in> nat; z \<in> nat |]
      ==> satisfies_is_a_fm(A,x,y,z) \<in> formula"
by (simp add: satisfies_is_a_fm_def)

(* Satisfaction lemma for the Member case.  Unlike the depth_apply lemma,
   the two variable indices x and y must be strictly below length(env);
   plain membership in nat is not enough.  The bound is presumably what
   the underlying nth_fm satisfaction lemma requires (its statement is not
   visible here), so callers must supply it. *)
lemma sats_satisfies_is_a_fm [simp]:
   "[| u \<in> nat; x < length(env); y < length(env); z \<in> nat; env \<in> list(A)|]
    ==> sats(A, satisfies_is_a_fm(u,x,y,z), env) \<longleftrightarrow>
        satisfies_is_a(##A, nth(u,env), nth(x,env), nth(y,env), nth(z,env))"
(* derive x \<in> nat and y \<in> nat from the length bounds so that the typing
   side conditions of the simp rules can be discharged *)
apply (frule_tac x=x in lt_length_in_nat, assumption)  
apply (frule_tac x=y in lt_length_in_nat, assumption)  
apply (simp add: satisfies_is_a_fm_def satisfies_is_a_def sats_lambda_fm 
                 sats_bool_of_o_fm)
done

(* sep_rules-oriented form of the previous lemma; it inherits the
   x < length(env) and y < length(env) side conditions. *)
lemma satisfies_is_a_iff_sats:
  "[| nth(u,env) = nu; nth(x,env) = nx; nth(y,env) = ny; nth(z,env) = nz;
      u \<in> nat; x < length(env); y < length(env); z \<in> nat; env \<in> list(A)|]
   ==> satisfies_is_a(##A,nu,nx,ny,nz) \<longleftrightarrow>
       sats(A, satisfies_is_a_fm(u,x,y,z), env)"
by simp

(* Reflection for the Member case: unfold the definition and combine the
   reflection results for is_lambda, is_bool_of_o, is_nth and is_list. *)
theorem satisfies_is_a_reflection:
     "REFLECTS[\<lambda>x. satisfies_is_a(L,f(x),g(x),h(x),g'(x)),
               \<lambda>i x. satisfies_is_a(##Lset(i),f(x),g(x),h(x),g'(x))]"
apply (unfold satisfies_is_a_def) 
apply (intro FOL_reflections is_lambda_reflection bool_of_o_reflection 
             nth_reflection is_list_reflection)
done



subsubsection\<open>The Operator @{term satisfies_is_b}, Internalized\<close>

(* satisfies_is_b(M,A) == 
    \<lambda>x y zz. \<forall>lA[M]. is_list(M,A,lA) \<longrightarrow>
             is_lambda(M, lA, 
                \<lambda>env z. is_bool_of_o(M, 
                      \<exists>nx[M]. is_nth(M,x,env,nx) & is_nth(M,y,env,nx), z),
                zz) *)

(* The Equal(x,y) case.  Equality of nth(x,env) and nth(y,env) is expressed
   with a single witness nx that is the nth element for both x and y, so
   only one Exists is needed and the free x, y are shifted by 5 rather
   than 6. *)

definition
  satisfies_is_b_fm :: "[i,i,i,i]=>i" where
 "satisfies_is_b_fm(A,x,y,z) ==
   Forall(
     Implies(is_list_fm(succ(A),0),
       lambda_fm(
         bool_of_o_fm(Exists(And(nth_fm(x#+5,2,0), nth_fm(y#+5,2,0))), 0), 
         0, succ(z))))"

(* Well-formedness of satisfies_is_b_fm; type-checking rule. *)
lemma satisfies_is_b_type [TC]:
     "[| A \<in> nat; x \<in> nat; y \<in> nat; z \<in> nat |]
      ==> satisfies_is_b_fm(A,x,y,z) \<in> formula"
by (simp add: satisfies_is_b_fm_def)

