src/ZF/Constructible/WFrec.thy
author wenzelm
Thu Sep 02 00:48:07 2010 +0200 (2010-09-02)
changeset 38980 af73cf0dc31f
parent 32960 69916a850301
child 46823 57bf0cecb366
permissions -rw-r--r--
turned show_question_marks into proper configuration option;
show_question_marks only affects regular type/term pretty printing, not raw Term.string_of_vname;
tuned;
paulson@13505
     1
(*  Title:      ZF/Constructible/WFrec.thy
paulson@13505
     2
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@13505
     3
*)
paulson@13505
     4
paulson@13306
     5
header{*Relativized Well-Founded Recursion*}
paulson@13306
     6
haftmann@16417
     7
theory WFrec imports Wellorderings begin
paulson@13223
     8
paulson@13223
     9
paulson@13506
    10
subsection{*General Lemmas*}
paulson@13506
    11
paulson@13254
    12
(*Many of these might be useful in WF.thy*)
paulson@13223
    13
paulson@13269
    14
lemma apply_recfun2:
paulson@13269
    15
    "[| is_recfun(r,a,H,f); <x,i>:f |] ==> i = H(x, restrict(f,r-``{x}))"
paulson@13269
    16
apply (frule apply_recfun) 
paulson@13269
    17
 apply (blast dest: is_recfun_type fun_is_rel) 
paulson@13269
    18
apply (simp add: function_apply_equality [OF _ is_recfun_imp_function])
paulson@13223
    19
done
paulson@13223
    20
paulson@13223
    21
text{*Expresses @{text is_recfun} as a recursion equation*}
paulson@13223
    22
lemma is_recfun_iff_equation:
paulson@13223
    23
     "is_recfun(r,a,H,f) <->
wenzelm@32960
    24
           f \<in> r -`` {a} \<rightarrow> range(f) &
wenzelm@32960
    25
           (\<forall>x \<in> r-``{a}. f`x = H(x, restrict(f, r-``{x})))"  
paulson@13223
    26
apply (rule iffI) 
paulson@13223
    27
 apply (simp add: is_recfun_type apply_recfun Ball_def vimage_singleton_iff, 
paulson@13223
    28
        clarify)  
paulson@13223
    29
apply (simp add: is_recfun_def) 
paulson@13223
    30
apply (rule fun_extension) 
paulson@13223
    31
  apply assumption
paulson@13223
    32
 apply (fast intro: lam_type, simp) 
paulson@13223
    33
done
paulson@13223
    34
paulson@13245
    35
lemma is_recfun_imp_in_r: "[|is_recfun(r,a,H,f); \<langle>x,i\<rangle> \<in> f|] ==> \<langle>x, a\<rangle> \<in> r"
paulson@13269
    36
by (blast dest: is_recfun_type fun_is_rel)
paulson@13245
    37
paulson@13254
    38
lemma trans_Int_eq:
paulson@13254
    39
      "[| trans(r); <y,x> \<in> r |] ==> r -`` {x} \<inter> r -`` {y} = r -`` {y}"
paulson@13251
    40
by (blast intro: transD) 
paulson@13223
    41
paulson@13254
    42
lemma is_recfun_restrict_idem:
paulson@13254
    43
     "is_recfun(r,a,H,f) ==> restrict(f, r -`` {a}) = f"
paulson@13254
    44
apply (drule is_recfun_type)
paulson@13254
    45
apply (auto simp add: Pi_iff subset_Sigma_imp_relation restrict_idem)  
paulson@13254
    46
done
paulson@13254
    47
paulson@13254
    48
lemma is_recfun_cong_lemma:
paulson@13254
    49
  "[| is_recfun(r,a,H,f); r = r'; a = a'; f = f'; 
paulson@13254
    50
      !!x g. [| <x,a'> \<in> r'; relation(g); domain(g) <= r' -``{x} |] 
paulson@13254
    51
             ==> H(x,g) = H'(x,g) |]
paulson@13254
    52
   ==> is_recfun(r',a',H',f')"
paulson@13254
    53
apply (simp add: is_recfun_def) 
paulson@13254
    54
apply (erule trans) 
paulson@13254
    55
apply (rule lam_cong) 
paulson@13254
    56
apply (simp_all add: vimage_singleton_iff Int_lower2)  
paulson@13254
    57
done
paulson@13254
    58
paulson@13254
    59
text{*For @{text is_recfun} we need only pay attention to functions
paulson@13254
    60
      whose domains are initial segments of @{term r}.*}
paulson@13254
    61