(* Satisfaction lemma for the Equal case; same length(env) bounds on x and
   y as in the Member case, handled the same way. *)
lemma sats_satisfies_is_b_fm [simp]:
   "[| u \<in> nat; x < length(env); y < length(env); z \<in> nat; env \<in> list(A)|]
    ==> sats(A, satisfies_is_b_fm(u,x,y,z), env) \<longleftrightarrow>
        satisfies_is_b(##A, nth(u,env), nth(x,env), nth(y,env), nth(z,env))"
(* turn the length bounds into x \<in> nat, y \<in> nat for the simplifier *)
apply (frule_tac x=x in lt_length_in_nat, assumption)  
apply (frule_tac x=y in lt_length_in_nat, assumption)  
apply (simp add: satisfies_is_b_fm_def satisfies_is_b_def sats_lambda_fm 
                 sats_bool_of_o_fm)
done

(* sep_rules-oriented form for the Equal case. *)
lemma satisfies_is_b_iff_sats:
  "[| nth(u,env) = nu; nth(x,env) = nx; nth(y,env) = ny; nth(z,env) = nz;
      u \<in> nat; x < length(env); y < length(env); z \<in> nat; env \<in> list(A)|]
   ==> satisfies_is_b(##A,nu,nx,ny,nz) \<longleftrightarrow>
       sats(A, satisfies_is_b_fm(u,x,y,z), env)"
by simp

(* Reflection for the Equal case; same ingredients as the Member case. *)
theorem satisfies_is_b_reflection:
     "REFLECTS[\<lambda>x. satisfies_is_b(L,f(x),g(x),h(x),g'(x)),
               \<lambda>i x. satisfies_is_b(##Lset(i),f(x),g(x),h(x),g'(x))]"
apply (unfold satisfies_is_b_def) 
apply (intro FOL_reflections is_lambda_reflection bool_of_o_reflection 
             nth_reflection is_list_reflection)
done



subsubsection\<open>The Operator @{term satisfies_is_c}, Internalized\<close>

(* satisfies_is_c(M,A,h) == 
    \<lambda>p q zz. \<forall>lA[M]. is_list(M,A,lA) \<longrightarrow>
             is_lambda(M, lA, \<lambda>env z. \<exists>hp[M]. \<exists>hq[M]. 
                 (\<exists>rp[M]. is_depth_apply(M,h,p,rp) & fun_apply(M,rp,env,hp)) & 
                 (\<exists>rq[M]. is_depth_apply(M,h,q,rq) & fun_apply(M,rq,env,hq)) & 
                 (\<exists>pq[M]. is_and(M,hp,hq,pq) & is_not(M,pq,z)),
                 zz) *)

(* The Nand(p,q) case.  h is the recursive argument: the results already
   computed for formulas of smaller depth.  For each subformula the value
   is obtained with is_depth_apply (look up the layer for its depth, then
   apply to the subformula) and then applied to env; the two booleans are
   combined with and_fm and negated with not_fm.  Under the innermost
   Exists the free h, p, q are shifted by 7; env is referenced as 4 and
   the hp/hq witnesses as 2 and 1. *)

definition
  satisfies_is_c_fm :: "[i,i,i,i,i]=>i" where
 "satisfies_is_c_fm(A,h,p,q,zz) ==
   Forall(
     Implies(is_list_fm(succ(A),0),
       lambda_fm(
         Exists(Exists(
          And(Exists(And(depth_apply_fm(h#+7,p#+7,0), fun_apply_fm(0,4,2))),
          And(Exists(And(depth_apply_fm(h#+7,q#+7,0), fun_apply_fm(0,4,1))),
              Exists(And(and_fm(2,1,0), not_fm(0,3))))))),
         0, succ(zz))))"

(* Well-formedness of satisfies_is_c_fm (five indices: A, h, p, q, zz);
   type-checking rule. *)
lemma satisfies_is_c_type [TC]:
     "[| A \<in> nat; h \<in> nat; x \<in> nat; y \<in> nat; z \<in> nat |]
      ==> satisfies_is_c_fm(A,h,x,y,z) \<in> formula"
by (simp add: satisfies_is_c_fm_def)

(* Satisfaction lemma for the Nand case.  No length(env) bounds are needed
   here: the formula variables p and q are passed to depth_apply_fm, not
   to nth_fm. *)
lemma sats_satisfies_is_c_fm [simp]:
   "[| u \<in> nat; v \<in> nat; x \<in> nat; y \<in> nat; z \<in> nat; env \<in> list(A)|]
    ==> sats(A, satisfies_is_c_fm(u,v,x,y,z), env) \<longleftrightarrow>
        satisfies_is_c(##A, nth(u,env), nth(v,env), nth(x,env), 
                            nth(y,env), nth(z,env))"  
by (simp add: satisfies_is_c_fm_def satisfies_is_c_def sats_lambda_fm)

(* sep_rules-oriented form for the Nand case. *)
lemma satisfies_is_c_iff_sats:
  "[| nth(u,env) = nu; nth(v,env) = nv; nth(x,env) = nx; nth(y,env) = ny; 
      nth(z,env) = nz;
      u \<in> nat; v \<in> nat; x \<in> nat; y \<in> nat; z \<in> nat; env \<in> list(A)|]
   ==> satisfies_is_c(##A,nu,nv,nx,ny,nz) \<longleftrightarrow>
       sats(A, satisfies_is_c_fm(u,v,x,y,z), env)"
by simp

(* Reflection for the Nand case.  Besides the usual collections it needs
   depth_apply_reflection (proved above) and extra_reflections, which
   presumably covers is_and / is_not. *)
theorem satisfies_is_c_reflection:
     "REFLECTS[\<lambda>x. satisfies_is_c(L,f(x),g(x),h(x),g'(x),h'(x)),
               \<lambda>i x. satisfies_is_c(##Lset(i),f(x),g(x),h(x),g'(x),h'(x))]"
apply (unfold satisfies_is_c_def) 
apply (intro FOL_reflections function_reflections is_lambda_reflection
             extra_reflections nth_reflection depth_apply_reflection 
             is_list_reflection)
done

subsubsection\<open>The Operator @{term satisfies_is_d}, Internalized\<close>

(* satisfies_is_d(M,A,h) == 
    \<lambda>p zz. \<forall>lA[M]. is_list(M,A,lA) \<longrightarrow>
             is_lambda(M, lA, 
                \<lambda>env z. \<exists>rp[M]. is_depth_apply(M,h,p,rp) & 
                    is_bool_of_o(M, 
                           \<forall>x[M]. \<forall>xenv[M]. \<forall>hp[M]. 
                              x\<in>A \<longrightarrow> is_Cons(M,x,env,xenv) \<longrightarrow> 
                              fun_apply(M,rp,xenv,hp) \<longrightarrow> number1(M,hp),
                  z),
               zz) *)

(* The Forall(p) case.  rp is the value computed for the body p (via
   is_depth_apply on the recursive argument h); the result is true iff for
   every x \<in> A, evaluating rp on the extended environment Cons(x,env)
   yields 1.  Inside the three inner Foralls the binders are x=2, xenv=1,
   hp=0, rp is 3 and env is 5; the free A is shifted to A#+8 and h, p to
   h#+5, p#+5 under the single Exists. *)

definition
  satisfies_is_d_fm :: "[i,i,i,i]=>i" where
 "satisfies_is_d_fm(A,h,p,zz) ==
   Forall(
     Implies(is_list_fm(succ(A),0),
       lambda_fm(
         Exists(
           And(depth_apply_fm(h#+5,p#+5,0),
               bool_of_o_fm(
                Forall(Forall(Forall(
                 Implies(Member(2,A#+8),
                  Implies(Cons_fm(2,5,1),
                   Implies(fun_apply_fm(3,1,0), number1_fm(0))))))), 1))),
         0, succ(zz))))"

(* Well-formedness of satisfies_is_d_fm; type-checking rule. *)
lemma satisfies_is_d_type [TC]:
     "[| A \<in> nat; h \<in> nat; x \<in> nat; z \<in> nat |]
      ==> satisfies_is_d_fm(A,h,x,z) \<in> formula"
by (simp add: satisfies_is_d_fm_def)

(* Satisfaction lemma for the Forall case; as for Nand, only membership in
   nat is required of the indices. *)
lemma sats_satisfies_is_d_fm [simp]:
   "[| u \<in> nat; x \<in> nat; y \<in> nat; z \<in> nat; env \<in> list(A)|]
    ==> sats(A, satisfies_is_d_fm(u,x,y,z), env) \<longleftrightarrow>
        satisfies_is_d(##A, nth(u,env), nth(x,env), nth(y,env), nth(z,env))"  
by (simp add: satisfies_is_d_fm_def satisfies_is_d_def sats_lambda_fm
              sats_bool_of_o_fm)