lemma is_recfun_cong:
paulson@13254
    62
  "[| r = r'; a = a'; f = f'; 
paulson@13254
    63
      !!x g. [| <x,a'> \<in> r'; relation(g); domain(g) <= r' -``{x} |] 
paulson@13254
    64
             ==> H(x,g) = H'(x,g) |]
paulson@13254
    65
   ==> is_recfun(r,a,H,f) <-> is_recfun(r',a',H',f')"
paulson@13254
    66
apply (rule iffI)
paulson@13254
    67
txt{*Messy: fast and blast don't work for some reason*}
paulson@13254
    68
apply (erule is_recfun_cong_lemma, auto) 
paulson@13254
    69
apply (erule is_recfun_cong_lemma)
paulson@13254
    70
apply (blast intro: sym)+
paulson@13254
    71
done
paulson@13223
    72
paulson@13506
    73
subsection{*Reworking of the Recursion Theory Within @{term M}*}
paulson@13506
    74
paulson@13564
    75
lemma (in M_basic) is_recfun_separation':
paulson@13319
    76
    "[| f \<in> r -`` {a} \<rightarrow> range(f); g \<in> r -`` {b} \<rightarrow> range(g);
paulson@13319
    77
        M(r); M(f); M(g); M(a); M(b) |] 
paulson@13319
    78
     ==> separation(M, \<lambda>x. \<not> (\<langle>x, a\<rangle> \<in> r \<longrightarrow> \<langle>x, b\<rangle> \<in> r \<longrightarrow> f ` x = g ` x))"
paulson@13319
    79
apply (insert is_recfun_separation [of r f g a b]) 
paulson@13352
    80
apply (simp add: vimage_singleton_iff)
paulson@13319
    81
done
paulson@13223
    82
paulson@13251
    83
text{*Stated using @{term "trans(r)"} rather than
paulson@13223
    84
      @{term "transitive_rel(M,A,r)"} because the latter rewrites to
paulson@13223
    85
      the former anyway, by @{text transitive_rel_abs}.
paulson@13251
    86
      As always, theorems should be expressed in simplified form.
paulson@13251
    87
      The last three M-premises are redundant because of @{term "M(r)"}, 
paulson@13251
    88
      but without them we'd have to undertake
paulson@13251
    89
      more work to set up the induction formula.*}
paulson@13564
    90
lemma (in M_basic) is_recfun_equal [rule_format]: 
paulson@13223
    91
    "[|is_recfun(r,a,H,f);  is_recfun(r,b,H,g);  
paulson@13251
    92
       wellfounded(M,r);  trans(r);
paulson@13251
    93
       M(f); M(g); M(r); M(x); M(a); M(b) |] 
paulson@13223
    94
     ==> <x,a> \<in> r --> <x,b> \<in> r --> f`x=g`x"
paulson@13339
    95
apply (frule_tac f=f in is_recfun_type) 
paulson@13339
    96
apply (frule_tac f=g in is_recfun_type) 
paulson@13223
    97
apply (simp add: is_recfun_def)
paulson@13254
    98
apply (erule_tac a=x in wellfounded_induct, assumption+)
paulson@13251
    99
txt{*Separation to justify the induction*}
paulson@13319
   100
 apply (blast intro: is_recfun_separation') 
paulson@13251
   101
txt{*Now the inductive argument itself*}
paulson@13254
   102
apply clarify 
paulson@13223
   103
apply (erule ssubst)+
paulson@13223
   104
apply (simp (no_asm_simp) add: vimage_singleton_iff restrict_def)
paulson@13223
   105
apply (rename_tac x1)
paulson@13223
   106
apply (rule_tac t="%z. H(x1,z)" in subst_context) 
paulson@13721
   107
apply (subgoal_tac "\<forall>y \<in> r-``{x1}. ALL z. <y,z>\<in>f <-> <y,z>\<in>g")
paulson@13251
   108
 apply (blast intro: transD) 
paulson@13223
   109
apply (simp add: apply_iff) 
paulson@13251
   110
apply (blast intro: transD sym) 
paulson@13223
   111
done
paulson@13223
   112
paulson@13564
   113
lemma (in M_basic) is_recfun_cut: 
paulson@13223
   114
    "[|is_recfun(r,a,H,f);  is_recfun(r,b,H,g);  
paulson@13251
   115
       wellfounded(M,r); trans(r); 
paulson@13251
   116
       M(f); M(g); M(r); <b,a> \<in> r |]   
paulson@13223
   117
      ==> restrict(f, r-``{b}) = g"
paulson@13339
   118