(* sep_rules-oriented form for the Forall case. *)
lemma satisfies_is_d_iff_sats:
  "[| nth(u,env) = nu; nth(x,env) = nx; nth(y,env) = ny; nth(z,env) = nz;
      u \<in> nat; x \<in> nat; y \<in> nat; z \<in> nat; env \<in> list(A)|]
   ==> satisfies_is_d(##A,nu,nx,ny,nz) \<longleftrightarrow>
       sats(A, satisfies_is_d_fm(u,x,y,z), env)"
by simp

(* Reflection for the Forall case; same rule set as the Nand case. *)
theorem satisfies_is_d_reflection:
     "REFLECTS[\<lambda>x. satisfies_is_d(L,f(x),g(x),h(x),g'(x)),
               \<lambda>i x. satisfies_is_d(##Lset(i),f(x),g(x),h(x),g'(x))]"
apply (unfold satisfies_is_d_def) 
apply (intro FOL_reflections function_reflections is_lambda_reflection
             extra_reflections nth_reflection depth_apply_reflection 
             is_list_reflection)
done



subsubsection\<open>The Operator @{term satisfies_MH}, Internalized\<close>

(* satisfies_MH == 
    \<lambda>M A u f zz. 
         \<forall>fml[M]. is_formula(M,fml) \<longrightarrow>
             is_lambda (M, fml, 
               is_formula_case (M, satisfies_is_a(M,A), 
                                satisfies_is_b(M,A), 
                                satisfies_is_c(M,A,f), satisfies_is_d(M,A,f)),
               zz) *)

(* The step functional of the recursion: zz is the function on `formula`
   that dispatches on the constructor (Member / Equal / Nand / Forall) to
   the four operators above, with f as the recursive argument for the two
   recursive cases.  The Forall case gets offsets A#+6 / f#+6 while the
   other three get #+7 — consistent with formula_case_fm binding one
   variable per constructor argument (Forall has one, the others two),
   though that is inferred from the offsets rather than checked against
   formula_case_fm's definition. *)

definition
  satisfies_MH_fm :: "[i,i,i,i]=>i" where
 "satisfies_MH_fm(A,u,f,zz) ==
   Forall(
     Implies(is_formula_fm(0),
       lambda_fm(
         formula_case_fm(satisfies_is_a_fm(A#+7,2,1,0), 
                         satisfies_is_b_fm(A#+7,2,1,0), 
                         satisfies_is_c_fm(A#+7,f#+7,2,1,0), 
                         satisfies_is_d_fm(A#+6,f#+6,1,0), 
                         1, 0),
         0, succ(zz))))"

(* Well-formedness of satisfies_MH_fm; type-checking rule. *)
lemma satisfies_MH_type [TC]:
     "[| A \<in> nat; u \<in> nat; x \<in> nat; z \<in> nat |]
      ==> satisfies_MH_fm(A,u,x,z) \<in> formula"
by (simp add: satisfies_MH_fm_def)

(* Satisfaction lemma for the step functional.  The four case lemmas are
   [simp] rules, so only the lambda and formula_case satisfaction lemmas
   need to be supplied explicitly. *)
lemma sats_satisfies_MH_fm [simp]:
   "[| u \<in> nat; x \<in> nat; y \<in> nat; z \<in> nat; env \<in> list(A)|]
    ==> sats(A, satisfies_MH_fm(u,x,y,z), env) \<longleftrightarrow>
        satisfies_MH(##A, nth(u,env), nth(x,env), nth(y,env), nth(z,env))"  
by (simp add: satisfies_MH_fm_def satisfies_MH_def sats_lambda_fm
              sats_formula_case_fm)

(* sep_rules-oriented form of the step functional's satisfaction lemma;
   used by formula_rec_replacement below. *)
lemma satisfies_MH_iff_sats:
  "[| nth(u,env) = nu; nth(x,env) = nx; nth(y,env) = ny; nth(z,env) = nz;
      u \<in> nat; x \<in> nat; y \<in> nat; z \<in> nat; env \<in> list(A)|]
   ==> satisfies_MH(##A,nu,nx,ny,nz) \<longleftrightarrow>
       sats(A, satisfies_MH_fm(u,x,y,z), env)"
by simp 

(* Bundle of all reflection theorems that the step functional depends on,
   so that satisfies_MH_reflection can be proved by a single intro. *)
lemmas satisfies_reflections =
       is_lambda_reflection is_formula_reflection 
       is_formula_case_reflection
       satisfies_is_a_reflection satisfies_is_b_reflection 
       satisfies_is_c_reflection satisfies_is_d_reflection