apply (frule_tac f=f in is_recfun_type) 
paulson@13223
   119
apply (rule fun_extension) 
paulson@13251
   120
apply (blast intro: transD restrict_type2) 
paulson@13223
   121
apply (erule is_recfun_type, simp) 
paulson@13251
   122
apply (blast intro: is_recfun_equal transD dest: transM) 
paulson@13223
   123
done
paulson@13223
   124
paulson@13564
   125
lemma (in M_basic) is_recfun_functional:
paulson@13223
   126
     "[|is_recfun(r,a,H,f);  is_recfun(r,a,H,g);  
paulson@13268
   127
       wellfounded(M,r); trans(r); M(f); M(g); M(r) |] ==> f=g"
paulson@13223
   128
apply (rule fun_extension)
paulson@13223
   129
apply (erule is_recfun_type)+
paulson@13251
   130
apply (blast intro!: is_recfun_equal dest: transM) 
paulson@13254
   131
done 
paulson@13223
   132
wenzelm@13295
   133
text{*Tells us that @{text is_recfun} can (in principle) be relativized.*}
paulson@13564
   134
lemma (in M_basic) is_recfun_relativize:
paulson@13254
   135
  "[| M(r); M(f); \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)) |] 
paulson@13251
   136
   ==> is_recfun(r,a,H,f) <->
paulson@13254
   137
       (\<forall>z[M]. z \<in> f <-> 
paulson@13254
   138
        (\<exists>x[M]. <x,a> \<in> r & z = <x, H(x, restrict(f, r-``{x}))>))";
paulson@13254
   139
apply (simp add: is_recfun_def lam_def)
paulson@13223
   140
apply (safe intro!: equalityI) 
paulson@13254
   141
   apply (drule equalityD1 [THEN subsetD], assumption) 
paulson@13254
   142
   apply (blast dest: pair_components_in_M) 
paulson@13254
   143
  apply (blast elim!: equalityE dest: pair_components_in_M)
paulson@13615
   144
 apply (frule transM, assumption) 
paulson@13223
   145
 apply simp  
paulson@13223
   146
 apply blast
paulson@13254
   147
apply (subgoal_tac "is_function(M,f)")
paulson@13254
   148
 txt{*We use @{term "is_function"} rather than @{term "function"} because
paulson@13254
   149
      the subgoal's easier to prove with relativized quantifiers!*}
paulson@13254
   150
 prefer 2 apply (simp add: is_function_def) 
paulson@13223
   151
apply (frule pair_components_in_M, assumption) 
paulson@13254
   152
apply (simp add: is_recfun_imp_function function_restrictI) 
paulson@13223
   153
done
paulson@13223
   154
paulson@13564
   155
lemma (in M_basic) is_recfun_restrict:
paulson@13251
   156
     "[| wellfounded(M,r); trans(r); is_recfun(r,x,H,f); \<langle>y,x\<rangle> \<in> r; 
paulson@13251
   157
       M(r); M(f); 
paulson@13254
   158
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)) |]
paulson@13223
   159
       ==> is_recfun(r, y, H, restrict(f, r -`` {y}))"
paulson@13223
   160
apply (frule pair_components_in_M, assumption, clarify) 
paulson@13254
   161
apply (simp (no_asm_simp) add: is_recfun_relativize restrict_iff
paulson@13254
   162
           trans_Int_eq)
paulson@13223
   163
apply safe
paulson@13223
   164
  apply (simp_all add: vimage_singleton_iff is_recfun_type [THEN apply_iff]) 
paulson@13223
   165
  apply (frule_tac x=xa in pair_components_in_M, assumption)
paulson@13251
   166
  apply (frule_tac x=xa in apply_recfun, blast intro: transD)  
paulson@13247
   167
  apply (simp add: is_recfun_type [THEN apply_iff] 
paulson@13251
   168
                   is_recfun_imp_function function_restrictI)
paulson@13251
   169
apply (blast intro: apply_recfun dest: transD)
paulson@13223
   170
done
paulson@13223
   171
 
paulson@13564
   172
lemma (in M_basic) restrict_Y_lemma:
paulson@13251
   173
   "[| wellfounded(M,r); trans(r); M(r);
paulson@13254
   174
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g));  M(Y);
paulson@13299
   175
       \<forall>b[M]. 
wenzelm@32960
   176
           b \<in> Y <->
wenzelm@32960
   177
           (\<exists>x[M]. <x,a1> \<in> r &
paulson@13299
   178
            (\<exists>y[M]. b = \<langle>x,y\<rangle> & (\<exists>g[M]. is_recfun(r,x,H,g) \<and> y = H(x,g))));
paulson@13299
   179
          \<langle>x,a1\<rangle> \<in> r; is_recfun(r,x,H,f); M(f) |]
paulson@13223
   180
       ==> restrict(Y, r -`` {x}) = f"
paulson@13251
   181
apply (subgoal_tac "\<forall>y \<in> r-``{x}. \<forall>z. <y,z>:Y <-> <y,z>:f") 
paulson@13251
   182
 apply (simp (no_asm_simp) add: restrict_def) 
paulson@13254
   183
 apply (thin_tac "rall(M,?P)")+  --{*essential for efficiency*}
paulson@13251
   184
 apply (frule is_recfun_type [THEN fun_is_rel], blast)
paulson@13223
   185
apply (frule pair_components_in_M, assumption, clarify) 
paulson@13223
   186
apply (rule iffI)
paulson@13505
   187
 apply (frule_tac y="<y,z>" in transM, assumption)
paulson@13223
   188
 apply (clarsimp simp add: vimage_singleton_iff is_recfun_type [THEN apply_iff]
wenzelm@32960
   189
                           apply_recfun is_recfun_cut) 
paulson@13223
   190
txt{*Opposite inclusion: something in f, show in Y*}
paulson@13293
   191
apply (frule_tac y="<y,z>" in transM, assumption)  
paulson@13293
   192
apply (simp add: vimage_singleton_iff) 
paulson@13293
   193
apply (rule conjI) 
paulson@13293
   194
 apply (blast dest: transD) 
paulson@13268
   195
apply (rule_tac x="restrict(f, r -`` {y})" in rexI) 
paulson@13268
   196
apply (simp_all add: is_recfun_restrict
paulson@13268
   197
                     apply_recfun is_recfun_type [THEN apply_iff]) 
paulson@13223
   198
done
paulson@13223
   199
paulson@13245
   200
text{*For typical applications of Replacement for recursive definitions*}
paulson@13564
   201
lemma (in M_basic) univalent_is_recfun:
paulson@13251
   202
     "[|wellfounded(M,r); trans(r); M(r)|]
paulson@13268
   203
      ==> univalent (M, A, \<lambda>x p. 
paulson@13293
   204
              \<exists>y[M]. p = \<langle>x,y\<rangle> & (\<exists>f[M]. is_recfun(r,x,H,f) & y = H(x,f)))"
paulson@13245
   205
apply (simp add: univalent_def) 
paulson@13245
   206
apply (blast dest: is_recfun_functional) 
paulson@13245
   207
done
paulson@13245
   208
paulson@13299
   209
paulson@13223
   210
text{*Proof of the inductive step for @{text exists_is_recfun}, since
paulson@13223
   211
      we must prove two versions.*}
paulson@13564
   212
lemma (in M_basic) exists_is_recfun_indstep:
paulson@13268
   213
    "[|\<forall>y. \<langle>y, a1\<rangle> \<in> r --> (\<exists>f[M]. is_recfun(r, y, H, f)); 
paulson@13251
   214
       wellfounded(M,r); trans(r); M(r); M(a1);
paulson@13268
   215
       strong_replacement(M, \<lambda>x z. 