(* Reflection for the step functional, assembled from the bundle above. *)
theorem satisfies_MH_reflection:
     "REFLECTS[\<lambda>x. satisfies_MH(L,f(x),g(x),h(x),g'(x)),
               \<lambda>i x. satisfies_MH(##Lset(i),f(x),g(x),h(x),g'(x))]"
apply (unfold satisfies_MH_def) 
apply (intro FOL_reflections satisfies_reflections)
done



subsection\<open>Lemmas for Instantiating the Locale \<open>M_satisfies\<close>\<close>

(* Each locale axiom is a replacement instance over L.  The proofs below
   all follow one pattern: a REFLECTS lemma for the replacement's defining
   formula, then strong_replacementI, gen_separation_multi with the finite
   set of parameters the formula mentions, DPow_LsetI with an explicit
   environment listing those parameters, and finally sep_rules together
   with the relevant *_iff_sats lemmas. *)

subsubsection\<open>The @{term "Member"} Case\<close>

(* Reflection for the Member replacement formula: the function pairs each
   environment v with the boolean of nth(x,v) \<in> nth(y,v).  B and lstA are
   free parameters (the set being replaced over, and list(A)). *)
lemma Member_Reflects:
 "REFLECTS[\<lambda>u. \<exists>v[L]. v \<in> B \<and> (\<exists>bo[L]. \<exists>nx[L]. \<exists>ny[L].
          v \<in> lstA \<and> is_nth(L,x,v,nx) \<and> is_nth(L,y,v,ny) \<and>
          is_bool_of_o(L, nx \<in> ny, bo) \<and> pair(L,v,bo,u)),
   \<lambda>i u. \<exists>v \<in> Lset(i). v \<in> B \<and> (\<exists>bo \<in> Lset(i). \<exists>nx \<in> Lset(i). \<exists>ny \<in> Lset(i).
             v \<in> lstA \<and> is_nth(##Lset(i), x, v, nx) \<and> 
             is_nth(##Lset(i), y, v, ny) \<and>
          is_bool_of_o(##Lset(i), nx \<in> ny, bo) \<and> pair(##Lset(i), v, bo, u))]"
by (intro FOL_reflections function_reflections nth_reflection 
          bool_of_o_reflection)



(* The replacement instance needed for the Member case of satisfies, over
   L.  The parameters are list(A), B, x and y; nat_into_M and list_closed
   show they all lie in L so gen_separation_multi applies. *)
lemma Member_replacement:
    "[|L(A); x \<in> nat; y \<in> nat|]
     ==> strong_replacement
         (L, \<lambda>env z. \<exists>bo[L]. \<exists>nx[L]. \<exists>ny[L]. 
              env \<in> list(A) & is_nth(L,x,env,nx) & is_nth(L,y,env,ny) & 
              is_bool_of_o(L, nx \<in> ny, bo) &
              pair(L, env, bo, z))"
apply (rule strong_replacementI)
apply (rule_tac u="{list(A),B,x,y}" 
         in gen_separation_multi [OF Member_Reflects], 
       auto simp add: nat_into_M list_closed)
(* the environment order fixes the de Bruijn indices the sep_rules see *)
apply (rule_tac env="[list(A),B,x,y]" in DPow_LsetI)
apply (rule sep_rules nth_iff_sats is_bool_of_o_iff_sats | simp)+
done



subsubsection\<open>The @{term "Equal"} Case\<close>

(* Reflection for the Equal replacement formula; identical to the Member
   case except that the boolean tested is nx = ny. *)
lemma Equal_Reflects:
 "REFLECTS[\<lambda>u. \<exists>v[L]. v \<in> B \<and> (\<exists>bo[L]. \<exists>nx[L]. \<exists>ny[L].
          v \<in> lstA \<and> is_nth(L, x, v, nx) \<and> is_nth(L, y, v, ny) \<and>
          is_bool_of_o(L, nx = ny, bo) \<and> pair(L, v, bo, u)),
   \<lambda>i u. \<exists>v \<in> Lset(i). v \<in> B \<and> (\<exists>bo \<in> Lset(i). \<exists>nx \<in> Lset(i). \<exists>ny \<in> Lset(i).
             v \<in> lstA \<and> is_nth(##Lset(i), x, v, nx) \<and> 
             is_nth(##Lset(i), y, v, ny) \<and>
          is_bool_of_o(##Lset(i), nx = ny, bo) \<and> pair(##Lset(i), v, bo, u))]"
by (intro FOL_reflections function_reflections nth_reflection 
          bool_of_o_reflection)



(* Replacement instance for the Equal case; proof mirrors
   Member_replacement with Equal_Reflects. *)
lemma Equal_replacement:
    "[|L(A); x \<in> nat; y \<in> nat|]
     ==> strong_replacement
         (L, \<lambda>env z. \<exists>bo[L]. \<exists>nx[L]. \<exists>ny[L]. 
              env \<in> list(A) & is_nth(L,x,env,nx) & is_nth(L,y,env,ny) & 
              is_bool_of_o(L, nx = ny, bo) &
              pair(L, env, bo, z))"
apply (rule strong_replacementI)
apply (rule_tac u="{list(A),B,x,y}" 
         in gen_separation_multi [OF Equal_Reflects], 
       auto simp add: nat_into_M list_closed)
apply (rule_tac env="[list(A),B,x,y]" in DPow_LsetI)
apply (rule sep_rules nth_iff_sats is_bool_of_o_iff_sats | simp)+
done

subsubsection\<open>The @{term "Nand"} Case\<close>

(* Reflection for the Nand replacement formula.  rp and rq are the
   already-computed truth functions for the two subformulas; each
   environment u is paired with not(and(rp`u, rq`u)).  is_and and is_not
   are unfolded first so that the generic function reflections suffice. *)
lemma Nand_Reflects:
    "REFLECTS [\<lambda>x. \<exists>u[L]. u \<in> B \<and>
               (\<exists>rpe[L]. \<exists>rqe[L]. \<exists>andpq[L]. \<exists>notpq[L].
                 fun_apply(L, rp, u, rpe) \<and> fun_apply(L, rq, u, rqe) \<and>
                 is_and(L, rpe, rqe, andpq) \<and> is_not(L, andpq, notpq) \<and>
                 u \<in> list(A) \<and> pair(L, u, notpq, x)),
    \<lambda>i x. \<exists>u \<in> Lset(i). u \<in> B \<and>
     (\<exists>rpe \<in> Lset(i). \<exists>rqe \<in> Lset(i). \<exists>andpq \<in> Lset(i). \<exists>notpq \<in> Lset(i).
       fun_apply(##Lset(i), rp, u, rpe) \<and> fun_apply(##Lset(i), rq, u, rqe) \<and>
       is_and(##Lset(i), rpe, rqe, andpq) \<and> is_not(##Lset(i), andpq, notpq) \<and>
       u \<in> list(A) \<and> pair(##Lset(i), u, notpq, x))]"
apply (unfold is_and_def is_not_def) 
apply (intro FOL_reflections function_reflections)
done

(* Replacement instance for the Nand case.  The parameters are list(A), B
   and the two recursive results rp, rq, all assumed (or shown) to be in L. *)
lemma Nand_replacement:
    "[|L(A); L(rp); L(rq)|]
     ==> strong_replacement
         (L, \<lambda>env z. \<exists>rpe[L]. \<exists>rqe[L]. \<exists>andpq[L]. \<exists>notpq[L]. 
               fun_apply(L,rp,env,rpe) & fun_apply(L,rq,env,rqe) & 
               is_and(L,rpe,rqe,andpq) & is_not(L,andpq,notpq) & 
               env \<in> list(A) & pair(L, env, notpq, z))"
apply (rule strong_replacementI)
apply (rule_tac u="{list(A),B,rp,rq}" 
         in gen_separation_multi [OF Nand_Reflects],
       auto simp add: list_closed)
apply (rule_tac env="[list(A),B,rp,rq]" in DPow_LsetI)
apply (rule sep_rules is_and_iff_sats is_not_iff_sats | simp)+
done