paulson@13268
   216
              \<exists>y[M]. \<exists>g[M]. pair(M,x,y,z) & is_recfun(r,x,H,g) & y = H(x,g)); 
paulson@13254
   217
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g))|]   
paulson@13268
   218
      ==> \<exists>f[M]. is_recfun(r,a1,H,f)"
paulson@13223
   219
apply (drule_tac A="r-``{a1}" in strong_replacementD)
paulson@13251
   220
  apply blast 
paulson@13223
   221
 txt{*Discharge the "univalent" obligation of Replacement*}
paulson@13251
   222
 apply (simp add: univalent_is_recfun) 
paulson@13223
   223
txt{*Show that the constructed object satisfies @{text is_recfun}*} 
paulson@13223
   224
apply clarify 
paulson@13268
   225
apply (rule_tac x=Y in rexI)  
paulson@13254
   226
txt{*Unfold only the top-level occurrence of @{term is_recfun}*}
paulson@13254
   227
apply (simp (no_asm_simp) add: is_recfun_relativize [of concl: _ a1])
paulson@13268
   228
txt{*The big iff-formula defining @{term Y} is now redundant*}
paulson@13254
   229
apply safe 
paulson@13299
   230
 apply (simp add: vimage_singleton_iff restrict_Y_lemma [of r H _ a1]) 
paulson@13223
   231
txt{*one more case*}
paulson@13254
   232
apply (simp (no_asm_simp) add: Bex_def vimage_singleton_iff)
paulson@13223
   233
apply (drule_tac x1=x in spec [THEN mp], assumption, clarify) 
paulson@13268
   234
apply (rename_tac f) 
paulson@13268
   235
apply (rule_tac x=f in rexI) 
paulson@13293
   236
apply (simp_all add: restrict_Y_lemma [of r H])
paulson@13299
   237
txt{*FIXME: should not be needed!*}
paulson@13299
   238
apply (subst restrict_Y_lemma [of r H])
paulson@13299
   239
apply (simp add: vimage_singleton_iff)+
paulson@13299
   240
apply blast+
paulson@13223
   241
done
paulson@13223
   242
paulson@13223
   243
text{*Relativized version, when we have the (currently weaker) premise
paulson@13251
   244
      @{term "wellfounded(M,r)"}*}
paulson@13564
   245
lemma (in M_basic) wellfounded_exists_is_recfun:
paulson@13251
   246
    "[|wellfounded(M,r);  trans(r);  
paulson@13268
   247
       separation(M, \<lambda>x. ~ (\<exists>f[M]. is_recfun(r, x, H, f)));
paulson@13268
   248
       strong_replacement(M, \<lambda>x z. 
paulson@13268
   249
          \<exists>y[M]. \<exists>g[M]. pair(M,x,y,z) & is_recfun(r,x,H,g) & y = H(x,g)); 
paulson@13251
   250
       M(r);  M(a);  
paulson@13254
   251
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)) |]   
paulson@13268
   252
      ==> \<exists>f[M]. is_recfun(r,a,H,f)"
paulson@13251
   253
apply (rule wellfounded_induct, assumption+, clarify)
paulson@13223
   254
apply (rule exists_is_recfun_indstep, assumption+)
paulson@13223
   255
done
paulson@13223
   256
paulson@13564
   257
lemma (in M_basic) wf_exists_is_recfun [rule_format]:
paulson@13268
   258
    "[|wf(r);  trans(r);  M(r);  
paulson@13268
   259
       strong_replacement(M, \<lambda>x z. 
paulson@13268
   260
         \<exists>y[M]. \<exists>g[M]. pair(M,x,y,z) & is_recfun(r,x,H,g) & y = H(x,g)); 
paulson@13254
   261
       \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)) |]   
paulson@13268
   262
      ==> M(a) --> (\<exists>f[M]. is_recfun(r,a,H,f))"
paulson@13251
   263
apply (rule wf_induct, assumption+)
paulson@13251
   264
apply (frule wf_imp_relativized)
paulson@13251
   265
apply (intro impI)
paulson@13268
   266
apply (rule exists_is_recfun_indstep) 
paulson@13268
   267
      apply (blast dest: transM del: rev_rallE, assumption+)
paulson@13223
   268
done
paulson@13223
   269
paulson@13506
   270
paulson@13506
   271
subsection{*Relativization of the ZF Predicate @{term is_recfun}*}
paulson@13506
   272
wenzelm@21233
   273
definition
wenzelm@21404
   274
  M_is_recfun :: "[i=>o, [i,i,i]=>o, i, i, i] => o" where
paulson@13352
   275
   "M_is_recfun(M,MH,r,a,f) == 
paulson@13254
   276
     \<forall>z[M]. z \<in> f <-> 
paulson@13254
   277
            (\<exists>x[M]. \<exists>y[M]. \<exists>xa[M]. \<exists>sx[M]. \<exists>r_sx[M]. \<exists>f_r_sx[M]. 