subsubsection\<open>The @{term "Forall"} Case\<close>

(* Reflection for the Forall replacement formula: each environment u is
   paired with the boolean "for all a \<in> A, rp`Cons(a,u) = 1".  Here A
   itself is a parameter (it bounds the quantifier), unlike the three
   previous cases where only list(A) occurs. *)
lemma Forall_Reflects:
 "REFLECTS [\<lambda>x. \<exists>u[L]. u \<in> B \<and> (\<exists>bo[L]. u \<in> list(A) \<and>
                 is_bool_of_o (L,
     \<forall>a[L]. \<forall>co[L]. \<forall>rpco[L]. a \<in> A \<longrightarrow>
                is_Cons(L,a,u,co) \<longrightarrow> fun_apply(L,rp,co,rpco) \<longrightarrow> 
                number1(L,rpco),
                           bo) \<and> pair(L,u,bo,x)),
 \<lambda>i x. \<exists>u \<in> Lset(i). u \<in> B \<and> (\<exists>bo \<in> Lset(i). u \<in> list(A) \<and>
        is_bool_of_o (##Lset(i),
 \<forall>a \<in> Lset(i). \<forall>co \<in> Lset(i). \<forall>rpco \<in> Lset(i). a \<in> A \<longrightarrow>
            is_Cons(##Lset(i),a,u,co) \<longrightarrow> fun_apply(##Lset(i),rp,co,rpco) \<longrightarrow> 
            number1(##Lset(i),rpco),
                       bo) \<and> pair(##Lset(i),u,bo,x))]"
apply (unfold is_bool_of_o_def) 
apply (intro FOL_reflections function_reflections Cons_reflection)
done

(* Replacement instance for the Forall case.  A is included in the
   parameter set and environment because the formula quantifies over it. *)
lemma Forall_replacement:
   "[|L(A); L(rp)|]
    ==> strong_replacement
        (L, \<lambda>env z. \<exists>bo[L]. 
              env \<in> list(A) & 
              is_bool_of_o (L, 
                            \<forall>a[L]. \<forall>co[L]. \<forall>rpco[L]. 
                               a\<in>A \<longrightarrow> is_Cons(L,a,env,co) \<longrightarrow>
                               fun_apply(L,rp,co,rpco) \<longrightarrow> number1(L, rpco), 
                            bo) &
              pair(L,env,bo,z))"
apply (rule strong_replacementI)
apply (rule_tac u="{A,list(A),B,rp}" 
         in gen_separation_multi [OF Forall_Reflects],
       auto simp add: list_closed)
apply (rule_tac env="[A,list(A),B,rp]" in DPow_LsetI)
apply (rule sep_rules is_bool_of_o_iff_sats Cons_iff_sats | simp)+
done

subsubsection\<open>The @{term "transrec_replacement"} Case\<close>

(* Reflection for the well-founded recursion that builds the satisfies
   function layer by layer: u is paired with the is_wfrec result of the
   step functional satisfies_MH along the relation mesa. *)
lemma formula_rec_replacement_Reflects:
 "REFLECTS [\<lambda>x. \<exists>u[L]. u \<in> B \<and> (\<exists>y[L]. pair(L, u, y, x) \<and>
             is_wfrec (L, satisfies_MH(L,A), mesa, u, y)),
    \<lambda>i x. \<exists>u \<in> Lset(i). u \<in> B \<and> (\<exists>y \<in> Lset(i). pair(##Lset(i), u, y, x) \<and>
             is_wfrec (##Lset(i), satisfies_MH(##Lset(i),A), mesa, u, y))]"
by (intro FOL_reflections function_reflections satisfies_MH_reflection 
          is_wfrec_reflection) 

(* The transrec replacement instance for the depth recursion, over L.
   transrec_replacementI reduces it to a strong replacement whose relation
   parameter is Memrel(eclose({n})) (the membership relation on the
   transitive closure of {n}); that set is therefore carried as a
   parameter in both the separation set u and the DPow environment. *)
lemma formula_rec_replacement: 
      \<comment>\<open>For the @{term transrec}\<close>
   "[|n \<in> nat; L(A)|] ==> transrec_replacement(L, satisfies_MH(L,A), n)"
apply (rule transrec_replacementI, simp add: nat_into_M) 
apply (rule strong_replacementI)
apply (rule_tac u="{B,A,n,Memrel(eclose({n}))}"
         in gen_separation_multi [OF formula_rec_replacement_Reflects],
       auto simp add: nat_into_M)
apply (rule_tac env="[B,A,n,Memrel(eclose({n}))]" in DPow_LsetI)
apply (rule sep_rules satisfies_MH_iff_sats is_wfrec_iff_sats | simp)+
done