wenzelm@32960
   278
               pair(M,x,y,z) & pair(M,x,a,xa) & upair(M,x,x,sx) &
paulson@13254
   279
               pre_image(M,r,sx,r_sx) & restriction(M,f,r_sx,f_r_sx) &
paulson@13348
   280
               xa \<in> r & MH(x, f_r_sx, y))"
paulson@13223
   281
wenzelm@21404
   282
definition
wenzelm@21404
   283
  is_wfrec :: "[i=>o, [i,i,i]=>o, i, i, i] => o" where
paulson@13353
   284
   "is_wfrec(M,MH,r,a,z) == 
paulson@13353
   285
      \<exists>f[M]. M_is_recfun(M,MH,r,a,f) & MH(a,f,z)"
paulson@13353
   286
wenzelm@21404
   287
definition
wenzelm@21404
   288
  wfrec_replacement :: "[i=>o, [i,i,i]=>o, i] => o" where
paulson@13353
   289
   "wfrec_replacement(M,MH,r) ==
paulson@13353
   290
        strong_replacement(M, 
paulson@13353
   291
             \<lambda>x z. \<exists>y[M]. pair(M,x,y,z) & is_wfrec(M,MH,r,x,y))"
paulson@13353
   292
paulson@13564
   293
lemma (in M_basic) is_recfun_abs:
paulson@13350
   294
     "[| \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g));  M(r); M(a); M(f); 
paulson@13634
   295
         relation2(M,MH,H) |] 
paulson@13352
   296
      ==> M_is_recfun(M,MH,r,a,f) <-> is_recfun(r,a,H,f)"
paulson@13634
   297
apply (simp add: M_is_recfun_def relation2_def is_recfun_relativize)
paulson@13254
   298
apply (rule rall_cong)
paulson@13254
   299
apply (blast dest: transM)
paulson@13223
   300
done
paulson@13223
   301
paulson@13223
   302
lemma M_is_recfun_cong [cong]:
paulson@13223
   303
     "[| r = r'; a = a'; f = f'; 
paulson@13348
   304
       !!x g y. [| M(x); M(g); M(y) |] ==> MH(x,g,y) <-> MH'(x,g,y) |]
paulson@13352
   305
      ==> M_is_recfun(M,MH,r,a,f) <-> M_is_recfun(M,MH',r',a',f')"
paulson@13223
   306
by (simp add: M_is_recfun_def) 
paulson@13223
   307
paulson@13564
   308
lemma (in M_basic) is_wfrec_abs:
paulson@13353
   309
     "[| \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)); 
paulson@13634
   310
         relation2(M,MH,H);  M(r); M(a); M(z) |]
paulson@13353
   311
      ==> is_wfrec(M,MH,r,a,z) <-> 
paulson@13353
   312
          (\<exists>g[M]. is_recfun(r,a,H,g) & z = H(a,g))"
paulson@13634
   313
by (simp add: is_wfrec_def relation2_def is_recfun_abs)
paulson@13223
   314
paulson@13353
   315
text{*Relating @{term wfrec_replacement} to native constructs*}
paulson@13564
   316
lemma (in M_basic) wfrec_replacement':
paulson@13353
   317
  "[|wfrec_replacement(M,MH,r);
paulson@13353
   318
     \<forall>x[M]. \<forall>g[M]. function(g) --> M(H(x,g)); 
paulson@13634
   319
     relation2(M,MH,H);  M(r)|] 
paulson@13353
   320
   ==> strong_replacement(M, \<lambda>x z. \<exists>y[M]. 
paulson@13353
   321
                pair(M,x,y,z) & (\<exists>g[M]. is_recfun(r,x,H,g) & y = H(x,g)))"
paulson@13615
   322
by (simp add: wfrec_replacement_def is_wfrec_abs) 
paulson@13353
   323
paulson@13353
   324
lemma wfrec_replacement_cong [cong]:
paulson@13353
   325
     "[| !!x y z. [| M(x); M(y); M(z) |] ==> MH(x,y,z) <-> MH'(x,y,z);
paulson@13353
   326
         r=r' |] 
paulson@13353
   327
      ==> wfrec_replacement(M, %x y. MH(x,y), r) <-> 
paulson@13353
   328
          wfrec_replacement(M, %x y. MH'(x,y), r')" 
paulson@13353
   329
by (simp add: is_wfrec_def wfrec_replacement_def) 
paulson@13353
   330
paulson@13353
   331
paulson@13223
   332
end
paulson@13223
   333