subsubsection\<open>The Lambda Replacement Case\<close>

(* Reflection for the replacement that forms the function on `formula`
   inside one recursion step: each formula u is paired with the value c
   chosen by is_formula_case among the four operators, with g as the
   recursive argument. *)
lemma formula_rec_lambda_replacement_Reflects:
 "REFLECTS [\<lambda>x. \<exists>u[L]. u \<in> B &
     mem_formula(L,u) &
     (\<exists>c[L].
         is_formula_case
          (L, satisfies_is_a(L,A), satisfies_is_b(L,A),
           satisfies_is_c(L,A,g), satisfies_is_d(L,A,g),
           u, c) &
         pair(L,u,c,x)),
  \<lambda>i x. \<exists>u \<in> Lset(i). u \<in> B & mem_formula(##Lset(i),u) &
     (\<exists>c \<in> Lset(i).
         is_formula_case
          (##Lset(i), satisfies_is_a(##Lset(i),A), satisfies_is_b(##Lset(i),A),
           satisfies_is_c(##Lset(i),A,g), satisfies_is_d(##Lset(i),A,g),
           u, c) &
         pair(##Lset(i),u,c,x))]"
by (intro FOL_reflections function_reflections mem_formula_reflection
          is_formula_case_reflection satisfies_is_a_reflection
          satisfies_is_b_reflection satisfies_is_c_reflection
          satisfies_is_d_reflection)  

(* The lambda replacement instance: given the recursive argument g and A
   in L, the map from formulas to their formula_case value is a strong
   replacement over L.  The parameter set {B,A,g} is unordered; the DPow
   environment [A,g,B] merely has to list the same parameters, in whatever
   order the iff_sats rules are then matched against.  Only `auto` is
   needed to close the side conditions, since no closure facts about
   list(A) or nat are involved here. *)
lemma formula_rec_lambda_replacement: 
      \<comment>\<open>For the @{term transrec}\<close>
   "[|L(g); L(A)|] ==>
    strong_replacement (L, 
       \<lambda>x y. mem_formula(L,x) &
             (\<exists>c[L]. is_formula_case(L, satisfies_is_a(L,A),
                                  satisfies_is_b(L,A),
                                  satisfies_is_c(L,A,g),
                                  satisfies_is_d(L,A,g), x, c) &
             pair(L, x, c, y)))" 
apply (rule strong_replacementI)
apply (rule_tac u="{B,A,g}"
         in gen_separation_multi [OF formula_rec_lambda_replacement_Reflects], 
       auto)
apply (rule_tac env="[A,g,B]" in DPow_LsetI)
apply (rule sep_rules mem_formula_iff_sats
          formula_case_iff_sats satisfies_is_a_iff_sats
          satisfies_is_b_iff_sats satisfies_is_c_iff_sats
          satisfies_is_d_iff_sats | simp)+
done



subsection\<open>Instantiating \<open>M_satisfies\<close>\<close>

(* The locale-specific axioms of M_satisfies hold for L: each one is
   exactly one of the six replacement lemmas proved above.  The repeated
   `assumption | rule ...` discharges the axioms and their L(_) / nat
   premises in whatever order the intro rule presents them. *)
lemma M_satisfies_axioms_L: "M_satisfies_axioms(L)"
  apply (rule M_satisfies_axioms.intro)
       apply (assumption | rule
         Member_replacement Equal_replacement 
         Nand_replacement Forall_replacement
         formula_rec_replacement formula_rec_lambda_replacement)+
  done

(* L is a model of the full M_satisfies locale: its base locale is
   M_eclose (already known for L via M_eclose_L) and the remaining axioms
   are M_satisfies_axioms_L. *)
theorem M_satisfies_L: "PROP M_satisfies(L)"
  apply (rule M_satisfies.intro)
   apply (rule M_eclose_L)
  apply (rule M_satisfies_axioms_L)
  done

text\<open>Finally: the point of the whole theory!\<close>
(* The exported results for the constructible universe: satisfies(A,p) is
   in L whenever A is, and is_satisfies relativized to L coincides with
   the real satisfaction relation.  These are the locale lemmas
   satisfies_closed / satisfies_abs specialised to M = L via M_satisfies_L. *)
lemmas satisfies_closed = M_satisfies.satisfies_closed [OF M_satisfies_L]
   and satisfies_abs = M_satisfies.satisfies_abs [OF M_satisfies_L]

end