replacing ":" by "\<in>"
authorpaulson
Thu Mar 15 16:35:02 2012 +0000 (2012-03-15)
changeset 469532b6e55924af3
parent 46952 5e1bcfdcb175
child 46954 d8b3412cdb99
replacing ":" by "\<in>"
src/ZF/AC.thy
src/ZF/Bin.thy
src/ZF/Cardinal.thy
src/ZF/CardinalArith.thy
src/ZF/Constructible/Formula.thy
src/ZF/Constructible/Relative.thy
src/ZF/Epsilon.thy
src/ZF/EquivClass.thy
src/ZF/Finite.thy
src/ZF/Induct/Multiset.thy
src/ZF/IntArith.thy
src/ZF/Int_ZF.thy
src/ZF/List_ZF.thy
src/ZF/Main_ZF.thy
src/ZF/Nat_ZF.thy
src/ZF/OrdQuant.thy
src/ZF/Order.thy
src/ZF/OrderArith.thy
src/ZF/OrderType.thy
src/ZF/Ordinal.thy
src/ZF/Perm.thy
src/ZF/QPair.thy
src/ZF/Sum.thy
src/ZF/Trancl.thy
src/ZF/UNITY/ClientImpl.thy
src/ZF/UNITY/GenPrefix.thy
src/ZF/UNITY/SubstAx.thy
src/ZF/UNITY/Union.thy
src/ZF/UNITY/WFair.thy
src/ZF/WF.thy
src/ZF/ex/Group.thy
src/ZF/func.thy
src/ZF/pair.thy
src/ZF/upair.thy
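--- a/src/ZF/AC.thy
+++ b/src/ZF/AC.thy
@@ -9,7 +9,7 @@
 
 text{*This definition comes from Halmos (1960), page 59.*}
 axiomatization where
-  AC: "[| a: A;  !!x. x:A ==> (\<exists>y. y:B(x)) |] ==> \<exists>z. z \<in> Pi(A,B)"
+  AC: "[| a \<in> A;  !!x. x \<in> A ==> (\<exists>y. y \<in> B(x)) |] ==> \<exists>z. z \<in> Pi(A,B)"
 
 (*The same as AC, but no premise @{term"a \<in> A"}*)
 lemma AC_Pi: "[| !!x. x \<in> A ==> (\<exists>y. y \<in> B(x)) |] ==> \<exists>z. z \<in> Pi(A,B)"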
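--- a/src/ZF/Bin.thy
+++ b/src/ZF/Bin.thy
@@ -24,7 +24,7 @@
 datatype
   "bin" = Pls
         | Min
-        | Bit ("w: bin", "b: bool")     (infixl "BIT" 90)
+        | Bit ("w \<in> bin", "b \<in> bool")     (infixl "BIT" 90)
 
 consts
   integ_of  :: "i=>i"
@@ -132,26 +132,26 @@
 
 (** Type checking **)
 
-lemma integ_of_type [TC]: "w: bin ==> integ_of(w) \<in> int"
+lemma integ_of_type [TC]: "w \<in> bin ==> integ_of(w) \<in> int"
 apply (induct_tac "w")
 apply (simp_all add: bool_into_nat)
 done
 
-lemma NCons_type [TC]: "[| w: bin; b: bool |] ==> NCons(w,b) \<in> bin"
+lemma NCons_type [TC]: "[| w \<in> bin; b \<in> bool |] ==> NCons(w,b) \<in> bin"
 by (induct_tac "w", auto)
 
-lemma bin_succ_type [TC]: "w: bin ==> bin_succ(w) \<in> bin"
+lemma bin_succ_type [TC]: "w \<in> bin ==> bin_succ(w) \<in> bin"
 by (induct_tac "w", auto)
 
-lemma bin_pred_type [TC]: "w: bin ==> bin_pred(w) \<in> bin"
+lemma bin_pred_type [TC]: "w \<in> bin ==> bin_pred(w) \<in> bin"
 by (induct_tac "w", auto)
 
-lemma bin_minus_type [TC]: "w: bin ==> bin_minus(w) \<in> bin"
+lemma bin_minus_type [TC]: "w \<in> bin ==> bin_minus(w) \<in> bin"
 by (induct_tac "w", auto)
 
 (*This proof is complicated by the mutual recursion*)
 lemma bin_add_type [rule_format,TC]:
-     "v: bin ==> \<forall>w\<in>bin. bin_add(v,w) \<in> bin"
+     "v \<in> bin ==> \<forall>w\<in>bin. bin_add(v,w) \<in> bin"
 apply (unfold bin_add_def)
 apply (induct_tac "v")
 apply (rule_tac [3] ballI)
@@ -160,7 +160,7 @@
 apply (simp_all add: NCons_type)
 done
 
-lemma bin_mult_type [TC]: "[| v: bin; w: bin |] ==> bin_mult(v,w) \<in> bin"
+lemma bin_mult_type [TC]: "[| v \<in> bin; w \<in> bin |] ==> bin_mult(v,w) \<in> bin"
 by (induct_tac "v", auto)
 
 
@@ -169,19 +169,19 @@
 
 (*NCons preserves the integer value of its argument*)
 lemma integ_of_NCons [simp]:
-     "[| w: bin; b: bool |] ==> integ_of(NCons(w,b)) = integ_of(w BIT b)"
+     "[| w \<in> bin; b \<in> bool |] ==> integ_of(NCons(w,b)) = integ_of(w BIT b)"
 apply (erule bin.cases)
 apply (auto elim!: boolE)
 done
 
 lemma integ_of_succ [simp]:
-     "w: bin ==> integ_of(bin_succ(w)) = $#1 $+ integ_of(w)"
+     "w \<in> bin ==> integ_of(bin_succ(w)) = $#1 $+ integ_of(w)"
 apply (erule bin.induct)
 apply (auto simp add: zadd_ac elim!: boolE)
 done
 
 lemma integ_of_pred [simp]:
-     "w: bin ==> integ_of(bin_pred(w)) = $- ($#1) $+ integ_of(w)"
+     "w \<in> bin ==> integ_of(bin_pred(w)) = $- ($#1) $+ integ_of(w)"
 apply (erule bin.induct)
 apply (auto simp add: zadd_ac elim!: boolE)
 done
@@ -189,7 +189,7 @@
 
 subsubsection{*@{term bin_minus}: Unary Negation of Binary Integers*}
 
-lemma integ_of_minus: "w: bin ==> integ_of(bin_minus(w)) = $- integ_of(w)"
+lemma integ_of_minus: "w \<in> bin ==> integ_of(bin_minus(w)) = $- integ_of(w)"
 apply (erule bin.induct)
 apply (auto simp add: zadd_ac zminus_zadd_distrib  elim!: boolE)
 done
@@ -197,18 +197,18 @@
 
 subsubsection{*@{term bin_add}: Binary Addition*}
 
-lemma bin_add_Pls [simp]: "w: bin ==> bin_add(Pls,w) = w"
+lemma bin_add_Pls [simp]: "w \<in> bin ==> bin_add(Pls,w) = w"
 by (unfold bin_add_def, simp)
 
-lemma bin_add_Pls_right: "w: bin ==> bin_add(w,Pls) = w"
+lemma bin_add_Pls_right: "w \<in> bin ==> bin_add(w,Pls) = w"
 apply (unfold bin_add_def)
 apply (erule bin.induct, auto)
 done
 
-lemma bin_add_Min [simp]: "w: bin ==> bin_add(Min,w) = bin_pred(w)"
+lemma bin_add_Min [simp]: "w \<in> bin ==> bin_add(Min,w) = bin_pred(w)"
 by (unfold bin_add_def, simp)
 
-lemma bin_add_Min_right: "w: bin ==> bin_add(w,Min) = bin_pred(w)"
+lemma bin_add_Min_right: "w \<in> bin ==> bin_add(w,Min) = bin_pred(w)"
 apply (unfold bin_add_def)
 apply (erule bin.induct, auto)
 done
@@ -220,13 +220,13 @@
 by (unfold bin_add_def, simp)
 
 lemma bin_add_BIT_BIT [simp]:
-     "[| w: bin;  y: bool |]
+     "[| w \<in> bin;  y \<in> bool |]
       ==> bin_add(v BIT x, w BIT y) =
           NCons(bin_add(v, cond(x and y, bin_succ(w), w)), x xor y)"
 by (unfold bin_add_def, simp)
 
 lemma integ_of_add [rule_format]:
-     "v: bin ==>
+     "v \<in> bin ==>
           \<forall>w\<in>bin. integ_of(bin_add(v,w)) = integ_of(v) $+ integ_of(w)"
 apply (erule bin.induct, simp, simp)
 apply (rule ballI)
@@ -236,7 +236,7 @@
 
 (*Subtraction*)
 lemma diff_integ_of_eq:
-     "[| v: bin;  w: bin |]
+     "[| v \<in> bin;  w \<in> bin |]
       ==> integ_of(v) $- integ_of(w) = integ_of(bin_add (v, bin_minus(w)))"
 apply (unfold zdiff_def)
 apply (simp add: integ_of_add integ_of_minus)
@@ -246,7 +246,7 @@
 subsubsection{*@{term bin_mult}: Binary Multiplication*}
 
 lemma integ_of_mult:
-     "[| v: bin;  w: bin |]
+     "[| v \<in> bin;  w \<in> bin |]
       ==> integ_of(bin_mult(v,w)) = integ_of(v) $* integ_of(w)"
 apply (induct_tac "v", simp)
 apply (simp add: integ_of_minus)
@@ -280,15 +280,15 @@
 
 (** extra rules for bin_add **)
 
-lemma bin_add_BIT_11: "w: bin ==> bin_add(v BIT 1, w BIT 1) =
+lemma bin_add_BIT_11: "w \<in> bin ==> bin_add(v BIT 1, w BIT 1) =
                      NCons(bin_add(v, bin_succ(w)), 0)"
 by simp
 
-lemma bin_add_BIT_10: "w: bin ==> bin_add(v BIT 1, w BIT 0) =
+lemma bin_add_BIT_10: "w \<in> bin ==> bin_add(v BIT 1, w BIT 0) =
                      NCons(bin_add(v,w), 1)"
 by simp
 
-lemma bin_add_BIT_0: "[| w: bin;  y: bool |]
+lemma bin_add_BIT_0: "[| w \<in> bin;  y \<in> bool |]
       ==> bin_add(v BIT 0, w BIT y) = NCons(bin_add(v,w), y)"
 by simp
 
@@ -345,7 +345,7 @@
 (** Equals (=) **)
 
 lemma eq_integ_of_eq:
-     "[| v: bin;  w: bin |]
+     "[| v \<in> bin;  w \<in> bin |]
       ==> ((integ_of(v)) = integ_of(w)) \<longleftrightarrow>
           iszero (integ_of (bin_add (v, bin_minus(w))))"
 apply (unfold iszero_def)
@@ -362,7 +362,7 @@
 done
 
 lemma iszero_integ_of_BIT:
-     "[| w: bin; x: bool |]
+     "[| w \<in> bin; x \<in> bool |]
       ==> iszero (integ_of (w BIT x)) \<longleftrightarrow> (x=0 & iszero (integ_of(w)))"
 apply (unfold iszero_def, simp)
 apply (subgoal_tac "integ_of (w) \<in> int")
@@ -374,10 +374,10 @@
 done
 
 lemma iszero_integ_of_0:
-     "w: bin ==> iszero (integ_of (w BIT 0)) \<longleftrightarrow> iszero (integ_of(w))"
+     "w \<in> bin ==> iszero (integ_of (w BIT 0)) \<longleftrightarrow> iszero (integ_of(w))"
 by (simp only: iszero_integ_of_BIT, blast)
 
-lemma iszero_integ_of_1: "w: bin ==> ~ iszero (integ_of (w BIT 1))"
+lemma iszero_integ_of_1: "w \<in> bin ==> ~ iszero (integ_of (w BIT 1))"
 by (simp only: iszero_integ_of_BIT, blast)
 
 
@@ -385,7 +385,7 @@
 (** Less-than (<) **)
 
 lemma less_integ_of_eq_neg:
-     "[| v: bin;  w: bin |]
+     "[| v \<in> bin;  w \<in> bin |]
       ==> integ_of(v) $< integ_of(w)
           \<longleftrightarrow> znegative (integ_of (bin_add (v, bin_minus(w))))"
 apply (unfold zless_def zdiff_def)
@@ -399,7 +399,7 @@
 by simp
 
 lemma neg_integ_of_BIT:
-     "[| w: bin; x: bool |]
+     "[| w \<in> bin; x \<in> bool |]
       ==> znegative (integ_of (w BIT x)) \<longleftrightarrow> znegative (integ_of(w))"
 apply simp
 apply (subgoal_tac "integ_of (w) \<in> int")
@@ -471,24 +471,24 @@
 (** Simplification of arithmetic when nested to the right **)
 
 lemma add_integ_of_left [simp]:
-     "[| v: bin;  w: bin |]
+     "[| v \<in> bin;  w \<in> bin |]
       ==> integ_of(v) $+ (integ_of(w) $+ z) = (integ_of(bin_add(v,w)) $+ z)"
 by (simp add: zadd_assoc [symmetric])
 
 lemma mult_integ_of_left [simp]:
-     "[| v: bin;  w: bin |]
+     "[| v \<in> bin;  w \<in> bin |]
       ==> integ_of(v) $* (integ_of(w) $* z) = (integ_of(bin_mult(v,w)) $* z)"
 by (simp add: zmult_assoc [symmetric])
 
 lemma add_integ_of_diff1 [simp]:
-    "[| v: bin;  w: bin |]
+    "[| v \<in> bin;  w \<in> bin |]
       ==> integ_of(v) $+ (integ_of(w) $- c) = integ_of(bin_add(v,w)) $- (c)"
 apply (unfold zdiff_def)
 apply (rule add_integ_of_left, auto)
 done
 
 lemma add_integ_of_diff2 [simp]:
-     "[| v: bin;  w: bin |]
+     "[| v \<in> bin;  w \<in> bin |]
       ==> integ_of(v) $+ (c $- integ_of(w)) =
           integ_of (bin_add (v, bin_minus(w))) $+ (c)"
 apply (subst diff_integ_of_eq [symmetric])
@@ -509,10 +509,10 @@
 lemma zdiff_self [simp]: "x $- x = #0"
 by (simp add: zdiff_def)
 
-lemma znegative_iff_zless_0: "k: int ==> znegative(k) \<longleftrightarrow> k $< #0"
+lemma znegative_iff_zless_0: "k \<in> int ==> znegative(k) \<longleftrightarrow> k $< #0"
 by (simp add: zless_def)
 
-lemma zero_zless_imp_znegative_zminus: "[|#0 $< k; k: int|] ==> znegative($-k)"
+lemma zero_zless_imp_znegative_zminus: "[|#0 $< k; k \<in> int|] ==> znegative($-k)"
 by (simp add: zless_def)
 
 lemma zero_zle_int_of [simp]: "#0 $<= $# n"
@@ -521,7 +521,7 @@
 lemma nat_of_0 [simp]: "nat_of(#0) = 0"
 by (simp only: natify_0 int_of_0 [symmetric] nat_of_int_of)
 
-lemma nat_le_int0_lemma: "[| z $<= $#0; z: int |] ==> nat_of(z) = 0"
+lemma nat_le_int0_lemma: "[| z $<= $#0; z \<in> int |] ==> nat_of(z) = 0"
 by (auto simp add: znegative_iff_zless_0 [THEN iff_sym] zle_def zneg_nat_of)
 
 lemma nat_le_int0: "z $<= $#0 ==> nat_of(z) = 0"
@@ -545,7 +545,7 @@
 lemma int_of_nat_of_if: "$# nat_of(z) = (if #0 $<= z then intify(z) else #0)"
 by (simp add: int_of_nat_of znegative_iff_zless_0 not_zle_iff_zless)
 
-lemma zless_nat_iff_int_zless: "[| m: nat; z: int |] ==> (m < nat_of(z)) \<longleftrightarrow> ($#m $< z)"
+lemma zless_nat_iff_int_zless: "[| m \<in> nat; z \<in> int |] ==> (m < nat_of(z)) \<longleftrightarrow> ($#m $< z)"
 apply (case_tac "znegative (z) ")
 apply (erule_tac [2] not_zneg_nat_of [THEN subst])
 apply (auto dest: zless_trans dest!: zero_zle_int_of [THEN zle_zless_trans]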
     3.1 --- a/src/ZF/Cardinal.thy	Thu Mar 15 15:54:22 2012 +0000
     3.2 +++ b/src/ZF/Cardinal.thy	Thu Mar 15 16:35:02 2012 +0000
     3.3 @@ -14,11 +14,11 @@
     3.4  
     3.5  definition
     3.6    eqpoll   :: "[i,i] => o"     (infixl "eqpoll" 50)  where
     3.7 -    "A eqpoll B == \<exists>f. f: bij(A,B)"
     3.8 +    "A eqpoll B == \<exists>f. f \<in> bij(A,B)"
     3.9  
    3.10  definition
    3.11    lepoll   :: "[i,i] => o"     (infixl "lepoll" 50)  where
    3.12 -    "A lepoll B == \<exists>f. f: inj(A,B)"
    3.13 +    "A lepoll B == \<exists>f. f \<in> inj(A,B)"
    3.14  
    3.15  definition
    3.16    lesspoll :: "[i,i] => o"     (infixl "lesspoll" 50)  where
    3.17 @@ -56,7 +56,7 @@
    3.18  by (rule bnd_monoI, blast+)
    3.19  
    3.20  lemma Banach_last_equation:
    3.21 -    "g: Y->X
    3.22 +    "g \<in> Y->X
    3.23       ==> g``(Y - f`` lfp(X, %W. X - g``(Y - f``W))) =
    3.24           X - lfp(X, %W. X - g``(Y - f``W))"
    3.25  apply (rule_tac P = "%u. ?v = X-u"
    3.26 @@ -65,7 +65,7 @@
    3.27  done
    3.28  
    3.29  lemma decomposition:
    3.30 -     "[| f: X->Y;  g: Y->X |] ==>
    3.31 +     "[| f \<in> X->Y;  g \<in> Y->X |] ==>
    3.32        \<exists>XA XB YA YB. (XA \<inter> XB = 0) & (XA \<union> XB = X) &
    3.33                        (YA \<inter> YB = 0) & (YA \<union> YB = Y) &
    3.34                        f``XA=YA & g``YB=XB"
    3.35 @@ -77,7 +77,7 @@
    3.36  done
    3.37  
    3.38  lemma schroeder_bernstein:
    3.39 -    "[| f: inj(X,Y);  g: inj(Y,X) |] ==> \<exists>h. h: bij(X,Y)"
    3.40 +    "[| f \<in> inj(X,Y);  g \<in> inj(Y,X) |] ==> \<exists>h. h \<in> bij(X,Y)"
    3.41  apply (insert decomposition [of f X Y g])
    3.42  apply (simp add: inj_is_fun)
    3.43  apply (blast intro!: restrict_bij bij_disjoint_Un intro: bij_converse_bij)
    3.44 @@ -88,7 +88,7 @@
    3.45  
    3.46  (** Equipollence is an equivalence relation **)
    3.47  
    3.48 -lemma bij_imp_eqpoll: "f: bij(A,B) ==> A \<approx> B"
    3.49 +lemma bij_imp_eqpoll: "f \<in> bij(A,B) ==> A \<approx> B"
    3.50  apply (unfold eqpoll_def)
    3.51  apply (erule exI)
    3.52  done
    3.53 @@ -128,10 +128,10 @@
    3.54  done
    3.55  
    3.56  lemma eq_lepoll_trans [trans]: "[| X \<approx> Y;  Y \<lesssim> Z |] ==> X \<lesssim> Z"
    3.57 - by (blast intro: eqpoll_imp_lepoll lepoll_trans) 
    3.58 + by (blast intro: eqpoll_imp_lepoll lepoll_trans)
    3.59  
    3.60  lemma lepoll_eq_trans [trans]: "[| X \<lesssim> Y;  Y \<approx> Z |] ==> X \<lesssim> Z"
    3.61 - by (blast intro: eqpoll_imp_lepoll lepoll_trans) 
    3.62 + by (blast intro: eqpoll_imp_lepoll lepoll_trans)
    3.63  
    3.64  (*Asymmetry law*)
    3.65  lemma eqpollI: "[| X \<lesssim> Y;  Y \<lesssim> X |] ==> X \<approx> Y"
    3.66 @@ -234,11 +234,11 @@
    3.67  
    3.68  lemma eq_lesspoll_trans [trans]:
    3.69        "[| X \<approx> Y; Y \<prec> Z |] ==> X \<prec> Z"
    3.70 -  by (blast intro: eqpoll_imp_lepoll lesspoll_trans1) 
    3.71 +  by (blast intro: eqpoll_imp_lepoll lesspoll_trans1)
    3.72  
    3.73  lemma lesspoll_eq_trans [trans]:
    3.74        "[| X \<prec> Y; Y \<approx> Z |] ==> X \<prec> Z"
    3.75 -  by (blast intro: eqpoll_imp_lepoll lesspoll_trans2) 
    3.76 +  by (blast intro: eqpoll_imp_lepoll lesspoll_trans2)
    3.77  
    3.78  
    3.79  (** LEAST -- the least number operator [from HOL/Univ.ML] **)
    3.80 @@ -328,12 +328,12 @@
    3.81   by (rule Ord_cardinal_eqpoll [THEN cardinal_cong])
    3.82  
    3.83  lemma well_ord_cardinal_eqE:
    3.84 -  assumes woX: "well_ord(X,r)" and woY: "well_ord(Y,s)" and eq: "|X| = |Y|" 
    3.85 +  assumes woX: "well_ord(X,r)" and woY: "well_ord(Y,s)" and eq: "|X| = |Y|"
    3.86  shows "X \<approx> Y"
    3.87  proof -
    3.88 -  have "X \<approx> |X|" by (blast intro: well_ord_cardinal_eqpoll [OF woX] eqpoll_sym) 
    3.89 +  have "X \<approx> |X|" by (blast intro: well_ord_cardinal_eqpoll [OF woX] eqpoll_sym)
    3.90    also have "... = |Y|" by (rule eq)
    3.91 -  also have "... \<approx> Y" by (rule well_ord_cardinal_eqpoll [OF woY]) 
    3.92 +  also have "... \<approx> Y" by (rule well_ord_cardinal_eqpoll [OF woY])
    3.93    finally show ?thesis .
    3.94  qed
    3.95  
    3.96 @@ -413,45 +413,45 @@
    3.97      next
    3.98        case True                         --{*real case: @{term A} is isomorphic to some ordinal*}
    3.99        then obtain i where i: "Ord(i)" "i \<approx> A" by blast
   3.100 -      show ?thesis 
   3.101 +      show ?thesis
   3.102          proof (rule CardI [OF Ord_Least], rule notI)
   3.103            fix j
   3.104 -          assume j: "j < (\<mu> i. i \<approx> A)" 
   3.105 +          assume j: "j < (\<mu> i. i \<approx> A)"
   3.106            assume "j \<approx> (\<mu> i. i \<approx> A)"
   3.107            also have "... \<approx> A" using i by (auto intro: LeastI)
   3.108            finally have "j \<approx> A" .
   3.109 -          thus False 
   3.110 +          thus False
   3.111              by (rule less_LeastE [OF _ j])
   3.112          qed
   3.113      qed
   3.114  qed
   3.115  
   3.116  (*Kunen's Lemma 10.5*)
   3.117 -lemma cardinal_eq_lemma: 
   3.118 +lemma cardinal_eq_lemma:
   3.119    assumes i:"|i| \<le> j" and j: "j \<le> i" shows "|j| = |i|"
   3.120  proof (rule eqpollI [THEN cardinal_cong])
   3.121    show "j \<lesssim> i" by (rule le_imp_lepoll [OF j])
   3.122  next
   3.123    have Oi: "Ord(i)" using j by (rule le_Ord2)
   3.124 -  hence "i \<approx> |i|" 
   3.125 -    by (blast intro: Ord_cardinal_eqpoll eqpoll_sym) 
   3.126 -  also have "... \<lesssim> j" 
   3.127 -    by (blast intro: le_imp_lepoll i) 
   3.128 +  hence "i \<approx> |i|"
   3.129 +    by (blast intro: Ord_cardinal_eqpoll eqpoll_sym)
   3.130 +  also have "... \<lesssim> j"
   3.131 +    by (blast intro: le_imp_lepoll i)
   3.132    finally show "i \<lesssim> j" .
   3.133  qed
   3.134  
   3.135 -lemma cardinal_mono: 
   3.136 +lemma cardinal_mono:
   3.137    assumes ij: "i \<le> j" shows "|i| \<le> |j|"
   3.138  proof (cases rule: Ord_linear_le [OF Ord_cardinal Ord_cardinal])
   3.139    assume "|i| \<le> |j|" thus ?thesis .
   3.140  next
   3.141    assume cj: "|j| \<le> |i|"
   3.142    have i: "Ord(i)" using ij
   3.143 -    by (simp add: lt_Ord) 
   3.144 -  have ci: "|i| \<le> j"  
   3.145 -    by (blast intro: Ord_cardinal_le ij le_trans i) 
   3.146 -  have "|i| = ||i||" 
   3.147 -    by (auto simp add: Ord_cardinal_idem i) 
   3.148 +    by (simp add: lt_Ord)
   3.149 +  have ci: "|i| \<le> j"
   3.150 +    by (blast intro: Ord_cardinal_le ij le_trans i)
   3.151 +  have "|i| = ||i||"
   3.152 +    by (auto simp add: Ord_cardinal_idem i)
   3.153    also have "... = |j|"
   3.154      by (rule cardinal_eq_lemma [OF cj ci])
   3.155    finally have "|i| = |j|" .
   3.156 @@ -482,11 +482,11 @@
   3.157    assume BA: "|B| \<le> |A|"
   3.158    from lepoll_well_ord [OF AB wB]
   3.159    obtain s where s: "well_ord(A, s)" by blast
   3.160 -  have "B  \<approx> |B|" by (blast intro: wB eqpoll_sym well_ord_cardinal_eqpoll) 
   3.161 +  have "B  \<approx> |B|" by (blast intro: wB eqpoll_sym well_ord_cardinal_eqpoll)
   3.162    also have "... \<lesssim> |A|" by (rule le_imp_lepoll [OF BA])
   3.163    also have "... \<approx> A" by (rule well_ord_cardinal_eqpoll [OF s])
   3.164    finally have "B \<lesssim> A" .
   3.165 -  hence "A \<approx> B" by (blast intro: eqpollI AB) 
   3.166 +  hence "A \<approx> B" by (blast intro: eqpollI AB)
   3.167    hence "|A| = |B|" by (rule cardinal_cong)
   3.168    thus ?thesis by simp
   3.169  qed
   3.170 @@ -556,7 +556,7 @@
   3.171      qed
   3.172  qed
   3.173  
   3.174 -lemma nat_eqpoll_iff: "[| m \<in> nat; n: nat |] ==> m \<approx> n \<longleftrightarrow> m = n"
   3.175 +lemma nat_eqpoll_iff: "[| m \<in> nat; n \<in> nat |] ==> m \<approx> n \<longleftrightarrow> m = n"
   3.176  apply (rule iffI)
   3.177  apply (blast intro: nat_lepoll_imp_le le_anti_sym elim!: eqpollE)
   3.178  apply (simp add: eqpoll_refl)
   3.179 @@ -564,7 +564,7 @@
   3.180  
   3.181  (*The object of all this work: every natural number is a (finite) cardinal*)
   3.182  lemma nat_into_Card:
   3.183 -    "n: nat ==> Card(n)"
   3.184 +    "n \<in> nat ==> Card(n)"
   3.185  apply (unfold Card_def cardinal_def)
   3.186  apply (subst Least_equality)
   3.187  apply (rule eqpoll_refl)
   3.188 @@ -601,13 +601,13 @@
   3.189    assumes A: "A \<lesssim> m" and m: "m \<in> nat"
   3.190    shows "A \<prec> succ(m)"
   3.191  proof -
   3.192 -  { assume "A \<approx> succ(m)" 
   3.193 +  { assume "A \<approx> succ(m)"
   3.194      hence "succ(m) \<approx> A" by (rule eqpoll_sym)
   3.195      also have "... \<lesssim> m" by (rule A)
   3.196      finally have "succ(m) \<lesssim> m" .
   3.197      hence False by (rule succ_lepoll_natE) (rule m) }
   3.198    moreover have "A \<lesssim> succ(m)" by (blast intro: lepoll_trans A lepoll_succ)
   3.199 -  ultimately show ?thesis by (auto simp add: lesspoll_def) 
   3.200 +  ultimately show ?thesis by (auto simp add: lesspoll_def)
   3.201  qed
   3.202  
   3.203  lemma lesspoll_succ_imp_lepoll:
   3.204 @@ -642,7 +642,7 @@
   3.205  proof -
   3.206    { assume i: "i \<lesssim> n"
   3.207      have "succ(n) \<lesssim> i" using n
   3.208 -      by (elim ltE, blast intro: Ord_succ_subsetI [THEN subset_imp_lepoll]) 
   3.209 +      by (elim ltE, blast intro: Ord_succ_subsetI [THEN subset_imp_lepoll])
   3.210      also have "... \<lesssim> n" by (rule i)
   3.211      finally have "succ(n) \<lesssim> n" .
   3.212      hence False  by (rule succ_lepoll_natE) (rule n) }
   3.213 @@ -657,13 +657,13 @@
   3.214  next
   3.215    assume "i < n"
   3.216    hence  "i \<in> nat" by (rule lt_nat_in_nat) (rule n)
   3.217 -  thus ?thesis by (simp add: nat_eqpoll_iff n) 
   3.218 +  thus ?thesis by (simp add: nat_eqpoll_iff n)
   3.219  next
   3.220    assume "i = n"
   3.221 -  thus ?thesis by (simp add: eqpoll_refl) 
   3.222 +  thus ?thesis by (simp add: eqpoll_refl)
   3.223  next
   3.224    assume "n < i"
   3.225 -  hence  "~ i \<lesssim> n" using n  by (rule lt_not_lepoll) 
   3.226 +  hence  "~ i \<lesssim> n" using n  by (rule lt_not_lepoll)
   3.227    hence  "~ i \<approx> n" using n  by (blast intro: eqpoll_imp_lepoll)
   3.228    moreover have "i \<noteq> n" using `n<i` by auto
   3.229    ultimately show ?thesis by blast
   3.230 @@ -672,15 +672,15 @@
   3.231  lemma Card_nat: "Card(nat)"
   3.232  proof -
   3.233    { fix i
   3.234 -    assume i: "i < nat" "i \<approx> nat" 
   3.235 -    hence "~ nat \<lesssim> i" 
   3.236 -      by (simp add: lt_def lt_not_lepoll) 
   3.237 -    hence False using i 
   3.238 +    assume i: "i < nat" "i \<approx> nat"
   3.239 +    hence "~ nat \<lesssim> i"
   3.240 +      by (simp add: lt_def lt_not_lepoll)
   3.241 +    hence False using i
   3.242        by (simp add: eqpoll_iff)
   3.243    }
   3.244 -  hence "(\<mu> i. i \<approx> nat) = nat" by (blast intro: Least_equality eqpoll_refl) 
   3.245 +  hence "(\<mu> i. i \<approx> nat) = nat" by (blast intro: Least_equality eqpoll_refl)
   3.246    thus ?thesis
   3.247 -    by (auto simp add: Card_def cardinal_def) 
   3.248 +    by (auto simp add: Card_def cardinal_def)
   3.249  qed
   3.250  
   3.251  (*Allows showing that |i| is a limit cardinal*)
   3.252 @@ -701,7 +701,7 @@
   3.253      "[| A \<lesssim> B;  b \<notin> B |] ==> cons(a,A) \<lesssim> cons(b,B)"
   3.254  apply (unfold lepoll_def, safe)
   3.255  apply (rule_tac x = "\<lambda>y\<in>cons (a,A) . if y=a then b else f`y" in exI)
   3.256 -apply (rule_tac d = "%z. if z:B then converse (f) `z else a" in lam_injective)
   3.257 +apply (rule_tac d = "%z. if z \<in> B then converse (f) `z else a" in lam_injective)
   3.258  apply (safe elim!: consE')
   3.259     apply simp_all
   3.260  apply (blast intro: inj_is_fun [THEN apply_type])+
   3.261 @@ -756,11 +756,11 @@
   3.262  done
   3.263  
   3.264  lemma inj_disjoint_eqpoll:
   3.265 -    "[| f: inj(A,B);  A \<inter> B = 0 |] ==> A \<union> (B - range(f)) \<approx> B"
   3.266 +    "[| f \<in> inj(A,B);  A \<inter> B = 0 |] ==> A \<union> (B - range(f)) \<approx> B"
   3.267  apply (unfold eqpoll_def)
   3.268  apply (rule exI)
   3.269 -apply (rule_tac c = "%x. if x:A then f`x else x"
   3.270 -            and d = "%y. if y: range (f) then converse (f) `y else y"
   3.271 +apply (rule_tac c = "%x. if x \<in> A then f`x else x"
   3.272 +            and d = "%y. if y \<in> range (f) then converse (f) `y else y"
   3.273         in lam_bijective)
   3.274  apply (blast intro!: if_type inj_is_fun [THEN apply_type])
   3.275  apply (simp (no_asm_simp) add: inj_converse_fun [THEN apply_funtype])
   3.276 @@ -774,7 +774,7 @@
   3.277  
   3.278  (*New proofs using cons_lepoll_cons. Could generalise from succ to cons.*)
   3.279  
   3.280 -text{*If @{term A} has at most @{term"n+1"} elements and @{term"a \<in> A"} 
   3.281 +text{*If @{term A} has at most @{term"n+1"} elements and @{term"a \<in> A"}
   3.282        then @{term"A-{a}"} has at most @{term n}.*}
   3.283  lemma Diff_sing_lepoll:
   3.284        "[| a \<in> A;  A \<lesssim> succ(n) |] ==> A - {a} \<lesssim> n"
   3.285 @@ -790,11 +790,11 @@
   3.286  proof -
   3.287    have "cons(n,n) \<lesssim> A" using A
   3.288      by (unfold succ_def)
   3.289 -  also have "... \<lesssim> cons(a, A-{a})" 
   3.290 +  also have "... \<lesssim> cons(a, A-{a})"
   3.291      by (blast intro: subset_imp_lepoll)
   3.292    finally have "cons(n,n) \<lesssim> cons(a, A-{a})" .
   3.293    thus ?thesis
   3.294 -    by (blast intro: cons_lepoll_consD mem_irrefl) 
   3.295 +    by (blast intro: cons_lepoll_consD mem_irrefl)
   3.296  qed
   3.297  
   3.298  lemma Diff_sing_eqpoll: "[| a \<in> A; A \<approx> succ(n) |] ==> A - {a} \<approx> n"
   3.299 @@ -855,8 +855,8 @@
   3.300  lemma lepoll_Finite:
   3.301    assumes Y: "Y \<lesssim> X" and X: "Finite(X)" shows "Finite(Y)"
   3.302  proof -
   3.303 -  obtain n where n: "n \<in> nat" "X \<approx> n" using X 
   3.304 -    by (auto simp add: Finite_def) 
   3.305 +  obtain n where n: "n \<in> nat" "X \<approx> n" using X
   3.306 +    by (auto simp add: Finite_def)
   3.307    have "Y \<lesssim> X"         by (rule Y)
   3.308    also have "... \<approx> n"  by (rule n)
   3.309    finally have "Y \<lesssim> n" .
   3.310 @@ -872,7 +872,7 @@
   3.311  
   3.312  lemma Finite_cons: "Finite(x) ==> Finite(cons(y,x))"
   3.313  apply (unfold Finite_def)
   3.314 -apply (case_tac "y:x")
   3.315 +apply (case_tac "y \<in> x")
   3.316  apply (simp add: cons_absorb)
   3.317  apply (erule bexE)
   3.318  apply (rule bexI)
   3.319 @@ -936,10 +936,10 @@
   3.320  apply (blast intro: eqpoll_trans eqpoll_sym)
   3.321  done
   3.322  
   3.323 -lemma Fin_lemma [rule_format]: "n: nat ==> \<forall>A. A \<approx> n \<longrightarrow> A \<in> Fin(A)"
   3.324 +lemma Fin_lemma [rule_format]: "n \<in> nat ==> \<forall>A. A \<approx> n \<longrightarrow> A \<in> Fin(A)"
   3.325  apply (induct_tac n)
   3.326  apply (simp add: eqpoll_0_iff, clarify)
   3.327 -apply (subgoal_tac "\<exists>u. u:A")
   3.328 +apply (subgoal_tac "\<exists>u. u \<in> A")
   3.329  apply (erule exE)
   3.330  apply (rule Diff_sing_eqpoll [elim_format])
   3.331  prefer 2 apply assumption
   3.332 @@ -1004,7 +1004,7 @@
   3.333     [| ~Finite(A); Finite(B) |] ==> ~Finite(A-B) *)
   3.334  lemma Diff_Finite [rule_format]: "Finite(B) ==> Finite(A-B) \<longrightarrow> Finite(A)"
   3.335  apply (erule Finite_induct, auto)
   3.336 -apply (case_tac "x:A")
   3.337 +apply (case_tac "x \<in> A")
   3.338   apply (subgoal_tac [2] "A-cons (x, B) = A - B")
   3.339  apply (subgoal_tac "A - cons (x, B) = (A - B) - {x}", simp)
   3.340  apply (drule Diff_sing_Finite, auto)
   3.341 @@ -1060,8 +1060,8 @@
   3.342  apply (blast intro: wf_onI)
   3.343  apply (rule wf_onI)
   3.344  apply (simp add: wf_on_def wf_def)
   3.345 -apply (case_tac "x:Z")
   3.346 - txt{*x:Z case*}
   3.347 +apply (case_tac "x \<in> Z")
   3.348 + txt{*true case*}
   3.349   apply (drule_tac x = x in bspec, assumption)
   3.350   apply (blast elim: mem_irrefl mem_asym)
   3.351  txt{*other case*}
   3.352 @@ -1085,15 +1085,15 @@
   3.353  done
   3.354  
   3.355  lemma ordertype_eq_n:
   3.356 -  assumes r: "well_ord(A,r)" and A: "A \<approx> n" and n: "n \<in> nat" 
   3.357 +  assumes r: "well_ord(A,r)" and A: "A \<approx> n" and n: "n \<in> nat"
   3.358    shows "ordertype(A,r) = n"
   3.359  proof -
   3.360 -  have "ordertype(A,r) \<approx> A" 
   3.361 -    by (blast intro: bij_imp_eqpoll bij_converse_bij ordermap_bij r) 
   3.362 +  have "ordertype(A,r) \<approx> A"
   3.363 +    by (blast intro: bij_imp_eqpoll bij_converse_bij ordermap_bij r)
   3.364    also have "... \<approx> n" by (rule A)
   3.365    finally have "ordertype(A,r) \<approx> n" .
   3.366    thus ?thesis
   3.367 -    by (simp add: Ord_nat_eqpoll_iff Ord_ordertype n r) 
   3.368 +    by (simp add: Ord_nat_eqpoll_iff Ord_ordertype n r)
   3.369  qed
   3.370  
   3.371  lemma Finite_well_ord_converse:
   3.372 @@ -1112,15 +1112,15 @@
   3.373  proof -
   3.374    { fix n
   3.375      assume n: "n \<in> nat" "nat \<approx> n"
   3.376 -    have "n \<in> nat"    by (rule n) 
   3.377 +    have "n \<in> nat"    by (rule n)
   3.378      also have "... = n" using n
   3.379 -      by (simp add: Ord_nat_eqpoll_iff Ord_nat) 
   3.380 +      by (simp add: Ord_nat_eqpoll_iff Ord_nat)
   3.381      finally have "n \<in> n" .
   3.382 -    hence False 
   3.383 -      by (blast elim: mem_irrefl) 
   3.384 +    hence False
   3.385 +      by (blast elim: mem_irrefl)
   3.386    }
   3.387    thus ?thesis
   3.388 -    by (auto simp add: Finite_def) 
   3.389 +    by (auto simp add: Finite_def)
   3.390  qed
   3.391  
   3.392  end
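Review bot: In the hunk at -1060,8 the proof comment `txt{*x:Z case*}` becomes `txt{*true case*}`, which no longer names the condition being split on and reads oddly next to the following `txt{*other case*}`; `txt{*case @{term"x \<in> Z"}*}` would keep that information in the new notation. The enclosing lemma starts and ends outside the hunk. Separately, this section also strips trailing whitespace on many lines (for example the hunks at -128,10 and -413,45), which the commit message does not mention; putting that in its own whitespace-only changeset would keep the notation change easier to audit.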
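--- a/src/ZF/CardinalArith.thy
+++ b/src/ZF/CardinalArith.thy
@@ -31,7 +31,7 @@
     --{*This def is more complex than Kunen's but it more easily proved to
         be a cardinal*}
     "jump_cardinal(K) ==
-         \<Union>X\<in>Pow(K). {z. r: Pow(K*K), well_ord(X,r) & z = ordertype(X,r)}"
+         \<Union>X\<in>Pow(K). {z. r \<in> Pow(K*K), well_ord(X,r) & z = ordertype(X,r)}"
 
 definition
   csucc         :: "i=>i"  where
@@ -48,10 +48,10 @@
   cmult  (infixl "\<otimes>" 70)
 
 
-lemma Card_Union [simp,intro,TC]: 
+lemma Card_Union [simp,intro,TC]:
   assumes A: "\<And>x. x\<in>A \<Longrightarrow> Card(x)" shows "Card(\<Union>(A))"
 proof (rule CardI)
-  show "Ord(\<Union>A)" using A 
+  show "Ord(\<Union>A)" using A
     by (simp add: Card_is_Ord)
 next
   fix j
@@ -60,24 +60,24 @@
     by (auto simp add: lt_def intro: Card_is_Ord)
   then obtain c where c: "c\<in>A" "j < c" "Card(c)"
     by blast
-  hence jls: "j \<prec> c" 
-    by (simp add: lt_Card_imp_lesspoll) 
+  hence jls: "j \<prec> c"
+    by (simp add: lt_Card_imp_lesspoll)
   { assume eqp: "j \<approx> \<Union>A"
     have  "c \<lesssim> \<Union>A" using c
       by (blast intro: subset_imp_lepoll)
     also have "... \<approx> j"  by (rule eqpoll_sym [OF eqp])
     also have "... \<prec> c"  by (rule jls)
     finally have "c \<prec> c" .
-    hence False 
+    hence False
       by auto
   } thus "\<not> j \<approx> \<Union>A" by blast
 qed
 
-lemma Card_UN: "(!!x. x:A ==> Card(K(x))) ==> Card(\<Union>x\<in>A. K(x))"
+lemma Card_UN: "(!!x. x \<in> A ==> Card(K(x))) ==> Card(\<Union>x\<in>A. K(x))"
   by blast
 
 lemma Card_OUN [simp,intro,TC]:
-     "(!!x. x:A ==> Card(K(x))) ==> Card(\<Union>x<A. K(x))"
+     "(!!x. x \<in> A ==> Card(K(x))) ==> Card(\<Union>x<A. K(x))"
   by (auto simp add: OUnion_def Card_0)
 
 lemma in_Card_imp_lesspoll: "[| Card(K); b \<in> K |] ==> b \<prec> K"
@@ -99,7 +99,7 @@
 lemma sum_commute_eqpoll: "A+B \<approx> B+A"
 proof (unfold eqpoll_def, rule exI)
   show "(\<lambda>z\<in>A+B. case(Inr,Inl,z)) \<in> bij(A+B, B+A)"
-    by (auto intro: lam_bijective [where d = "case(Inr,Inl)"]) 
+    by (auto intro: lam_bijective [where d = "case(Inr,Inl)"])
 qed
 
 lemma cadd_commute: "i \<oplus> j = j \<oplus> i"
@@ -121,11 +121,11 @@
   shows "(i \<oplus> j) \<oplus> k = i \<oplus> (j \<oplus> k)"
 proof (unfold cadd_def, rule cardinal_cong)
   have "|i + j| + k \<approx> (i + j) + k"
-    by (blast intro: sum_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_radd i j) 
+    by (blast intro: sum_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_radd i j)
   also have "...  \<approx> i + (j + k)"
-    by (rule sum_assoc_eqpoll) 
+    by (rule sum_assoc_eqpoll)
   also have "...  \<approx> i + |j + k|"
-    by (blast intro: sum_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_radd j k eqpoll_sym) 
+    by (blast intro: sum_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_radd j k eqpoll_sym)
   finally show "|i + j| + k \<approx> i + |j + k|" .
 qed
 
@@ -148,7 +148,7 @@
 lemma sum_lepoll_self: "A \<lesssim> A+B"
 proof (unfold lepoll_def, rule exI)
   show "(\<lambda>x\<in>A. Inl (x)) \<in> inj(A, A + B)"
-    by (simp add: inj_def) 
+    by (simp add: inj_def)
 qed
 
 (*Could probably weaken the premises to well_ord(K,r), or removing using AC*)
@@ -157,12 +157,12 @@
   assumes K: "Card(K)" and L: "Ord(L)" shows "K \<le> (K \<oplus> L)"
 proof (unfold cadd_def)
   have "K \<le> |K|"
-    by (rule Card_cardinal_le [OF K]) 
+    by (rule Card_cardinal_le [OF K])
   moreover have "|K| \<le> |K + L|" using K L
     by (blast intro: well_ord_lepoll_imp_Card_le sum_lepoll_self
-                     well_ord_radd well_ord_Memrel Card_is_Ord) 
-  ultimately show "K \<le> |K + L|" 
-    by (blast intro: le_trans) 
+                     well_ord_radd well_ord_Memrel Card_is_Ord)
+  ultimately show "K \<le> |K + L|"
+    by (blast intro: le_trans)
 qed
 
 subsubsection{*Monotonicity of addition*}
@@ -197,7 +197,7 @@
 apply (blast dest: sym [THEN eq_imp_not_mem] elim: mem_irrefl)+
 done
 
-(*Pulling the  succ(...)  outside the |...| requires m, n: nat  *)
+(*Pulling the  succ(...)  outside the |...| requires m, n \<in> nat  *)
 (*Unconditional version requires AC*)
 lemma cadd_succ_lemma:
   assumes "Ord(m)" "Ord(n)" shows "succ(m) \<oplus> n = |succ(m \<oplus> n)|"
@@ -206,14 +206,14 @@
     by (blast intro: eqpoll_sym well_ord_cardinal_eqpoll well_ord_radd well_ord_Memrel)
 
   have "|succ(m) + n| = |succ(m + n)|"
-    by (rule sum_succ_eqpoll [THEN cardinal_cong]) 
-  also have "... = |succ(|m + n|)|" 
+    by (rule sum_succ_eqpoll [THEN cardinal_cong])
+  also have "... = |succ(|m + n|)|"
     by (blast intro: succ_eqpoll_cong cardinal_cong)
   finally show "|succ(m) + n| = |succ(|m + n|)|" .
 qed
 
 lemma nat_cadd_eq_add:
-  assumes m: "m: nat" and [simp]: "n: nat" shows"m \<oplus> n = m #+ n"
+  assumes m: "m \<in> nat" and [simp]: "n \<in> nat" shows"m \<oplus> n = m #+ n"
 using m
 proof (induct m)
   case 0 thus ?case by (simp add: nat_into_Card cadd_0)
@@ -252,11 +252,11 @@
   shows "(i \<otimes> j) \<otimes> k = i \<otimes> (j \<otimes> k)"
 proof (unfold cmult_def, rule cardinal_cong)
   have "|i * j| * k \<approx> (i * j) * k"
-    by (blast intro: prod_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_rmult i j) 
+    by (blast intro: prod_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_rmult i j)
   also have "...  \<approx> i * (j * k)"
-    by (rule prod_assoc_eqpoll) 
+    by (rule prod_assoc_eqpoll)
   also have "...  \<approx> i * |j * k|"
-    by (blast intro: prod_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_rmult j k eqpoll_sym) 
+    by (blast intro: prod_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_rmult j k eqpoll_sym)
   finally show "|i * j| * k \<approx> i * |j * k|" .
 qed
 
@@ -273,11 +273,11 @@
   shows "(i \<oplus> j) \<otimes> k = (i \<otimes> k) \<oplus> (j \<otimes> k)"
 proof (unfold cadd_def cmult_def, rule cardinal_cong)
   have "|i + j| * k \<approx> (i + j) * k"
-    by (blast intro: prod_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_radd i j) 
+    by (blast intro: prod_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_refl well_ord_radd i j)
   also have "...  \<approx> i * k + j * k"
-    by (rule sum_prod_distrib_eqpoll) 
+    by (rule sum_prod_distrib_eqpoll)
   also have "...  \<approx> |i * k| + |j * k|"
-    by (blast intro: sum_eqpoll_cong well_ord_cardinal_eqpoll well_ord_rmult i j k eqpoll_sym) 
+    by (blast intro: sum_eqpoll_cong well_ord_cardinal_eqpoll well_ord_rmult i j k eqpoll_sym)
   finally show "|i + j| * k \<approx> |i * k| + |j * k|" .
 qed
 
@@ -324,7 +324,7 @@
 
 subsubsection{*Multiplication by a non-zero cardinal*}
 
-lemma prod_lepoll_self: "b: B ==> A \<lesssim> A*B"
+lemma prod_lepoll_self: "b \<in> B ==> A \<lesssim> A*B"
 apply (unfold lepoll_def inj_def)
 apply (rule_tac x = "\<lambda>x\<in>A. <x,b>" in exI, simp)
 done
@@ -381,7 +381,7 @@
 apply (blast intro: well_ord_rmult well_ord_Memrel)
 done
 
-lemma nat_cmult_eq_mult: "[| m: nat;  n: nat |] ==> m \<otimes> n = m#*n"
+lemma nat_cmult_eq_mult: "[| m \<in> nat;  n \<in> nat |] ==> m \<otimes> n = m#*n"
 apply (induct_tac m)
 apply (simp_all add: cmult_succ_lemma nat_cadd_eq_add)
 done
@@ -389,13 +389,13 @@
 lemma cmult_2: "Card(n) ==> 2 \<otimes> n = n \<oplus> n"
 by (simp add: cmult_succ_lemma Card_is_Ord cadd_commute [of _ 0])
 
-lemma sum_lepoll_prod: 
+lemma sum_lepoll_prod:
   assumes C: "2 \<lesssim> C" shows "B+B \<lesssim> C*B"
 proof -
   have "B+B \<lesssim> 2*B"
-    by (simp add: sum_eq_2_times) 
+    by (simp add: sum_eq_2_times)
   also have "... \<lesssim> C*B"
-    by (blast intro: prod_lepoll_mono lepoll_refl C) 
+    by (blast intro: prod_lepoll_mono lepoll_refl C)
   finally show "B+B \<lesssim> C*B" .
 qed
 
@@ -407,18 +407,18 @@
 
 (*This proof is modelled upon one assuming nat<=A, with injection
   \<lambda>z\<in>cons(u,A). if z=u then 0 else if z \<in> nat then succ(z) else z
-  and inverse %y. if y:nat then nat_case(u, %z. z, y) else y.  \
-  If f: inj(nat,A) then range(f) behaves like the natural numbers.*)
+  and inverse %y. if y \<in> nat then nat_case(u, %z. z, y) else y.  \
+  If f \<in> inj(nat,A) then range(f) behaves like the natural numbers.*)
 lemma nat_cons_lepoll: "nat \<lesssim> A ==> cons(u,A) \<lesssim> A"
 apply (unfold lepoll_def)
 apply (erule exE)
 apply (rule_tac x =
           "\<lambda>z\<in>cons (u,A).
              if z=u then f`0
-             else if z: range (f) then f`succ (converse (f) `z) else z"
+             else if z \<in> range (f) then f`succ (converse (f) `z) else z"
        in exI)
 apply (rule_tac d =
-          "%y. if y: range(f) then nat_case (u, %z. f`z, converse(f) `y)
+          "%y. if y \<in> range(f) then nat_case (u, %z. f`z, converse(f) `y)
                               else y"
        in lam_injective)
 apply (fast intro!: if_type apply_type intro: inj_is_fun inj_converse_fun)
@@ -475,7 +475,7 @@
 
 (*A general fact about ordermap*)
 lemma ordermap_eqpoll_pred:
-    "[| well_ord(A,r);  x:A |] ==> ordermap(A,r)`x \<approx> Order.pred(A,x,r)"
+    "[| well_ord(A,r);  x \<in> A |] ==> ordermap(A,r)`x \<approx> Order.pred(A,x,r)"
 apply (unfold eqpoll_def)
 apply (rule exI)
 apply (simp add: ordermap_eq_image well_ord_is_wf)
@@ -486,7 +486,7 @@
 
 subsubsection{*Establishing the well-ordering*}
 
-lemma well_ord_csquare: 
+lemma well_ord_csquare:
   assumes K: "Ord(K)" shows "well_ord(K*K, csquare_rel(K))"
 proof (unfold csquare_rel_def, rule well_ord_rvimage)
   show "(\<lambda>\<langle>x,y\<rangle>\<in>K \<times> K. \<langle>x \<union> y, x, y\<rangle>) \<in> inj(K \<times> K, K \<times> K \<times> K)" using K
@@ -553,23 +553,23 @@
 
 text{*Kunen: "each @{term"\<langle>x,y\<rangle> \<in> K \<times> K"} has no more than @{term"z \<times> z"} predecessors..." (page 29) *}
 lemma ordermap_csquare_le:
-  assumes K: "Limit(K)" and x: "x<K" and y: " y<K" 
+  assumes K: "Limit(K)" and x: "x<K" and y: " y<K"
   defines "z \<equiv> succ(x \<union> y)"
   shows "|ordermap(K \<times> K, csquare_rel(K)) ` \<langle>x,y\<rangle>| \<le> |succ(z)| \<otimes> |succ(z)|"
 proof (unfold cmult_def, rule well_ord_lepoll_imp_Card_le)
-  show "well_ord(|succ(z)| \<times> |succ(z)|, 
+  show "well_ord(|succ(z)| \<times> |succ(z)|,
                  rmult(|succ(z)|, Memrel(|succ(z)|), |succ(z)|, Memrel(|succ(z)|)))"
-    by (blast intro: Ord_cardinal well_ord_Memrel well_ord_rmult) 
+    by (blast intro: Ord_cardinal well_ord_Memrel well_ord_rmult)
 next
   have zK: "z<K" using x y K z_def
     by (blast intro: Un_least_lt Limit_has_succ)
-  hence oz: "Ord(z)" by (elim ltE) 
+  hence oz: "Ord(z)" by (elim ltE)
   have "ordermap(K \<times> K, csquare_rel(K)) ` \<langle>x,y\<rangle> \<lesssim> ordermap(K \<times> K, csquare_rel(K)) ` \<langle>z,z\<rangle>"
     using z_def
-    by (blast intro: ordermap_z_lt leI le_imp_lepoll K x y) 
+    by (blast intro: ordermap_z_lt leI le_imp_lepoll K x y)
   also have "... \<approx>  Order.pred(K \<times> K, \<langle>z,z\<rangle>, csquare_rel(K))"
     proof (rule ordermap_eqpoll_pred)
-      show "well_ord(K \<times> K, csquare_rel(K))" using K 
+      show "well_ord(K \<times> K, csquare_rel(K))" using K
         by (rule Limit_is_Ord [THEN well_ord_csquare])
     next
       show "\<langle>z, z\<rangle> \<in> K \<times> K" using zK
@@ -578,7 +578,7 @@
   also have "...  \<lesssim> succ(z) \<times> succ(z)" using zK
     by (rule pred_csquare_subset [THEN subset_imp_lepoll])
   also have "... \<approx> |succ(z)| \<times> |succ(z)|" using oz
-    by (blast intro: prod_eqpoll_cong Ord_succ Ord_cardinal_eqpoll eqpoll_sym) 
+    by (blast intro: prod_eqpoll_cong Ord_succ Ord_cardinal_eqpoll eqpoll_sym)
   finally show "ordermap(K \<times> K, csquare_rel(K)) ` \<langle>x,y\<rangle> \<lesssim> |succ(z)| \<times> |succ(z)|" .
 qed
 
@@ -587,8 +587,8 @@
   assumes IK: "InfCard(K)" and eq: "\<And>y. y\<in>K \<Longrightarrow> InfCard(y) \<Longrightarrow> y \<otimes> y = y"
   shows "ordertype(K*K, csquare_rel(K)) \<le> K"
 proof -
-  have  CK: "Card(K)" using IK by (rule InfCard_is_Card) 
-  hence OK: "Ord(K)"  by (rule Card_is_Ord) 
+  have  CK: "Card(K)" using IK by (rule InfCard_is_Card)
+  hence OK: "Ord(K)"  by (rule Card_is_Ord)
   moreover have "Ord(ordertype(K \<times> K, csquare_rel(K)))" using OK
     by (rule well_ord_csquare [THEN Ord_ordertype])
   ultimately show ?thesis
@@ -596,18 +596,18 @@
     fix i
     assume i: "i < ordertype(K \<times> K, csquare_rel(K))"
     hence Oi: "Ord(i)" by (elim ltE)
-    obtain x y where x: "x \<in> K" and y: "y \<in> K" 
+    obtain x y where x: "x \<in> K" and y: "y \<in> K"
                  and ieq: "i = ordermap(K \<times> K, csquare_rel(K)) ` \<langle>x,y\<rangle>"
       using i by (auto simp add: ordertype_unfold elim: ltE)
-    hence xy: "Ord(x)" "Ord(y)" "x < K" "y < K" using OK 
+    hence xy: "Ord(x)" "Ord(y)" "x < K" "y < K" using OK
       by (blast intro: Ord_in_Ord ltI)+
     hence ou: "Ord(x \<union> y)"
-      by (simp add: Ord_Un) 
+      by (simp add: Ord_Un)
     show "i < K"
       proof (rule Card_lt_imp_lt [OF _ Oi CK])
         have "|i| \<le> |succ(succ(x \<union> y))| \<otimes> |succ(succ(x \<union> y))|" using IK xy
           by (auto simp add: ieq intro: InfCard_is_Limit [THEN ordermap_csquare_le])
-        moreover have "|succ(succ(x \<union> y))| \<otimes> |succ(succ(x \<union> y))| < K" 
+        moreover have "|succ(succ(x \<union> y))| \<otimes> |succ(succ(x \<union> y))| < K"
           proof (cases rule: Ord_linear2 [OF ou Ord_nat])
             assume "x \<union> y < nat"
             hence "|succ(succ(x \<union> y))| \<otimes> |succ(succ(x \<union> y))| \<in> nat"
@@ -615,46 +615,46 @@
                          nat_into_Card [THEN Card_cardinal_eq]  Ord_nat)
             also have "... \<subseteq> K" using IK
               by (simp add: InfCard_def le_imp_subset)
-            finally show "|succ(succ(x \<union> y))| \<otimes> |succ(succ(x \<union> y))| < K" 
-              by (simp add: ltI OK) 
+            finally show "|succ(succ(x \<union> y))| \<otimes> |succ(succ(x \<union> y))| < K"
+              by (simp add: ltI OK)
           next
             assume natxy: "nat \<le> x \<union> y"
-            hence seq: "|succ(succ(x \<union> y))| = |x \<union> y|" using xy 
+            hence seq: "|succ(succ(x \<union> y))| = |x \<union> y|" using xy
               by (simp add: le_imp_subset nat_succ_eqpoll [THEN cardinal_cong] le_succ_iff)
-            also have "... < K" using xy  
+            also have "... < K" using xy
               by (simp add: Un_least_lt Ord_cardinal_le [THEN lt_trans1])
             finally have "|succ(succ(x \<union> y))| < K" .
             moreover have "InfCard(|succ(succ(x \<union> y))|)" using xy natxy
               by (simp add: seq InfCard_def Card_cardinal nat_le_cardinal)
-            ultimately show ?thesis  by (simp add: eq ltD) 
+            ultimately show ?thesis  by (simp add: eq ltD)
           qed
-        ultimately show "|i| < K" by (blast intro: lt_trans1) 
+        ultimately show "|i| < K" by (blast intro: lt_trans1)
     qed
   qed
 qed
 
 (*Main result: Kunen's Theorem 10.12*)
-lemma InfCard_csquare_eq: 
+lemma InfCard_csquare_eq:
   assumes IK: "InfCard(K)" shows "InfCard(K) ==> K \<otimes> K = K"
 proof -
-  have  OK: "Ord(K)" using IK by (simp add: Card_is_Ord InfCard_is_Card) 
+  have  OK: "Ord(K)" using IK by (simp add: Card_is_Ord InfCard_is_Card)
   show "InfCard(K) ==> K \<otimes> K = K" using OK
   proof (induct rule: trans_induct)
     case (step i)
     show "i \<otimes> i = i"
     proof (rule le_anti_sym)
-      have "|i \<times> i| = |ordertype(i \<times> i, csquare_rel(i))|" 
-        by (rule cardinal_cong, 
+      have "|i \<times> i| = |ordertype(i \<times> i, csquare_rel(i))|"
+        by (rule cardinal_cong,
           simp add: step.hyps well_ord_csquare [THEN ordermap_bij, THEN bij_imp_eqpoll])
-      hence "i \<otimes> i \<le> ordertype(i \<times> i, csquare_rel(i))" 
+      hence "i \<otimes> i \<le> ordertype(i \<times> i, csquare_rel(i))"
         by (simp add: step.hyps cmult_def Ord_cardinal_le well_ord_csquare [THEN Ord_ordertype])
       moreover
       have "ordertype(i \<times> i, csquare_rel(i)) \<le> i" using step
-        by (simp add: ordertype_csquare_le) 
+        by (simp add: ordertype_csquare_le)
       ultimately show "i \<otimes> i \<le> i" by (rule le_trans)
     next
       show "i \<le> i \<otimes> i" using step
-        by (blast intro: cmult_square_le InfCard_is_Card) 
+        by (blast intro: cmult_square_le InfCard_is_Card)
     qed
   qed
 qed
@@ -664,7 +664,7 @@
   assumes r: "well_ord(A,r)" and I: "InfCard(|A|)" shows "A \<times> A \<approx> A"
 proof -
   have "A \<times> A \<approx> |A| \<times> |A|"
-    by (blast intro: prod_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_sym r) 
+    by (blast intro: prod_eqpoll_cong well_ord_cardinal_eqpoll eqpoll_sym r)
   also have "... \<approx> A"
     proof (rule well_ord_cardinal_eqE [OF _ r])
       show "well_ord(|A| \<times> |A|, rmult(|A|, Memrel(|A|), |A|, Memrel(|A|)))"
@@ -672,7 +672,7 @@
     next
       show "||A| \<times> |A|| = |A|" using InfCard_csquare_eq I
         by (simp add: cmult_def)
-    qed    
+    qed
   finally show ?thesis .
 qed
 
@@ -842,21 +842,21 @@
   { fix X
     have "Finite(X) ==> a \<notin> X \<Longrightarrow> cons(a,X) \<lesssim> X \<Longrightarrow> False"
       proof (induct X rule: Finite_induct)
-        case 0 thus False  by (simp add: lepoll_0_iff) 
+        case 0 thus False  by (simp add: lepoll_0_iff)
       next
-        case (cons x Y) 
-        hence "cons(x, cons(a, Y)) \<lesssim> cons(x, Y)" by (simp add: cons_commute) 
+        case (cons x Y)
+        hence "cons(x, cons(a, Y)) \<lesssim> cons(x, Y)" by (simp add: cons_commute)
         hence "cons(a, Y) \<lesssim> Y" using cons        by (blast dest: cons_lepoll_consD)
         thus False using cons by auto
       qed
-  } 
+  }
   hence [simp]: "~ cons(a,A) \<lesssim> A" using a FA by auto
   have [simp]: "|A| \<approx> A" using Finite_imp_well_ord [OF FA]
     by (blast intro: well_ord_cardinal_eqpoll)
-  have "(\<mu> i. i \<approx> cons(a, A)) = succ(|A|)" 
+  have "(\<mu> i. i \<approx> cons(a, A)) = succ(|A|)"
     proof (rule Least_equality [OF _ _ notI])
-      show "succ(|A|) \<approx> cons(a, A)" 
-        by (simp add: succ_def cons_eqpoll_cong mem_not_refl a) 
+      show "succ(|A|) \<approx> cons(a, A)"
+        by (simp add: succ_def cons_eqpoll_cong mem_not_refl a)
     next
       show "Ord(succ(|A|))" by simp
     next
@@ -868,17 +868,17 @@
       finally have "cons(a, A) \<lesssim> A" .
       thus False by simp
     qed
-  thus ?thesis by (simp add: cardinal_def) 
+  thus ?thesis by (simp add: cardinal_def)
 qed
 
 lemma Finite_imp_succ_cardinal_Diff:
-     "[| Finite(A);  a:A |] ==> succ(|A-{a}|) = |A|"
+     "[| Finite(A);  a \<in> A |] ==> succ(|A-{a}|) = |A|"
 apply (rule_tac b = A in cons_Diff [THEN subst], assumption)
 apply (simp add: Finite_imp_cardinal_cons Diff_subset [THEN subset_Finite])
 apply (simp add: cons_Diff)
 done
 
-lemma Finite_imp_cardinal_Diff: "[| Finite(A);  a:A |] ==> |A-{a}| < |A|"
+lemma Finite_imp_cardinal_Diff: "[| Finite(A);  a \<in> A |] ==> |A-{a}| < |A|"
 apply (rule succ_leE)
 apply (simp add: Finite_imp_succ_cardinal_Diff)
 done
@@ -922,11 +922,11 @@
 
 lemmas nat_implies_well_ord = nat_into_Ord [THEN well_ord_Memrel]
 
-lemma nat_sum_eqpoll_sum: 
+lemma nat_sum_eqpoll_sum:
   assumes m: "m \<in> nat" and n: "n \<in> nat" shows "m + n \<approx> m #+ n"
 proof -
   have "m + n \<approx> |m+n|" using m n
-    by (blast intro: nat_implies_well_ord well_ord_radd well_ord_cardinal_eqpoll eqpoll_sym) 
+    by (blast intro: nat_implies_well_ord well_ord_radd well_ord_cardinal_eqpoll eqpoll_sym)
   also have "... = m #+ n" using m n
     by (simp add: nat_cadd_eq_add [symmetric] cadd_def)
   finally show ?thesis .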
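--- a/src/ZF/Constructible/Formula.thy
+++ b/src/ZF/Constructible/Formula.thy
@@ -13,10 +13,10 @@
 
 consts   formula :: i
 datatype
-  "formula" = Member ("x: nat", "y: nat")
-            | Equal  ("x: nat", "y: nat")
-            | Nand ("p: formula", "q: formula")
-            | Forall ("p: formula")
+  "formula" = Member ("x \<in> nat", "y \<in> nat")
+            | Equal  ("x \<in> nat", "y \<in> nat")
+            | Nand ("p \<in> formula", "q \<in> formula")
+            | Forall ("p \<in> formula")
 
 declare formula.intros [TC]
 
@@ -488,7 +488,7 @@
 DPow(B)"}.*}
 
 (*This may be true but the proof looks difficult, requiring relativization
-lemma DPow_insert: "DPow (cons(a,A)) = DPow(A) \<union> {cons(a,X) . X: DPow(A)}"
+lemma DPow_insert: "DPow (cons(a,A)) = DPow(A) \<union> {cons(a,X) . X \<in> DPow(A)}"
 apply (rule equalityI, safe)
 oops
 *)
@@ -656,7 +656,7 @@
 
 text{*This version lets us remove the premise @{term "Ord(i)"} sometimes.*}
 lemma Lset_mono_mem [rule_format]:
-     "\<forall>j. i:j \<longrightarrow> Lset(i) \<subseteq> Lset(j)"
+     "\<forall>j. i \<in> j \<longrightarrow> Lset(i) \<subseteq> Lset(j)"
 proof (induct i rule: eps_induct, intro allI impI)
   fix x j
   assume "\<forall>y\<in>x. \<forall>j. y \<in> j \<longrightarrow> Lset(y) \<subseteq> Lset(j)"
@@ -712,12 +712,12 @@
     "Limit(i) ==> Lset(i) = (\<Union>y\<in>i. Lset(y))"
 by (simp add: Lset_Union [symmetric] Limit_Union_eq)
 
-lemma lt_LsetI: "[| a: Lset(j);  j<i |] ==> a \<in> Lset(i)"
+lemma lt_LsetI: "[| a \<in> Lset(j);  j<i |] ==> a \<in> Lset(i)"
 by (blast dest: Lset_mono [OF le_imp_subset [OF leI]])
 
 lemma Limit_LsetE:
-    "[| a: Lset(i);  ~R ==> Limit(i);
-        !!x. [| x<i;  a: Lset(x) |] ==> R
+    "[| a \<in> Lset(i);  ~R ==> Limit(i);
+        !!x. [| x<i;  a \<in> Lset(x) |] ==> R
      |] ==> R"
 apply (rule classical)
 apply (rule Limit_Lset_eq [THEN equalityD1, THEN subsetD, THEN UN_E])
@@ -728,7 +728,7 @@
 
 subsubsection{* Basic closure properties *}
 
-lemma zero_in_Lset: "y:x ==> 0 \<in> Lset(x)"
+lemma zero_in_Lset: "y \<in> x ==> 0 \<in> Lset(x)"
 by (subst Lset, blast intro: empty_in_DPow)
 
 lemma notin_Lset: "x \<notin> Lset(x)"
@@ -792,15 +792,15 @@
 
 subsubsection{* Finite sets and ordered pairs *}
 
-lemma singleton_in_Lset: "a: Lset(i) ==> {a} \<in> Lset(succ(i))"
+lemma singleton_in_Lset: "a \<in> Lset(i) ==> {a} \<in> Lset(succ(i))"
 by (simp add: Lset_succ singleton_in_DPow)
 
 lemma doubleton_in_Lset:
-     "[| a: Lset(i);  b: Lset(i) |] ==> {a,b} \<in> Lset(succ(i))"
+     "[| a \<in> Lset(i);  b \<in> Lset(i) |] ==> {a,b} \<in> Lset(succ(i))"
 by (simp add: Lset_succ empty_in_DPow cons_in_DPow)
 
 lemma Pair_in_Lset:
-    "[| a: Lset(i);  b: Lset(i); Ord(i) |] ==> <a,b> \<in> Lset(succ(succ(i)))"
+    "[| a \<in> Lset(i);  b \<in> Lset(i); Ord(i) |] ==> <a,b> \<in> Lset(succ(succ(i)))"
 apply (unfold Pair_def)
 apply (blast intro: doubleton_in_Lset)
 done
@@ -808,9 +808,9 @@
 lemmas Lset_UnI1 = Un_upper1 [THEN Lset_mono [THEN subsetD]]
 lemmas Lset_UnI2 = Un_upper2 [THEN Lset_mono [THEN subsetD]]
 
-text{*Hard work is finding a single j:i such that {a,b}<=Lset(j)*}
+text{*Hard work is finding a single @{term"j \<in> i"} such that @{term"{a,b} \<subseteq> Lset(j)"}*}
 lemma doubleton_in_LLimit:
-    "[| a: Lset(i);  b: Lset(i);  Limit(i) |] ==> {a,b} \<in> Lset(i)"
+    "[| a \<in> Lset(i);  b \<in> Lset(i);  Limit(i) |] ==> {a,b} \<in> Lset(i)"
 apply (erule Limit_LsetE, assumption)
 apply (erule Limit_LsetE, assumption)
 apply (blast intro: lt_LsetI [OF doubleton_in_Lset]
@@ -824,7 +824,7 @@
 done
 
 lemma Pair_in_LLimit:
-    "[| a: Lset(i);  b: Lset(i);  Limit(i) |] ==> <a,b> \<in> Lset(i)"
+    "[| a \<in> Lset(i);  b \<in> Lset(i);  Limit(i) |] ==> <a,b> \<in> Lset(i)"
 txt{*Infer that a, b occur at ordinals x,xa < i.*}
 apply (erule Limit_LsetE, assumption)
 apply (erule Limit_LsetE, assumption)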
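--- a/src/ZF/Constructible/Relative.thy
+++ b/src/ZF/Constructible/Relative.thy
@@ -745,7 +745,7 @@
 (*The first premise can't simply be assumed as a schema.
   It is essential to take care when asserting instances of Replacement.
   Let K be a nonconstructible subset of nat and define
-  f(x) = x if x:K and f(x)=0 otherwise.  Then RepFun(nat,f) = cons(0,K), a
+  f(x) = x if x \<in> K and f(x)=0 otherwise.  Then RepFun(nat,f) = cons(0,K), a
   nonconstructible set.  So we cannot assume that M(X) implies M(RepFun(X,f))
   even for f \<in> M -> M.
 *)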
     7.1 --- a/src/ZF/Epsilon.thy	Thu Mar 15 15:54:22 2012 +0000
     7.2 +++ b/src/ZF/Epsilon.thy	Thu Mar 15 16:35:02 2012 +0000
     7.3 @@ -67,7 +67,7 @@
     7.4  lemmas arg_into_eclose_sing = arg_in_eclose_sing [THEN ecloseD]
     7.5  
     7.6  (* This is epsilon-induction for eclose(A); see also eclose_induct_down...
     7.7 -   [| a: eclose(A);  !!x. [| x: eclose(A); \<forall>y\<in>x. P(y) |] ==> P(x)
     7.8 +   [| a \<in> eclose(A);  !!x. [| x \<in> eclose(A); \<forall>y\<in>x. P(y) |] ==> P(x)
     7.9     |] ==> P(a)
    7.10  *)
    7.11  lemmas eclose_induct =
    7.12 @@ -85,7 +85,7 @@
    7.13  (** eclose(A) is the least transitive set including A as a subset. **)
    7.14  
    7.15  lemma eclose_least_lemma:
    7.16 -    "[| Transset(X);  A<=X;  n: nat |] ==> nat_rec(n, A, %m r. \<Union>(r)) \<subseteq> X"
    7.17 +    "[| Transset(X);  A<=X;  n \<in> nat |] ==> nat_rec(n, A, %m r. \<Union>(r)) \<subseteq> X"
    7.18  apply (unfold Transset_def)
    7.19  apply (erule nat_induct)
    7.20  apply (simp add: nat_rec_0)
    7.21 @@ -100,9 +100,9 @@
    7.22  
    7.23  (*COMPLETELY DIFFERENT induction principle from eclose_induct!!*)
    7.24  lemma eclose_induct_down [consumes 1]:
    7.25 -    "[| a: eclose(b);
    7.26 -        !!y.   [| y: b |] ==> P(y);
    7.27 -        !!y z. [| y: eclose(b);  P(y);  z: y |] ==> P(z)
    7.28 +    "[| a \<in> eclose(b);
    7.29 +        !!y.   [| y \<in> b |] ==> P(y);
    7.30 +        !!y z. [| y \<in> eclose(b);  P(y);  z \<in> y |] ==> P(z)
    7.31       |] ==> P(a)"
    7.32  apply (rule eclose_least [THEN subsetD, THEN CollectD2, of "eclose(b)"])
    7.33    prefer 3 apply assumption
    7.34 @@ -131,17 +131,17 @@
    7.35  subsection{*Epsilon Recursion*}
    7.36  
    7.37  (*Unused...*)
    7.38 -lemma mem_eclose_trans: "[| A: eclose(B);  B: eclose(C) |] ==> A: eclose(C)"
    7.39 +lemma mem_eclose_trans: "[| A \<in> eclose(B);  B \<in> eclose(C) |] ==> A \<in> eclose(C)"
    7.40  by (rule eclose_least [OF Transset_eclose eclose_subset, THEN subsetD],
    7.41      assumption+)
    7.42  
    7.43  (*Variant of the previous lemma in a useable form for the sequel*)
    7.44  lemma mem_eclose_sing_trans:
    7.45 -     "[| A: eclose({B});  B: eclose({C}) |] ==> A: eclose({C})"
    7.46 +     "[| A \<in> eclose({B});  B \<in> eclose({C}) |] ==> A \<in> eclose({C})"
    7.47  by (rule eclose_least [OF Transset_eclose singleton_subsetI, THEN subsetD],
    7.48      assumption+)
    7.49  
    7.50 -lemma under_Memrel: "[| Transset(i);  j:i |] ==> Memrel(i)-``{j} = j"
    7.51 +lemma under_Memrel: "[| Transset(i);  j \<in> i |] ==> Memrel(i)-``{j} = j"
    7.52  by (unfold Transset_def, blast)
    7.53  
    7.54  lemma lt_Memrel: "j < i ==> Memrel(i) -`` {j} = j"
    7.55 @@ -153,7 +153,7 @@
    7.56  lemmas wfrec_ssubst = wf_Memrel [THEN wfrec, THEN ssubst]
    7.57  
    7.58  lemma wfrec_eclose_eq:
    7.59 -    "[| k:eclose({j});  j:eclose({i}) |] ==>
    7.60 +    "[| k \<in> eclose({j});  j \<in> eclose({i}) |] ==>
    7.61       wfrec(Memrel(eclose({i})), k, H) = wfrec(Memrel(eclose({j})), k, H)"
    7.62  apply (erule eclose_induct)
    7.63  apply (rule wfrec_ssubst)
    7.64 @@ -162,7 +162,7 @@
    7.65  done
    7.66  
    7.67  lemma wfrec_eclose_eq2:
    7.68 -    "k: i ==> wfrec(Memrel(eclose({i})),k,H) = wfrec(Memrel(eclose({k})),k,H)"
    7.69 +    "k \<in> i ==> wfrec(Memrel(eclose({i})),k,H) = wfrec(Memrel(eclose({k})),k,H)"
    7.70  apply (rule arg_in_eclose_sing [THEN wfrec_eclose_eq])
    7.71  apply (erule arg_into_eclose_sing)
    7.72  done
    7.73 @@ -181,7 +181,7 @@
    7.74  done
    7.75  
    7.76  lemma transrec_type:
    7.77 -    "[| !!x u. [| x:eclose({a});  u: Pi(x,B) |] ==> H(x,u) \<in> B(x) |]
    7.78 +    "[| !!x u. [| x \<in> eclose({a});  u \<in> Pi(x,B) |] ==> H(x,u) \<in> B(x) |]
    7.79       ==> transrec(a,H) \<in> B(a)"
    7.80  apply (rule_tac i = a in arg_in_eclose_sing [THEN eclose_induct])
    7.81  apply (subst transrec)
    7.82 @@ -205,9 +205,9 @@
    7.83  done
    7.84  
    7.85  lemma Ord_transrec_type:
    7.86 -  assumes jini: "j: i"
    7.87 +  assumes jini: "j \<in> i"
    7.88        and ordi: "Ord(i)"
    7.89 -      and minor: " !!x u. [| x: i;  u: Pi(x,B) |] ==> H(x,u) \<in> B(x)"
    7.90 +      and minor: " !!x u. [| x \<in> i;  u \<in> Pi(x,B) |] ==> H(x,u) \<in> B(x)"
    7.91    shows "transrec(j,H) \<in> B(j)"
    7.92  apply (rule transrec_type)
    7.93  apply (insert jini ordi)
    7.94 @@ -235,13 +235,13 @@
    7.95  apply (simp add: Ord_equality)
    7.96  done
    7.97  
    7.98 -lemma rank_lt: "a:b ==> rank(a) < rank(b)"
    7.99 +lemma rank_lt: "a \<in> b ==> rank(a) < rank(b)"
   7.100  apply (rule_tac a1 = b in rank [THEN ssubst])
   7.101  apply (erule UN_I [THEN ltI])
   7.102  apply (rule_tac [2] Ord_UN, auto)
   7.103  done
   7.104  
   7.105 -lemma eclose_rank_lt: "a: eclose(b) ==> rank(a) < rank(b)"
   7.106 +lemma eclose_rank_lt: "a \<in> eclose(b) ==> rank(a) < rank(b)"
   7.107  apply (erule eclose_induct_down)
   7.108  apply (erule rank_lt)
   7.109  apply (erule rank_lt [THEN lt_trans], assumption)
   7.110 @@ -321,7 +321,7 @@
   7.111  
   7.112  subsection{*Corollaries of Leastness*}
   7.113  
   7.114 -lemma mem_eclose_subset: "A:B ==> eclose(A)<=eclose(B)"
   7.115 +lemma mem_eclose_subset: "A \<in> B ==> eclose(A)<=eclose(B)"
   7.116  apply (rule Transset_eclose [THEN eclose_least])
   7.117  apply (erule arg_into_eclose [THEN eclose_subset])
   7.118  done
   7.119 @@ -390,9 +390,9 @@
   7.120  done
   7.121  
   7.122  lemma rec_type:
   7.123 -    "[| n: nat;
   7.124 -        a: C(0);
   7.125 -        !!m z. [| m: nat;  z: C(m) |] ==> b(m,z): C(succ(m)) |]
   7.126 +    "[| n \<in> nat;
   7.127 +        a \<in> C(0);
   7.128 +        !!m z. [| m \<in> nat;  z \<in> C(m) |] ==> b(m,z): C(succ(m)) |]
   7.129       ==> rec(n,a,b) \<in> C(n)"
   7.130  by (erule nat_induct, auto)
   7.131  
     8.1 --- a/src/ZF/EquivClass.thy	Thu Mar 15 15:54:22 2012 +0000
     8.2 +++ b/src/ZF/EquivClass.thy	Thu Mar 15 16:35:02 2012 +0000
     8.3 @@ -9,7 +9,7 @@
     8.4  
     8.5  definition
     8.6    quotient   :: "[i,i]=>i"    (infixl "'/'/" 90)  (*set of equiv classes*)  where
     8.7 -      "A//r == {r``{x} . x:A}"
     8.8 +      "A//r == {r``{x} . x \<in> A}"
     8.9  
    8.10  definition
    8.11    congruent  :: "[i,i=>i]=>o"  where
    8.12 @@ -72,15 +72,15 @@
    8.13  done
    8.14  
    8.15  lemma equiv_class_self:
    8.16 -    "[| equiv(A,r);  a: A |] ==> a: r``{a}"
    8.17 +    "[| equiv(A,r);  a \<in> A |] ==> a \<in> r``{a}"
    8.18  by (unfold equiv_def refl_def, blast)
    8.19  
    8.20  (*Lemma for the next result*)
    8.21  lemma subset_equiv_class:
    8.22 -    "[| equiv(A,r);  r``{b} \<subseteq> r``{a};  b: A |] ==> <a,b>: r"
    8.23 +    "[| equiv(A,r);  r``{b} \<subseteq> r``{a};  b \<in> A |] ==> <a,b>: r"
    8.24  by (unfold equiv_def refl_def, blast)
    8.25  
    8.26 -lemma eq_equiv_class: "[| r``{a} = r``{b};  equiv(A,r);  b: A |] ==> <a,b>: r"
    8.27 +lemma eq_equiv_class: "[| r``{a} = r``{b};  equiv(A,r);  b \<in> A |] ==> <a,b>: r"
    8.28  by (assumption | rule equalityD2 subset_equiv_class)+
    8.29  
    8.30  (*thus r``{a} = r``{b} as well*)
    8.31 @@ -92,24 +92,24 @@
    8.32  by (unfold equiv_def, blast)
    8.33  
    8.34  lemma equiv_class_eq_iff:
    8.35 -     "equiv(A,r) ==> <x,y>: r \<longleftrightarrow> r``{x} = r``{y} & x:A & y:A"
    8.36 +     "equiv(A,r) ==> <x,y>: r \<longleftrightarrow> r``{x} = r``{y} & x \<in> A & y \<in> A"
    8.37  by (blast intro: eq_equiv_class equiv_class_eq dest: equiv_type)
    8.38  
    8.39  lemma eq_equiv_class_iff:
    8.40 -     "[| equiv(A,r);  x: A;  y: A |] ==> r``{x} = r``{y} \<longleftrightarrow> <x,y>: r"
    8.41 +     "[| equiv(A,r);  x \<in> A;  y \<in> A |] ==> r``{x} = r``{y} \<longleftrightarrow> <x,y>: r"
    8.42  by (blast intro: eq_equiv_class equiv_class_eq dest: equiv_type)
    8.43  
    8.44  (*** Quotients ***)
    8.45  
    8.46  (** Introduction/elimination rules -- needed? **)
    8.47  
    8.48 -lemma quotientI [TC]: "x:A ==> r``{x}: A//r"
    8.49 +lemma quotientI [TC]: "x \<in> A ==> r``{x}: A//r"
    8.50  apply (unfold quotient_def)
    8.51  apply (erule RepFunI)
    8.52  done
    8.53  
    8.54  lemma quotientE:
    8.55 -    "[| X: A//r;  !!x. [| X = r``{x};  x:A |] ==> P |] ==> P"
    8.56 +    "[| X \<in> A//r;  !!x. [| X = r``{x};  x \<in> A |] ==> P |] ==> P"
    8.57  by (unfold quotient_def, blast)
    8.58  
    8.59  lemma Union_quotient:
    8.60 @@ -117,7 +117,7 @@
    8.61  by (unfold equiv_def refl_def quotient_def, blast)
    8.62  
    8.63  lemma quotient_disj:
    8.64 -    "[| equiv(A,r);  X: A//r;  Y: A//r |] ==> X=Y | (X \<inter> Y \<subseteq> 0)"
    8.65 +    "[| equiv(A,r);  X \<in> A//r;  Y \<in> A//r |] ==> X=Y | (X \<inter> Y \<subseteq> 0)"
    8.66  apply (unfold quotient_def)
    8.67  apply (safe intro!: equiv_class_eq, assumption)
    8.68  apply (unfold equiv_def trans_def sym_def, blast)
    8.69 @@ -130,7 +130,7 @@
    8.70  
    8.71  (*Conversion rule*)
    8.72  lemma UN_equiv_class:
    8.73 -    "[| equiv(A,r);  b respects r;  a: A |] ==> (\<Union>x\<in>r``{a}. b(x)) = b(a)"
    8.74 +    "[| equiv(A,r);  b respects r;  a \<in> A |] ==> (\<Union>x\<in>r``{a}. b(x)) = b(a)"
    8.75  apply (subgoal_tac "\<forall>x \<in> r``{a}. b(x) = b(a)")
    8.76   apply simp
    8.77   apply (blast intro: equiv_class_self)
    8.78 @@ -139,19 +139,19 @@
    8.79  
    8.80  (*type checking of  @{term"\<Union>x\<in>r``{a}. b(x)"} *)
    8.81  lemma UN_equiv_class_type:
    8.82 -    "[| equiv(A,r);  b respects r;  X: A//r;  !!x.  x \<in> A ==> b(x) \<in> B |]
    8.83 +    "[| equiv(A,r);  b respects r;  X \<in> A//r;  !!x.  x \<in> A ==> b(x) \<in> B |]
    8.84       ==> (\<Union>x\<in>X. b(x)) \<in> B"
    8.85  apply (unfold quotient_def, safe)
    8.86  apply (simp (no_asm_simp) add: UN_equiv_class)
    8.87  done
    8.88  
    8.89  (*Sufficient conditions for injectiveness.  Could weaken premises!
    8.90 -  major premise could be an inclusion; bcong could be !!y. y:A ==> b(y):B
    8.91 +  major premise could be an inclusion; bcong could be !!y. y \<in> A ==> b(y):B
    8.92  *)
    8.93  lemma UN_equiv_class_inject:
    8.94      "[| equiv(A,r);   b respects r;
    8.95 -        (\<Union>x\<in>X. b(x))=(\<Union>y\<in>Y. b(y));  X: A//r;  Y: A//r;
    8.96 -        !!x y. [| x:A; y:A; b(x)=b(y) |] ==> <x,y>:r |]
    8.97 +        (\<Union>x\<in>X. b(x))=(\<Union>y\<in>Y. b(y));  X \<in> A//r;  Y \<in> A//r;
    8.98 +        !!x y. [| x \<in> A; y \<in> A; b(x)=b(y) |] ==> <x,y>:r |]
    8.99       ==> X=Y"
   8.100  apply (unfold quotient_def, safe)
   8.101  apply (rule equiv_class_eq, assumption)
   8.102 @@ -162,11 +162,11 @@
   8.103  subsection{*Defining Binary Operations upon Equivalence Classes*}
   8.104  
   8.105  lemma congruent2_implies_congruent:
   8.106 -    "[| equiv(A,r1);  congruent2(r1,r2,b);  a: A |] ==> congruent(r2,b(a))"
   8.107 +    "[| equiv(A,r1);  congruent2(r1,r2,b);  a \<in> A |] ==> congruent(r2,b(a))"
   8.108  by (unfold congruent_def congruent2_def equiv_def refl_def, blast)
   8.109  
   8.110  lemma congruent2_implies_congruent_UN:
   8.111 -    "[| equiv(A1,r1);  equiv(A2,r2);  congruent2(r1,r2,b);  a: A2 |] ==>
   8.112 +    "[| equiv(A1,r1);  equiv(A2,r2);  congruent2(r1,r2,b);  a \<in> A2 |] ==>
   8.113       congruent(r1, %x1. \<Union>x2 \<in> r2``{a}. b(x1,x2))"
   8.114  apply (unfold congruent_def, safe)
   8.115  apply (frule equiv_type [THEN subsetD], assumption)
   8.116 @@ -206,8 +206,8 @@
   8.117  
   8.118  lemma congruent2_commuteI:
   8.119   assumes equivA: "equiv(A,r)"
   8.120 -     and commute: "!! y z. [| y: A;  z: A |] ==> b(y,z) = b(z,y)"
   8.121 -     and congt:   "!! y z w. [| w: A;  <y,z>: r |] ==> b(w,y) = b(w,z)"
   8.122 +     and commute: "!! y z. [| y \<in> A;  z \<in> A |] ==> b(y,z) = b(z,y)"
   8.123 +     and congt:   "!! y z w. [| w \<in> A;  <y,z>: r |] ==> b(w,y) = b(w,z)"
   8.124   shows "b respects2 r"
   8.125  apply (insert equivA [THEN equiv_type, THEN subsetD])
   8.126  apply (rule congruent2I [OF equivA equivA])
   8.127 @@ -219,9 +219,9 @@
   8.128  
   8.129  (*Obsolete?*)
   8.130  lemma congruent_commuteI:
   8.131 -    "[| equiv(A,r);  Z: A//r;
   8.132 -        !!w. [| w: A |] ==> congruent(r, %z. b(w,z));
   8.133 -        !!x y. [| x: A;  y: A |] ==> b(y,x) = b(x,y)
   8.134 +    "[| equiv(A,r);  Z \<in> A//r;
   8.135 +        !!w. [| w \<in> A |] ==> congruent(r, %z. b(w,z));
   8.136 +        !!x y. [| x \<in> A;  y \<in> A |] ==> b(y,x) = b(x,y)
   8.137       |] ==> congruent(r, %w. \<Union>z\<in>Z. b(w,z))"
   8.138  apply (simp (no_asm) add: congruent_def)
   8.139  apply (safe elim!: quotientE)
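Review bot: Several statements in this file end up mixing both membership notations within a single formula, apparently because the replacement only matched a `:` that directly follows a plain identifier. In subset_equiv_class, eq_equiv_class, equiv_class_eq_iff and eq_equiv_class_iff the premises now use `\<in>` while the pair membership is still written `<a,b>: r` or `<x,y>: r`; the same holds for the conclusion of quotientI, for `<x,y>:r` in UN_equiv_class_inject and for `<y,z>: r` in congruent2_commuteI. Both spellings should denote the same term, so this is a readability point rather than a correctness one, but the commit's stated goal suggests finishing the conversion, e.g. `"[| r``{a} = r``{b};  equiv(A,r);  b \<in> A |] ==> <a,b> \<in> r"`. The proofs of most of these lemmas continue outside the hunks shown, so only the statements are reviewed here.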
     9.1 --- a/src/ZF/Finite.thy	Thu Mar 15 15:54:22 2012 +0000
     9.2 +++ b/src/ZF/Finite.thy	Thu Mar 15 16:35:02 2012 +0000
     9.3 @@ -2,7 +2,7 @@
     9.4      Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     9.5      Copyright   1994  University of Cambridge
     9.6  
     9.7 -prove:  b: Fin(A) ==> inj(b,b) \<subseteq> surj(b,b)
     9.8 +prove:  b \<in> Fin(A) ==> inj(b,b) \<subseteq> surj(b,b)
     9.9  *)
    9.10  
    9.11  header{*Finite Powerset Operator and Finite Function Space*}
    9.12 @@ -25,7 +25,7 @@
    9.13    domains   "Fin(A)" \<subseteq> "Pow(A)"
    9.14    intros
    9.15      emptyI:  "0 \<in> Fin(A)"
    9.16 -    consI:   "[| a: A;  b: Fin(A) |] ==> cons(a,b) \<in> Fin(A)"
    9.17 +    consI:   "[| a \<in> A;  b \<in> Fin(A) |] ==> cons(a,b) \<in> Fin(A)"
    9.18    type_intros  empty_subsetI cons_subsetI PowI
    9.19    type_elims   PowD [elim_format]
    9.20  
    9.21 @@ -33,7 +33,7 @@
    9.22    domains   "FiniteFun(A,B)" \<subseteq> "Fin(A*B)"
    9.23    intros
    9.24      emptyI:  "0 \<in> A -||> B"
    9.25 -    consI:   "[| a: A;  b: B;  h: A -||> B;  a \<notin> domain(h) |]
    9.26 +    consI:   "[| a \<in> A;  b \<in> B;  h \<in> A -||> B;  a \<notin> domain(h) |]
    9.27                ==> cons(<a,b>,h) \<in> A -||> B"
    9.28    type_intros Fin.intros
    9.29  
    9.30 @@ -54,12 +54,12 @@
    9.31  
    9.32  (*Discharging @{term"x\<notin>y"} entails extra work*)
    9.33  lemma Fin_induct [case_names 0 cons, induct set: Fin]:
    9.34 -    "[| b: Fin(A);
    9.35 +    "[| b \<in> Fin(A);
    9.36          P(0);
    9.37 -        !!x y. [| x: A;  y: Fin(A);  x\<notin>y;  P(y) |] ==> P(cons(x,y))
    9.38 +        !!x y. [| x \<in> A;  y \<in> Fin(A);  x\<notin>y;  P(y) |] ==> P(cons(x,y))
    9.39       |] ==> P(b)"
    9.40  apply (erule Fin.induct, simp)
    9.41 -apply (case_tac "a:b")
    9.42 +apply (case_tac "a \<in> b")
    9.43   apply (erule cons_absorb [THEN ssubst], assumption) (*backtracking!*)
    9.44  apply simp
    9.45  done
    9.46 @@ -72,7 +72,7 @@
    9.47  by (blast intro: Fin.emptyI dest: FinD)
    9.48  
    9.49  (*The union of two finite sets is finite.*)
    9.50 -lemma Fin_UnI [simp]: "[| b: Fin(A);  c: Fin(A) |] ==> b \<union> c \<in> Fin(A)"
    9.51 +lemma Fin_UnI [simp]: "[| b \<in> Fin(A);  c \<in> Fin(A) |] ==> b \<union> c \<in> Fin(A)"
    9.52  apply (erule Fin_induct)
    9.53  apply (simp_all add: Un_cons)
    9.54  done
    9.55 @@ -83,25 +83,25 @@
    9.56  by (erule Fin_induct, simp_all)
    9.57  
    9.58  (*Every subset of a finite set is finite.*)
    9.59 -lemma Fin_subset_lemma [rule_format]: "b: Fin(A) ==> \<forall>z. z<=b \<longrightarrow> z: Fin(A)"
    9.60 +lemma Fin_subset_lemma [rule_format]: "b \<in> Fin(A) ==> \<forall>z. z<=b \<longrightarrow> z \<in> Fin(A)"
    9.61  apply (erule Fin_induct)
    9.62  apply (simp add: subset_empty_iff)
    9.63  apply (simp add: subset_cons_iff distrib_simps, safe)
    9.64  apply (erule_tac b = z in cons_Diff [THEN subst], simp)
    9.65  done
    9.66  
    9.67 -lemma Fin_subset: "[| c<=b;  b: Fin(A) |] ==> c: Fin(A)"
    9.68 +lemma Fin_subset: "[| c<=b;  b \<in> Fin(A) |] ==> c \<in> Fin(A)"
    9.69  by (blast intro: Fin_subset_lemma)
    9.70  
    9.71 -lemma Fin_IntI1 [intro,simp]: "b: Fin(A) ==> b \<inter> c \<in> Fin(A)"
    9.72 +lemma Fin_IntI1 [intro,simp]: "b \<in> Fin(A) ==> b \<inter> c \<in> Fin(A)"
    9.73  by (blast intro: Fin_subset)
    9.74  
    9.75 -lemma Fin_IntI2 [intro,simp]: "c: Fin(A) ==> b \<inter> c \<in> Fin(A)"
    9.76 +lemma Fin_IntI2 [intro,simp]: "c \<in> Fin(A) ==> b \<inter> c \<in> Fin(A)"
    9.77  by (blast intro: Fin_subset)
    9.78  
    9.79  lemma Fin_0_induct_lemma [rule_format]:
    9.80 -    "[| c: Fin(A);  b: Fin(A); P(b);
    9.81 -        !!x y. [| x: A;  y: Fin(A);  x:y;  P(y) |] ==> P(y-{x})
    9.82 +    "[| c \<in> Fin(A);  b \<in> Fin(A); P(b);
    9.83 +        !!x y. [| x \<in> A;  y \<in> Fin(A);  x \<in> y;  P(y) |] ==> P(y-{x})
    9.84       |] ==> c<=b \<longrightarrow> P(b-c)"
    9.85  apply (erule Fin_induct, simp)
    9.86  apply (subst Diff_cons)
    9.87 @@ -109,16 +109,16 @@
    9.88  done
    9.89  
    9.90  lemma Fin_0_induct:
    9.91 -    "[| b: Fin(A);
    9.92 +    "[| b \<in> Fin(A);
    9.93          P(b);
    9.94 -        !!x y. [| x: A;  y: Fin(A);  x:y;  P(y) |] ==> P(y-{x})
    9.95 +        !!x y. [| x \<in> A;  y \<in> Fin(A);  x \<in> y;  P(y) |] ==> P(y-{x})
    9.96       |] ==> P(0)"
    9.97  apply (rule Diff_cancel [THEN subst])
    9.98  apply (blast intro: Fin_0_induct_lemma)
    9.99  done
   9.100  
   9.101  (*Functions from a finite ordinal*)
   9.102 -lemma nat_fun_subset_Fin: "n: nat ==> n->A \<subseteq> Fin(nat*A)"
   9.103 +lemma nat_fun_subset_Fin: "n \<in> nat ==> n->A \<subseteq> Fin(nat*A)"
   9.104  apply (induct_tac "n")
   9.105  apply (simp add: subset_iff)
   9.106  apply (simp add: succ_def mem_not_refl [THEN cons_fun_eq])
   9.107 @@ -139,19 +139,19 @@
   9.108  lemma FiniteFun_mono1: "A<=B ==> A -||> A  \<subseteq>  B -||> B"
   9.109  by (blast dest: FiniteFun_mono)
   9.110  
   9.111 -lemma FiniteFun_is_fun: "h: A -||>B ==> h: domain(h) -> B"
   9.112 +lemma FiniteFun_is_fun: "h \<in> A -||>B ==> h \<in> domain(h) -> B"
   9.113  apply (erule FiniteFun.induct, simp)
   9.114  apply (simp add: fun_extend3)
   9.115  done
   9.116  
   9.117 -lemma FiniteFun_domain_Fin: "h: A -||>B ==> domain(h) \<in> Fin(A)"
   9.118 +lemma FiniteFun_domain_Fin: "h \<in> A -||>B ==> domain(h) \<in> Fin(A)"
   9.119  by (erule FiniteFun.induct, simp, simp)
   9.120  
   9.121  lemmas FiniteFun_apply_type = FiniteFun_is_fun [THEN apply_type]
   9.122  
   9.123  (*Every subset of a finite function is a finite function.*)
   9.124  lemma FiniteFun_subset_lemma [rule_format]:
   9.125 -     "b: A-||>B ==> \<forall>z. z<=b \<longrightarrow> z: A-||>B"
   9.126 +     "b \<in> A-||>B ==> \<forall>z. z<=b \<longrightarrow> z \<in> A-||>B"
   9.127  apply (erule FiniteFun.induct)
   9.128  apply (simp add: subset_empty_iff FiniteFun.intros)
   9.129  apply (simp add: subset_cons_iff distrib_simps, safe)
   9.130 @@ -160,15 +160,15 @@
   9.131  apply (fast intro!: FiniteFun.intros)
   9.132  done
   9.133  
   9.134 -lemma FiniteFun_subset: "[| c<=b;  b: A-||>B |] ==> c: A-||>B"
   9.135 +lemma FiniteFun_subset: "[| c<=b;  b \<in> A-||>B |] ==> c \<in> A-||>B"
   9.136  by (blast intro: FiniteFun_subset_lemma)
   9.137  
   9.138  (** Some further results by Sidi O. Ehmety **)
   9.139  
   9.140 -lemma fun_FiniteFunI [rule_format]: "A:Fin(X) ==> \<forall>f. f:A->B \<longrightarrow> f:A-||>B"
   9.141 +lemma fun_FiniteFunI [rule_format]: "A \<in> Fin(X) ==> \<forall>f. f \<in> A->B \<longrightarrow> f \<in> A-||>B"
   9.142  apply (erule Fin.induct)
   9.143   apply (simp add: FiniteFun.intros, clarify)
   9.144 -apply (case_tac "a:b")
   9.145 +apply (case_tac "a \<in> b")
   9.146   apply (simp add: cons_absorb)
   9.147  apply (subgoal_tac "restrict (f,b) \<in> b -||> B")
   9.148   prefer 2 apply (blast intro: restrict_type2)
   9.149 @@ -178,11 +178,11 @@
   9.150                      FiniteFun_mono [THEN [2] rev_subsetD])
   9.151  done
   9.152  
   9.153 -lemma lam_FiniteFun: "A: Fin(X) ==> (\<lambda>x\<in>A. b(x)) \<in> A -||> {b(x). x:A}"
   9.154 +lemma lam_FiniteFun: "A \<in> Fin(X) ==> (\<lambda>x\<in>A. b(x)) \<in> A -||> {b(x). x \<in> A}"
   9.155  by (blast intro: fun_FiniteFunI lam_funtype)
   9.156  
   9.157  lemma FiniteFun_Collect_iff:
   9.158 -     "f \<in> FiniteFun(A, {y:B. P(y)})
   9.159 +     "f \<in> FiniteFun(A, {y \<in> B. P(y)})
   9.160        \<longleftrightarrow> f \<in> FiniteFun(A,B) & (\<forall>x\<in>domain(f). P(f`x))"
   9.161  apply auto
   9.162  apply (blast intro: FiniteFun_mono [THEN [2] rev_subsetD])
    10.1 --- a/src/ZF/Induct/Multiset.thy	Thu Mar 15 15:54:22 2012 +0000
    10.2 +++ b/src/ZF/Induct/Multiset.thy	Thu Mar 15 16:35:02 2012 +0000
    10.3 @@ -93,7 +93,7 @@
    10.4  
    10.5  definition
    10.6    multirel :: "[i, i] => i"  where
    10.7 -  "multirel(A, r) == multirel1(A, r)^+"                 
    10.8 +  "multirel(A, r) == multirel1(A, r)^+"
    10.9  
   10.10    (* ordinal multiset orderings *)
   10.11  
   10.12 @@ -446,7 +446,7 @@
   10.13  by (induct_tac n) auto
   10.14  
   10.15  lemma munion_is_single:
   10.16 -     "[|multiset(M); multiset(N)|] 
   10.17 +     "[|multiset(M); multiset(N)|]
   10.18        ==> (M +# N = {#a#}) \<longleftrightarrow>  (M={#a#} & N=0) | (M = 0 & N = {#a#})"
   10.19  apply (simp (no_asm_simp) add: multiset_equality)
   10.20  apply safe
   10.21 @@ -747,7 +747,7 @@
   10.22  done
   10.23  
   10.24  lemma multirel1_mono2: "r\<subseteq>s ==> multirel1(A,r)\<subseteq>multirel1(A, s)"
   10.25 -apply (simp add: multirel1_def, auto) 
   10.26 +apply (simp add: multirel1_def, auto)
   10.27  apply (rule_tac x = a in bexI)
   10.28  apply (rule_tac x = M0 in bexI)
   10.29  apply (simp_all add: Mult_iff_multiset)
   10.30 @@ -807,9 +807,9 @@
   10.31  apply (erule_tac P = "mset_of (K) \<subseteq>A" in rev_mp)
   10.32  apply (erule_tac M = K in multiset_induct)
   10.33  (* three subgoals *)
   10.34 -(* subgoal 1: the induction base case *)
   10.35 +(* subgoal 1 \<in> the induction base case *)
   10.36  apply (simp (no_asm_simp))
   10.37 -(* subgoal 2: the induction general case *)
   10.38 +(* subgoal 2 \<in> the induction general case *)
   10.39  apply (simp add: Ball_def Un_subset_iff, clarify)
   10.40  apply (drule_tac x = aa in spec, simp)
   10.41  apply (subgoal_tac "aa \<in> A")
   10.42 @@ -817,7 +817,7 @@
   10.43  apply (drule_tac x = "M0 +# M" and P =
   10.44         "%x. x \<in> acc(multirel1(A, r)) \<longrightarrow> ?Q(x)" in spec)
   10.45  apply (simp add: munion_assoc [symmetric])
   10.46 -(* subgoal 3: additional conditions *)
   10.47 +(* subgoal 3 \<in> additional conditions *)
   10.48  apply (auto intro!: multirel1_base [THEN fieldI2] simp add: Mult_iff_multiset)
   10.49  done
   10.50  
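Review bot: The textual replacement also rewrote three proof comments in the hunks at 807 and 817, so they no longer read as English: `(* subgoal 1 \<in> the induction base case *)`, and likewise for subgoals 2 and 3. These colons are labels, not membership, and should be restored: `(* subgoal 1: the induction base case *)`, `(* subgoal 2: the induction general case *)`, `(* subgoal 3: additional conditions *)`. Comment text is presumably not checked when the theory is processed, so this kind of damage would pass a build unnoticed. It is worth searching the rest of the changeset for `\<in>` inside `(* ... *)` comments and prose blocks before merging. The remaining hunks in this file only strip trailing whitespace.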
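--- a/src/ZF/IntArith.thy
+++ b/src/ZF/IntArith.thy
@@ -34,7 +34,7 @@
 lemma zless_iff_zdiff_zless_0: "(x $< y) \<longleftrightarrow> (x$-y $< #0)"
   by (simp add: zcompare_rls)
 
-lemma eq_iff_zdiff_eq_0: "[| x: int; y: int |] ==> (x = y) \<longleftrightarrow> (x$-y = #0)"
+lemma eq_iff_zdiff_eq_0: "[| x \<in> int; y \<in> int |] ==> (x = y) \<longleftrightarrow> (x$-y = #0)"
   by (simp add: zcompare_rls)
 
 lemma zle_iff_zdiff_zle_0: "(x $<= y) \<longleftrightarrow> (x$-y $<= #0)"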
    12.1 --- a/src/ZF/Int_ZF.thy	Thu Mar 15 15:54:22 2012 +0000
    12.2 +++ b/src/ZF/Int_ZF.thy	Thu Mar 15 16:35:02 2012 +0000
    12.3 @@ -9,12 +9,12 @@
    12.4  
    12.5  definition
    12.6    intrel :: i  where
    12.7 -    "intrel == {p \<in> (nat*nat)*(nat*nat).                 
    12.8 +    "intrel == {p \<in> (nat*nat)*(nat*nat).
    12.9                  \<exists>x1 y1 x2 y2. p=<<x1,y1>,<x2,y2>> & x1#+y2 = x2#+y1}"
   12.10  
   12.11  definition
   12.12    int :: i  where
   12.13 -    "int == (nat*nat)//intrel"  
   12.14 +    "int == (nat*nat)//intrel"
   12.15  
   12.16  definition
   12.17    int_of :: "i=>i" --{*coercion from nat to int*}    ("$# _" [80] 80)  where
   12.18 @@ -39,7 +39,7 @@
   12.19  definition
   12.20    iszero      ::      "i=>o"  where
   12.21      "iszero(z) == z = $# 0"
   12.22 -    
   12.23 +
   12.24  definition
   12.25    raw_nat_of  :: "i=>i"  where
   12.26    "raw_nat_of(z) == natify (\<Union><x,y>\<in>z. x#-y)"
   12.27 @@ -60,8 +60,8 @@
   12.28      (*Cannot use UN<x1,y2> here or in zadd because of the form of congruent2.
   12.29        Perhaps a "curried" or even polymorphic congruent predicate would be
   12.30        better.*)
   12.31 -     "raw_zmult(z1,z2) == 
   12.32 -       \<Union>p1\<in>z1. \<Union>p2\<in>z2.  split(%x1 y1. split(%x2 y2.        
   12.33 +     "raw_zmult(z1,z2) ==
   12.34 +       \<Union>p1\<in>z1. \<Union>p2\<in>z2.  split(%x1 y1. split(%x2 y2.
   12.35                     intrel``{<x1#*x2 #+ y1#*y2, x1#*y2 #+ y1#*x2>}, p2), p1)"
   12.36  
   12.37  definition
   12.38 @@ -70,8 +70,8 @@
   12.39  
   12.40  definition
   12.41    raw_zadd    ::      "[i,i]=>i"  where
   12.42 -     "raw_zadd (z1, z2) == 
   12.43 -       \<Union>z1\<in>z1. \<Union>z2\<in>z2. let <x1,y1>=z1; <x2,y2>=z2                 
   12.44 +     "raw_zadd (z1, z2) ==
   12.45 +       \<Union>z1\<in>z1. \<Union>z2\<in>z2. let <x1,y1>=z1; <x2,y2>=z2
   12.46                             in intrel``{<x1#+x2, y1#+y2>}"
   12.47  
   12.48  definition
   12.49 @@ -85,11 +85,11 @@
   12.50  definition
   12.51    zless        ::      "[i,i]=>o"      (infixl "$<" 50)  where
   12.52       "z1 $< z2 == znegative(z1 $- z2)"
   12.53 -  
   12.54 +
   12.55  definition
   12.56    zle          ::      "[i,i]=>o"      (infixl "$<=" 50)  where
   12.57       "z1 $<= z2 == z1 $< z2 | intify(z1)=intify(z2)"
   12.58 -  
   12.59 +
   12.60  
   12.61  notation (xsymbols)
   12.62    zmult  (infixl "$\<times>" 70) and
   12.63 @@ -106,22 +106,22 @@
   12.64  
   12.65  (** Natural deduction for intrel **)
   12.66  
   12.67 -lemma intrel_iff [simp]: 
   12.68 -    "<<x1,y1>,<x2,y2>>: intrel \<longleftrightarrow>  
   12.69 +lemma intrel_iff [simp]:
   12.70 +    "<<x1,y1>,<x2,y2>>: intrel \<longleftrightarrow>
   12.71       x1\<in>nat & y1\<in>nat & x2\<in>nat & y2\<in>nat & x1#+y2 = x2#+y1"
   12.72  by (simp add: intrel_def)
   12.73  
   12.74 -lemma intrelI [intro!]: 
   12.75 -    "[| x1#+y2 = x2#+y1; x1\<in>nat; y1\<in>nat; x2\<in>nat; y2\<in>nat |]   
   12.76 +lemma intrelI [intro!]:
   12.77 +    "[| x1#+y2 = x2#+y1; x1\<in>nat; y1\<in>nat; x2\<in>nat; y2\<in>nat |]
   12.78       ==> <<x1,y1>,<x2,y2>>: intrel"
   12.79  by (simp add: intrel_def)
   12.80  
   12.81  lemma intrelE [elim!]:
   12.82 -  "[| p: intrel;   
   12.83 -      !!x1 y1 x2 y2. [| p = <<x1,y1>,<x2,y2>>;  x1#+y2 = x2#+y1;  
   12.84 -                        x1\<in>nat; y1\<in>nat; x2\<in>nat; y2\<in>nat |] ==> Q |]  
   12.85 +  "[| p \<in> intrel;
   12.86 +      !!x1 y1 x2 y2. [| p = <<x1,y1>,<x2,y2>>;  x1#+y2 = x2#+y1;
   12.87 +                        x1\<in>nat; y1\<in>nat; x2\<in>nat; y2\<in>nat |] ==> Q |]
   12.88     ==> Q"
   12.89 -by (simp add: intrel_def, blast) 
   12.90 +by (simp add: intrel_def, blast)
   12.91  
   12.92  lemma int_trans_lemma:
   12.93       "[| x1 #+ y2 = x2 #+ y1; x2 #+ y3 = x3 #+ y2 |] ==> x1 #+ y3 = x3 #+ y1"
   12.94 @@ -228,8 +228,8 @@
   12.95  lemma zminus_type [TC,iff]: "$-z \<in> int"
   12.96  by (simp add: zminus_def raw_zminus_type)
   12.97  
   12.98 -lemma raw_zminus_inject: 
   12.99 -     "[| raw_zminus(z) = raw_zminus(w);  z: int;  w: int |] ==> z=w"
  12.100 +lemma raw_zminus_inject:
  12.101 +     "[| raw_zminus(z) = raw_zminus(w);  z \<in> int;  w \<in> int |] ==> z=w"
  12.102  apply (simp add: int_def raw_zminus_def)
  12.103  apply (erule UN_equiv_class_inject [OF equiv_intrel zminus_congruent], safe)
  12.104  apply (auto dest: eq_intrelD simp add: add_ac)
  12.105 @@ -240,16 +240,16 @@
  12.106  apply (blast dest!: raw_zminus_inject)
  12.107  done
  12.108  
  12.109 -lemma zminus_inject: "[| $-z = $-w;  z: int;  w: int |] ==> z=w"
  12.110 +lemma zminus_inject: "[| $-z = $-w;  z \<in> int;  w \<in> int |] ==> z=w"
  12.111  by auto
  12.112  
  12.113 -lemma raw_zminus: 
  12.114 +lemma raw_zminus:
  12.115      "[| x\<in>nat;  y\<in>nat |] ==> raw_zminus(intrel``{<x,y>}) = intrel `` {<y,x>}"
  12.116  apply (simp add: raw_zminus_def UN_equiv_class [OF equiv_intrel zminus_congruent])
  12.117  done
  12.118  
  12.119 -lemma zminus: 
  12.120 -    "[| x\<in>nat;  y\<in>nat |]  
  12.121 +lemma zminus:
  12.122 +    "[| x\<in>nat;  y\<in>nat |]
  12.123       ==> $- (intrel``{<x,y>}) = intrel `` {<y,x>}"
  12.124  by (simp add: zminus_def raw_zminus image_intrel_int)
  12.125  
  12.126 @@ -269,15 +269,15 @@
  12.127  subsection{*@{term znegative}: the test for negative integers*}
  12.128  
  12.129  lemma znegative: "[| x\<in>nat; y\<in>nat |] ==> znegative(intrel``{<x,y>}) \<longleftrightarrow> x<y"
  12.130 -apply (cases "x<y") 
  12.131 +apply (cases "x<y")
  12.132  apply (auto simp add: znegative_def not_lt_iff_le)
  12.133 -apply (subgoal_tac "y #+ x2 < x #+ y2", force) 
  12.134 -apply (rule add_le_lt_mono, auto) 
  12.135 +apply (subgoal_tac "y #+ x2 < x #+ y2", force)
  12.136 +apply (rule add_le_lt_mono, auto)
  12.137  done
  12.138  
  12.139  (*No natural number is negative!*)
  12.140  lemma not_znegative_int_of [iff]: "~ znegative($# n)"
  12.141 -by (simp add: znegative int_of_def) 
  12.142 +by (simp add: znegative int_of_def)
  12.143  
  12.144  lemma znegative_zminus_int_of [simp]: "znegative($- $# succ(n))"
  12.145  by (simp add: znegative int_of_def zminus natify_succ)
  12.146 @@ -294,7 +294,7 @@
  12.147  lemma nat_of_congruent: "(\<lambda>x. (\<lambda>\<langle>x,y\<rangle>. x #- y)(x)) respects intrel"
  12.148  by (auto simp add: congruent_def split add: nat_diff_split)
  12.149  
  12.150 -lemma raw_nat_of: 
  12.151 +lemma raw_nat_of:
  12.152      "[| x\<in>nat;  y\<in>nat |] ==> raw_nat_of(intrel``{<x,y>}) = x#-y"
  12.153  by (simp add: raw_nat_of_def UN_equiv_class [OF equiv_intrel nat_of_congruent])
  12.154  
  12.155 @@ -332,24 +332,24 @@
  12.156  apply (rule theI2, auto)
  12.157  done
  12.158  
  12.159 -lemma not_zneg_int_of: 
  12.160 -     "[| z: int; ~ znegative(z) |] ==> \<exists>n\<in>nat. z = $# n"
  12.161 +lemma not_zneg_int_of:
  12.162 +     "[| z \<in> int; ~ znegative(z) |] ==> \<exists>n\<in>nat. z = $# n"
  12.163  apply (auto simp add: int_def znegative int_of_def not_lt_iff_le)
  12.164 -apply (rename_tac x y) 
  12.165 -apply (rule_tac x="x#-y" in bexI) 
  12.166 -apply (auto simp add: add_diff_inverse2) 
  12.167 +apply (rename_tac x y)
  12.168 +apply (rule_tac x="x#-y" in bexI)
  12.169 +apply (auto simp add: add_diff_inverse2)
  12.170  done
  12.171  
  12.172  lemma not_zneg_mag [simp]:
  12.173 -     "[| z: int; ~ znegative(z) |] ==> $# (zmagnitude(z)) = z"
  12.174 +     "[| z \<in> int; ~ znegative(z) |] ==> $# (zmagnitude(z)) = z"
  12.175  by (drule not_zneg_int_of, auto)
  12.176  
  12.177 -lemma zneg_int_of: 
  12.178 -     "[| znegative(z); z: int |] ==> \<exists>n\<in>nat. z = $- ($# succ(n))"
  12.179 +lemma zneg_int_of:
  12.180 +     "[| znegative(z); z \<in> int |] ==> \<exists>n\<in>nat. z = $- ($# succ(n))"
  12.181  by (auto simp add: int_def znegative zminus int_of_def dest!: less_imp_succ_add)
  12.182  
  12.183  lemma zneg_mag [simp]:
  12.184 -     "[| znegative(z); z: int |] ==> $# (zmagnitude(z)) = $- z"
  12.185 +     "[| znegative(z); z \<in> int |] ==> $# (zmagnitude(z)) = $- z"
  12.186  by (drule zneg_int_of, auto)
  12.187  
  12.188  lemma int_cases: "z \<in> int ==> \<exists>n\<in>nat. z = $# n | z = $- ($# succ(n))"
  12.189 @@ -359,7 +359,7 @@
  12.190  done
  12.191  
  12.192  lemma not_zneg_raw_nat_of:
  12.193 -     "[| ~ znegative(z); z: int |] ==> $# (raw_nat_of(z)) = z"
  12.194 +     "[| ~ znegative(z); z \<in> int |] ==> $# (raw_nat_of(z)) = z"
  12.195  apply (drule not_zneg_int_of)
  12.196  apply (auto simp add: raw_nat_of_type raw_nat_of_int_of)
  12.197  done
  12.198 @@ -368,23 +368,23 @@
  12.199       "~ znegative(intify(z)) ==> $# (nat_of(z)) = intify(z)"
  12.200  by (simp (no_asm_simp) add: nat_of_def not_zneg_raw_nat_of)
  12.201  
  12.202 -lemma not_zneg_nat_of: "[| ~ znegative(z); z: int |] ==> $# (nat_of(z)) = z"
  12.203 +lemma not_zneg_nat_of: "[| ~ znegative(z); z \<in> int |] ==> $# (nat_of(z)) = z"
  12.204  apply (simp (no_asm_simp) add: not_zneg_nat_of_intify)
  12.205  done
  12.206  
  12.207  lemma zneg_nat_of [simp]: "znegative(intify(z)) ==> nat_of(z) = 0"
  12.208  apply (subgoal_tac "intify(z) \<in> int")
  12.209 -apply (simp add: int_def) 
  12.210 -apply (auto simp add: znegative nat_of_def raw_nat_of 
  12.211 -            split add: nat_diff_split) 
  12.212 +apply (simp add: int_def)
  12.213 +apply (auto simp add: znegative nat_of_def raw_nat_of
  12.214 +            split add: nat_diff_split)
  12.215  done
  12.216  
  12.217  
  12.218  subsection{*@{term zadd}: addition on int*}
  12.219  
  12.220  text{*Congruence Property for Addition*}
  12.221 -lemma zadd_congruent2: 
  12.222 -    "(%z1 z2. let <x1,y1>=z1; <x2,y2>=z2                  
  12.223 +lemma zadd_congruent2:
  12.224 +    "(%z1 z2. let <x1,y1>=z1; <x2,y2>=z2
  12.225                              in intrel``{<x1#+x2, y1#+y2>})
  12.226       respects2 intrel"
  12.227  apply (simp add: congruent2_def)
  12.228 @@ -398,7 +398,7 @@
  12.229  apply (simp (no_asm_simp) add: add_assoc [symmetric])
  12.230  done
  12.231  
  12.232 -lemma raw_zadd_type: "[| z: int;  w: int |] ==> raw_zadd(z,w) \<in> int"
  12.233 +lemma raw_zadd_type: "[| z \<in> int;  w \<in> int |] ==> raw_zadd(z,w) \<in> int"
  12.234  apply (simp add: int_def raw_zadd_def)
  12.235  apply (rule UN_equiv_class_type2 [OF equiv_intrel zadd_congruent2], assumption+)
  12.236  apply (simp add: Let_def)
  12.237 @@ -407,18 +407,18 @@
  12.238  lemma zadd_type [iff,TC]: "z $+ w \<in> int"
  12.239  by (simp add: zadd_def raw_zadd_type)
  12.240  
  12.241 -lemma raw_zadd: 
  12.242 -  "[| x1\<in>nat; y1\<in>nat;  x2\<in>nat; y2\<in>nat |]               
  12.243 -   ==> raw_zadd (intrel``{<x1,y1>}, intrel``{<x2,y2>}) =   
  12.244 +lemma raw_zadd:
  12.245 +  "[| x1\<in>nat; y1\<in>nat;  x2\<in>nat; y2\<in>nat |]
  12.246 +   ==> raw_zadd (intrel``{<x1,y1>}, intrel``{<x2,y2>}) =
  12.247         intrel `` {<x1#+x2, y1#+y2>}"
  12.248 -apply (simp add: raw_zadd_def 
  12.249 +apply (simp add: raw_zadd_def
  12.250               UN_equiv_class2 [OF equiv_intrel equiv_intrel zadd_congruent2])
  12.251  apply (simp add: Let_def)
  12.252  done
  12.253  
  12.254 -lemma zadd: 
  12.255 -  "[| x1\<in>nat; y1\<in>nat;  x2\<in>nat; y2\<in>nat |]          
  12.256 -   ==> (intrel``{<x1,y1>}) $+ (intrel``{<x2,y2>}) =   
  12.257 +lemma zadd:
  12.258 +  "[| x1\<in>nat; y1\<in>nat;  x2\<in>nat; y2\<in>nat |]
  12.259 +   ==> (intrel``{<x1,y1>}) $+ (intrel``{<x2,y2>}) =
  12.260         intrel `` {<x1#+x2, y1#+y2>}"
  12.261  by (simp add: zadd_def raw_zadd image_intrel_int)
  12.262  
  12.263 @@ -428,25 +428,25 @@
  12.264  lemma zadd_int0_intify [simp]: "$#0 $+ z = intify(z)"
  12.265  by (simp add: zadd_def raw_zadd_int0)
  12.266  
  12.267 -lemma zadd_int0: "z: int ==> $#0 $+ z = z"
  12.268 +lemma zadd_int0: "z \<in> int ==> $#0 $+ z = z"
  12.269  by simp
  12.270  
  12.271 -lemma raw_zminus_zadd_distrib: 
  12.272 -     "[| z: int;  w: int |] ==> $- raw_zadd(z,w) = raw_zadd($- z, $- w)"
  12.273 +lemma raw_zminus_zadd_distrib:
  12.274 +     "[| z \<in> int;  w \<in> int |] ==> $- raw_zadd(z,w) = raw_zadd($- z, $- w)"
  12.275  by (auto simp add: zminus raw_zadd int_def)
  12.276  
  12.277  lemma zminus_zadd_distrib [simp]: "$- (z $+ w) = $- z $+ $- w"
  12.278  by (simp add: zadd_def raw_zminus_zadd_distrib)
  12.279  
  12.280  lemma raw_zadd_commute:
  12.281 -     "[| z: int;  w: int |] ==> raw_zadd(z,w) = raw_zadd(w,z)"
  12.282 +     "[| z \<in> int;  w \<in> int |] ==> raw_zadd(z,w) = raw_zadd(w,z)"
  12.283  by (auto simp add: raw_zadd add_ac int_def)
  12.284  
  12.285  lemma zadd_commute: "z $+ w = w $+ z"
  12.286  by (simp add: zadd_def raw_zadd_commute)
  12.287  
  12.288 -lemma raw_zadd_assoc: 
  12.289 -    "[| z1: int;  z2: int;  z3: int |]    
  12.290 +lemma raw_zadd_assoc:
  12.291 +    "[| z1: int;  z2: int;  z3: int |]
  12.292       ==> raw_zadd (raw_zadd(z1,z2),z3) = raw_zadd(z1,raw_zadd(z2,z3))"
  12.293  by (auto simp add: int_def raw_zadd add_assoc)
  12.294  
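Review bot: The new side of `raw_zadd_assoc` still states its premises as `"[| z1: int;  z2: int;  z3: int |]"`; only the trailing whitespace was stripped, while every other lemma in this hunk was moved to `\<in>`. To finish the conversion the line would read `"[| z1 \<in> int;  z2 \<in> int;  z3 \<in> int |]"`. The same leftover appears later in this file in `raw_zmult_assoc`, in `raw_zadd_zmult_distrib` (`z1: int;  z2: int;  w \<in> int`, mixed within one premise list) and in `zadd_left_cancel`/`zadd_right_cancel` (`w': int`), and in src/ZF/List_ZF.thy wherever the left-hand side is longer than one letter (`xs:list(A)`, `h(x,y): C(Cons(x,y))`, `min(i,j):nat`, `upt(i,j):list(nat)`). That pattern suggests the substitution only matched single-letter variables, so a follow-up pass over multi-character terms would be needed; since the changeset presents this as a notation change, the lemmas' meaning should be unaffected either way.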
  12.295 @@ -468,7 +468,7 @@
  12.296  lemma int_succ_int_1: "$# succ(m) = $# 1 $+ ($# m)"
  12.297  by (simp add: int_of_add [symmetric] natify_succ)
  12.298  
  12.299 -lemma int_of_diff: 
  12.300 +lemma int_of_diff:
  12.301       "[| m\<in>nat;  n \<le> m |] ==> $# (m #- n) = ($#m) $- ($#n)"
  12.302  apply (simp add: int_of_def zdiff_def)
  12.303  apply (frule lt_nat_in_nat)
  12.304 @@ -490,7 +490,7 @@
  12.305  lemma zadd_int0_right_intify [simp]: "z $+ $#0 = intify(z)"
  12.306  by (rule trans [OF zadd_commute zadd_int0_intify])
  12.307  
  12.308 -lemma zadd_int0_right: "z:int ==> z $+ $#0 = z"
  12.309 +lemma zadd_int0_right: "z \<in> int ==> z $+ $#0 = z"
  12.310  by simp
  12.311  
  12.312  
  12.313 @@ -498,7 +498,7 @@
  12.314  
  12.315  text{*Congruence property for multiplication*}
  12.316  lemma zmult_congruent2:
  12.317 -    "(%p1 p2. split(%x1 y1. split(%x2 y2.      
  12.318 +    "(%p1 p2. split(%x1 y1. split(%x2 y2.
  12.319                      intrel``{<x1#*x2 #+ y1#*y2, x1#*y2 #+ y1#*x2>}, p2), p1))
  12.320       respects2 intrel"
  12.321  apply (rule equiv_intrel [THEN congruent2_commuteI], auto)
  12.322 @@ -511,7 +511,7 @@
  12.323  done
  12.324  
  12.325  
  12.326 -lemma raw_zmult_type: "[| z: int;  w: int |] ==> raw_zmult(z,w) \<in> int"
  12.327 +lemma raw_zmult_type: "[| z \<in> int;  w \<in> int |] ==> raw_zmult(z,w) \<in> int"
  12.328  apply (simp add: int_def raw_zmult_def)
  12.329  apply (rule UN_equiv_class_type2 [OF equiv_intrel zmult_congruent2], assumption+)
  12.330  apply (simp add: Let_def)
  12.331 @@ -520,16 +520,16 @@
  12.332  lemma zmult_type [iff,TC]: "z $* w \<in> int"
  12.333  by (simp add: zmult_def raw_zmult_type)
  12.334  
  12.335 -lemma raw_zmult: 
  12.336 -     "[| x1\<in>nat; y1\<in>nat;  x2\<in>nat; y2\<in>nat |]     
  12.337 -      ==> raw_zmult(intrel``{<x1,y1>}, intrel``{<x2,y2>}) =      
  12.338 +lemma raw_zmult:
  12.339 +     "[| x1\<in>nat; y1\<in>nat;  x2\<in>nat; y2\<in>nat |]
  12.340 +      ==> raw_zmult(intrel``{<x1,y1>}, intrel``{<x2,y2>}) =
  12.341            intrel `` {<x1#*x2 #+ y1#*y2, x1#*y2 #+ y1#*x2>}"
  12.342 -by (simp add: raw_zmult_def 
  12.343 +by (simp add: raw_zmult_def
  12.344             UN_equiv_class2 [OF equiv_intrel equiv_intrel zmult_congruent2])
  12.345  
  12.346 -lemma zmult: 
  12.347 -     "[| x1\<in>nat; y1\<in>nat;  x2\<in>nat; y2\<in>nat |]     
  12.348 -      ==> (intrel``{<x1,y1>}) $* (intrel``{<x2,y2>}) =      
  12.349 +lemma zmult:
  12.350 +     "[| x1\<in>nat; y1\<in>nat;  x2\<in>nat; y2\<in>nat |]
  12.351 +      ==> (intrel``{<x1,y1>}) $* (intrel``{<x2,y2>}) =
  12.352            intrel `` {<x1#*x2 #+ y1#*y2, x1#*y2 #+ y1#*x2>}"
  12.353  by (simp add: zmult_def raw_zmult image_intrel_int)
  12.354  
  12.355 @@ -549,14 +549,14 @@
  12.356  by simp
  12.357  
  12.358  lemma raw_zmult_commute:
  12.359 -     "[| z: int;  w: int |] ==> raw_zmult(z,w) = raw_zmult(w,z)"
  12.360 +     "[| z \<in> int;  w \<in> int |] ==> raw_zmult(z,w) = raw_zmult(w,z)"
  12.361  by (auto simp add: int_def raw_zmult add_ac mult_ac)
  12.362  
  12.363  lemma zmult_commute: "z $* w = w $* z"
  12.364  by (simp add: zmult_def raw_zmult_commute)
  12.365  
  12.366 -lemma raw_zmult_zminus: 
  12.367 -     "[| z: int;  w: int |] ==> raw_zmult($- z, w) = $- raw_zmult(z, w)"
  12.368 +lemma raw_zmult_zminus:
  12.369 +     "[| z \<in> int;  w \<in> int |] ==> raw_zmult($- z, w) = $- raw_zmult(z, w)"
  12.370  by (auto simp add: int_def zminus raw_zmult add_ac)
  12.371  
  12.372  lemma zmult_zminus [simp]: "($- z) $* w = $- (z $* w)"
  12.373 @@ -567,8 +567,8 @@
  12.374  lemma zmult_zminus_right [simp]: "w $* ($- z) = $- (w $* z)"
  12.375  by (simp add: zmult_commute [of w])
  12.376  
  12.377 -lemma raw_zmult_assoc: 
  12.378 -    "[| z1: int;  z2: int;  z3: int |]    
  12.379 +lemma raw_zmult_assoc:
  12.380 +    "[| z1: int;  z2: int;  z3: int |]
  12.381       ==> raw_zmult (raw_zmult(z1,z2),z3) = raw_zmult(z1,raw_zmult(z2,z3))"
  12.382  by (auto simp add: int_def raw_zmult add_mult_distrib_left add_ac mult_ac)
  12.383  
  12.384 @@ -584,20 +584,20 @@
  12.385  (*Integer multiplication is an AC operator*)
  12.386  lemmas zmult_ac = zmult_assoc zmult_commute zmult_left_commute
  12.387  
  12.388 -lemma raw_zadd_zmult_distrib: 
  12.389 -    "[| z1: int;  z2: int;  w: int |]   
  12.390 -     ==> raw_zmult(raw_zadd(z1,z2), w) =  
  12.391 +lemma raw_zadd_zmult_distrib:
  12.392 +    "[| z1: int;  z2: int;  w \<in> int |]
  12.393 +     ==> raw_zmult(raw_zadd(z1,z2), w) =
  12.394           raw_zadd (raw_zmult(z1,w), raw_zmult(z2,w))"
  12.395  by (auto simp add: int_def raw_zadd raw_zmult add_mult_distrib_left add_ac mult_ac)
  12.396  
  12.397  lemma zadd_zmult_distrib: "(z1 $+ z2) $* w = (z1 $* w) $+ (z2 $* w)"
  12.398 -by (simp add: zmult_def zadd_def raw_zadd_type raw_zmult_type 
  12.399 +by (simp add: zmult_def zadd_def raw_zadd_type raw_zmult_type
  12.400                raw_zadd_zmult_distrib)
  12.401  
  12.402  lemma zadd_zmult_distrib2: "w $* (z1 $+ z2) = (w $* z1) $+ (w $* z2)"
  12.403  by (simp add: zmult_commute [of w] zadd_zmult_distrib)
  12.404  
  12.405 -lemmas int_typechecks = 
  12.406 +lemmas int_typechecks =
  12.407    int_of_type zminus_type zmagnitude_type zadd_type zmult_type
  12.408  
  12.409  
  12.410 @@ -628,8 +628,8 @@
  12.411  subsection{*The "Less Than" Relation*}
  12.412  
  12.413  (*"Less than" is a linear ordering*)
  12.414 -lemma zless_linear_lemma: 
  12.415 -     "[| z: int; w: int |] ==> z$<w | z=w | w$<z"
  12.416 +lemma zless_linear_lemma:
  12.417 +     "[| z \<in> int; w \<in> int |] ==> z$<w | z=w | w$<z"
  12.418  apply (simp add: int_def zless_def znegative_def zdiff_def, auto)
  12.419  apply (simp add: zadd zminus image_iff Bex_def)
  12.420  apply (rule_tac i = "xb#+ya" and j = "xc #+ y" in Ord_linear_lt)
  12.421 @@ -644,7 +644,7 @@
  12.422  lemma zless_not_refl [iff]: "~ (z$<z)"
  12.423  by (auto simp add: zless_def znegative_def int_of_def zdiff_def)
  12.424  
  12.425 -lemma neq_iff_zless: "[| x: int; y: int |] ==> (x \<noteq> y) \<longleftrightarrow> (x $< y | y $< x)"
  12.426 +lemma neq_iff_zless: "[| x \<in> int; y \<in> int |] ==> (x \<noteq> y) \<longleftrightarrow> (x $< y | y $< x)"
  12.427  by (cut_tac z = x and w = y in zless_linear, auto)
  12.428  
  12.429  lemma zless_imp_intify_neq: "w $< z ==> intify(w) \<noteq> intify(z)"
  12.430 @@ -656,8 +656,8 @@
  12.431  done
  12.432  
  12.433  (*This lemma allows direct proofs of other <-properties*)
  12.434 -lemma zless_imp_succ_zadd_lemma: 
  12.435 -    "[| w $< z; w: int; z: int |] ==> (\<exists>n\<in>nat. z = w $+ $#(succ(n)))"
  12.436 +lemma zless_imp_succ_zadd_lemma:
  12.437 +    "[| w $< z; w \<in> int; z \<in> int |] ==> (\<exists>n\<in>nat. z = w $+ $#(succ(n)))"
  12.438  apply (simp add: zless_def znegative_def zdiff_def int_def)
  12.439  apply (auto dest!: less_imp_succ_add simp add: zadd zminus int_of_def)
  12.440  apply (rule_tac x = k in bexI)
  12.441 @@ -671,7 +671,7 @@
  12.442  apply auto
  12.443  done
  12.444  
  12.445 -lemma zless_succ_zadd_lemma: 
  12.446 +lemma zless_succ_zadd_lemma:
  12.447      "w \<in> int ==> w $< w $+ $# succ(n)"
  12.448  apply (simp add: zless_def znegative_def zdiff_def int_def)
  12.449  apply (auto simp add: zadd zminus int_of_def image_iff)
  12.450 @@ -694,8 +694,8 @@
  12.451  apply (blast intro: sym)
  12.452  done
  12.453  
  12.454 -lemma zless_trans_lemma: 
  12.455 -    "[| x $< y; y $< z; x: int; y \<in> int; z: int |] ==> x $< z"
  12.456 +lemma zless_trans_lemma:
  12.457 +    "[| x $< y; y $< z; x \<in> int; y \<in> int; z \<in> int |] ==> x $< z"
  12.458  apply (simp add: zless_def znegative_def zdiff_def int_def)
  12.459  apply (auto simp add: zadd zminus image_iff)
  12.460  apply (rename_tac x1 x2 y1 y2)
  12.461 @@ -741,11 +741,11 @@
  12.462  apply (blast dest: zless_trans)
  12.463  done
  12.464  
  12.465 -lemma zle_anti_sym: "[| x $<= y; y $<= x; x: int; y: int |] ==> x=y"
  12.466 +lemma zle_anti_sym: "[| x $<= y; y $<= x; x \<in> int; y \<in> int |] ==> x=y"
  12.467  by (drule zle_anti_sym_intify, auto)
  12.468  
  12.469  lemma zle_trans_lemma:
  12.470 -     "[| x: int; y: int; z: int; x $<= y; y $<= z |] ==> x $<= z"
  12.471 +     "[| x \<in> int; y \<in> int; z \<in> int; x $<= y; y $<= z |] ==> x $<= z"
  12.472  apply (simp add: zle_def, auto)
  12.473  apply (blast intro: zless_trans)
  12.474  done
  12.475 @@ -792,21 +792,21 @@
  12.476  lemma zless_zdiff_iff: "(x $< z$-y) \<longleftrightarrow> (x $+ y $< z)"
  12.477  by (simp add: zless_def zdiff_def zadd_ac)
  12.478  
  12.479 -lemma zdiff_eq_iff: "[| x: int; z: int |] ==> (x$-y = z) \<longleftrightarrow> (x = z $+ y)"
  12.480 +lemma zdiff_eq_iff: "[| x \<in> int; z \<in> int |] ==> (x$-y = z) \<longleftrightarrow> (x = z $+ y)"
  12.481  by (auto simp add: zdiff_def zadd_assoc)
  12.482  
  12.483 -lemma eq_zdiff_iff: "[| x: int; z: int |] ==> (x = z$-y) \<longleftrightarrow> (x $+ y = z)"
  12.484 +lemma eq_zdiff_iff: "[| x \<in> int; z \<in> int |] ==> (x = z$-y) \<longleftrightarrow> (x $+ y = z)"
  12.485  by (auto simp add: zdiff_def zadd_assoc)
  12.486  
  12.487  lemma zdiff_zle_iff_lemma:
  12.488 -     "[| x: int; z: int |] ==> (x$-y $<= z) \<longleftrightarrow> (x $<= z $+ y)"
  12.489 +     "[| x \<in> int; z \<in> int |] ==> (x$-y $<= z) \<longleftrightarrow> (x $<= z $+ y)"
  12.490  by (auto simp add: zle_def zdiff_eq_iff zdiff_zless_iff)
  12.491  
  12.492  lemma zdiff_zle_iff: "(x$-y $<= z) \<longleftrightarrow> (x $<= z $+ y)"
  12.493  by (cut_tac zdiff_zle_iff_lemma [OF intify_in_int intify_in_int], simp)
  12.494  
  12.495  lemma zle_zdiff_iff_lemma:
  12.496 -     "[| x: int; z: int |] ==>(x $<= z$-y) \<longleftrightarrow> (x $+ y $<= z)"
  12.497 +     "[| x \<in> int; z \<in> int |] ==>(x $<= z$-y) \<longleftrightarrow> (x $+ y $<= z)"
  12.498  apply (auto simp add: zle_def zdiff_eq_iff zless_zdiff_iff)
  12.499  apply (auto simp add: zdiff_def zadd_assoc)
  12.500  done
  12.501 @@ -815,12 +815,12 @@
  12.502  by (cut_tac zle_zdiff_iff_lemma [ OF intify_in_int intify_in_int], simp)
  12.503  
  12.504  text{*This list of rewrites simplifies (in)equalities by bringing subtractions
  12.505 -  to the top and then moving negative terms to the other side.  
  12.506 +  to the top and then moving negative terms to the other side.
  12.507    Use with @{text zadd_ac}*}
  12.508  lemmas zcompare_rls =
  12.509       zdiff_def [symmetric]
  12.510 -     zadd_zdiff_eq zdiff_zadd_eq zdiff_zdiff_eq zdiff_zdiff_eq2 
  12.511 -     zdiff_zless_iff zless_zdiff_iff zdiff_zle_iff zle_zdiff_iff 
  12.512 +     zadd_zdiff_eq zdiff_zadd_eq zdiff_zdiff_eq zdiff_zdiff_eq2
  12.513 +     zdiff_zless_iff zless_zdiff_iff zdiff_zle_iff zle_zdiff_iff
  12.514       zdiff_eq_iff eq_zdiff_iff
  12.515  
  12.516  
  12.517 @@ -828,7 +828,7 @@
  12.518       of the CancelNumerals Simprocs*}
  12.519  
  12.520  lemma zadd_left_cancel:
  12.521 -     "[| w: int; w': int |] ==> (z $+ w' = z $+ w) \<longleftrightarrow> (w' = w)"
  12.522 +     "[| w \<in> int; w': int |] ==> (z $+ w' = z $+ w) \<longleftrightarrow> (w' = w)"
  12.523  apply safe
  12.524  apply (drule_tac t = "%x. x $+ ($-z) " in subst_context)
  12.525  apply (simp add: zadd_ac)
  12.526 @@ -841,7 +841,7 @@
  12.527  done
  12.528  
  12.529  lemma zadd_right_cancel:
  12.530 -     "[| w: int; w': int |] ==> (w' $+ z = w $+ z) \<longleftrightarrow> (w' = w)"
  12.531 +     "[| w \<in> int; w': int |] ==> (w' $+ z = w $+ z) \<longleftrightarrow> (w' = w)"
  12.532  apply safe
  12.533  apply (drule_tac t = "%x. x $+ ($-z) " in subst_context)
  12.534  apply (simp add: zadd_ac)
  12.535 @@ -895,10 +895,10 @@
  12.536  
  12.537  subsubsection{*More inequality lemmas*}
  12.538  
  12.539 -lemma equation_zminus: "[| x: int;  y: int |] ==> (x = $- y) \<longleftrightarrow> (y = $- x)"
  12.540 +lemma equation_zminus: "[| x \<in> int;  y \<in> int |] ==> (x = $- y) \<longleftrightarrow> (y = $- x)"
  12.541  by auto
  12.542  
  12.543 -lemma zminus_equation: "[| x: int;  y: int |] ==> ($- x = y) \<longleftrightarrow> ($- y = x)"
  12.544 +lemma zminus_equation: "[| x \<in> int;  y \<in> int |] ==> ($- x = y) \<longleftrightarrow> ($- y = x)"
  12.545  by auto
  12.546  
  12.547  lemma equation_zminus_intify: "(intify(x) = $- y) \<longleftrightarrow> (intify(y) = $- x)"
    13.1 --- a/src/ZF/List_ZF.thy	Thu Mar 15 15:54:22 2012 +0000
    13.2 +++ b/src/ZF/List_ZF.thy	Thu Mar 15 16:35:02 2012 +0000
    13.3 @@ -11,7 +11,7 @@
    13.4    list       :: "i=>i"
    13.5  
    13.6  datatype
    13.7 -  "list(A)" = Nil | Cons ("a:A", "l: list(A)")
    13.8 +  "list(A)" = Nil | Cons ("a \<in> A", "l \<in> list(A)")
    13.9  
   13.10  
   13.11  syntax
   13.12 @@ -171,13 +171,13 @@
   13.13  (*These two theorems justify datatypes involving list(nat), list(A), ...*)
   13.14  lemmas list_subset_univ = subset_trans [OF list_mono list_univ]
   13.15  
   13.16 -lemma list_into_univ: "[| l: list(A);  A \<subseteq> univ(B) |] ==> l: univ(B)"
   13.17 +lemma list_into_univ: "[| l \<in> list(A);  A \<subseteq> univ(B) |] ==> l \<in> univ(B)"
   13.18  by (blast intro: list_subset_univ [THEN subsetD])
   13.19  
   13.20  lemma list_case_type:
   13.21 -    "[| l: list(A);
   13.22 -        c: C(Nil);
   13.23 -        !!x y. [| x: A;  y: list(A) |] ==> h(x,y): C(Cons(x,y))
   13.24 +    "[| l \<in> list(A);
   13.25 +        c \<in> C(Nil);
   13.26 +        !!x y. [| x \<in> A;  y \<in> list(A) |] ==> h(x,y): C(Cons(x,y))
   13.27       |] ==> list_case(c,h,l) \<in> C(l)"
   13.28  by (erule list.induct, auto)
   13.29  
   13.30 @@ -189,26 +189,26 @@
   13.31  
   13.32  (*** List functions ***)
   13.33  
   13.34 -lemma tl_type: "l: list(A) ==> tl(l) \<in> list(A)"
   13.35 +lemma tl_type: "l \<in> list(A) ==> tl(l) \<in> list(A)"
   13.36  apply (induct_tac "l")
   13.37  apply (simp_all (no_asm_simp) add: list.intros)
   13.38  done
   13.39  
   13.40  (** drop **)
   13.41  
   13.42 -lemma drop_Nil [simp]: "i:nat ==> drop(i, Nil) = Nil"
   13.43 +lemma drop_Nil [simp]: "i \<in> nat ==> drop(i, Nil) = Nil"
   13.44  apply (induct_tac "i")
   13.45  apply (simp_all (no_asm_simp))
   13.46  done
   13.47  
   13.48 -lemma drop_succ_Cons [simp]: "i:nat ==> drop(succ(i), Cons(a,l)) = drop(i,l)"
   13.49 +lemma drop_succ_Cons [simp]: "i \<in> nat ==> drop(succ(i), Cons(a,l)) = drop(i,l)"
   13.50  apply (rule sym)
   13.51  apply (induct_tac "i")
   13.52  apply (simp (no_asm))
   13.53  apply (simp (no_asm_simp))
   13.54  done
   13.55  
   13.56 -lemma drop_type [simp,TC]: "[| i:nat; l: list(A) |] ==> drop(i,l) \<in> list(A)"
   13.57 +lemma drop_type [simp,TC]: "[| i \<in> nat; l \<in> list(A) |] ==> drop(i,l) \<in> list(A)"
   13.58  apply (induct_tac "i")
   13.59  apply (simp_all (no_asm_simp) add: tl_type)
   13.60  done
   13.61 @@ -219,28 +219,28 @@
   13.62  (** Type checking -- proved by induction, as usual **)
   13.63  
   13.64  lemma list_rec_type [TC]:
   13.65 -    "[| l: list(A);
   13.66 -        c: C(Nil);
   13.67 -        !!x y r. [| x:A;  y: list(A);  r: C(y) |] ==> h(x,y,r): C(Cons(x,y))
   13.68 +    "[| l \<in> list(A);
   13.69 +        c \<in> C(Nil);
   13.70 +        !!x y r. [| x \<in> A;  y \<in> list(A);  r \<in> C(y) |] ==> h(x,y,r): C(Cons(x,y))
   13.71       |] ==> list_rec(c,h,l) \<in> C(l)"
   13.72  by (induct_tac "l", auto)
   13.73  
   13.74  (** map **)
   13.75  
   13.76  lemma map_type [TC]:
   13.77 -    "[| l: list(A);  !!x. x: A ==> h(x): B |] ==> map(h,l) \<in> list(B)"
   13.78 +    "[| l \<in> list(A);  !!x. x \<in> A ==> h(x): B |] ==> map(h,l) \<in> list(B)"
   13.79  apply (simp add: map_list_def)
   13.80  apply (typecheck add: list.intros list_rec_type, blast)
   13.81  done
   13.82  
   13.83 -lemma map_type2 [TC]: "l: list(A) ==> map(h,l) \<in> list({h(u). u:A})"
   13.84 +lemma map_type2 [TC]: "l \<in> list(A) ==> map(h,l) \<in> list({h(u). u \<in> A})"
   13.85  apply (erule map_type)
   13.86  apply (erule RepFunI)
   13.87  done
   13.88  
   13.89  (** length **)
   13.90  
   13.91 -lemma length_type [TC]: "l: list(A) ==> length(l) \<in> nat"
   13.92 +lemma length_type [TC]: "l \<in> list(A) ==> length(l) \<in> nat"
   13.93  by (simp add: length_list_def)
   13.94  
   13.95  lemma lt_length_in_nat:
   13.96 @@ -266,7 +266,7 @@
   13.97  
   13.98  (** set_of_list **)
   13.99  
  13.100 -lemma set_of_list_type [TC]: "l: list(A) ==> set_of_list(l) \<in> Pow(A)"
  13.101 +lemma set_of_list_type [TC]: "l \<in> list(A) ==> set_of_list(l) \<in> Pow(A)"
  13.102  apply (unfold set_of_list_list_def)
  13.103  apply (erule list_rec_type, auto)
  13.104  done
  13.105 @@ -286,12 +286,12 @@
  13.106  
  13.107  (*** theorems about map ***)
  13.108  
  13.109 -lemma map_ident [simp]: "l: list(A) ==> map(%u. u, l) = l"
  13.110 +lemma map_ident [simp]: "l \<in> list(A) ==> map(%u. u, l) = l"
  13.111  apply (induct_tac "l")
  13.112  apply (simp_all (no_asm_simp))
  13.113  done
  13.114  
  13.115 -lemma map_compose: "l: list(A) ==> map(h, map(j,l)) = map(%u. h(j(u)), l)"
  13.116 +lemma map_compose: "l \<in> list(A) ==> map(h, map(j,l)) = map(%u. h(j(u)), l)"
  13.117  apply (induct_tac "l")
  13.118  apply (simp_all (no_asm_simp))
  13.119  done
  13.120 @@ -307,7 +307,7 @@
  13.121  done
  13.122  
  13.123  lemma list_rec_map:
  13.124 -     "l: list(A) ==>
  13.125 +     "l \<in> list(A) ==>
  13.126        list_rec(c, d, map(h,l)) =
  13.127        list_rec(c, %x xs r. d(h(x), map(h,xs), r), l)"
  13.128  apply (induct_tac "l")
  13.129 @@ -319,7 +319,7 @@
  13.130  (* @{term"c \<in> list(Collect(B,P)) ==> c \<in> list"} *)
  13.131  lemmas list_CollectD = Collect_subset [THEN list_mono, THEN subsetD]
  13.132  
  13.133 -lemma map_list_Collect: "l: list({x:A. h(x)=j(x)}) ==> map(h,l) = map(j,l)"
  13.134 +lemma map_list_Collect: "l \<in> list({x \<in> A. h(x)=j(x)}) ==> map(h,l) = map(j,l)"
  13.135  apply (induct_tac "l")
  13.136  apply (simp_all (no_asm_simp))
  13.137  done
  13.138 @@ -354,7 +354,7 @@
  13.139  by (erule list.induct, simp_all)
  13.140  
  13.141  lemma drop_length [rule_format]:
  13.142 -     "l: list(A) ==> \<forall>i \<in> length(l). (\<exists>z zs. drop(i,l) = Cons(z,zs))"
  13.143 +     "l \<in> list(A) ==> \<forall>i \<in> length(l). (\<exists>z zs. drop(i,l) = Cons(z,zs))"
  13.144  apply (erule list.induct, simp_all, safe)
  13.145  apply (erule drop_length_Cons)
  13.146  apply (rule natE)
  13.147 @@ -378,7 +378,7 @@
  13.148  
  13.149  (*** theorems about rev ***)
  13.150  
  13.151 -lemma rev_map_distrib: "l: list(A) ==> rev(map(h,l)) = map(h,rev(l))"
  13.152 +lemma rev_map_distrib: "l \<in> list(A) ==> rev(map(h,l)) = map(h,rev(l))"
  13.153  apply (induct_tac "l")
  13.154  apply (simp_all (no_asm_simp) add: map_app_distrib)
  13.155  done
  13.156 @@ -393,7 +393,7 @@
  13.157  apply (simp_all add: app_assoc)
  13.158  done
  13.159  
  13.160 -lemma rev_rev_ident [simp]: "l: list(A) ==> rev(rev(l))=l"
  13.161 +lemma rev_rev_ident [simp]: "l \<in> list(A) ==> rev(rev(l))=l"
  13.162  apply (induct_tac "l")
  13.163  apply (simp_all (no_asm_simp) add: rev_app_distrib)
  13.164  done
  13.165 @@ -412,7 +412,7 @@
  13.166  apply (induct_tac "xs", simp_all)
  13.167  done
  13.168  
  13.169 -lemma list_add_rev: "l: list(nat) ==> list_add(rev(l)) = list_add(l)"
  13.170 +lemma list_add_rev: "l \<in> list(nat) ==> list_add(rev(l)) = list_add(l)"
  13.171  apply (induct_tac "l")
  13.172  apply (simp_all (no_asm_simp) add: list_add_app)
  13.173  done
  13.174 @@ -426,9 +426,9 @@
  13.175  (** New induction rules **)
  13.176  
  13.177  lemma list_append_induct [case_names Nil snoc, consumes 1]:
  13.178 -    "[| l: list(A);
  13.179 +    "[| l \<in> list(A);
  13.180          P(Nil);
  13.181 -        !!x y. [| x: A;  y: list(A);  P(y) |] ==> P(y @ [x])
  13.182 +        !!x y. [| x \<in> A;  y \<in> list(A);  P(y) |] ==> P(y @ [x])
  13.183       |] ==> P(l)"
  13.184  apply (subgoal_tac "P(rev(rev(l)))", simp)
  13.185  apply (erule rev_type [THEN list.induct], simp_all)
  13.186 @@ -462,31 +462,31 @@
  13.187  
  13.188  (** min FIXME: replace by Int! **)
  13.189  (* Min theorems are also true for i, j ordinals *)
  13.190 -lemma min_sym: "[| i:nat; j:nat |] ==> min(i,j)=min(j,i)"
  13.191 +lemma min_sym: "[| i \<in> nat; j \<in> nat |] ==> min(i,j)=min(j,i)"
  13.192  apply (unfold min_def)
  13.193  apply (auto dest!: not_lt_imp_le dest: lt_not_sym intro: le_anti_sym)
  13.194  done
  13.195  
  13.196 -lemma min_type [simp,TC]: "[| i:nat; j:nat |] ==> min(i,j):nat"
  13.197 +lemma min_type [simp,TC]: "[| i \<in> nat; j \<in> nat |] ==> min(i,j):nat"
  13.198  by (unfold min_def, auto)
  13.199  
  13.200 -lemma min_0 [simp]: "i:nat ==> min(0,i) = 0"
  13.201 +lemma min_0 [simp]: "i \<in> nat ==> min(0,i) = 0"
  13.202  apply (unfold min_def)
  13.203  apply (auto dest: not_lt_imp_le)
  13.204  done
  13.205  
  13.206 -lemma min_02 [simp]: "i:nat ==> min(i, 0) = 0"
  13.207 +lemma min_02 [simp]: "i \<in> nat ==> min(i, 0) = 0"
  13.208  apply (unfold min_def)
  13.209  apply (auto dest: not_lt_imp_le)
  13.210  done
  13.211  
  13.212 -lemma lt_min_iff: "[| i:nat; j:nat; k:nat |] ==> i<min(j,k) \<longleftrightarrow> i<j & i<k"
  13.213 +lemma lt_min_iff: "[| i \<in> nat; j \<in> nat; k \<in> nat |] ==> i<min(j,k) \<longleftrightarrow> i<j & i<k"
  13.214  apply (unfold min_def)
  13.215  apply (auto dest!: not_lt_imp_le intro: lt_trans2 lt_trans)
  13.216  done
  13.217  
  13.218  lemma min_succ_succ [simp]:
  13.219 -     "[| i:nat; j:nat |] ==>  min(succ(i), succ(j))= succ(min(i, j))"
  13.220 +     "[| i \<in> nat; j \<in> nat |] ==>  min(succ(i), succ(j))= succ(min(i, j))"
  13.221  apply (unfold min_def, auto)
  13.222  done
  13.223  
  13.224 @@ -603,7 +603,7 @@
  13.225  by simp
  13.226  
  13.227  (* Can also be proved from append_eq_append_iff2,
  13.228 -but the proof requires two more hypotheses: x:A and y:A *)
  13.229 +but the proof requires two more hypotheses: x \<in> A and y \<in> A *)
  13.230  lemma append1_eq_iff [rule_format,simp]:
  13.231       "xs:list(A) ==> \<forall>ys \<in> list(A). xs@[x] = ys@[y] \<longleftrightarrow> (xs = ys & x=y)"
  13.232  apply (erule list.induct)
  13.233 @@ -656,26 +656,26 @@
  13.234  (** more theorems about drop **)
  13.235  
  13.236  lemma length_drop [rule_format,simp]:
  13.237 -     "n:nat ==> \<forall>xs \<in> list(A). length(drop(n, xs)) = length(xs) #- n"
  13.238 +     "n \<in> nat ==> \<forall>xs \<in> list(A). length(drop(n, xs)) = length(xs) #- n"
  13.239  apply (erule nat_induct)
  13.240  apply (auto elim: list.cases)
  13.241  done
  13.242  
  13.243  lemma drop_all [rule_format,simp]:
  13.244 -     "n:nat ==> \<forall>xs \<in> list(A). length(xs) \<le> n \<longrightarrow> drop(n, xs)=Nil"
  13.245 +     "n \<in> nat ==> \<forall>xs \<in> list(A). length(xs) \<le> n \<longrightarrow> drop(n, xs)=Nil"
  13.246  apply (erule nat_induct)
  13.247  apply (auto elim: list.cases)
  13.248  done
  13.249  
  13.250  lemma drop_append [rule_format]:
  13.251 -     "n:nat ==>
  13.252 +     "n \<in> nat ==>
  13.253        \<forall>xs \<in> list(A). drop(n, xs@ys) = drop(n,xs) @ drop(n #- length(xs), ys)"
  13.254  apply (induct_tac "n")
  13.255  apply (auto elim: list.cases)
  13.256  done
  13.257  
  13.258  lemma drop_drop:
  13.259 -    "m:nat ==> \<forall>xs \<in> list(A). \<forall>n \<in> nat. drop(n, drop(m, xs))=drop(n #+ m, xs)"
  13.260 +    "m \<in> nat ==> \<forall>xs \<in> list(A). \<forall>n \<in> nat. drop(n, drop(m, xs))=drop(n #+ m, xs)"
  13.261  apply (induct_tac "m")
  13.262  apply (auto elim: list.cases)
  13.263  done
  13.264 @@ -688,15 +688,15 @@
  13.265  done
  13.266  
  13.267  lemma take_succ_Cons [simp]:
  13.268 -    "n:nat ==> take(succ(n), Cons(a, xs)) = Cons(a, take(n, xs))"
  13.269 +    "n \<in> nat ==> take(succ(n), Cons(a, xs)) = Cons(a, take(n, xs))"
  13.270  by (simp add: take_def)
  13.271  
  13.272  (* Needed for proving take_all *)
  13.273 -lemma take_Nil [simp]: "n:nat ==> take(n, Nil) = Nil"
  13.274 +lemma take_Nil [simp]: "n \<in> nat ==> take(n, Nil) = Nil"
  13.275  by (unfold take_def, auto)
  13.276  
  13.277  lemma take_all [rule_format,simp]:
  13.278 -     "n:nat ==> \<forall>xs \<in> list(A). length(xs) \<le> n  \<longrightarrow> take(n, xs) = xs"
  13.279 +     "n \<in> nat ==> \<forall>xs \<in> list(A). length(xs) \<le> n  \<longrightarrow> take(n, xs) = xs"
  13.280  apply (erule nat_induct)
  13.281  apply (auto elim: list.cases)
  13.282  done
  13.283 @@ -730,7 +730,7 @@
  13.284  lemma nth_0 [simp]: "nth(0, Cons(a, l)) = a"
  13.285  by (simp add: nth_def)
  13.286  
  13.287 -lemma nth_Cons [simp]: "n:nat ==> nth(succ(n), Cons(a,l)) = nth(n,l)"
  13.288 +lemma nth_Cons [simp]: "n \<in> nat ==> nth(succ(n), Cons(a,l)) = nth(n,l)"
  13.289  by (simp add: nth_def)
  13.290  
  13.291  lemma nth_empty [simp]: "nth(n, Nil) = 0"
  13.292 @@ -759,7 +759,7 @@
  13.293  
  13.294  lemma set_of_list_conv_nth:
  13.295      "xs:list(A)
  13.296 -     ==> set_of_list(xs) = {x:A. \<exists>i\<in>nat. i<length(xs) & x = nth(i,xs)}"
  13.297 +     ==> set_of_list(xs) = {x \<in> A. \<exists>i\<in>nat. i<length(xs) & x = nth(i,xs)}"
  13.298  apply (induct_tac "xs", simp_all)
  13.299  apply (rule equalityI, auto)
  13.300  apply (rule_tac x = 0 in bexI, auto)
  13.301 @@ -769,7 +769,7 @@
  13.302  (* Other theorems about lists *)
  13.303  
  13.304  lemma nth_take_lemma [rule_format]:
  13.305 - "k:nat ==>
  13.306 + "k \<in> nat ==>
  13.307    \<forall>xs \<in> list(A). (\<forall>ys \<in> list(A). k \<le> length(xs) \<longrightarrow> k \<le> length(ys) \<longrightarrow>
  13.308        (\<forall>i \<in> nat. i<k \<longrightarrow> nth(i,xs) = nth(i,ys))\<longrightarrow> take(k,xs) = take(k,ys))"
  13.309  apply (induct_tac "k")
  13.310 @@ -811,7 +811,7 @@
  13.311  done
  13.312  
  13.313  lemma nth_drop [rule_format]:
  13.314 -  "n:nat ==> \<forall>i \<in> nat. \<forall>xs \<in> list(A). nth(i, drop(n, xs)) = nth(n #+ i, xs)"
  13.315 +  "n \<in> nat ==> \<forall>i \<in> nat. \<forall>xs \<in> list(A). nth(i, drop(n, xs)) = nth(n #+ i, xs)"
  13.316  apply (induct_tac "n", simp_all, clarify)
  13.317  apply (erule list.cases, auto)
  13.318  done
  13.319 @@ -886,7 +886,7 @@
  13.320  done
  13.321  
  13.322  lemma zip_Cons_Cons [simp]:
  13.323 -     "[| xs:list(A); ys:list(B); x:A; y:B |] ==>
  13.324 +     "[| xs:list(A); ys:list(B); x \<in> A; y \<in> B |] ==>
  13.325        zip(Cons(x,xs), Cons(y, ys)) = Cons(<x,y>, zip(xs, ys))"
  13.326  apply (simp add: zip_def, auto)
  13.327  apply (rule zip_aux_unique, auto)
  13.328 @@ -951,7 +951,7 @@
  13.329  done
  13.330  
  13.331  lemma set_of_list_zip [rule_format]:
  13.332 -     "[| xs:list(A); ys:list(B); i:nat |]
  13.333 +     "[| xs:list(A); ys:list(B); i \<in> nat |]
  13.334        ==> set_of_list(zip(xs, ys)) =
  13.335            {<x, y>:A*B. \<exists>i\<in>nat. i < min(length(xs), length(ys))
  13.336            & x = nth(i, xs) & y = nth(i, ys)}"
  13.337 @@ -959,20 +959,20 @@
  13.338  
  13.339  (** list_update **)
  13.340  
  13.341 -lemma list_update_Nil [simp]: "i:nat ==>list_update(Nil, i, v) = Nil"
  13.342 +lemma list_update_Nil [simp]: "i \<in> nat ==>list_update(Nil, i, v) = Nil"
  13.343  by (unfold list_update_def, auto)
  13.344  
  13.345  lemma list_update_Cons_0 [simp]: "list_update(Cons(x, xs), 0, v)= Cons(v, xs)"
  13.346  by (unfold list_update_def, auto)
  13.347  
  13.348  lemma list_update_Cons_succ [simp]:
  13.349 -  "n:nat ==>
  13.350 +  "n \<in> nat ==>
  13.351      list_update(Cons(x, xs), succ(n), v)= Cons(x, list_update(xs, n, v))"
  13.352  apply (unfold list_update_def, auto)
  13.353  done
  13.354  
  13.355  lemma list_update_type [rule_format,simp,TC]:
  13.356 -     "[| xs:list(A); v:A |] ==> \<forall>n \<in> nat. list_update(xs, n, v):list(A)"
  13.357 +     "[| xs:list(A); v \<in> A |] ==> \<forall>n \<in> nat. list_update(xs, n, v):list(A)"
  13.358  apply (induct_tac "xs")
  13.359  apply (simp (no_asm))
  13.360  apply clarify
  13.361 @@ -1056,7 +1056,7 @@
  13.362  done
  13.363  
  13.364  lemma set_of_list_update_subsetI:
  13.365 -     "[| set_of_list(xs) \<subseteq> A; xs:list(A); x:A; i:nat|]
  13.366 +     "[| set_of_list(xs) \<subseteq> A; xs:list(A); x \<in> A; i \<in> nat|]
  13.367     ==> set_of_list(list_update(xs, i,x)) \<subseteq> A"
  13.368  apply (rule subset_trans)
  13.369  apply (rule set_update_subset_cons, auto)
  13.370 @@ -1065,13 +1065,13 @@
  13.371  (** upt **)
  13.372  
  13.373  lemma upt_rec:
  13.374 -     "j:nat ==> upt(i,j) = (if i<j then Cons(i, upt(succ(i), j)) else Nil)"
  13.375 +     "j \<in> nat ==> upt(i,j) = (if i<j then Cons(i, upt(succ(i), j)) else Nil)"
  13.376  apply (induct_tac "j", auto)
  13.377  apply (drule not_lt_imp_le)
  13.378  apply (auto simp: lt_Ord intro: le_anti_sym)
  13.379  done
  13.380  
  13.381 -lemma upt_conv_Nil [simp]: "[| j \<le> i; j:nat |] ==> upt(i,j) = Nil"
  13.382 +lemma upt_conv_Nil [simp]: "[| j \<le> i; j \<in> nat |] ==> upt(i,j) = Nil"
  13.383  apply (subst upt_rec, auto)
  13.384  apply (auto simp add: le_iff)
  13.385  apply (drule lt_asym [THEN notE], auto)
  13.386 @@ -1079,34 +1079,34 @@
  13.387  
  13.388  (*Only needed if upt_Suc is deleted from the simpset*)
  13.389  lemma upt_succ_append:
  13.390 -     "[| i \<le> j; j:nat |] ==> upt(i,succ(j)) = upt(i, j)@[j]"
  13.391 +     "[| i \<le> j; j \<in> nat |] ==> upt(i,succ(j)) = upt(i, j)@[j]"
  13.392  by simp
  13.393  
  13.394  lemma upt_conv_Cons:
  13.395 -     "[| i<j; j:nat |]  ==> upt(i,j) = Cons(i,upt(succ(i),j))"
  13.396 +     "[| i<j; j \<in> nat |]  ==> upt(i,j) = Cons(i,upt(succ(i),j))"
  13.397  apply (rule trans)
  13.398  apply (rule upt_rec, auto)
  13.399  done
  13.400  
  13.401 -lemma upt_type [simp,TC]: "j:nat ==> upt(i,j):list(nat)"
  13.402 +lemma upt_type [simp,TC]: "j \<in> nat ==> upt(i,j):list(nat)"
  13.403  by (induct_tac "j", auto)
  13.404  
  13.405  (*LOOPS as a simprule, since j<=j*)
  13.406  lemma upt_add_eq_append:
  13.407 -     "[| i \<le> j; j:nat; k:nat |] ==> upt(i, j #+k) = upt(i,j)@upt(j,j#+k)"
  13.408 +     "[| i \<le> j; j \<in> nat; k \<in> nat |] ==> upt(i, j #+k) = upt(i,j)@upt(j,j#+k)"
  13.409  apply (induct_tac "k")
  13.410  apply (auto simp add: app_assoc app_type)
  13.411  apply (rule_tac j = j in le_trans, auto)
  13.412  done
  13.413  
  13.414 -lemma length_upt [simp]: "[| i:nat; j:nat |] ==>length(upt(i,j)) = j #- i"
  13.415 +lemma length_upt [simp]: "[| i \<in> nat; j \<in> nat |] ==>length(upt(i,j)) = j #- i"
  13.416  apply (induct_tac "j")
  13.417  apply (rule_tac [2] sym)
  13.418  apply (auto dest!: not_lt_imp_le simp add: diff_succ diff_is_0_iff)
  13.419  done
  13.420  
  13.421  lemma nth_upt [rule_format,simp]:
  13.422 -     "[| i:nat; j:nat; k:nat |] ==> i #+ k < j \<longrightarrow> nth(k, upt(i,j)) = i #+ k"
  13.423 +     "[| i \<in> nat; j \<in> nat; k \<in> nat |] ==> i #+ k < j \<longrightarrow> nth(k, upt(i,j)) = i #+ k"
  13.424  apply (induct_tac "j", simp)
  13.425  apply (simp add: nth_append le_iff)
  13.426  apply (auto dest!: not_lt_imp_le
  13.427 @@ -1114,7 +1114,7 @@
  13.428  done
  13.429  
  13.430  lemma take_upt [rule_format,simp]:
  13.431 -     "[| m:nat; n:nat |] ==>
  13.432 +     "[| m \<in> nat; n \<in> nat |] ==>
  13.433           \<forall>i \<in> nat. i #+ m \<le> n \<longrightarrow> take(m, upt(i,n)) = upt(i,i#+m)"
  13.434  apply (induct_tac "m")
  13.435  apply (simp (no_asm_simp) add: take_0)
  13.436 @@ -1128,7 +1128,7 @@
  13.437  done
  13.438  
  13.439  lemma map_succ_upt:
  13.440 -     "[| m:nat; n:nat |] ==> map(succ, upt(m,n))= upt(succ(m), succ(n))"
  13.441 +     "[| m \<in> nat; n \<in> nat |] ==> map(succ, upt(m,n))= upt(succ(m), succ(n))"
  13.442  apply (induct_tac "n")
  13.443  apply (auto simp add: map_app_distrib)
  13.444  done
  13.445 @@ -1142,7 +1142,7 @@
  13.446  done
  13.447  
  13.448  lemma nth_map_upt [rule_format]:
  13.449 -     "[| m:nat; n:nat |] ==>
  13.450 +     "[| m \<in> nat; n \<in> nat |] ==>
  13.451        \<forall>i \<in> nat. i < n #- m \<longrightarrow> nth(i, map(f, upt(m,n))) = f(m #+ i)"
  13.452  apply (rule_tac n = m and m = n in diff_induct, typecheck, simp, simp)
  13.453  apply (subst map_succ_upt [symmetric], simp_all, clarify)
  13.454 @@ -1170,9 +1170,9 @@
  13.455  by (unfold sublist_def, auto)
  13.456  
  13.457  lemma sublist_shift_lemma:
  13.458 - "[| xs:list(B); i:nat |] ==>
  13.459 + "[| xs:list(B); i \<in> nat |] ==>
  13.460    map(fst, filter(%p. snd(p):A, zip(xs, upt(i,i #+ length(xs))))) =
  13.461 -  map(fst, filter(%p. snd(p):nat & snd(p) #+ i:A, zip(xs,upt(0,length(xs)))))"
  13.462 +  map(fst, filter(%p. snd(p):nat & snd(p) #+ i \<in> A, zip(xs,upt(0,length(xs)))))"
  13.463  apply (erule list_append_induct)
  13.464  apply (simp (no_asm_simp))
  13.465  apply (auto simp add: add_commute length_app filter_append map_app_distrib)
  13.466 @@ -1186,12 +1186,12 @@
  13.467  done
  13.468  
  13.469  lemma upt_add_eq_append2:
  13.470 -     "[| i:nat; j:nat |] ==> upt(0, i #+ j) = upt(0, i) @ upt(i, i #+ j)"
  13.471 +     "[| i \<in> nat; j \<in> nat |] ==> upt(0, i #+ j) = upt(0, i) @ upt(i, i #+ j)"
  13.472  by (simp add: upt_add_eq_append [of 0] nat_0_le)
  13.473  
  13.474  lemma sublist_append:
  13.475   "[| xs:list(B); ys:list(B)  |] ==>
  13.476 -  sublist(xs@ys, A) = sublist(xs, A) @ sublist(ys, {j:nat. j #+ length(xs): A})"
  13.477 +  sublist(xs@ys, A) = sublist(xs, A) @ sublist(ys, {j \<in> nat. j #+ length(xs): A})"
  13.478  apply (unfold sublist_def)
  13.479  apply (erule_tac l = ys in list_append_induct, simp)
  13.480  apply (simp (no_asm_simp) add: upt_add_eq_append2 app_assoc [symmetric])
  13.481 @@ -1201,9 +1201,9 @@
  13.482  
  13.483  
  13.484  lemma sublist_Cons:
  13.485 -     "[| xs:list(B); x:B |] ==>
  13.486 +     "[| xs:list(B); x \<in> B |] ==>
  13.487        sublist(Cons(x, xs), A) =
  13.488 -      (if 0:A then [x] else []) @ sublist(xs, {j:nat. succ(j) \<in> A})"
  13.489 +      (if 0 \<in> A then [x] else []) @ sublist(xs, {j \<in> nat. succ(j) \<in> A})"
  13.490  apply (erule_tac l = xs in list_append_induct)
  13.491  apply (simp (no_asm_simp) add: sublist_def)
  13.492  apply (simp del: app_Cons add: app_Cons [symmetric] sublist_append, simp)
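--- a/src/ZF/Main_ZF.thy	Thu Mar 15 15:54:22 2012 +0000
+++ b/src/ZF/Main_ZF.thy	Thu Mar 15 16:35:02 2012 +0000
@@ -23,21 +23,21 @@
   iterates_omega  ("(_^\<omega> '(_'))" [60,1000] 60)
 
 lemma iterates_triv:
-     "[| n\<in>nat;  F(x) = x |] ==> F^n (x) = x"  
+     "[| n\<in>nat;  F(x) = x |] ==> F^n (x) = x"
 by (induct n rule: nat_induct, simp_all)
 
 lemma iterates_type [TC]:
-     "[| n:nat;  a: A; !!x. x:A ==> F(x) \<in> A |] 
-      ==> F^n (a) \<in> A"  
+     "[| n \<in> nat;  a \<in> A; !!x. x \<in> A ==> F(x) \<in> A |]
+      ==> F^n (a) \<in> A"
 by (induct n rule: nat_induct, simp_all)
 
 lemma iterates_omega_triv:
-    "F(x) = x ==> F^\<omega> (x) = x" 
-by (simp add: iterates_omega_def iterates_triv) 
+    "F(x) = x ==> F^\<omega> (x) = x"
+by (simp add: iterates_omega_def iterates_triv)
 
 lemma Ord_iterates [simp]:
-     "[| n\<in>nat;  !!i. Ord(i) ==> Ord(F(i));  Ord(x) |] 
-      ==> Ord(F^n (x))"  
+     "[| n\<in>nat;  !!i. Ord(i) ==> Ord(F(i));  Ord(x) |]
+      ==> Ord(F^n (x))"
 by (induct n rule: nat_induct, simp_all)
 
 lemma iterates_commute: "n \<in> nat ==> F(F^n (x)) = F^n (F(x))"
@@ -46,12 +46,12 @@
 
 subsection{* Transfinite Recursion *}
 
-text{*Transfinite recursion for definitions based on the 
+text{*Transfinite recursion for definitions based on the
     three cases of ordinals*}
 
 definition
   transrec3 :: "[i, i, [i,i]=>i, [i,i]=>i] =>i" where
-    "transrec3(k, a, b, c) ==                     
+    "transrec3(k, a, b, c) ==
        transrec(k, \<lambda>x r.
          if x=0 then a
          else if Limit(x) then c(x, \<lambda>y\<in>x. r`y)
@@ -65,7 +65,7 @@
 by (rule transrec3_def [THEN def_transrec, THEN trans], simp)
 
 lemma transrec3_Limit:
-     "Limit(i) ==> 
+     "Limit(i) ==>
       transrec3(i,a,b,c) = c(i, \<lambda>j\<in>i. transrec3(j,a,b,c))"
 by (rule transrec3_def [THEN def_transrec, THEN trans], force)
 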
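--- a/src/ZF/Nat_ZF.thy	Thu Mar 15 15:54:22 2012 +0000
+++ b/src/ZF/Nat_ZF.thy	Thu Mar 15 16:35:02 2012 +0000
@@ -9,7 +9,7 @@
 
 definition
   nat :: i  where
-    "nat == lfp(Inf, %X. {0} \<union> {succ(i). i:X})"
+    "nat == lfp(Inf, %X. {0} \<union> {succ(i). i \<in> X})"
 
 definition
   quasinat :: "i => o"  where
@@ -45,18 +45,18 @@
 
 definition
   greater_than :: "i=>i"  where
-    "greater_than(n) == {i:nat. n < i}"
+    "greater_than(n) == {i \<in> nat. n < i}"
 
 text{*No need for a less-than operator: a natural number is its list of
 predecessors!*}
 
 
-lemma nat_bnd_mono: "bnd_mono(Inf, %X. {0} \<union> {succ(i). i:X})"
+lemma nat_bnd_mono: "bnd_mono(Inf, %X. {0} \<union> {succ(i). i \<in> X})"
 apply (rule bnd_monoI)
 apply (cut_tac infinity, blast, blast)
 done
 
-(* @{term"nat = {0} \<union> {succ(x). x:nat}"} *)
+(* @{term"nat = {0} \<union> {succ(x). x \<in> nat}"} *)
 lemmas nat_unfold = nat_bnd_mono [THEN nat_def [THEN def_lfp_unfold]]
 
 (** Type checking of 0 and successor **)
@@ -87,22 +87,22 @@
 
 (*Mathematical induction*)
 lemma nat_induct [case_names 0 succ, induct set: nat]:
-    "[| n \<in> nat;  P(0);  !!x. [| x: nat;  P(x) |] ==> P(succ(x)) |] ==> P(n)"
+    "[| n \<in> nat;  P(0);  !!x. [| x \<in> nat;  P(x) |] ==> P(succ(x)) |] ==> P(n)"
 by (erule def_induct [OF nat_def nat_bnd_mono], blast)
 
 lemma natE:
  assumes "n \<in> nat"
- obtains (0) "n=0" | (succ) x where "x \<in> nat" "n=succ(x)" 
+ obtains (0) "n=0" | (succ) x where "x \<in> nat" "n=succ(x)"
 using assms
 by (rule nat_unfold [THEN equalityD1, THEN subsetD, THEN UnE]) auto
 
 lemma nat_into_Ord [simp]: "n \<in> nat ==> Ord(n)"
 by (erule nat_induct, auto)
 
-(* @{term"i: nat ==> 0 \<le> i"}; same thing as @{term"0<succ(i)"}  *)
+(* @{term"i \<in> nat ==> 0 \<le> i"}; same thing as @{term"0<succ(i)"}  *)
 lemmas nat_0_le = nat_into_Ord [THEN Ord_0_le]
 
-(* @{term"i: nat ==> i \<le> i"}; same thing as @{term"i<succ(i)"}  *)
+(* @{term"i \<in> nat ==> i \<le> i"}; same thing as @{term"i<succ(i)"}  *)
 lemmas nat_le_refl = nat_into_Ord [THEN le_refl]
 
 lemma Ord_nat [iff]: "Ord(nat)"
@@ -122,7 +122,7 @@
 lemma naturals_not_limit: "a \<in> nat ==> ~ Limit(a)"
 by (induct a rule: nat_induct, auto)
 
-lemma succ_natD: "succ(i): nat ==> i: nat"
+lemma succ_natD: "succ(i): nat ==> i \<in> nat"
 by (rule Ord_trans [OF succI1], auto)
 
 lemma nat_succ_iff [iff]: "succ(n): nat \<longleftrightarrow> n \<in> nat"
@@ -137,15 +137,15 @@
 apply (blast intro: Limit_has_succ [THEN ltD] ltI Limit_is_Ord)
 done
 
-(* [| succ(i): k;  k: nat |] ==> i: k *)
+(* [| succ(i): k;  k \<in> nat |] ==> i \<in> k *)
 lemmas succ_in_naturalD = Ord_trans [OF succI1 _ nat_into_Ord]
 
-lemma lt_nat_in_nat: "[| m<n;  n \<in> nat |] ==> m: nat"
+lemma lt_nat_in_nat: "[| m<n;  n \<in> nat |] ==> m \<in> nat"
 apply (erule ltE)
 apply (erule Ord_trans, assumption, simp)
 done
 
-lemma le_in_nat: "[| m \<le> n; n:nat |] ==> m:nat"
+lemma le_in_nat: "[| m \<le> n; n \<in> nat |] ==> m \<in> nat"
 by (blast dest!: lt_nat_in_nat)
 
 
@@ -160,8 +160,8 @@
 
 
 lemma nat_induct_from_lemma [rule_format]:
-    "[| n \<in> nat;  m: nat;
-        !!x. [| x: nat;  m \<le> x;  P(x) |] ==> P(succ(x)) |]
+    "[| n \<in> nat;  m \<in> nat;
+        !!x. [| x \<in> nat;  m \<le> x;  P(x) |] ==> P(succ(x)) |]
      ==> m \<le> n \<longrightarrow> P(m) \<longrightarrow> P(n)"
 apply (erule nat_induct)
 apply (simp_all add: distrib_simps le0_iff le_succ_iff)
@@ -169,19 +169,19 @@
 
 (*Induction starting from m rather than 0*)
 lemma nat_induct_from:
-    "[| m \<le> n;  m: nat;  n \<in> nat;
+    "[| m \<le> n;  m \<in> nat;  n \<in> nat;
         P(m);
-        !!x. [| x: nat;  m \<le> x;  P(x) |] ==> P(succ(x)) |]
+        !!x. [| x \<in> nat;  m \<le> x;  P(x) |] ==> P(succ(x)) |]
      ==> P(n)"
 apply (blast intro: nat_induct_from_lemma)
 done
 
 (*Induction suitable for subtraction and less-than*)
 lemma diff_induct [case_names 0 0_succ succ_succ, consumes 2]:
-    "[| m: nat;  n \<in> nat;
-        !!x. x: nat ==> P(x,0);
-        !!y. y: nat ==> P(0,succ(y));
-        !!x y. [| x: nat;  y: nat;  P(x,y) |] ==> P(succ(x),succ(y)) |]
+    "[| m \<in> nat;  n \<in> nat;
+        !!x. x \<in> nat ==> P(x,0);
+        !!y. y \<in> nat ==> P(0,succ(y));
+        !!x y. [| x \<in> nat;  y \<in> nat;  P(x,y) |] ==> P(succ(x),succ(y)) |]
      ==> P(m,n)"
 apply (erule_tac x = m in rev_bspec)
 apply (erule nat_induct, simp)
@@ -194,7 +194,7 @@
 (** Induction principle analogous to trancl_induct **)
 
 lemma succ_lt_induct_lemma [rule_format]:
-     "m: nat ==> P(m,succ(m)) \<longrightarrow> (\<forall>x\<in>nat. P(m,x) \<longrightarrow> P(m,succ(x))) \<longrightarrow>
+     "m \<in> nat ==> P(m,succ(m)) \<longrightarrow> (\<forall>x\<in>nat. P(m,x) \<longrightarrow> P(m,succ(x))) \<longrightarrow>
                  (\<forall>n\<in>nat. m<n \<longrightarrow> P(m,n))"
 apply (erule nat_induct)
  apply (intro impI, rule nat_induct [THEN ballI])
@@ -205,7 +205,7 @@
 lemma succ_lt_induct:
     "[| m<n;  n \<in> nat;
         P(m,succ(m));
-        !!x. [| x: nat;  P(m,x) |] ==> P(m,succ(x)) |]
+        !!x. [| x \<in> nat;  P(m,x) |] ==> P(m,succ(x)) |]
      ==> P(m,n)"
 by (blast intro: succ_lt_induct_lemma lt_nat_in_nat)
 
@@ -243,7 +243,7 @@
 by (simp add: nat_case_def)
 
 lemma nat_case_type [TC]:
-    "[| n \<in> nat;  a: C(0);  !!m. m: nat ==> b(m): C(succ(m)) |]
+    "[| n \<in> nat;  a \<in> C(0);  !!m. m \<in> nat ==> b(m): C(succ(m)) |]
      ==> nat_case(a,b,n) \<in> C(n)";
 by (erule nat_induct, auto)
 
@@ -266,7 +266,7 @@
 apply (rule nat_case_0)
 done
 
-lemma nat_rec_succ: "m: nat ==> nat_rec(succ(m),a,b) = b(m, nat_rec(m,a,b))"
+lemma nat_rec_succ: "m \<in> nat ==> nat_rec(succ(m),a,b) = b(m, nat_rec(m,a,b))"
 apply (rule nat_rec_def [THEN def_wfrec, THEN trans])
  apply (rule wf_Memrel)
 apply (simp add: vimage_singleton_iff)
@@ -274,12 +274,12 @@
 
 (** The union of two natural numbers is a natural number -- their maximum **)
 
-lemma Un_nat_type [TC]: "[| i: nat; j: nat |] ==> i \<union> j: nat"
+lemma Un_nat_type [TC]: "[| i \<in> nat; j \<in> nat |] ==> i \<union> j \<in> nat"
 apply (rule Un_least_lt [THEN ltD])
 apply (simp_all add: lt_def)
 done
 
-lemma Int_nat_type [TC]: "[| i: nat; j: nat |] ==> i \<inter> j: nat"
+lemma Int_nat_type [TC]: "[| i \<in> nat; j \<in> nat |] ==> i \<inter> j \<in> nat"
 apply (rule Int_greatest_lt [THEN ltD])
 apply (simp_all add: lt_def)
 done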
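Review bot: Several statements in this file end up with both membership spellings on one line, for example `lemma succ_natD: "succ(i): nat ==> i \<in> nat"` in the @@ -122 hunk and `b(m): C(succ(m))` in `nat_case_type` in the @@ -243 hunk. The two spellings appear to be alternative input syntax for the same relation, so this looks cosmetic rather than a change in meaning, but a half-converted line is harder to read than either form alone. Finishing those lines, e.g. `"succ(i) \<in> nat ==> i \<in> nat"`, would match the commit's stated intent. The same leftover pattern is visible in OrdQuant.thy (`b: (\<Union>z<i. B(z))` in `OUN_I`) and in Order.thy (`<x,y>:r`, `converse(f): ord_iso(B,s,A,r)`).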
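--- a/src/ZF/OrdQuant.thy	Thu Mar 15 15:54:22 2012 +0000
+++ b/src/ZF/OrdQuant.thy	Thu Mar 15 16:35:02 2012 +0000
@@ -98,12 +98,12 @@
 by (blast intro: OUN_least_le OUN_upper_le le_Ord2 Ord_OUN)
 
 lemma OUN_UN_eq:
-     "(!!x. x:A ==> Ord(B(x)))
+     "(!!x. x \<in> A ==> Ord(B(x)))
       ==> (\<Union>z < (\<Union>x\<in>A. B(x)). C(z)) = (\<Union>x\<in>A. \<Union>z < B(x). C(z))"
 by (simp add: OUnion_def)
 
 lemma OUN_Union_eq:
-     "(!!x. x:X ==> Ord(x))
+     "(!!x. x \<in> X ==> Ord(x))
       ==> (\<Union>z < \<Union>(X). C(z)) = (\<Union>x\<in>X. \<Union>z < x. C(z))"
 by (simp add: OUnion_def)
 
@@ -168,11 +168,11 @@
 
 subsubsection {*Rules for Ordinal-Indexed Unions*}
 
-lemma OUN_I [intro]: "[| a<i;  b: B(a) |] ==> b: (\<Union>z<i. B(z))"
+lemma OUN_I [intro]: "[| a<i;  b \<in> B(a) |] ==> b: (\<Union>z<i. B(z))"
 by (unfold OUnion_def lt_def, blast)
 
 lemma OUN_E [elim!]:
-    "[| b \<in> (\<Union>z<i. B(z));  !!a.[| b: B(a);  a<i |] ==> R |] ==> R"
+    "[| b \<in> (\<Union>z<i. B(z));  !!a.[| b \<in> B(a);  a<i |] ==> R |] ==> R"
 apply (unfold OUnion_def lt_def, blast)
 done
 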
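--- a/src/ZF/Order.thy	Thu Mar 15 15:54:22 2012 +0000
+++ b/src/ZF/Order.thy	Thu Mar 15 16:35:02 2012 +0000
@@ -46,16 +46,16 @@
 definition
   mono_map :: "[i,i,i,i]=>i"            (*Order-preserving maps*)  where
    "mono_map(A,r,B,s) ==
-              {f: A->B. \<forall>x\<in>A. \<forall>y\<in>A. <x,y>:r \<longrightarrow> <f`x,f`y>:s}"
+              {f \<in> A->B. \<forall>x\<in>A. \<forall>y\<in>A. <x,y>:r \<longrightarrow> <f`x,f`y>:s}"
 
 definition
   ord_iso  :: "[i,i,i,i]=>i"            (*Order isomorphisms*)  where
    "ord_iso(A,r,B,s) ==
-              {f: bij(A,B). \<forall>x\<in>A. \<forall>y\<in>A. <x,y>:r \<longleftrightarrow> <f`x,f`y>:s}"
+              {f \<in> bij(A,B). \<forall>x\<in>A. \<forall>y\<in>A. <x,y>:r \<longleftrightarrow> <f`x,f`y>:s}"
 
 definition
   pred     :: "[i,i,i]=>i"              (*Set of predecessors*)  where
-   "pred(A,x,r) == {y:A. <y,x>:r}"
+   "pred(A,x,r) == {y \<in> A. <y,x>:r}"
 
 definition
   ord_iso_map :: "[i,i,i,i]=>i"         (*Construction for linearity theorem*)  where
@@ -64,7 +64,7 @@
 
 definition
   first :: "[i, i, i] => o"  where
-    "first(u, X, R) == u:X & (\<forall>v\<in>X. v\<noteq>u \<longrightarrow> <u,v> \<in> R)"
+    "first(u, X, R) == u \<in> X & (\<forall>v\<in>X. v\<noteq>u \<longrightarrow> <u,v> \<in> R)"
 
 
 notation (xsymbols)
@@ -78,7 +78,7 @@
 by (unfold part_ord_def irrefl_def trans_on_def asym_def, blast)
 
 lemma linearE:
-    "[| linear(A,r);  x:A;  y:A;
+    "[| linear(A,r);  x \<in> A;  y \<in> A;
         <x,y>:r ==> P;  x=y ==> P;  <y,x>:r ==> P |]
      ==> P"
 by (simp add: linear_def, blast)
@@ -107,12 +107,12 @@
 
 (** Derived rules for pred(A,x,r) **)
 
-lemma pred_iff: "y \<in> pred(A,x,r) \<longleftrightarrow> <y,x>:r & y:A"
+lemma pred_iff: "y \<in> pred(A,x,r) \<longleftrightarrow> <y,x>:r & y \<in> A"
 by (unfold pred_def, blast)
 
 lemmas predI = conjI [THEN pred_iff [THEN iffD2]]
 
-lemma predE: "[| y: pred(A,x,r);  [| y:A; <y,x>:r |] ==> P |] ==> P"
+lemma predE: "[| y \<in> pred(A,x,r);  [| y \<in> A; <y,x>:r |] ==> P |] ==> P"
 by (simp add: pred_def)
 
 lemma pred_subset_under: "pred(A,x,r) \<subseteq> r -`` {x}"
@@ -126,7 +126,7 @@
 by (simp add: pred_def, blast)
 
 lemma trans_pred_pred_eq:
-    "[| trans[A](r);  <y,x>:r;  x:A;  y:A |]
+    "[| trans[A](r);  <y,x>:r;  x \<in> A;  y \<in> A |]
      ==> pred(pred(A,x,r), y, r) = pred(A,y,r)"
 by (unfold trans_on_def pred_def, blast)
 
@@ -244,39 +244,39 @@
 
 (** Order-preserving (monotone) maps **)
 
-lemma mono_map_is_fun: "f: mono_map(A,r,B,s) ==> f: A->B"
+lemma mono_map_is_fun: "f \<in> mono_map(A,r,B,s) ==> f \<in> A->B"
 by (simp add: mono_map_def)
 
 lemma mono_map_is_inj:
-    "[| linear(A,r);  wf[B](s);  f: mono_map(A,r,B,s) |] ==> f: inj(A,B)"
+    "[| linear(A,r);  wf[B](s);  f \<in> mono_map(A,r,B,s) |] ==> f \<in> inj(A,B)"
 apply (unfold mono_map_def inj_def, clarify)
 apply (erule_tac x=w and y=x in linearE, assumption+)
 apply (force intro: apply_type dest: wf_on_not_refl)+
 done
 
 lemma ord_isoI:
-    "[| f: bij(A, B);
-        !!x y. [| x:A; y:A |] ==> <x, y> \<in> r \<longleftrightarrow> <f`x, f`y> \<in> s |]
-     ==> f: ord_iso(A,r,B,s)"
+    "[| f \<in> bij(A, B);
+        !!x y. [| x \<in> A; y \<in> A |] ==> <x, y> \<in> r \<longleftrightarrow> <f`x, f`y> \<in> s |]
+     ==> f \<in> ord_iso(A,r,B,s)"
 by (simp add: ord_iso_def)
 
 lemma ord_iso_is_mono_map:
-    "f: ord_iso(A,r,B,s) ==> f: mono_map(A,r,B,s)"
+    "f \<in> ord_iso(A,r,B,s) ==> f \<in> mono_map(A,r,B,s)"
 apply (simp add: ord_iso_def mono_map_def)
 apply (blast dest!: bij_is_fun)
 done
 
 lemma ord_iso_is_bij:
-    "f: ord_iso(A,r,B,s) ==> f: bij(A,B)"
+    "f \<in> ord_iso(A,r,B,s) ==> f \<in> bij(A,B)"
 by (simp add: ord_iso_def)
 
 (*Needed?  But ord_iso_converse is!*)
 lemma ord_iso_apply:
-    "[| f: ord_iso(A,r,B,s);  <x,y>: r;  x:A;  y:A |] ==> <f`x, f`y> \<in> s"
+    "[| f \<in> ord_iso(A,r,B,s);  <x,y>: r;  x \<in> A;  y \<in> A |] ==> <f`x, f`y> \<in> s"
 by (simp add: ord_iso_def)
 
 lemma ord_iso_converse:
-    "[| f: ord_iso(A,r,B,s);  <x,y>: s;  x:B;  y:B |]
+    "[| f \<in> ord_iso(A,r,B,s);  <x,y>: s;  x \<in> B;  y \<in> B |]
      ==> <converse(f) ` x, converse(f) ` y> \<in> r"
 apply (simp add: ord_iso_def, clarify)
 apply (erule bspec [THEN bspec, THEN iffD2])
@@ -292,7 +292,7 @@
 by (rule id_bij [THEN ord_isoI], simp)
 
 (*Symmetry of similarity*)
-lemma ord_iso_sym: "f: ord_iso(A,r,B,s) ==> converse(f): ord_iso(B,s,A,r)"
+lemma ord_iso_sym: "f \<in> ord_iso(A,r,B,s) ==> converse(f): ord_iso(B,s,A,r)"
 apply (simp add: ord_iso_def)
 apply (auto simp add: right_inverse_bij bij_converse_bij
                       bij_is_fun [THEN apply_funtype])
@@ -300,7 +300,7 @@
 
 (*Transitivity of similarity*)
 lemma mono_map_trans:
-    "[| g: mono_map(A,r,B,s);  f: mono_map(B,s,C,t) |]
+    "[| g \<in> mono_map(A,r,B,s);  f \<in> mono_map(B,s,C,t) |]
      ==> (f O g): mono_map(A,r,C,t)"
 apply (unfold mono_map_def)
 apply (auto simp add: comp_fun)
@@ -308,7 +308,7 @@
 
 (*Transitivity of similarity: the order-isomorphism relation*)
 lemma ord_iso_trans:
-    "[| g: ord_iso(A,r,B,s);  f: ord_iso(B,s,C,t) |]
+    "[| g \<in> ord_iso(A,r,B,s);  f \<in> ord_iso(B,s,C,t) |]
      ==> (f O g): ord_iso(A,r,C,t)"
 apply (unfold ord_iso_def, clarify)
 apply (frule bij_is_fun [of f])
@@ -319,8 +319,8 @@
 (** Two monotone maps can make an order-isomorphism **)
 
 lemma mono_ord_isoI:
-    "[| f: mono_map(A,r,B,s);  g: mono_map(B,s,A,r);
-        f O g = id(B);  g O f = id(A) |] ==> f: ord_iso(A,r,B,s)"
+    "[| f \<in> mono_map(A,r,B,s);  g \<in> mono_map(B,s,A,r);
+        f O g = id(B);  g O f = id(A) |] ==> f \<in> ord_iso(A,r,B,s)"
 apply (simp add: ord_iso_def mono_map_def, safe)
 apply (intro fg_imp_bijective, auto)
 apply (subgoal_tac "<g` (f`x), g` (f`y) > \<in> r")
@@ -330,8 +330,8 @@
 
 lemma well_ord_mono_ord_isoI:
      "[| well_ord(A,r);  well_ord(B,s);
-         f: mono_map(A,r,B,s);  converse(f): mono_map(B,s,A,r) |]
-      ==> f: ord_iso(A,r,B,s)"
+         f \<in> mono_map(A,r,B,s);  converse(f): mono_map(B,s,A,r) |]
+      ==> f \<in> ord_iso(A,r,B,s)"
 apply (intro mono_ord_isoI, auto)
 apply (frule mono_map_is_fun [THEN fun_is_rel])
 apply (erule converse_converse [THEN subst], rule left_comp_inverse)
@@ -343,13 +343,13 @@
 (** Order-isomorphisms preserve the ordering's properties **)
 
 lemma part_ord_ord_iso:
-    "[| part_ord(B,s);  f: ord_iso(A,r,B,s) |] ==> part_ord(A,r)"
+    "[| part_ord(B,s);  f \<in> ord_iso(A,r,B,s) |] ==> part_ord(A,r)"
 apply (simp add: part_ord_def irrefl_def trans_on_def ord_iso_def)
 apply (fast intro: bij_is_fun [THEN apply_type])
 done
 
 lemma linear_ord_iso:
-    "[| linear(B,s);  f: ord_iso(A,r,B,s) |] ==> linear(A,r)"
+    "[| linear(B,s);  f \<in> ord_iso(A,r,B,s) |] ==> linear(A,r)"
 apply (simp add: linear_def ord_iso_def, safe)
 apply (drule_tac x1 = "f`x" and x = "f`y" in bspec [THEN bspec])
 apply (safe elim!: bij_is_fun [THEN apply_type])
@@ -358,15 +358,15 @@
 done
 
 lemma wf_on_ord_iso:
-    "[| wf[B](s);  f: ord_iso(A,r,B,s) |] ==> wf[A](r)"
+    "[| wf[B](s);  f \<in> ord_iso(A,r,B,s) |] ==> wf[A](r)"
 apply (simp add: wf_on_def wf_def ord_iso_def, safe)
-apply (drule_tac x = "{f`z. z:Z \<inter> A}" in spec)
+apply (drule_tac x = "{f`z. z \<in> Z \<inter> A}" in spec)
 apply (safe intro!: equalityI)
 apply (blast dest!: equalityD1 intro: bij_is_fun [THEN apply_type])+
 done
 
 lemma well_ord_ord_iso:
-    "[| well_ord(B,s);  f: ord_iso(A,r,B,s) |] ==> well_ord(A,r)"
+    "[| well_ord(B,s);  f \<in> ord_iso(A,r,B,s) |] ==> well_ord(A,r)"
 apply (unfold well_ord_def tot_ord_def)
 apply (fast elim!: part_ord_ord_iso linear_ord_iso wf_on_ord_iso)
 done
@@ -377,7 +377,7 @@
 (*Inductive argument for Kunen's Lemma 6.1, etc.
   Simple proof from Halmos, page 72*)
 lemma well_ord_iso_subset_lemma:
-     "[| well_ord(A,r);  f: ord_iso(A,r, A',r);  A'<= A;  y: A |]
+     "[| well_ord(A,r);  f \<in> ord_iso(A,r, A',r);  A'<= A;  y \<in> A |]
       ==> ~ <f`y, y>: r"
 apply (simp add: well_ord_def ord_iso_def)
 apply (elim conjE CollectE)
@@ -385,10 +385,10 @@
 apply (blast dest: bij_is_fun [THEN apply_type])
 done
 
-(*Kunen's Lemma 6.1: there's no order-isomorphism to an initial segment
+(*Kunen's Lemma 6.1 \<in> there's no order-isomorphism to an initial segment
                      of a well-ordering*)
 lemma well_ord_iso_predE:
-     "[| well_ord(A,r);  f \<in> ord_iso(A, r, pred(A,x,r), r);  x:A |] ==> P"
+     "[| well_ord(A,r);  f \<in> ord_iso(A, r, pred(A,x,r), r);  x \<in> A |] ==> P"
 apply (insert well_ord_iso_subset_lemma [of A r f "pred(A,x,r)" x])
 apply (simp add: pred_subset)
 (*Now we know  f`x < x *)
@@ -400,7 +400,7 @@
 (*Simple consequence of Lemma 6.1*)
 lemma well_ord_iso_pred_eq:
      "[| well_ord(A,r);  f \<in> ord_iso(pred(A,a,r), r, pred(A,c,r), r);
-         a:A;  c:A |] ==> a=c"
+         a \<in> A;  c \<in> A |] ==> a=c"
 apply (frule well_ord_is_trans_on)
 apply (frule well_ord_is_linear)
 apply (erule_tac x=a and y=c in linearE, assumption+)
@@ -413,7 +413,7 @@
 
 (*Does not assume r is a wellordering!*)
 lemma ord_iso_image_pred:
-     "[|f \<in> ord_iso(A,r,B,s);  a:A|] ==> f `` pred(A,a,r) = pred(B, f`a, s)"
+     "[|f \<in> ord_iso(A,r,B,s);  a \<in> A|] ==> f `` pred(A,a,r) = pred(B, f`a, s)"
 apply (unfold ord_iso_def pred_def)
 apply (erule CollectE)
 apply (simp (no_asm_simp) add: image_fun [OF bij_is_fun Collect_subset])
@@ -434,7 +434,7 @@
 (*But in use, A and B may themselves be initial segments.  Then use
   trans_pred_pred_eq to simplify the pred(pred...) terms.  See just below.*)
 lemma ord_iso_restrict_pred:
-   "[| f \<in> ord_iso(A,r,B,s);   a:A |]
+   "[| f \<in> ord_iso(A,r,B,s);   a \<in> A |]
     ==> restrict(f, pred(A,a,r)) \<in> ord_iso(pred(A,a,r), r, pred(B, f`a, s), s)"
 apply (simp add: ord_iso_image_pred [symmetric])
 apply (blast intro: ord_iso_restrict_image elim: predE)
@@ -445,7 +445,7 @@
      "[| well_ord(A,r);  well_ord(B,s);  <a,c>: r;
          f \<in> ord_iso(pred(A,a,r), r, pred(B,b,s), s);
          g \<in> ord_iso(pred(A,c,r), r, pred(B,d,s), s);
-         a:A;  c:A;  b:B;  d:B |] ==> <b,d>: s"
+         a \<in> A;  c \<in> A;  b \<in> B;  d \<in> B |] ==> <b,d>: s"
 apply (frule ord_iso_is_bij [THEN bij_is_fun, THEN apply_type], (erule asm_rl predI predE)+)
 apply (subgoal_tac "b = g`a")
 apply (simp (no_asm_simp))
@@ -458,7 +458,7 @@
 (*See Halmos, page 72*)
 lemma well_ord_iso_unique_lemma:
      "[| well_ord(A,r);
-         f: ord_iso(A,r, B,s);  g: ord_iso(A,r, B,s);  y: A |]
+         f \<in> ord_iso(A,r, B,s);  g \<in> ord_iso(A,r, B,s);  y \<in> A |]
       ==> ~ <g`y, f`y> \<in> s"
 apply (frule well_ord_iso_subset_lemma)
 apply (rule_tac f = "converse (f) " and g = g in ord_iso_trans)
@@ -476,7 +476,7 @@
 
 (*Kunen's Lemma 6.2: Order-isomorphisms between well-orderings are unique*)
 lemma well_ord_iso_unique: "[| well_ord(A,r);
-         f: ord_iso(A,r, B,s);  g: ord_iso(A,r, B,s) |] ==> f = g"
+         f \<in> ord_iso(A,r, B,s);  g \<in> ord_iso(A,r, B,s) |] ==> f = g"
 apply (rule fun_extension)
 apply (erule ord_iso_is_bij [THEN bij_is_fun])+
 apply (subgoal_tac "f`x \<in> B & g`x \<in> B & linear(B,s)")
@@ -522,7 +522,7 @@
 apply (unfold mono_map_def)
 apply (simp (no_asm_simp) add: ord_iso_map_fun)
 apply safe
-apply (subgoal_tac "x:A & ya:A & y:B & yb:B")
+apply (subgoal_tac "x \<in> A & ya:A & y \<in> B & yb:B")
  apply (simp add: apply_equality [OF _  ord_iso_map_fun])
  apply (unfold ord_iso_map_def)
  apply (blast intro: well_ord_iso_preserving, blast)
@@ -545,7 +545,7 @@
 (*One way of saying that domain(ord_iso_map(A,r,B,s)) is downwards-closed*)
 lemma domain_ord_iso_map_subset:
      "[| well_ord(A,r);  well_ord(B,s);
-         a: A;  a \<notin> domain(ord_iso_map(A,r,B,s)) |]
+         a \<in> A;  a \<notin> domain(ord_iso_map(A,r,B,s)) |]
       ==>  domain(ord_iso_map(A,r,B,s)) \<subseteq> pred(A, a, r)"
 apply (unfold ord_iso_map_def)
 apply (safe intro!: predI)
@@ -642,7 +642,7 @@
 (** By Krzysztof Grabczewski.
     Lemmas involving the first element of a well ordered set **)
 
-lemma first_is_elem: "first(b,B,r) ==> b:B"
+lemma first_is_elem: "first(b,B,r) ==> b \<in> B"
 by (unfold first_def, blast)
 
 lemma well_ord_imp_ex1_first: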
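Review bot: The comment above `well_ord_iso_predE` in the @@ -385 hunk was caught by the mechanical substitution and now reads `(*Kunen's Lemma 6.1 \<in> there's no order-isomorphism to an initial segment`, where the colon was punctuation rather than set membership. It should be restored to `(*Kunen's Lemma 6.1: there's no order-isomorphism to an initial segment`. Because the replacement evidently also ran over text inside `(* … *)` comments, the other comments touched by this changeset deserve a second look for the same slip. In the @@ -522 hunk the `subgoal_tac` line is left half-converted as `"x \<in> A & ya:A & y \<in> B & yb:B"`; converting `ya:A` and `yb:B` as well would keep the line uniform.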
    18.1 --- a/src/ZF/OrderArith.thy	Thu Mar 15 15:54:22 2012 +0000
    18.2 +++ b/src/ZF/OrderArith.thy	Thu Mar 15 16:35:02 2012 +0000
    18.3 @@ -10,24 +10,24 @@
    18.4  definition
    18.5    (*disjoint sum of two relations; underlies ordinal addition*)
    18.6    radd    :: "[i,i,i,i]=>i"  where
    18.7 -    "radd(A,r,B,s) == 
    18.8 -                {z: (A+B) * (A+B).  
    18.9 -                    (\<exists>x y. z = <Inl(x), Inr(y)>)   |   
   18.10 -                    (\<exists>x' x. z = <Inl(x'), Inl(x)> & <x',x>:r)   |      
   18.11 +    "radd(A,r,B,s) ==
   18.12 +                {z: (A+B) * (A+B).
   18.13 +                    (\<exists>x y. z = <Inl(x), Inr(y)>)   |
   18.14 +                    (\<exists>x' x. z = <Inl(x'), Inl(x)> & <x',x>:r)   |
   18.15                      (\<exists>y' y. z = <Inr(y'), Inr(y)> & <y',y>:s)}"
   18.16  
   18.17  definition
   18.18    (*lexicographic product of two relations; underlies ordinal multiplication*)
   18.19    rmult   :: "[i,i,i,i]=>i"  where
   18.20 -    "rmult(A,r,B,s) == 
   18.21 -                {z: (A*B) * (A*B).  
   18.22 -                    \<exists>x' y' x y. z = <<x',y'>, <x,y>> &         
   18.23 +    "rmult(A,r,B,s) ==
   18.24 +                {z: (A*B) * (A*B).
   18.25 +                    \<exists>x' y' x y. z = <<x',y'>, <x,y>> &
   18.26                         (<x',x>: r | (x'=x & <y',y>: s))}"
   18.27  
   18.28  definition
   18.29    (*inverse image of a relation*)
   18.30    rvimage :: "[i,i,i]=>i"  where
   18.31 -    "rvimage(A,f,r) == {z: A*A. \<exists>x y. z = <x,y> & <f`x,f`y>: r}"
   18.32 +    "rvimage(A,f,r) == {z \<in> A*A. \<exists>x y. z = <x,y> & <f`x,f`y>: r}"
   18.33  
   18.34  definition
   18.35    measure :: "[i, i\<Rightarrow>i] \<Rightarrow> i"  where
   18.36 @@ -38,33 +38,33 @@
   18.37  
   18.38  subsubsection{*Rewrite rules.  Can be used to obtain introduction rules*}
   18.39  
   18.40 -lemma radd_Inl_Inr_iff [iff]: 
   18.41 -    "<Inl(a), Inr(b)> \<in> radd(A,r,B,s)  \<longleftrightarrow>  a:A & b:B"
   18.42 +lemma radd_Inl_Inr_iff [iff]:
   18.43 +    "<Inl(a), Inr(b)> \<in> radd(A,r,B,s)  \<longleftrightarrow>  a \<in> A & b \<in> B"
   18.44  by (unfold radd_def, blast)
   18.45  
   18.46 -lemma radd_Inl_iff [iff]: 
   18.47 -    "<Inl(a'), Inl(a)> \<in> radd(A,r,B,s)  \<longleftrightarrow>  a':A & a:A & <a',a>:r"
   18.48 +lemma radd_Inl_iff [iff]:
   18.49 +    "<Inl(a'), Inl(a)> \<in> radd(A,r,B,s)  \<longleftrightarrow>  a':A & a \<in> A & <a',a>:r"
   18.50  by (unfold radd_def, blast)
   18.51  
   18.52 -lemma radd_Inr_iff [iff]: 
   18.53 -    "<Inr(b'), Inr(b)> \<in> radd(A,r,B,s) \<longleftrightarrow>  b':B & b:B & <b',b>:s"
   18.54 +lemma radd_Inr_iff [iff]:
   18.55 +    "<Inr(b'), Inr(b)> \<in> radd(A,r,B,s) \<longleftrightarrow>  b':B & b \<in> B & <b',b>:s"
   18.56  by (unfold radd_def, blast)
   18.57  
   18.58 -lemma radd_Inr_Inl_iff [simp]: 
   18.59 +lemma radd_Inr_Inl_iff [simp]:
   18.60      "<Inr(b), Inl(a)> \<in> radd(A,r,B,s) \<longleftrightarrow> False"
   18.61  by (unfold radd_def, blast)
   18.62  
   18.63 -declare radd_Inr_Inl_iff [THEN iffD1, dest!] 
   18.64 +declare radd_Inr_Inl_iff [THEN iffD1, dest!]
   18.65  
   18.66  subsubsection{*Elimination Rule*}
   18.67  
   18.68  lemma raddE:
   18.69 -    "[| <p',p> \<in> radd(A,r,B,s);                  
   18.70 -        !!x y. [| p'=Inl(x); x:A; p=Inr(y); y:B |] ==> Q;        
   18.71 -        !!x' x. [| p'=Inl(x'); p=Inl(x); <x',x>: r; x':A; x:A |] ==> Q;  
   18.72 -        !!y' y. [| p'=Inr(y'); p=Inr(y); <y',y>: s; y':B; y:B |] ==> Q   
   18.73 +    "[| <p',p> \<in> radd(A,r,B,s);
   18.74 +        !!x y. [| p'=Inl(x); x \<in> A; p=Inr(y); y \<in> B |] ==> Q;
   18.75 +        !!x' x. [| p'=Inl(x'); p=Inl(x); <x',x>: r; x':A; x \<in> A |] ==> Q;
   18.76 +        !!y' y. [| p'=Inr(y'); p=Inr(y); <y',y>: s; y':B; y \<in> B |] ==> Q
   18.77       |] ==> Q"
   18.78 -by (unfold radd_def, blast) 
   18.79 +by (unfold radd_def, blast)
   18.80  
   18.81  subsubsection{*Type checking*}
   18.82  
   18.83 @@ -77,9 +77,9 @@
   18.84  
   18.85  subsubsection{*Linearity*}
   18.86  
   18.87 -lemma linear_radd: 
   18.88 +lemma linear_radd:
   18.89      "[| linear(A,r);  linear(B,s) |] ==> linear(A+B,radd(A,r,B,s))"
   18.90 -by (unfold linear_def, blast) 
   18.91 +by (unfold linear_def, blast)
   18.92  
   18.93  
   18.94  subsubsection{*Well-foundedness*}
   18.95 @@ -92,17 +92,17 @@
   18.96   apply (erule_tac V = "y \<in> A + B" in thin_rl)
   18.97   apply (rule_tac ballI)
   18.98   apply (erule_tac r = r and a = x in wf_on_induct, assumption)
   18.99 - apply blast 
  18.100 + apply blast
  18.101  txt{*Returning to main part of proof*}
  18.102  apply safe
  18.103  apply blast
  18.104 -apply (erule_tac r = s and a = ya in wf_on_induct, assumption, blast) 
  18.105 +apply (erule_tac r = s and a = ya in wf_on_induct, assumption, blast)
  18.106  done
  18.107  
  18.108  lemma wf_radd: "[| wf(r);  wf(s) |] ==> wf(radd(field(r),r,field(s),s))"
  18.109  apply (simp add: wf_iff_wf_on_field)
  18.110  apply (rule wf_on_subset_A [OF _ field_radd])
  18.111 -apply (blast intro: wf_on_radd) 
  18.112 +apply (blast intro: wf_on_radd)
  18.113  done
  18.114  
  18.115  lemma well_ord_radd:
  18.116 @@ -115,17 +115,17 @@
  18.117  subsubsection{*An @{term ord_iso} congruence law*}
  18.118  
  18.119  lemma sum_bij:
  18.120 -     "[| f: bij(A,C);  g: bij(B,D) |]
  18.121 +     "[| f \<in> bij(A,C);  g \<in> bij(B,D) |]
  18.122        ==> (\<lambda>z\<in>A+B. case(%x. Inl(f`x), %y. Inr(g`y), z)) \<in> bij(A+B, C+D)"
  18.123 -apply (rule_tac d = "case (%x. Inl (converse(f)`x), %y. Inr(converse(g)`y))" 
  18.124 +apply (rule_tac d = "case (%x. Inl (converse(f)`x), %y. Inr(converse(g)`y))"
  18.125         in lam_bijective)
  18.126 -apply (typecheck add: bij_is_inj inj_is_fun) 
  18.127 -apply (auto simp add: left_inverse_bij right_inverse_bij) 
  18.128 +apply (typecheck add: bij_is_inj inj_is_fun)
  18.129 +apply (auto simp add: left_inverse_bij right_inverse_bij)
  18.130  done
  18.131  
  18.132 -lemma sum_ord_iso_cong: 
  18.133 -    "[| f: ord_iso(A,r,A',r');  g: ord_iso(B,s,B',s') |] ==>      
  18.134 -            (\<lambda>z\<in>A+B. case(%x. Inl(f`x), %y. Inr(g`y), z))             
  18.135 +lemma sum_ord_iso_cong:
  18.136 +    "[| f \<in> ord_iso(A,r,A',r');  g \<in> ord_iso(B,s,B',s') |] ==>
  18.137 +            (\<lambda>z\<in>A+B. case(%x. Inl(f`x), %y. Inr(g`y), z))
  18.138              \<in> ord_iso(A+B, radd(A,r,B,s), A'+B', radd(A',r',B',s'))"
  18.139  apply (unfold ord_iso_def)
  18.140  apply (safe intro!: sum_bij)
  18.141 @@ -133,27 +133,27 @@
  18.142  apply (auto cong add: conj_cong simp add: bij_is_fun [THEN apply_type])
  18.143  done
  18.144  
  18.145 -(*Could we prove an ord_iso result?  Perhaps 
  18.146 +(*Could we prove an ord_iso result?  Perhaps
  18.147       ord_iso(A+B, radd(A,r,B,s), A \<union> B, r \<union> s) *)
  18.148 -lemma sum_disjoint_bij: "A \<inter> B = 0 ==>      
  18.149 +lemma sum_disjoint_bij: "A \<inter> B = 0 ==>
  18.150              (\<lambda>z\<in>A+B. case(%x. x, %y. y, z)) \<in> bij(A+B, A \<union> B)"
  18.151 -apply (rule_tac d = "%z. if z:A then Inl (z) else Inr (z) " in lam_bijective)
  18.152 +apply (rule_tac d = "%z. if z \<in> A then Inl (z) else Inr (z) " in lam_bijective)
  18.153  apply auto
  18.154  done
  18.155  
  18.156  subsubsection{*Associativity*}
  18.157  
  18.158  lemma sum_assoc_bij:
  18.159 -     "(\<lambda>z\<in>(A+B)+C. case(case(Inl, %y. Inr(Inl(y))), %y. Inr(Inr(y)), z))  
  18.160 +     "(\<lambda>z\<in>(A+B)+C. case(case(Inl, %y. Inr(Inl(y))), %y. Inr(Inr(y)), z))
  18.161        \<in> bij((A+B)+C, A+(B+C))"
  18.162 -apply (rule_tac d = "case (%x. Inl (Inl (x)), case (%x. Inl (Inr (x)), Inr))" 
  18.163 +apply (rule_tac d = "case (%x. Inl (Inl (x)), case (%x. Inl (Inr (x)), Inr))"
  18.164         in lam_bijective)
  18.165  apply auto
  18.166  done
  18.167  
  18.168  lemma sum_assoc_ord_iso:
  18.169 -     "(\<lambda>z\<in>(A+B)+C. case(case(Inl, %y. Inr(Inl(y))), %y. Inr(Inr(y)), z))  
  18.170 -      \<in> ord_iso((A+B)+C, radd(A+B, radd(A,r,B,s), C, t),     
  18.171 +     "(\<lambda>z\<in>(A+B)+C. case(case(Inl, %y. Inr(Inl(y))), %y. Inr(Inr(y)), z))
  18.172 +      \<in> ord_iso((A+B)+C, radd(A+B, radd(A,r,B,s), C, t),
  18.173                  A+(B+C), radd(A, r, B+C, radd(B,s,C,t)))"
  18.174  by (rule sum_assoc_bij [THEN ord_isoI], auto)
  18.175  
  18.176 @@ -162,19 +162,19 @@
  18.177  
  18.178  subsubsection{*Rewrite rule.  Can be used to obtain introduction rules*}
  18.179  
  18.180 -lemma  rmult_iff [iff]: 
  18.181 -    "<<a',b'>, <a,b>> \<in> rmult(A,r,B,s) \<longleftrightarrow>        
  18.182 -            (<a',a>: r  & a':A & a:A & b': B & b: B) |   
  18.183 -            (<b',b>: s  & a'=a & a:A & b': B & b: B)"
  18.184 +lemma  rmult_iff [iff]:
  18.185 +    "<<a',b'>, <a,b>> \<in> rmult(A,r,B,s) \<longleftrightarrow>
  18.186 +            (<a',a>: r  & a':A & a \<in> A & b': B & b \<in> B) |
  18.187 +            (<b',b>: s  & a'=a & a \<in> A & b': B & b \<in> B)"
  18.188  
  18.189  by (unfold rmult_def, blast)
  18.190  
  18.191 -lemma rmultE: 
  18.192 -    "[| <<a',b'>, <a,b>> \<in> rmult(A,r,B,s);               
  18.193 -        [| <a',a>: r;  a':A;  a:A;  b':B;  b:B |] ==> Q;         
  18.194 -        [| <b',b>: s;  a:A;  a'=a;  b':B;  b:B |] ==> Q  
  18.195 +lemma rmultE:
  18.196 +    "[| <<a',b'>, <a,b>> \<in> rmult(A,r,B,s);
  18.197 +        [| <a',a>: r;  a':A;  a \<in> A;  b':B;  b \<in> B |] ==> Q;
  18.198 +        [| <b',b>: s;  a \<in> A;  a'=a;  b':B;  b \<in> B |] ==> Q
  18.199       |] ==> Q"
  18.200 -by blast 
  18.201 +by blast
  18.202  
  18.203  subsubsection{*Type checking*}
  18.204  
  18.205 @@ -187,7 +187,7 @@
  18.206  
  18.207  lemma linear_rmult:
  18.208      "[| linear(A,r);  linear(B,s) |] ==> linear(A*B,rmult(A,r,B,s))"
  18.209 -by (simp add: linear_def, blast) 
  18.210 +by (simp add: linear_def, blast)
  18.211  
  18.212  subsubsection{*Well-foundedness*}
  18.213  
  18.214 @@ -206,7 +206,7 @@
  18.215  lemma wf_rmult: "[| wf(r);  wf(s) |] ==> wf(rmult(field(r),r,field(s),s))"
  18.216  apply (simp add: wf_iff_wf_on_field)
  18.217  apply (rule wf_on_subset_A [OF _ field_rmult])
  18.218 -apply (blast intro: wf_on_rmult) 
  18.219 +apply (blast intro: wf_on_rmult)
  18.220  done
  18.221  
  18.222  lemma well_ord_rmult:
  18.223 @@ -220,17 +220,17 @@
  18.224  subsubsection{*An @{term ord_iso} congruence law*}
  18.225  
  18.226  lemma prod_bij:
  18.227 -     "[| f: bij(A,C);  g: bij(B,D) |] 
  18.228 +     "[| f \<in> bij(A,C);  g \<in> bij(B,D) |]
  18.229        ==> (lam <x,y>:A*B. <f`x, g`y>) \<in> bij(A*B, C*D)"
  18.230 -apply (rule_tac d = "%<x,y>. <converse (f) `x, converse (g) `y>" 
  18.231 +apply (rule_tac d = "%<x,y>. <converse (f) `x, converse (g) `y>"
  18.232         in lam_bijective)
  18.233 -apply (typecheck add: bij_is_inj inj_is_fun) 
  18.234 -apply (auto simp add: left_inverse_bij right_inverse_bij) 
  18.235 +apply (typecheck add: bij_is_inj inj_is_fun)
  18.236 +apply (auto simp add: left_inverse_bij right_inverse_bij)
  18.237  done
  18.238  
  18.239 -lemma prod_ord_iso_cong: 
  18.240 -    "[| f: ord_iso(A,r,A',r');  g: ord_iso(B,s,B',s') |]      
  18.241 -     ==> (lam <x,y>:A*B. <f`x, g`y>)                                  
  18.242 +lemma prod_ord_iso_cong:
  18.243 +    "[| f \<in> ord_iso(A,r,A',r');  g \<in> ord_iso(B,s,B',s') |]
  18.244 +     ==> (lam <x,y>:A*B. <f`x, g`y>)
  18.245           \<in> ord_iso(A*B, rmult(A,r,B,s), A'*B', rmult(A',r',B',s'))"
  18.246  apply (unfold ord_iso_def)
  18.247  apply (safe intro!: prod_bij)
  18.248 @@ -243,7 +243,7 @@
  18.249  
  18.250  (*Used??*)
  18.251  lemma singleton_prod_ord_iso:
  18.252 -     "well_ord({x},xr) ==>   
  18.253 +     "well_ord({x},xr) ==>
  18.254            (\<lambda>z\<in>A. <x,z>) \<in> ord_iso(A, r, {x}*A, rmult({x}, xr, A, r))"
  18.255  apply (rule singleton_prod_bij [THEN ord_isoI])
  18.256  apply (simp (no_asm_simp))
  18.257 @@ -253,8 +253,8 @@
  18.258  (*Here we build a complicated function term, then simplify it using
  18.259    case_cong, id_conv, comp_lam, case_case.*)
  18.260  lemma prod_sum_singleton_bij:
  18.261 -     "a\<notin>C ==>  
  18.262 -       (\<lambda>x\<in>C*B + D. case(%x. x, %y.<a,y>, x))  
  18.263 +     "a\<notin>C ==>
  18.264 +       (\<lambda>x\<in>C*B + D. case(%x. x, %y.<a,y>, x))
  18.265         \<in> bij(C*B + D, C*B \<union> {a}*D)"
  18.266  apply (rule subst_elem)
  18.267  apply (rule id_bij [THEN sum_bij, THEN comp_bij])
  18.268 @@ -267,10 +267,10 @@
  18.269  done
  18.270  
  18.271  lemma prod_sum_singleton_ord_iso:
  18.272 - "[| a:A;  well_ord(A,r) |] ==>  
  18.273 -    (\<lambda>x\<in>pred(A,a,r)*B + pred(B,b,s). case(%x. x, %y.<a,y>, x))  
  18.274 -    \<in> ord_iso(pred(A,a,r)*B + pred(B,b,s),               
  18.275 -                  radd(A*B, rmult(A,r,B,s), B, s),       
  18.276 + "[| a \<in> A;  well_ord(A,r) |] ==>
  18.277 +    (\<lambda>x\<in>pred(A,a,r)*B + pred(B,b,s). case(%x. x, %y.<a,y>, x))
  18.278 +    \<in> ord_iso(pred(A,a,r)*B + pred(B,b,s),
  18.279 +                  radd(A*B, rmult(A,r,B,s), B, s),
  18.280                pred(A,a,r)*B \<union> {a}*pred(B,b,s), rmult(A,r,B,s))"
  18.281  apply (rule prod_sum_singleton_bij [THEN ord_isoI])
  18.282  apply (simp (no_asm_simp) add: pred_iff well_ord_is_wf [THEN wf_on_not_refl])
  18.283 @@ -280,14 +280,14 @@
  18.284  subsubsection{*Distributive law*}
  18.285  
  18.286  lemma sum_prod_distrib_bij:
  18.287 -     "(lam <x,z>:(A+B)*C. case(%y. Inl(<y,z>), %y. Inr(<y,z>), x))  
  18.288 +     "(lam <x,z>:(A+B)*C. case(%y. Inl(<y,z>), %y. Inr(<y,z>), x))
  18.289        \<in> bij((A+B)*C, (A*C)+(B*C))"
  18.290 -by (rule_tac d = "case (%<x,y>.<Inl (x),y>, %<x,y>.<Inr (x),y>) " 
  18.291 +by (rule_tac d = "case (%<x,y>.<Inl (x),y>, %<x,y>.<Inr (x),y>) "
  18.292      in lam_bijective, auto)
  18.293  
  18.294  lemma sum_prod_distrib_ord_iso:
  18.295 - "(lam <x,z>:(A+B)*C. case(%y. Inl(<y,z>), %y. Inr(<y,z>), x))  
  18.296 -  \<in> ord_iso((A+B)*C, rmult(A+B, radd(A,r,B,s), C, t),  
  18.297 + "(lam <x,z>:(A+B)*C. case(%y. Inl(<y,z>), %y. Inr(<y,z>), x))
  18.298 +  \<in> ord_iso((A+B)*C, rmult(A+B, radd(A,r,B,s), C, t),
  18.299              (A*C)+(B*C), radd(A*C, rmult(A,r,C,t), B*C, rmult(B,s,C,t)))"
  18.300  by (rule sum_prod_distrib_bij [THEN ord_isoI], auto)
  18.301  
  18.302 @@ -298,8 +298,8 @@
  18.303  by (rule_tac d = "%<x, <y,z>>. <<x,y>, z>" in lam_bijective, auto)
  18.304  
  18.305  lemma prod_assoc_ord_iso:
  18.306 - "(lam <<x,y>, z>:(A*B)*C. <x,<y,z>>)                    
  18.307 -  \<in> ord_iso((A*B)*C, rmult(A*B, rmult(A,r,B,s), C, t),   
  18.308 + "(lam <<x,y>, z>:(A*B)*C. <x,<y,z>>)
  18.309 +  \<in> ord_iso((A*B)*C, rmult(A*B, rmult(A,r,B,s), C, t),
  18.310              A*(B*C), rmult(A, r, B*C, rmult(B,s,C,t)))"
  18.311  by (rule prod_assoc_bij [THEN ord_isoI], auto)
  18.312  
  18.313 @@ -307,7 +307,7 @@
  18.314  
  18.315  subsubsection{*Rewrite rule*}
  18.316  
  18.317 -lemma rvimage_iff: "<a,b> \<in> rvimage(A,f,r)  \<longleftrightarrow>  <f`a,f`b>: r & a:A & b:A"
  18.318 +lemma rvimage_iff: "<a,b> \<in> rvimage(A,f,r)  \<longleftrightarrow>  <f`a,f`b>: r & a \<in> A & b \<in> A"
  18.319  by (unfold rvimage_def, blast)
  18.320  
  18.321  subsubsection{*Type checking*}
  18.322 @@ -323,20 +323,20 @@
  18.323  
  18.324  subsubsection{*Partial Ordering Properties*}
  18.325  
  18.326 -lemma irrefl_rvimage: 
  18.327 -    "[| f: inj(A,B);  irrefl(B,r) |] ==> irrefl(A, rvimage(A,f,r))"
  18.328 +lemma irrefl_rvimage:
  18.329 +    "[| f \<in> inj(A,B);  irrefl(B,r) |] ==> irrefl(A, rvimage(A,f,r))"
  18.330  apply (unfold irrefl_def rvimage_def)
  18.331  apply (blast intro: inj_is_fun [THEN apply_type])
  18.332  done
  18.333  
  18.334 -lemma trans_on_rvimage: 
  18.335 -    "[| f: inj(A,B);  trans[B](r) |] ==> trans[A](rvimage(A,f,r))"
  18.336 +lemma trans_on_rvimage:
  18.337 +    "[| f \<in> inj(A,B);  trans[B](r) |] ==> trans[A](rvimage(A,f,r))"
  18.338  apply (unfold trans_on_def rvimage_def)
  18.339  apply (blast intro: inj_is_fun [THEN apply_type])
  18.340  done
  18.341  
  18.342 -lemma part_ord_rvimage: 
  18.343 -    "[| f: inj(A,B);  part_ord(B,r) |] ==> part_ord(A, rvimage(A,f,r))"
  18.344 +lemma part_ord_rvimage:
  18.345 +    "[| f \<in> inj(A,B);  part_ord(B,r) |] ==> part_ord(A, rvimage(A,f,r))"
  18.346  apply (unfold part_ord_def)
  18.347  apply (blast intro!: irrefl_rvimage trans_on_rvimage)
  18.348  done
  18.349 @@ -344,13 +344,13 @@
  18.350  subsubsection{*Linearity*}
  18.351  
  18.352  lemma linear_rvimage:
  18.353 -    "[| f: inj(A,B);  linear(B,r) |] ==> linear(A,rvimage(A,f,r))"
  18.354 -apply (simp add: inj_def linear_def rvimage_iff) 
  18.355 -apply (blast intro: apply_funtype) 
  18.356 +    "[| f \<in> inj(A,B);  linear(B,r) |] ==> linear(A,rvimage(A,f,r))"
  18.357 +apply (simp add: inj_def linear_def rvimage_iff)
  18.358 +apply (blast intro: apply_funtype)
  18.359  done
  18.360  
  18.361 -lemma tot_ord_rvimage: 
  18.362 -    "[| f: inj(A,B);  tot_ord(B,r) |] ==> tot_ord(A, rvimage(A,f,r))"
  18.363 +lemma tot_ord_rvimage:
  18.364 +    "[| f \<in> inj(A,B);  tot_ord(B,r) |] ==> tot_ord(A, rvimage(A,f,r))"
  18.365  apply (unfold tot_ord_def)
  18.366  apply (blast intro!: part_ord_rvimage linear_rvimage)
  18.367  done
  18.368 @@ -361,19 +361,19 @@
  18.369  lemma wf_rvimage [intro!]: "wf(r) ==> wf(rvimage(A,f,r))"
  18.370  apply (simp (no_asm_use) add: rvimage_def wf_eq_minimal)
  18.371  apply clarify
  18.372 -apply (subgoal_tac "\<exists>w. w \<in> {w: {f`x. x:Q}. \<exists>x. x: Q & (f`x = w) }")
  18.373 +apply (subgoal_tac "\<exists>w. w \<in> {w: {f`x. x \<in> Q}. \<exists>x. x \<in> Q & (f`x = w) }")
  18.374   apply (erule allE)
  18.375   apply (erule impE)
  18.376   apply assumption
  18.377   apply blast
  18.378 -apply blast 
  18.379 +apply blast
  18.380  done
  18.381  
  18.382  text{*But note that the combination of @{text wf_imp_wf_on} and
  18.383   @{text wf_rvimage} gives @{prop "wf(r) ==> wf[C](rvimage(A,f,r))"}*}
  18.384 -lemma wf_on_rvimage: "[| f: A->B;  wf[B](r) |] ==> wf[A](rvimage(A,f,r))"
  18.385 +lemma wf_on_rvimage: "[| f \<in> A->B;  wf[B](r) |] ==> wf[A](rvimage(A,f,r))"
  18.386  apply (rule wf_onI2)
  18.387 -apply (subgoal_tac "\<forall>z\<in>A. f`z=f`y \<longrightarrow> z: Ba")
  18.388 +apply (subgoal_tac "\<forall>z\<in>A. f`z=f`y \<longrightarrow> z \<in> Ba")
  18.389   apply blast
  18.390  apply (erule_tac a = "f`y" in wf_on_induct)
  18.391   apply (blast intro!: apply_funtype)
  18.392 @@ -382,21 +382,21 @@
  18.393  
  18.394  (*Note that we need only wf[A](...) and linear(A,...) to get the result!*)
  18.395  lemma well_ord_rvimage:
  18.396 -     "[| f: inj(A,B);  well_ord(B,r) |] ==> well_ord(A, rvimage(A,f,r))"
  18.397 +     "[| f \<in> inj(A,B);  well_ord(B,r) |] ==> well_ord(A, rvimage(A,f,r))"
  18.398  apply (rule well_ordI)
  18.399  apply (unfold well_ord_def tot_ord_def)
  18.400  apply (blast intro!: wf_on_rvimage inj_is_fun)
  18.401  apply (blast intro!: linear_rvimage)
  18.402  done
  18.403  
  18.404 -lemma ord_iso_rvimage: 
  18.405 -    "f: bij(A,B) ==> f: ord_iso(A, rvimage(A,f,s), B, s)"
  18.406 +lemma ord_iso_rvimage:
  18.407 +    "f \<in> bij(A,B) ==> f \<in> ord_iso(A, rvimage(A,f,s), B, s)"
  18.408  apply (unfold ord_iso_def)
  18.409  apply (simp add: rvimage_iff)
  18.410  done
  18.411  
  18.412 -lemma ord_iso_rvimage_eq: 
  18.413 -    "f: ord_iso(A,r, B,s) ==> rvimage(A,f,s) = r \<inter> A*A"
  18.414 +lemma ord_iso_rvimage_eq:
  18.415 +    "f \<in> ord_iso(A,r, B,s) ==> rvimage(A,f,s) = r \<inter> A*A"
  18.416  by (unfold ord_iso_def rvimage_def, blast)
  18.417  
  18.418  
  18.419 @@ -463,14 +463,14 @@
  18.420  text{*Could also be used to prove @{text wf_radd}*}
  18.421  lemma wf_Un:
  18.422       "[| range(r) \<inter> domain(s) = 0; wf(r);  wf(s) |] ==> wf(r \<union> s)"
  18.423 -apply (simp add: wf_def, clarify) 
  18.424 -apply (rule equalityI) 
  18.425 - prefer 2 apply blast 
  18.426 -apply clarify 
  18.427 +apply (simp add: wf_def, clarify)
  18.428 +apply (rule equalityI)
  18.429 + prefer 2 apply blast
  18.430 +apply clarify
  18.431  apply (drule_tac x=Z in spec)
  18.432  apply (drule_tac x="Z \<inter> domain(s)" in spec)
  18.433 -apply simp 
  18.434 -apply (blast intro: elim: equalityE) 
  18.435 +apply simp
  18.436 +apply (blast intro: elim: equalityE)
  18.437  done
  18.438  
  18.439  subsubsection{*The Empty Relation*}
  18.440 @@ -496,29 +496,29 @@
  18.441  lemma wf_measure [iff]: "wf(measure(A,f))"
  18.442  by (simp (no_asm) add: measure_eq_rvimage_Memrel wf_Memrel wf_rvimage)
  18.443  
  18.444 -lemma measure_iff [iff]: "<x,y> \<in> measure(A,f) \<longleftrightarrow> x:A & y:A & f(x)<f(y)"
  18.445 +lemma measure_iff [iff]: "<x,y> \<in> measure(A,f) \<longleftrightarrow> x \<in> A & y \<in> A & f(x)<f(y)"
  18.446  by (simp (no_asm) add: measure_def)
  18.447  
  18.448 -lemma linear_measure: 
  18.449 +lemma linear_measure:
  18.450   assumes Ordf: "!!x. x \<in> A ==> Ord(f(x))"
  18.451       and inj:  "!!x y. [|x \<in> A; y \<in> A; f(x) = f(y) |] ==> x=y"
  18.452   shows "linear(A, measure(A,f))"
  18.453 -apply (auto simp add: linear_def) 
  18.454 -apply (rule_tac i="f(x)" and j="f(y)" in Ord_linear_lt) 
  18.455 -    apply (simp_all add: Ordf) 
  18.456 -apply (blast intro: inj) 
  18.457 +apply (auto simp add: linear_def)
  18.458 +apply (rule_tac i="f(x)" and j="f(y)" in Ord_linear_lt)
  18.459 +    apply (simp_all add: Ordf)
  18.460 +apply (blast intro: inj)
  18.461  done
  18.462  
  18.463  lemma wf_on_measure: "wf[B](measure(A,f))"
  18.464  by (rule wf_imp_wf_on [OF wf_measure])
  18.465  
  18.466 -lemma well_ord_measure: 
  18.467 +lemma well_ord_measure:
  18.468   assumes Ordf: "!!x. x \<in> A ==> Ord(f(x))"
  18.469       and inj:  "!!x y. [|x \<in> A; y \<in> A; f(x) = f(y) |] ==> x=y"
  18.470   shows "well_ord(A, measure(A,f))"
  18.471  apply (rule well_ordI)
  18.472 -apply (rule wf_on_measure) 
  18.473 -apply (blast intro: linear_measure Ordf inj) 
  18.474 +apply (rule wf_on_measure)
  18.475 +apply (blast intro: linear_measure Ordf inj)
  18.476  done
  18.477  
  18.478  lemma measure_type: "measure(A,f) \<subseteq> A*A"
  18.479 @@ -529,7 +529,7 @@
  18.480  lemma wf_on_Union:
  18.481   assumes wfA: "wf[A](r)"
  18.482       and wfB: "!!a. a\<in>A ==> wf[B(a)](s)"
  18.483 -     and ok: "!!a u v. [|<u,v> \<in> s; v \<in> B(a); a \<in> A|] 
  18.484 +     and ok: "!!a u v. [|<u,v> \<in> s; v \<in> B(a); a \<in> A|]
  18.485                         ==> (\<exists>a'\<in>A. <a',a> \<in> r & u \<in> B(a')) | u \<in> B(a)"
  18.486   shows "wf[\<Union>a\<in>A. B(a)](s)"
  18.487  apply (rule wf_onI2)
  18.488 @@ -538,25 +538,25 @@
  18.489  apply (rule_tac a = a in wf_on_induct [OF wfA], assumption)
  18.490  apply (rule ballI)
  18.491  apply (rule_tac a = z in wf_on_induct [OF wfB], assumption, assumption)
  18.492 -apply (rename_tac u) 
  18.493 -apply (drule_tac x=u in bspec, blast) 
  18.494 +apply (rename_tac u)
  18.495 +apply (drule_tac x=u in bspec, blast)
  18.496  apply (erule mp, clarify)
  18.497 -apply (frule ok, assumption+, blast) 
  18.498 +apply (frule ok, assumption+, blast)
  18.499  done
  18.500  
  18.501  subsubsection{*Bijections involving Powersets*}
  18.502  
  18.503  lemma Pow_sum_bij:
  18.504 -    "(\<lambda>Z \<in> Pow(A+B). <{x \<in> A. Inl(x) \<in> Z}, {y \<in> B. Inr(y) \<in> Z}>)  
  18.505 +    "(\<lambda>Z \<in> Pow(A+B). <{x \<in> A. Inl(x) \<in> Z}, {y \<in> B. Inr(y) \<in> Z}>)
  18.506       \<in> bij(Pow(A+B), Pow(A)*Pow(B))"
  18.507 -apply (rule_tac d = "%<X,Y>. {Inl (x). x \<in> X} \<union> {Inr (y). y \<in> Y}" 
  18.508 +apply (rule_tac d = "%<X,Y>. {Inl (x). x \<in> X} \<union> {Inr (y). y \<in> Y}"
  18.509         in lam_bijective)
  18.510  apply force+
  18.511  done
  18.512  
  18.513  text{*As a special case, we have @{term "bij(Pow(A*B), A -> Pow(B))"} *}
  18.514  lemma Pow_Sigma_bij:
  18.515 -    "(\<lambda>r \<in> Pow(Sigma(A,B)). \<lambda>x \<in> A. r``{x})  
  18.516 +    "(\<lambda>r \<in> Pow(Sigma(A,B)). \<lambda>x \<in> A. r``{x})
  18.517       \<in> bij(Pow(Sigma(A,B)), \<Pi> x \<in> A. Pow(B(x)))"
  18.518  apply (rule_tac d = "%f. \<Union>x \<in> A. \<Union>y \<in> f`x. {<x,y>}" in lam_bijective)
  18.519  apply (blast intro: lam_type)
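Review bot: The substitution is applied unevenly inside single formulas in this file: the new line of `radd_Inl_iff` reads `a':A & a \<in> A & <a',a>:r`, and the same mix of spellings is left in `radd_Inr_iff`, `raddE`, `rmult_iff` and `rmultE`. It looks as if only unprimed identifiers were matched, so primed variables and pair memberships keep the ASCII colon; both spellings presumably parse to the same term, which makes this a readability point rather than a soundness one. I would finish such lines as `a' \<in> A & a \<in> A & <a',a> \<in> r`, and give the comprehensions in the definitions of `radd` and `rmult` (`{z: (A+B) * (A+B).`) the same treatment `rvimage` received. Many of the other hunks in this section only strip trailing whitespace, which the commit message does not mention; a separate changeset for that would make the notation change easier to audit.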
    19.1 --- a/src/ZF/OrderType.thy	Thu Mar 15 15:54:22 2012 +0000
    19.2 +++ b/src/ZF/OrderType.thy	Thu Mar 15 16:35:02 2012 +0000
    19.3 @@ -79,11 +79,11 @@
    19.4  done
    19.5  
    19.6  lemma pred_Memrel:
    19.7 -      "x:A ==> pred(A, x, Memrel(A)) = A \<inter> x"
    19.8 +      "x \<in> A ==> pred(A, x, Memrel(A)) = A \<inter> x"
    19.9  by (unfold pred_def Memrel_def, blast)
   19.10  
   19.11  lemma Ord_iso_implies_eq_lemma:
   19.12 -     "[| j<i;  f: ord_iso(i,Memrel(i),j,Memrel(j)) |] ==> R"
   19.13 +     "[| j<i;  f \<in> ord_iso(i,Memrel(i),j,Memrel(j)) |] ==> R"
   19.14  apply (frule lt_pred_Memrel)
   19.15  apply (erule ltE)
   19.16  apply (rule well_ord_Memrel [THEN well_ord_iso_predE, of i f j], auto)
   19.17 @@ -95,7 +95,7 @@
   19.18  
   19.19  (*Kunen's Theorem 7.3 (ii), page 16.  Isomorphic ordinals are equal*)
   19.20  lemma Ord_iso_implies_eq:
   19.21 -     "[| Ord(i);  Ord(j);  f:  ord_iso(i,Memrel(i),j,Memrel(j)) |]
   19.22 +     "[| Ord(i);  Ord(j);  f \<in> ord_iso(i,Memrel(i),j,Memrel(j)) |]
   19.23        ==> i=j"
   19.24  apply (rule_tac i = i and j = j in Ord_linear_lt)
   19.25  apply (blast intro: ord_iso_sym Ord_iso_implies_eq_lemma)+
   19.26 @@ -115,7 +115,7 @@
   19.27  
   19.28  (*Useful for cardinality reasoning; see CardinalArith.ML*)
   19.29  lemma ordermap_eq_image:
   19.30 -    "[| wf[A](r);  x:A |]
   19.31 +    "[| wf[A](r);  x \<in> A |]
   19.32       ==> ordermap(A,r) ` x = ordermap(A,r) `` pred(A,x,r)"
   19.33  apply (unfold ordermap_def pred_def)
   19.34  apply (simp (no_asm_simp))
   19.35 @@ -125,7 +125,7 @@
   19.36  
   19.37  (*Useful for rewriting PROVIDED pred is not unfolded until later!*)
   19.38  lemma ordermap_pred_unfold:
   19.39 -     "[| wf[A](r);  x:A |]
   19.40 +     "[| wf[A](r);  x \<in> A |]
   19.41        ==> ordermap(A,r) ` x = {ordermap(A,r)`y . y \<in> pred(A,x,r)}"
   19.42  by (simp add: ordermap_eq_image pred_subset ordermap_type [THEN image_fun])
   19.43  
   19.44 @@ -135,14 +135,14 @@
   19.45  (*The theorem above is
   19.46  
   19.47  [| wf[A](r); x \<in> A |]
   19.48 -==> ordermap(A,r) ` x = {ordermap(A,r) ` y . y: {y: A . <y,x> \<in> r}}
   19.49 +==> ordermap(A,r) ` x = {ordermap(A,r) ` y . y: {y \<in> A . <y,x> \<in> r}}
   19.50  
   19.51  NOTE: the definition of ordermap used here delivers ordinals only if r is
   19.52  transitive.  If r is the predecessor relation on the naturals then
   19.53  ordermap(nat,predr) ` n equals {n-1} and not n.  A more complicated definition,
   19.54  like
   19.55  
   19.56 -  ordermap(A,r) ` x = Union{succ(ordermap(A,r) ` y) . y: {y: A . <y,x> \<in> r}},
   19.57 +  ordermap(A,r) ` x = Union{succ(ordermap(A,r) ` y) . y: {y \<in> A . <y,x> \<in> r}},
   19.58  
   19.59  might eliminate the need for r to be transitive.
   19.60  *)
   19.61 @@ -151,7 +151,7 @@
   19.62  subsubsection{*Showing that ordermap, ordertype yield ordinals *}
   19.63  
   19.64  lemma Ord_ordermap:
   19.65 -    "[| well_ord(A,r);  x:A |] ==> Ord(ordermap(A,r) ` x)"
   19.66 +    "[| well_ord(A,r);  x \<in> A |] ==> Ord(ordermap(A,r) ` x)"
   19.67  apply (unfold well_ord_def tot_ord_def part_ord_def, safe)
   19.68  apply (rule_tac a=x in wf_on_induct, assumption+)
   19.69  apply (simp (no_asm_simp) add: ordermap_pred_unfold)
   19.70 @@ -176,14 +176,14 @@
   19.71  subsubsection{*ordermap preserves the orderings in both directions *}
   19.72  
   19.73  lemma ordermap_mono:
   19.74 -     "[| <w,x>: r;  wf[A](r);  w: A; x: A |]
   19.75 +     "[| <w,x>: r;  wf[A](r);  w \<in> A; x \<in> A |]
   19.76        ==> ordermap(A,r)`w \<in> ordermap(A,r)`x"
   19.77  apply (erule_tac x1 = x in ordermap_unfold [THEN ssubst], assumption, blast)
   19.78  done
   19.79  
   19.80  (*linearity of r is crucial here*)
   19.81  lemma converse_ordermap_mono:
   19.82 -    "[| ordermap(A,r)`w \<in> ordermap(A,r)`x;  well_ord(A,r); w: A; x: A |]
   19.83 +    "[| ordermap(A,r)`w \<in> ordermap(A,r)`x;  well_ord(A,r); w \<in> A; x \<in> A |]
   19.84       ==> <w,x>: r"
   19.85  apply (unfold well_ord_def tot_ord_def, safe)
   19.86  apply (erule_tac x=w and y=x in linearE, assumption+)
   19.87 @@ -214,7 +214,7 @@
   19.88  done
   19.89  
   19.90  lemma ordertype_eq:
   19.91 -     "[| f: ord_iso(A,r,B,s);  well_ord(B,s) |]
   19.92 +     "[| f \<in> ord_iso(A,r,B,s);  well_ord(B,s) |]
   19.93        ==> ordertype(A,r) = ordertype(B,s)"
   19.94  apply (frule well_ord_ord_iso, assumption)
   19.95  apply (rule Ord_iso_implies_eq, (erule Ord_ordertype)+)
   19.96 @@ -223,7 +223,7 @@
   19.97  
   19.98  lemma ordertype_eq_imp_ord_iso:
   19.99       "[| ordertype(A,r) = ordertype(B,s); well_ord(A,r);  well_ord(B,s) |]
  19.100 -      ==> \<exists>f. f: ord_iso(A,r,B,s)"
  19.101 +      ==> \<exists>f. f \<in> ord_iso(A,r,B,s)"
  19.102  apply (rule exI)
  19.103  apply (rule ordertype_ord_iso [THEN ord_iso_trans], assumption)
  19.104  apply (erule ssubst)
  19.105 @@ -254,7 +254,7 @@
  19.106  apply (rule Ord_0 [THEN ordertype_Memrel])
  19.107  done
  19.108  
  19.109 -(*Ordertype of rvimage:  [| f: bij(A,B);  well_ord(B,s) |] ==>
  19.110 +(*Ordertype of rvimage:  [| f \<in> bij(A,B);  well_ord(B,s) |] ==>
  19.111                           ordertype(A, rvimage(A,f,s)) = ordertype(B,s) *)
  19.112  lemmas bij_ordertype_vimage = ord_iso_rvimage [THEN ordertype_eq]
  19.113  
  19.114 @@ -262,7 +262,7 @@
  19.115  
  19.116  (*Ordermap returns the same result if applied to an initial segment*)
  19.117  lemma ordermap_pred_eq_ordermap:
  19.118 -     "[| well_ord(A,r);  y:A;  z: pred(A,y,r) |]
  19.119 +     "[| well_ord(A,r);  y \<in> A;  z \<in> pred(A,y,r) |]
  19.120        ==> ordermap(pred(A,y,r), r) ` z = ordermap(A, r) ` z"
  19.121  apply (frule wf_on_subset_A [OF well_ord_is_wf pred_subset])
  19.122  apply (rule_tac a=z in wf_on_induct, assumption+)
  19.123 @@ -284,14 +284,14 @@
  19.124  
  19.125  text{*Theorems by Krzysztof Grabczewski; proofs simplified by lcp *}
  19.126  
  19.127 -lemma ordertype_pred_subset: "[| well_ord(A,r);  x:A |] ==>
  19.128 +lemma ordertype_pred_subset: "[| well_ord(A,r);  x \<in> A |] ==>
  19.129            ordertype(pred(A,x,r),r) \<subseteq> ordertype(A,r)"
  19.130  apply (simp add: ordertype_unfold well_ord_subset [OF _ pred_subset])
  19.131  apply (fast intro: ordermap_pred_eq_ordermap elim: predE)
  19.132  done
  19.133  
  19.134  lemma ordertype_pred_lt:
  19.135 -     "[| well_ord(A,r);  x:A |]
  19.136 +     "[| well_ord(A,r);  x \<in> A |]
  19.137        ==> ordertype(pred(A,x,r),r) < ordertype(A,r)"
  19.138  apply (rule ordertype_pred_subset [THEN subset_imp_le, THEN leE])
  19.139  apply (simp_all add: Ord_ordertype well_ord_subset [OF _ pred_subset])
  19.140 @@ -304,7 +304,7 @@
  19.141          well_ord(pred(A,x,r), r) *)
  19.142  lemma ordertype_pred_unfold:
  19.143       "well_ord(A,r)
  19.144 -      ==> ordertype(A,r) = {ordertype(pred(A,x,r),r). x:A}"
  19.145 +      ==> ordertype(A,r) = {ordertype(pred(A,x,r),r). x \<in> A}"
  19.146  apply (rule equalityI)
  19.147  apply (safe intro!: ordertype_pred_lt [THEN ltD])
  19.148  apply (auto simp add: ordertype_def well_ord_is_wf [THEN ordermap_eq_image]
  19.149 @@ -367,7 +367,7 @@
  19.150  
  19.151  (*In fact, pred(A+B, Inl(a), radd(A,r,B,s)) = pred(A,a,r)+0 *)
  19.152  lemma pred_Inl_bij:
  19.153 - "a:A ==> (\<lambda>x\<in>pred(A,a,r). Inl(x))
  19.154 + "a \<in> A ==> (\<lambda>x\<in>pred(A,a,r). Inl(x))
  19.155            \<in> bij(pred(A,a,r), pred(A+B, Inl(a), radd(A,r,B,s)))"
  19.156  apply (unfold pred_def)
  19.157  apply (rule_tac d = "case (%x. x, %y. y) " in lam_bijective)
  19.158 @@ -375,7 +375,7 @@
  19.159  done
  19.160  
  19.161  lemma ordertype_pred_Inl_eq:
  19.162 -     "[| a:A;  well_ord(A,r) |]
  19.163 +     "[| a \<in> A;  well_ord(A,r) |]
  19.164        ==> ordertype(pred(A+B, Inl(a), radd(A,r,B,s)), radd(A,r,B,s)) =
  19.165            ordertype(pred(A,a,r), r)"
  19.166  apply (rule pred_Inl_bij [THEN ord_isoI, THEN ord_iso_sym, THEN ordertype_eq])
  19.167 @@ -384,7 +384,7 @@
  19.168  done
  19.169  
  19.170  lemma pred_Inr_bij:
  19.171 - "b:B ==>
  19.172 + "b \<in> B ==>
  19.173           id(A+pred(B,b,s))
  19.174           \<in> bij(A+pred(B,b,s), pred(A+B, Inr(b), radd(A,r,B,s)))"
  19.175  apply (unfold pred_def id_def)
  19.176 @@ -392,7 +392,7 @@
  19.177  done
  19.178  
  19.179  lemma ordertype_pred_Inr_eq:
  19.180 -     "[| b:B;  well_ord(A,r);  well_ord(B,s) |]
  19.181 +     "[| b \<in> B;  well_ord(A,r);  well_ord(B,s) |]
  19.182        ==> ordertype(pred(A+B, Inr(b), radd(A,r,B,s)), radd(A,r,B,s)) =
  19.183            ordertype(A+pred(B,b,s), radd(A,r,pred(B,b,s),s))"
  19.184  apply (rule pred_Inr_bij [THEN ord_isoI, THEN ord_iso_sym, THEN ordertype_eq])
  19.185 @@ -476,7 +476,7 @@
  19.186  done
  19.187  
  19.188  lemma subset_ord_iso_Memrel:
  19.189 -     "[| f: ord_iso(A,Memrel(B),C,r); A<=B |] ==> f: ord_iso(A,Memrel(A),C,r)"
  19.190 +     "[| f \<in> ord_iso(A,Memrel(B),C,r); A<=B |] ==> f \<in> ord_iso(A,Memrel(A),C,r)"
  19.191  apply (frule ord_iso_is_bij [THEN bij_is_fun, THEN fun_is_rel])
  19.192  apply (frule ord_iso_trans [OF id_ord_iso_Memrel], assumption)
  19.193  apply (simp add: right_comp_id)
  19.194 @@ -594,7 +594,7 @@
  19.195  text{*Ordinal addition with limit ordinals *}
  19.196  
  19.197  lemma oadd_UN:
  19.198 -     "[| !!x. x:A ==> Ord(j(x));  a:A |]
  19.199 +     "[| !!x. x \<in> A ==> Ord(j(x));  a \<in> A |]
  19.200        ==> i ++ (\<Union>x\<in>A. j(x)) = (\<Union>x\<in>A. i++j(x))"
  19.201  by (blast intro: ltI Ord_UN Ord_oadd lt_oadd1 [THEN ltD]
  19.202                   oadd_lt_mono2 [THEN ltD]
  19.203 @@ -632,15 +632,15 @@
  19.204  
  19.205  lemma oadd_le_self2: "Ord(i) ==> i \<le> j++i"
  19.206  proof (induct i rule: trans_induct3)
  19.207 -  case 0 thus ?case by (simp add: Ord_0_le) 
  19.208 +  case 0 thus ?case by (simp add: Ord_0_le)
  19.209  next
  19.210 -  case (succ i) thus ?case by (simp add: oadd_succ succ_leI) 
  19.211 +  case (succ i) thus ?case by (simp add: oadd_succ succ_leI)
  19.212  next
  19.213    case (limit l)
  19.214 -  hence "l = (\<Union>x\<in>l. x)" 
  19.215 +  hence "l = (\<Union>x\<in>l. x)"
  19.216      by (simp add: Union_eq_UN [symmetric] Limit_Union_eq)
  19.217 -  also have "... \<le> (\<Union>x\<in>l. j++x)" 
  19.218 -    by (rule le_implies_UN_le_UN) (rule limit.hyps) 
  19.219 +  also have "... \<le> (\<Union>x\<in>l. j++x)"
  19.220 +    by (rule le_implies_UN_le_UN) (rule limit.hyps)
  19.221    finally have "l \<le> (\<Union>x\<in>l. j++x)" .
  19.222    thus ?case using limit.hyps by (simp add: oadd_Limit)
  19.223  qed
  19.224 @@ -691,7 +691,7 @@
  19.225      It's probably simpler to define the difference recursively!*}
  19.226  
  19.227  lemma bij_sum_Diff:
  19.228 -     "A<=B ==> (\<lambda>y\<in>B. if(y:A, Inl(y), Inr(y))) \<in> bij(B, A+(B-A))"
  19.229 +     "A<=B ==> (\<lambda>y\<in>B. if(y \<in> A, Inl(y), Inr(y))) \<in> bij(B, A+(B-A))"
  19.230  apply (rule_tac d = "case (%x. x, %y. y) " in lam_bijective)
  19.231  apply (blast intro!: if_type)
  19.232  apply (fast intro!: case_type)
  19.233 @@ -763,13 +763,13 @@
  19.234  subsubsection{*A useful unfolding law *}
  19.235  
  19.236  lemma pred_Pair_eq:
  19.237 - "[| a:A;  b:B |] ==> pred(A*B, <a,b>, rmult(A,r,B,s)) =
  19.238 + "[| a \<in> A;  b \<in> B |] ==> pred(A*B, <a,b>, rmult(A,r,B,s)) =
  19.239                        pred(A,a,r)*B \<union> ({a} * pred(B,b,s))"
  19.240  apply (unfold pred_def, blast)
  19.241  done
  19.242  
  19.243  lemma ordertype_pred_Pair_eq:
  19.244 -     "[| a:A;  b:B;  well_ord(A,r);  well_ord(B,s) |] ==>
  19.245 +     "[| a \<in> A;  b \<in> B;  well_ord(A,r);  well_ord(B,s) |] ==>
  19.246           ordertype(pred(A*B, <a,b>, rmult(A,r,B,s)), rmult(A,r,B,s)) =
  19.247           ordertype(pred(A,a,r)*B + pred(B,b,s),
  19.248                    radd(A*B, rmult(A,r,B,s), B, s))"
  19.249 @@ -908,7 +908,7 @@
  19.250  text{*Ordinal multiplication with limit ordinals *}
  19.251  
  19.252  lemma omult_UN:
  19.253 -     "[| Ord(i);  !!x. x:A ==> Ord(j(x)) |]
  19.254 +     "[| Ord(i);  !!x. x \<in> A ==> Ord(j(x)) |]
  19.255        ==> i ** (\<Union>x\<in>A. j(x)) = (\<Union>x\<in>A. i**j(x))"
  19.256  by (simp (no_asm_simp) add: Ord_UN omult_unfold, blast)
  19.257  
  19.258 @@ -934,17 +934,17 @@
  19.259    have o: "Ord(k)" "Ord(j)" by (rule lt_Ord [OF kj] le_Ord2 [OF kj])+
  19.260    show ?thesis using i
  19.261    proof (induct i rule: trans_induct3)
  19.262 -    case 0 thus ?case 
  19.263 +    case 0 thus ?case
  19.264        by simp
  19.265    next
  19.266 -    case (succ i) thus ?case 
  19.267 -      by (simp add: o kj omult_succ oadd_le_mono) 
  19.268 +    case (succ i) thus ?case
  19.269 +      by (simp add: o kj omult_succ oadd_le_mono)
  19.270    next
  19.271      case (limit l)
  19.272 -    thus ?case 
  19.273 -      by (auto simp add: o kj omult_Limit le_implies_UN_le_UN) 
  19.274 +    thus ?case
  19.275 +      by (auto simp add: o kj omult_Limit le_implies_UN_le_UN)
  19.276    qed
  19.277 -qed    
  19.278 +qed
  19.279  
  19.280  lemma omult_lt_mono2: "[| k<j;  0<i |] ==> i**k < i**j"
  19.281  apply (rule ltI)
  19.282 @@ -966,30 +966,30 @@
  19.283  lemma omult_lt_mono: "[| i' \<le> i;  j'<j;  0<i |] ==> i'**j' < i**j"
  19.284  by (blast intro: lt_trans1 omult_le_mono1 omult_lt_mono2 Ord_succD elim: ltE)
  19.285  
  19.286 -lemma omult_le_self2: 
  19.287 +lemma omult_le_self2:
  19.288    assumes i: "Ord(i)" and j: "0<j" shows "i \<le> j**i"
  19.289  proof -
  19.290    have oj: "Ord(j)" by (rule lt_Ord2 [OF j])
  19.291    show ?thesis using i
  19.292    proof (induct i rule: trans_induct3)
  19.293 -    case 0 thus ?case 
  19.294 +    case 0 thus ?case
  19.295        by simp
  19.296    next
  19.297 -    case (succ i) 
  19.298 -    have "j \<times>\<times> i ++ 0 < j \<times>\<times> i ++ j" 
  19.299 -      by (rule oadd_lt_mono2 [OF j]) 
  19.300 -    with succ.hyps show ?case 
  19.301 +    case (succ i)
  19.302 +    have "j \<times>\<times> i ++ 0 < j \<times>\<times> i ++ j"
  19.303 +      by (rule oadd_lt_mono2 [OF j])
  19.304 +    with succ.hyps show ?case
  19.305        by (simp add: oj j omult_succ ) (rule lt_trans1)
  19.306    next
  19.307      case (limit l)
  19.308 -    hence "l = (\<Union>x\<in>l. x)" 
  19.309 +    hence "l = (\<Union>x\<in>l. x)"
  19.310        by (simp add: Union_eq_UN [symmetric] Limit_Union_eq)
  19.311 -    also have "... \<le> (\<Union>x\<in>l. j**x)" 
  19.312 -      by (rule le_implies_UN_le_UN) (rule limit.hyps) 
  19.313 +    also have "... \<le> (\<Union>x\<in>l. j**x)"
  19.314 +      by (rule le_implies_UN_le_UN) (rule limit.hyps)
  19.315      finally have "l \<le> (\<Union>x\<in>l. j**x)" .
  19.316      thus ?case using limit.hyps by (simp add: oj omult_Limit)
  19.317    qed
  19.318 -qed    
  19.319 +qed
  19.320  
  19.321  
  19.322  text{*Further properties of ordinal multiplication *}
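--- a/src/ZF/Ordinal.thy
+++ b/src/ZF/Ordinal.thy
@@ -66,11 +66,11 @@
 done
 
 lemma Transset_includes_domain:
-    "[| Transset(C); A*B \<subseteq> C; b: B |] ==> A \<subseteq> C"
+    "[| Transset(C); A*B \<subseteq> C; b \<in> B |] ==> A \<subseteq> C"
 by (blast dest: Transset_Pair_D)
 
 lemma Transset_includes_range:
-    "[| Transset(C); A*B \<subseteq> C; a: A |] ==> B \<subseteq> C"
+    "[| Transset(C); A*B \<subseteq> C; a \<in> A |] ==> B \<subseteq> C"
 by (blast dest: Transset_Pair_D)
 
 subsubsection{*Closure Properties*}
@@ -276,12 +276,12 @@
 lemma Memrel_iff [simp]: "<a,b> \<in> Memrel(A) <-> a\<in>b & a\<in>A & b\<in>A"
 by (unfold Memrel_def, blast)
 
-lemma MemrelI [intro!]: "[| a: b;  a: A;  b: A |] ==> <a,b> \<in> Memrel(A)"
+lemma MemrelI [intro!]: "[| a \<in> b;  a \<in> A;  b \<in> A |] ==> <a,b> \<in> Memrel(A)"
 by auto
 
 lemma MemrelE [elim!]:
     "[| <a,b> \<in> Memrel(A);
-        [| a: A;  b: A;  a\<in>b |]  ==> P |]
+        [| a \<in> A;  b \<in> A;  a\<in>b |]  ==> P |]
      ==> P"
 by auto
 
@@ -327,8 +327,8 @@
 
 (*Epsilon induction over a transitive set*)
 lemma Transset_induct:
-    "[| i: k;  Transset(k);
-        !!x.[| x: k;  \<forall>y\<in>x. P(y) |] ==> P(x) |]
+    "[| i \<in> k;  Transset(k);
+        !!x.[| x \<in> k;  \<forall>y\<in>x. P(y) |] ==> P(x) |]
      ==>  P(i)"
 apply (simp add: Transset_def)
 apply (erule wf_Memrel [THEN wf_induct2], blast+)
@@ -364,7 +364,7 @@
 text{*The trichotomy law for ordinals*}
 lemma Ord_linear_lt:
  assumes o: "Ord(i)" "Ord(j)"
- obtains (lt) "i<j" | (eq) "i=j" | (gt) "j<i" 
+ obtains (lt) "i<j" | (eq) "i=j" | (gt) "j<i"
 apply (simp add: lt_def)
 apply (rule_tac i1=i and j1=j in Ord_linear [THEN disjE])
 apply (blast intro: o)+
@@ -372,14 +372,14 @@
 
 lemma Ord_linear2:
  assumes o: "Ord(i)" "Ord(j)"
- obtains (lt) "i<j" | (ge) "j \<le> i" 
+ obtains (lt) "i<j" | (ge) "j \<le> i"
 apply (rule_tac i = i and j = j in Ord_linear_lt)
 apply (blast intro: leI le_eqI sym o) +
 done
 
 lemma Ord_linear_le:
  assumes o: "Ord(i)" "Ord(j)"
- obtains (le) "i \<le> j" | (ge) "j \<le> i" 
+ obtains (le) "i \<le> j" | (ge) "j \<le> i"
 apply (rule_tac i = i and j = j in Ord_linear_lt)
 apply (blast intro: leI le_eqI o) +
 done
@@ -598,7 +598,7 @@
 by (unfold lt_def, blast)
 
 lemma UN_upper_le:
-     "[| a: A;  i \<le> b(a);  Ord(\<Union>x\<in>A. b(x)) |] ==> i \<le> (\<Union>x\<in>A. b(x))"
+     "[| a \<in> A;  i \<le> b(a);  Ord(\<Union>x\<in>A. b(x)) |] ==> i \<le> (\<Union>x\<in>A. b(x))"
 apply (frule ltD)
 apply (rule le_imp_subset [THEN subset_trans, THEN subset_imp_le])
 apply (blast intro: lt_Ord UN_upper)+
@@ -608,7 +608,7 @@
 by (auto simp: lt_def Ord_Union)
 
 lemma Union_upper_le:
-     "[| j: J;  i\<le>j;  Ord(\<Union>(J)) |] ==> i \<le> \<Union>J"
+     "[| j \<in> J;  i\<le>j;  Ord(\<Union>(J)) |] ==> i \<le> \<Union>J"
 apply (subst Union_eq_UN)
 apply (rule UN_upper_le, auto)
 done
@@ -677,10 +677,10 @@
   { fix y
     assume yi: "y<i"
     hence Osy: "Ord(succ(y))" by (simp add: lt_Ord Ord_succ)
-    have "~ i \<le> y" using yi by (blast dest: le_imp_not_lt) 
-    hence "succ(y) < i" using nsucc [of y] 
+    have "~ i \<le> y" using yi by (blast dest: le_imp_not_lt)
+    hence "succ(y) < i" using nsucc [of y]
       by (blast intro: Ord_linear_lt [OF Osy Oi]) }
-  thus ?thesis using i Oi by (auto simp add: Limit_def) 
+  thus ?thesis using i Oi by (auto simp add: Limit_def)
 qed
 
 lemma succ_LimitE [elim!]: "Limit(succ(i)) ==> P"
@@ -703,7 +703,7 @@
 
 lemma Ord_cases:
  assumes i: "Ord(i)"
- obtains (0) "i=0" | (succ) j where "Ord(j)" "i=succ(j)" | (limit) "Limit(i)" 
+ obtains (0) "i=0" | (succ) j where "Ord(j)" "i=succ(j)" | (limit) "Limit(i)"
 by (insert Ord_cases_disj [OF i], auto)
 
 lemma trans_induct3_raw:
@@ -722,7 +722,7 @@
 union is a limit ordinal.*}
 
 lemma Union_le: "[| !!x. x\<in>I ==> x\<le>j; Ord(j) |] ==> \<Union>(I) \<le> j"
-  by (auto simp add: le_subset_iff Union_least) 
+  by (auto simp add: le_subset_iff Union_least)
 
 lemma Ord_set_cases:
   assumes I: "\<forall>i\<in>I. Ord(i)"
@@ -734,20 +734,20 @@
 next
   fix j
   assume j: "Ord(j)" and UIj:"\<Union>(I) = succ(j)"
-  { assume "\<forall>i\<in>I. i\<le>j" 
-    hence "\<Union>(I) \<le> j" 
-      by (simp add: Union_le j) 
-    hence False 
+  { assume "\<forall>i\<in>I. i\<le>j"
+    hence "\<Union>(I) \<le> j"
+      by (simp add: Union_le j)
+    hence False
       by (simp add: UIj lt_not_refl) }
   then obtain i where i: "i \<in> I" "succ(j) \<le> i" using I j
-    by (atomize, auto simp add: not_le_iff_lt) 
+    by (atomize, auto simp add: not_le_iff_lt)
   have "\<Union>(I) \<le> succ(j)" using UIj j by auto
   hence "i \<le> succ(j)" using i
-    by (simp add: le_subset_iff Union_subset_iff) 
-  hence "succ(j) = i" using i 
-    by (blast intro: le_anti_sym) 
+    by (simp add: le_subset_iff Union_subset_iff)
+  hence "succ(j) = i" using i
+    by (blast intro: le_anti_sym)
   hence "succ(j) \<in> I" by (simp add: i)
-  thus ?thesis by (simp add: UIj) 
+  thus ?thesis by (simp add: UIj)
 next
   assume "Limit(\<Union>I)" thus ?thesis by auto
 qed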
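Review bot: The replacement is not applied uniformly, so several new lines end up in mixed notation. In `MemrelE` the rewritten premise reads `[| a \<in> A;  b \<in> A;  a\<in>b |]`, spaced and unspaced on one line; `[| a \<in> A;  b \<in> A;  a \<in> b |]  ==> P |]` would match `MemrelI` just above it. The Perm.thy section of the same changeset has a related leftover: new lines such as `!!y. y \<in> B ==> d(y): A` and `converse(f): C->A` keep the ASCII colon next to converted premises. The trailing-whitespace removals in this file are unrelated to the stated change and would be easier to review as a separate commit.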
    21.1 --- a/src/ZF/Perm.thy	Thu Mar 15 15:54:22 2012 +0000
    21.2 +++ b/src/ZF/Perm.thy	Thu Mar 15 16:35:02 2012 +0000
    21.3 @@ -26,12 +26,12 @@
    21.4  definition
    21.5    (*one-to-one functions from A to B*)
    21.6    inj   :: "[i,i]=>i"  where
    21.7 -    "inj(A,B) == { f: A->B. \<forall>w\<in>A. \<forall>x\<in>A. f`w=f`x \<longrightarrow> w=x}"
    21.8 +    "inj(A,B) == { f \<in> A->B. \<forall>w\<in>A. \<forall>x\<in>A. f`w=f`x \<longrightarrow> w=x}"
    21.9  
   21.10  definition
   21.11    (*onto functions from A to B*)
   21.12    surj  :: "[i,i]=>i"  where
   21.13 -    "surj(A,B) == { f: A->B . \<forall>y\<in>B. \<exists>x\<in>A. f`x=y}"
   21.14 +    "surj(A,B) == { f \<in> A->B . \<forall>y\<in>B. \<exists>x\<in>A. f`x=y}"
   21.15  
   21.16  definition
   21.17    (*one-to-one and onto functions*)
   21.18 @@ -41,17 +41,17 @@
   21.19  
   21.20  subsection{*Surjective Function Space*}
   21.21  
   21.22 -lemma surj_is_fun: "f: surj(A,B) ==> f: A->B"
   21.23 +lemma surj_is_fun: "f \<in> surj(A,B) ==> f \<in> A->B"
   21.24  apply (unfold surj_def)
   21.25  apply (erule CollectD1)
   21.26  done
   21.27  
   21.28 -lemma fun_is_surj: "f \<in> Pi(A,B) ==> f: surj(A,range(f))"
   21.29 +lemma fun_is_surj: "f \<in> Pi(A,B) ==> f \<in> surj(A,range(f))"
   21.30  apply (unfold surj_def)
   21.31  apply (blast intro: apply_equality range_of_fun domain_type)
   21.32  done
   21.33  
   21.34 -lemma surj_range: "f: surj(A,B) ==> range(f)=B"
   21.35 +lemma surj_range: "f \<in> surj(A,B) ==> range(f)=B"
   21.36  apply (unfold surj_def)
   21.37  apply (best intro: apply_Pair elim: range_type)
   21.38  done
   21.39 @@ -59,14 +59,14 @@
   21.40  text{* A function with a right inverse is a surjection *}
   21.41  
   21.42  lemma f_imp_surjective:
   21.43 -    "[| f: A->B;  !!y. y:B ==> d(y): A;  !!y. y:B ==> f`d(y) = y |]
   21.44 -     ==> f: surj(A,B)"
   21.45 +    "[| f \<in> A->B;  !!y. y \<in> B ==> d(y): A;  !!y. y \<in> B ==> f`d(y) = y |]
   21.46 +     ==> f \<in> surj(A,B)"
   21.47    by (simp add: surj_def, blast)
   21.48  
   21.49  lemma lam_surjective:
   21.50 -    "[| !!x. x:A ==> c(x): B;
   21.51 -        !!y. y:B ==> d(y): A;
   21.52 -        !!y. y:B ==> c(d(y)) = y
   21.53 +    "[| !!x. x \<in> A ==> c(x): B;
   21.54 +        !!y. y \<in> B ==> d(y): A;
   21.55 +        !!y. y \<in> B ==> c(d(y)) = y
   21.56       |] ==> (\<lambda>x\<in>A. c(x)) \<in> surj(A,B)"
   21.57  apply (rule_tac d = d in f_imp_surjective)
   21.58  apply (simp_all add: lam_type)
   21.59 @@ -82,31 +82,31 @@
   21.60  
   21.61  subsection{*Injective Function Space*}
   21.62  
   21.63 -lemma inj_is_fun: "f: inj(A,B) ==> f: A->B"
   21.64 +lemma inj_is_fun: "f \<in> inj(A,B) ==> f \<in> A->B"
   21.65  apply (unfold inj_def)
   21.66  apply (erule CollectD1)
   21.67  done
   21.68  
   21.69  text{*Good for dealing with sets of pairs, but a bit ugly in use [used in AC]*}
   21.70  lemma inj_equality:
   21.71 -    "[| <a,b>:f;  <c,b>:f;  f: inj(A,B) |] ==> a=c"
   21.72 +    "[| <a,b>:f;  <c,b>:f;  f \<in> inj(A,B) |] ==> a=c"
   21.73  apply (unfold inj_def)
   21.74  apply (blast dest: Pair_mem_PiD)
   21.75  done
   21.76  
   21.77 -lemma inj_apply_equality: "[| f:inj(A,B);  f`a=f`b;  a:A;  b:A |] ==> a=b"
   21.78 +lemma inj_apply_equality: "[| f \<in> inj(A,B);  f`a=f`b;  a \<in> A;  b \<in> A |] ==> a=b"
   21.79  by (unfold inj_def, blast)
   21.80  
   21.81  text{* A function with a left inverse is an injection *}
   21.82  
   21.83 -lemma f_imp_injective: "[| f: A->B;  \<forall>x\<in>A. d(f`x)=x |] ==> f: inj(A,B)"
   21.84 +lemma f_imp_injective: "[| f \<in> A->B;  \<forall>x\<in>A. d(f`x)=x |] ==> f \<in> inj(A,B)"
   21.85  apply (simp (no_asm_simp) add: inj_def)
   21.86  apply (blast intro: subst_context [THEN box_equals])
   21.87  done
   21.88  
   21.89  lemma lam_injective:
   21.90 -    "[| !!x. x:A ==> c(x): B;
   21.91 -        !!x. x:A ==> d(c(x)) = x |]
   21.92 +    "[| !!x. x \<in> A ==> c(x): B;
   21.93 +        !!x. x \<in> A ==> d(c(x)) = x |]
   21.94       ==> (\<lambda>x\<in>A. c(x)) \<in> inj(A,B)"
   21.95  apply (rule_tac d = d in f_imp_injective)
   21.96  apply (simp_all add: lam_type)
   21.97 @@ -114,31 +114,31 @@
   21.98  
   21.99  subsection{*Bijections*}
  21.100  
  21.101 -lemma bij_is_inj: "f: bij(A,B) ==> f: inj(A,B)"
  21.102 +lemma bij_is_inj: "f \<in> bij(A,B) ==> f \<in> inj(A,B)"
  21.103  apply (unfold bij_def)
  21.104  apply (erule IntD1)
  21.105  done
  21.106  
  21.107 -lemma bij_is_surj: "f: bij(A,B) ==> f: surj(A,B)"
  21.108 +lemma bij_is_surj: "f \<in> bij(A,B) ==> f \<in> surj(A,B)"
  21.109  apply (unfold bij_def)
  21.110  apply (erule IntD2)
  21.111  done
  21.112  
  21.113 -text{* f: bij(A,B) ==> f: A->B *}
  21.114 -lemmas bij_is_fun = bij_is_inj [THEN inj_is_fun]
  21.115 +lemma bij_is_fun: "f \<in> bij(A,B) ==> f \<in> A->B"
  21.116 +  by (rule bij_is_inj [THEN inj_is_fun])
  21.117  
  21.118  lemma lam_bijective:
  21.119 -    "[| !!x. x:A ==> c(x): B;
  21.120 -        !!y. y:B ==> d(y): A;
  21.121 -        !!x. x:A ==> d(c(x)) = x;
  21.122 -        !!y. y:B ==> c(d(y)) = y
  21.123 +    "[| !!x. x \<in> A ==> c(x): B;
  21.124 +        !!y. y \<in> B ==> d(y): A;
  21.125 +        !!x. x \<in> A ==> d(c(x)) = x;
  21.126 +        !!y. y \<in> B ==> c(d(y)) = y
  21.127       |] ==> (\<lambda>x\<in>A. c(x)) \<in> bij(A,B)"
  21.128  apply (unfold bij_def)
  21.129  apply (blast intro!: lam_injective lam_surjective)
  21.130  done
  21.131  
  21.132  lemma RepFun_bijective: "(\<forall>y\<in>x. EX! y'. f(y') = f(y))
  21.133 -      ==> (\<lambda>z\<in>{f(y). y:x}. THE y. f(y) = z) \<in> bij({f(y). y:x}, x)"
  21.134 +      ==> (\<lambda>z\<in>{f(y). y \<in> x}. THE y. f(y) = z) \<in> bij({f(y). y \<in> x}, x)"
  21.135  apply (rule_tac d = f in lam_bijective)
  21.136  apply (auto simp add: the_equality2)
  21.137  done
  21.138 @@ -146,12 +146,12 @@
  21.139  
  21.140  subsection{*Identity Function*}
  21.141  
  21.142 -lemma idI [intro!]: "a:A ==> <a,a> \<in> id(A)"
  21.143 +lemma idI [intro!]: "a \<in> A ==> <a,a> \<in> id(A)"
  21.144  apply (unfold id_def)
  21.145  apply (erule lamI)
  21.146  done
  21.147  
  21.148 -lemma idE [elim!]: "[| p: id(A);  !!x.[| x:A; p=<x,x> |] ==> P |] ==>  P"
  21.149 +lemma idE [elim!]: "[| p \<in> id(A);  !!x.[| x \<in> A; p=<x,x> |] ==> P |] ==>  P"
  21.150  by (simp add: id_def lam_def, blast)
  21.151  
  21.152  lemma id_type: "id(A) \<in> A->A"
  21.153 @@ -159,7 +159,7 @@
  21.154  apply (rule lam_type, assumption)
  21.155  done
  21.156  
  21.157 -lemma id_conv [simp]: "x:A ==> id(A)`x = x"
  21.158 +lemma id_conv [simp]: "x \<in> A ==> id(A)`x = x"
  21.159  apply (unfold id_def)
  21.160  apply (simp (no_asm_simp))
  21.161  done
  21.162 @@ -198,7 +198,7 @@
  21.163  
  21.164  subsection{*Converse of a Function*}
  21.165  
  21.166 -lemma inj_converse_fun: "f: inj(A,B) ==> converse(f) \<in> range(f)->A"
  21.167 +lemma inj_converse_fun: "f \<in> inj(A,B) ==> converse(f) \<in> range(f)->A"
  21.168  apply (unfold inj_def)
  21.169  apply (simp (no_asm_simp) add: Pi_iff function_def)
  21.170  apply (erule CollectE)
  21.171 @@ -210,10 +210,10 @@
  21.172  
  21.173  text{*The premises are equivalent to saying that f is injective...*}
  21.174  lemma left_inverse_lemma:
  21.175 -     "[| f: A->B;  converse(f): C->A;  a: A |] ==> converse(f)`(f`a) = a"
  21.176 +     "[| f \<in> A->B;  converse(f): C->A;  a \<in> A |] ==> converse(f)`(f`a) = a"
  21.177  by (blast intro: apply_Pair apply_equality converseI)
  21.178  
  21.179 -lemma left_inverse [simp]: "[| f: inj(A,B);  a: A |] ==> converse(f)`(f`a) = a"
  21.180 +lemma left_inverse [simp]: "[| f \<in> inj(A,B);  a \<in> A |] ==> converse(f)`(f`a) = a"
  21.181  by (blast intro: left_inverse_lemma inj_converse_fun inj_is_fun)
  21.182  
  21.183  lemma left_inverse_eq:
  21.184 @@ -223,21 +223,21 @@
  21.185  lemmas left_inverse_bij = bij_is_inj [THEN left_inverse]
  21.186  
  21.187  lemma right_inverse_lemma:
  21.188 -     "[| f: A->B;  converse(f): C->A;  b: C |] ==> f`(converse(f)`b) = b"
  21.189 +     "[| f \<in> A->B;  converse(f): C->A;  b \<in> C |] ==> f`(converse(f)`b) = b"
  21.190  by (rule apply_Pair [THEN converseD [THEN apply_equality]], auto)
  21.191  
  21.192 -(*Should the premises be f:surj(A,B), b:B for symmetry with left_inverse?
  21.193 +(*Should the premises be f \<in> surj(A,B), b \<in> B for symmetry with left_inverse?
  21.194    No: they would not imply that converse(f) was a function! *)
  21.195  lemma right_inverse [simp]:
  21.196 -     "[| f: inj(A,B);  b: range(f) |] ==> f`(converse(f)`b) = b"
  21.197 +     "[| f \<in> inj(A,B);  b \<in> range(f) |] ==> f`(converse(f)`b) = b"
  21.198  by (blast intro: right_inverse_lemma inj_converse_fun inj_is_fun)
  21.199  
  21.200 -lemma right_inverse_bij: "[| f: bij(A,B);  b: B |] ==> f`(converse(f)`b) = b"
  21.201 +lemma right_inverse_bij: "[| f \<in> bij(A,B);  b \<in> B |] ==> f`(converse(f)`b) = b"
  21.202  by (force simp add: bij_def surj_range)
  21.203  
  21.204  subsection{*Converses of Injections, Surjections, Bijections*}
  21.205  
  21.206 -lemma inj_converse_inj: "f: inj(A,B) ==> converse(f): inj(range(f), A)"
  21.207 +lemma inj_converse_inj: "f \<in> inj(A,B) ==> converse(f): inj(range(f), A)"
  21.208  apply (rule f_imp_injective)
  21.209  apply (erule inj_converse_fun, clarify)
  21.210  apply (rule right_inverse)
  21.211 @@ -245,12 +245,12 @@
  21.212  apply blast
  21.213  done
  21.214  
  21.215 -lemma inj_converse_surj: "f: inj(A,B) ==> converse(f): surj(range(f), A)"
  21.216 +lemma inj_converse_surj: "f \<in> inj(A,B) ==> converse(f): surj(range(f), A)"
  21.217  by (blast intro: f_imp_surjective inj_converse_fun left_inverse inj_is_fun
  21.218                   range_of_fun [THEN apply_type])
  21.219  
  21.220  text{*Adding this as an intro! rule seems to cause looping*}
  21.221 -lemma bij_converse_bij [TC]: "f: bij(A,B) ==> converse(f): bij(B,A)"
  21.222 +lemma bij_converse_bij [TC]: "f \<in> bij(A,B) ==> converse(f): bij(B,A)"
  21.223  apply (unfold bij_def)
  21.224  apply (fast elim: surj_range [THEN subst] inj_converse_inj inj_converse_surj)
  21.225  done
  21.226 @@ -298,10 +298,10 @@
  21.227  lemma image_comp: "(r O s)``A = r``(s``A)"
  21.228  by blast
  21.229  
  21.230 -lemma inj_inj_range: "f: inj(A,B) ==> f \<in> inj(A,range(f))"
  21.231 +lemma inj_inj_range: "f \<in> inj(A,B) ==> f \<in> inj(A,range(f))"
  21.232    by (auto simp add: inj_def Pi_iff function_def)
  21.233  
  21.234 -lemma inj_bij_range: "f: inj(A,B) ==> f \<in> bij(A,range(f))"
  21.235 +lemma inj_bij_range: "f \<in> inj(A,B) ==> f \<in> bij(A,range(f))"
  21.236    by (auto simp add: bij_def intro: inj_inj_range inj_is_fun fun_is_surj)
  21.237  
  21.238  
  21.239 @@ -337,14 +337,14 @@
  21.240  by (unfold function_def, blast)
  21.241  
  21.242  text{*Don't think the premises can be weakened much*}
  21.243 -lemma comp_fun: "[| g: A->B;  f: B->C |] ==> (f O g) \<in> A->C"
  21.244 +lemma comp_fun: "[| g \<in> A->B;  f \<in> B->C |] ==> (f O g) \<in> A->C"
  21.245  apply (auto simp add: Pi_def comp_function Pow_iff comp_rel)
  21.246  apply (subst range_rel_subset [THEN domain_comp_eq], auto)
  21.247  done
  21.248  
  21.249 -(*Thanks to the new definition of "apply", the premise f: B->C is gone!*)
  21.250 +(*Thanks to the new definition of "apply", the premise f \<in> B->C is gone!*)
  21.251  lemma comp_fun_apply [simp]:
  21.252 -     "[| g: A->B;  a:A |] ==> (f O g)`a = f`(g`a)"
  21.253 +     "[| g \<in> A->B;  a \<in> A |] ==> (f O g)`a = f`(g`a)"
  21.254  apply (frule apply_Pair, assumption)
  21.255  apply (simp add: apply_def image_comp)
  21.256  apply (blast dest: apply_equality)
  21.257 @@ -352,7 +352,7 @@
  21.258  
  21.259  text{*Simplifies compositions of lambda-abstractions*}
  21.260  lemma comp_lam:
  21.261 -    "[| !!x. x:A ==> b(x): B |]
  21.262 +    "[| !!x. x \<in> A ==> b(x): B |]
  21.263       ==> (\<lambda>y\<in>B. c(y)) O (\<lambda>x\<in>A. b(x)) = (\<lambda>x\<in>A. c(b(x)))"
  21.264  apply (subgoal_tac "(\<lambda>x\<in>A. b(x)) \<in> A -> B")
  21.265   apply (rule fun_extension)
  21.266 @@ -363,7 +363,7 @@
  21.267  done
  21.268  
  21.269  lemma comp_inj:
  21.270 -     "[| g: inj(A,B);  f: inj(B,C) |] ==> (f O g) \<in> inj(A,C)"
  21.271 +     "[| g \<in> inj(A,B);  f \<in> inj(B,C) |] ==> (f O g) \<in> inj(A,C)"
  21.272  apply (frule inj_is_fun [of g])
  21.273  apply (frule inj_is_fun [of f])
  21.274  apply (rule_tac d = "%y. converse (g) ` (converse (f) ` y)" in f_imp_injective)
  21.275 @@ -371,13 +371,13 @@
  21.276  done
  21.277  
  21.278  lemma comp_surj:
  21.279 -    "[| g: surj(A,B);  f: surj(B,C) |] ==> (f O g) \<in> surj(A,C)"
  21.280 +    "[| g \<in> surj(A,B);  f \<in> surj(B,C) |] ==> (f O g) \<in> surj(A,C)"
  21.281  apply (unfold surj_def)
  21.282  apply (blast intro!: comp_fun comp_fun_apply)
  21.283  done
  21.284  
  21.285  lemma comp_bij:
  21.286 -    "[| g: bij(A,B);  f: bij(B,C) |] ==> (f O g) \<in> bij(A,C)"
  21.287 +    "[| g \<in> bij(A,B);  f \<in> bij(B,C) |] ==> (f O g) \<in> bij(A,C)"
  21.288  apply (unfold bij_def)
  21.289  apply (blast intro: comp_inj comp_surj)
  21.290  done
  21.291 @@ -390,11 +390,11 @@
  21.292      Artificial Intelligence, 10:1--27, 1978.*}
  21.293  
  21.294  lemma comp_mem_injD1:
  21.295 -    "[| (f O g): inj(A,C);  g: A->B;  f: B->C |] ==> g: inj(A,B)"
  21.296 +    "[| (f O g): inj(A,C);  g \<in> A->B;  f \<in> B->C |] ==> g \<in> inj(A,B)"
  21.297  by (unfold inj_def, force)
  21.298  
  21.299  lemma comp_mem_injD2:
  21.300 -    "[| (f O g): inj(A,C);  g: surj(A,B);  f: B->C |] ==> f: inj(B,C)"
  21.301 +    "[| (f O g): inj(A,C);  g \<in> surj(A,B);  f \<in> B->C |] ==> f \<in> inj(B,C)"
  21.302  apply (unfold inj_def surj_def, safe)
  21.303  apply (rule_tac x1 = x in bspec [THEN bexE])
  21.304  apply (erule_tac [3] x1 = w in bspec [THEN bexE], assumption+, safe)
  21.305 @@ -404,14 +404,14 @@
  21.306  done
  21.307  
  21.308  lemma comp_mem_surjD1:
  21.309 -    "[| (f O g): surj(A,C);  g: A->B;  f: B->C |] ==> f: surj(B,C)"
  21.310 +    "[| (f O g): surj(A,C);  g \<in> A->B;  f \<in> B->C |] ==> f \<in> surj(B,C)"
  21.311  apply (unfold surj_def)
  21.312  apply (blast intro!: comp_fun_apply [symmetric] apply_funtype)
  21.313  done
  21.314  
  21.315  
  21.316  lemma comp_mem_surjD2:
  21.317 -    "[| (f O g): surj(A,C);  g: A->B;  f: inj(B,C) |] ==> g: surj(A,B)"
  21.318 +    "[| (f O g): surj(A,C);  g \<in> A->B;  f \<in> inj(B,C) |] ==> g \<in> surj(A,B)"
  21.319  apply (unfold inj_def surj_def, safe)
  21.320  apply (drule_tac x = "f`y" in bspec, auto)
  21.321  apply (blast intro: apply_funtype)
  21.322 @@ -420,17 +420,17 @@
  21.323  subsubsection{*Inverses of Composition*}
  21.324  
  21.325  text{*left inverse of composition; one inclusion is
  21.326 -        @{term "f: A->B ==> id(A) \<subseteq> converse(f) O f"} *}
  21.327 -lemma left_comp_inverse: "f: inj(A,B) ==> converse(f) O f = id(A)"
  21.328 +        @{term "f \<in> A->B ==> id(A) \<subseteq> converse(f) O f"} *}
  21.329 +lemma left_comp_inverse: "f \<in> inj(A,B) ==> converse(f) O f = id(A)"
  21.330  apply (unfold inj_def, clarify)
  21.331  apply (rule equalityI)
  21.332   apply (auto simp add: apply_iff, blast)
  21.333  done
  21.334  
  21.335  text{*right inverse of composition; one inclusion is
  21.336 -                @{term "f: A->B ==> f O converse(f) \<subseteq> id(B)"} *}
  21.337 +                @{term "f \<in> A->B ==> f O converse(f) \<subseteq> id(B)"} *}
  21.338  lemma right_comp_inverse:
  21.339 -    "f: surj(A,B) ==> f O converse(f) = id(B)"
  21.340 +    "f \<in> surj(A,B) ==> f O converse(f) = id(B)"
  21.341  apply (simp add: surj_def, clarify)
  21.342  apply (rule equalityI)
  21.343  apply (best elim: domain_type range_type dest: apply_equality2)
  21.344 @@ -441,7 +441,7 @@
  21.345  subsubsection{*Proving that a Function is a Bijection*}
  21.346  
  21.347  lemma comp_eq_id_iff:
  21.348 -    "[| f: A->B;  g: B->A |] ==> f O g = id(B) \<longleftrightarrow> (\<forall>y\<in>B. f`(g`y)=y)"
  21.349 +    "[| f \<in> A->B;  g \<in> B->A |] ==> f O g = id(B) \<longleftrightarrow> (\<forall>y\<in>B. f`(g`y)=y)"
  21.350  apply (unfold id_def, safe)
  21.351   apply (drule_tac t = "%h. h`y " in subst_context)
  21.352   apply simp
  21.353 @@ -451,17 +451,17 @@
  21.354  done
  21.355  
  21.356  lemma fg_imp_bijective:
  21.357 -    "[| f: A->B;  g: B->A;  f O g = id(B);  g O f = id(A) |] ==> f \<in> bij(A,B)"
  21.358 +    "[| f \<in> A->B;  g \<in> B->A;  f O g = id(B);  g O f = id(A) |] ==> f \<in> bij(A,B)"
  21.359  apply (unfold bij_def)
  21.360  apply (simp add: comp_eq_id_iff)
  21.361  apply (blast intro: f_imp_injective f_imp_surjective apply_funtype)
  21.362  done
  21.363  
  21.364 -lemma nilpotent_imp_bijective: "[| f: A->A;  f O f = id(A) |] ==> f \<in> bij(A,A)"
  21.365 +lemma nilpotent_imp_bijective: "[| f \<in> A->A;  f O f = id(A) |] ==> f \<in> bij(A,A)"
  21.366  by (blast intro: fg_imp_bijective)
  21.367  
  21.368  lemma invertible_imp_bijective:
  21.369 -     "[| converse(f): B->A;  f: A->B |] ==> f \<in> bij(A,B)"
  21.370 +     "[| converse(f): B->A;  f \<in> A->B |] ==> f \<in> bij(A,B)"
  21.371  by (simp add: fg_imp_bijective comp_eq_id_iff
  21.372                left_inverse_lemma right_inverse_lemma)
  21.373  
  21.374 @@ -471,15 +471,15 @@
  21.375  
  21.376  text{*Theorem by KG, proof by LCP*}
  21.377  lemma inj_disjoint_Un:
  21.378 -     "[| f: inj(A,B);  g: inj(C,D);  B \<inter> D = 0 |]
  21.379 -      ==> (\<lambda>a\<in>A \<union> C. if a:A then f`a else g`a) \<in> inj(A \<union> C, B \<union> D)"
  21.380 -apply (rule_tac d = "%z. if z:B then converse (f) `z else converse (g) `z"
  21.381 +     "[| f \<in> inj(A,B);  g \<in> inj(C,D);  B \<inter> D = 0 |]
  21.382 +      ==> (\<lambda>a\<in>A \<union> C. if a \<in> A then f`a else g`a) \<in> inj(A \<union> C, B \<union> D)"
  21.383 +apply (rule_tac d = "%z. if z \<in> B then converse (f) `z else converse (g) `z"
  21.384         in lam_injective)
  21.385  apply (auto simp add: inj_is_fun [THEN apply_type])
  21.386  done
  21.387  
  21.388  lemma surj_disjoint_Un:
  21.389 -    "[| f: surj(A,B);  g: surj(C,D);  A \<inter> C = 0 |]
  21.390 +    "[| f \<in> surj(A,B);  g \<in> surj(C,D);  A \<inter> C = 0 |]
  21.391       ==> (f \<union> g) \<in> surj(A \<union> C, B \<union> D)"
  21.392  apply (simp add: surj_def fun_disjoint_Un)
  21.393  apply (blast dest!: domain_of_fun
  21.394 @@ -487,9 +487,9 @@
  21.395  done
  21.396  
  21.397  text{*A simple, high-level proof; the version for injections follows from it,
  21.398 -  using  @{term "f:inj(A,B) \<longleftrightarrow> f:bij(A,range(f))"}  *}
  21.399 +  using  @{term "f \<in> inj(A,B) \<longleftrightarrow> f \<in> bij(A,range(f))"}  *}
  21.400  lemma bij_disjoint_Un:
  21.401 -     "[| f: bij(A,B);  g: bij(C,D);  A \<inter> C = 0;  B \<inter> D = 0 |]
  21.402 +     "[| f \<in> bij(A,B);  g \<in> bij(C,D);  A \<inter> C = 0;  B \<inter> D = 0 |]
  21.403        ==> (f \<union> g) \<in> bij(A \<union> C, B \<union> D)"
  21.404  apply (rule invertible_imp_bijective)
  21.405  apply (subst converse_Un)
  21.406 @@ -500,7 +500,7 @@
  21.407  subsubsection{*Restrictions as Surjections and Bijections*}
  21.408  
  21.409  lemma surj_image:
  21.410 -    "f: Pi(A,B) ==> f: surj(A, f``A)"
  21.411 +    "f \<in> Pi(A,B) ==> f \<in> surj(A, f``A)"
  21.412  apply (simp add: surj_def)
  21.413  apply (blast intro: apply_equality apply_Pair Pi_type)
  21.414  done
  21.415 @@ -509,18 +509,18 @@
  21.416  by (auto simp add: restrict_def)
  21.417  
  21.418  lemma restrict_inj:
  21.419 -    "[| f: inj(A,B);  C<=A |] ==> restrict(f,C): inj(C,B)"
  21.420 +    "[| f \<in> inj(A,B);  C<=A |] ==> restrict(f,C): inj(C,B)"
  21.421  apply (unfold inj_def)
  21.422  apply (safe elim!: restrict_type2, auto)
  21.423  done
  21.424  
  21.425 -lemma restrict_surj: "[| f: Pi(A,B);  C<=A |] ==> restrict(f,C): surj(C, f``C)"
  21.426 +lemma restrict_surj: "[| f \<in> Pi(A,B);  C<=A |] ==> restrict(f,C): surj(C, f``C)"
  21.427  apply (insert restrict_type2 [THEN surj_image])
  21.428  apply (simp add: restrict_image)
  21.429  done
  21.430  
  21.431  lemma restrict_bij:
  21.432 -    "[| f: inj(A,B);  C<=A |] ==> restrict(f,C): bij(C, f``C)"
  21.433 +    "[| f \<in> inj(A,B);  C<=A |] ==> restrict(f,C): bij(C, f``C)"
  21.434  apply (simp add: inj_def bij_def)
  21.435  apply (blast intro: restrict_surj surj_is_fun)
  21.436  done
  21.437 @@ -528,13 +528,13 @@
  21.438  
  21.439  subsubsection{*Lemmas for Ramsey's Theorem*}
  21.440  
  21.441 -lemma inj_weaken_type: "[| f: inj(A,B);  B<=D |] ==> f: inj(A,D)"
  21.442 +lemma inj_weaken_type: "[| f \<in> inj(A,B);  B<=D |] ==> f \<in> inj(A,D)"
  21.443  apply (unfold inj_def)
  21.444  apply (blast intro: fun_weaken_type)
  21.445  done
  21.446  
  21.447  lemma inj_succ_restrict:
  21.448 -     "[| f: inj(succ(m), A) |] ==> restrict(f,m) \<in> inj(m, A-{f`m})"
  21.449 +     "[| f \<in> inj(succ(m), A) |] ==> restrict(f,m) \<in> inj(m, A-{f`m})"
  21.450  apply (rule restrict_bij [THEN bij_is_inj, THEN inj_weaken_type], assumption, blast)
  21.451  apply (unfold inj_def)
  21.452  apply (fast elim: range_type mem_irrefl dest: apply_equality)
  21.453 @@ -542,7 +542,7 @@
  21.454  
  21.455  
  21.456  lemma inj_extend:
  21.457 -    "[| f: inj(A,B);  a\<notin>A;  b\<notin>B |]
  21.458 +    "[| f \<in> inj(A,B);  a\<notin>A;  b\<notin>B |]
  21.459       ==> cons(<a,b>,f) \<in> inj(cons(a,A), cons(b,B))"
  21.460  apply (unfold inj_def)
  21.461  apply (force intro: apply_type  simp add: fun_extend)
    22.1 --- a/src/ZF/QPair.thy	Thu Mar 15 15:54:22 2012 +0000
    22.2 +++ b/src/ZF/QPair.thy	Thu Mar 15 16:35:02 2012 +0000
    22.3 @@ -5,7 +5,7 @@
    22.4  Many proofs are borrowed from pair.thy and sum.thy
    22.5  
    22.6  Do we EVER have rank(a) < rank(<a;b>) ?  Perhaps if the latter rank
    22.7 -is not a limit ordinal? 
    22.8 +is not a limit ordinal?
    22.9  *)
   22.10  
   22.11  header{*Quine-Inspired Ordered Pairs and Disjoint Sums*}
   22.12 @@ -38,16 +38,16 @@
   22.13  
   22.14  definition
   22.15    qconverse :: "i => i"  where
   22.16 -    "qconverse(r) == {z. w:r, \<exists>x y. w=<x;y> & z=<y;x>}"
   22.17 +    "qconverse(r) == {z. w \<in> r, \<exists>x y. w=<x;y> & z=<y;x>}"
   22.18  
   22.19  definition
   22.20    QSigma    :: "[i, i => i] => i"  where
   22.21      "QSigma(A,B)  ==  \<Union>x\<in>A. \<Union>y\<in>B(x). {<x;y>}"
   22.22  
   22.23  syntax
   22.24 -  "_QSUM"   :: "[idt, i, i] => i"               ("(3QSUM _:_./ _)" 10)
   22.25 +  "_QSUM"   :: "[idt, i, i] => i"               ("(3QSUM _ \<in> _./ _)" 10)
   22.26  translations
   22.27 -  "QSUM x:A. B"  => "CONST QSigma(A, %x. B)"
   22.28 +  "QSUM x \<in> A. B"  => "CONST QSigma(A, %x. B)"
   22.29  
   22.30  abbreviation
   22.31    qprod  (infixr "<*>" 80) where
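Review bot: The mixfix template for `_QSUM` changes from `"(3QSUM _:_./ _)"` to `"(3QSUM _ \<in> _./ _)"`, which alters the accepted concrete syntax rather than just how one lemma is written. After this hunk an input such as `QSUM x:A. B` presumably no longer parses, and the printed form gains spaces around the membership symbol. No use of the old notation is visible in this part of the changeset, so it would be worth confirming that no theory still writes `QSUM x:A.` before merging. If the old form must stay readable, an additional input-only syntax declaration for it would preserve compatibility.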
   22.32 @@ -94,21 +94,21 @@
   22.33  subsubsection{*QSigma: Disjoint union of a family of sets
   22.34       Generalizes Cartesian product*}
   22.35  
   22.36 -lemma QSigmaI [intro!]: "[| a:A;  b:B(a) |] ==> <a;b> \<in> QSigma(A,B)"
   22.37 +lemma QSigmaI [intro!]: "[| a \<in> A;  b \<in> B(a) |] ==> <a;b> \<in> QSigma(A,B)"
   22.38  by (simp add: QSigma_def)
   22.39  
   22.40  
   22.41  (** Elimination rules for <a;b>:A*B -- introducing no eigenvariables **)
   22.42  
   22.43  lemma QSigmaE [elim!]:
   22.44 -    "[| c: QSigma(A,B);   
   22.45 -        !!x y.[| x:A;  y:B(x);  c=<x;y> |] ==> P  
   22.46 +    "[| c \<in> QSigma(A,B);
   22.47 +        !!x y.[| x \<in> A;  y \<in> B(x);  c=<x;y> |] ==> P
   22.48       |] ==> P"
   22.49 -by (simp add: QSigma_def, blast) 
   22.50 +by (simp add: QSigma_def, blast)
   22.51  
   22.52  lemma QSigmaE2 [elim!]:
   22.53 -    "[| <a;b>: QSigma(A,B); [| a:A;  b:B(a) |] ==> P |] ==> P"
   22.54 -by (simp add: QSigma_def) 
   22.55 +    "[| <a;b>: QSigma(A,B); [| a \<in> A;  b \<in> B(a) |] ==> P |] ==> P"
   22.56 +by (simp add: QSigma_def)
   22.57  
   22.58  lemma QSigmaD1: "<a;b> \<in> QSigma(A,B) ==> a \<in> A"
   22.59  by blast
   22.60 @@ -117,9 +117,9 @@
   22.61  by blast
   22.62  
   22.63  lemma QSigma_cong:
   22.64 -    "[| A=A';  !!x. x:A' ==> B(x)=B'(x) |] ==>  
   22.65 +    "[| A=A';  !!x. x \<in> A' ==> B(x)=B'(x) |] ==>
   22.66       QSigma(A,B) = QSigma(A',B')"
   22.67 -by (simp add: QSigma_def) 
   22.68 +by (simp add: QSigma_def)
   22.69  
   22.70  lemma QSigma_empty1 [simp]: "QSigma(0,B) = 0"
   22.71  by blast
   22.72 @@ -136,13 +136,13 @@
   22.73  lemma qsnd_conv [simp]: "qsnd(<a;b>) = b"
   22.74  by (simp add: qsnd_def)
   22.75  
   22.76 -lemma qfst_type [TC]: "p:QSigma(A,B) ==> qfst(p) \<in> A"
   22.77 +lemma qfst_type [TC]: "p \<in> QSigma(A,B) ==> qfst(p) \<in> A"
   22.78  by auto
   22.79  
   22.80 -lemma qsnd_type [TC]: "p:QSigma(A,B) ==> qsnd(p) \<in> B(qfst(p))"
   22.81 +lemma qsnd_type [TC]: "p \<in> QSigma(A,B) ==> qsnd(p) \<in> B(qfst(p))"
   22.82  by auto
   22.83  
   22.84 -lemma QPair_qfst_qsnd_eq: "a: QSigma(A,B) ==> <qfst(a); qsnd(a)> = a"
   22.85 +lemma QPair_qfst_qsnd_eq: "a \<in> QSigma(A,B) ==> <qfst(a); qsnd(a)> = a"
   22.86  by auto
   22.87  
   22.88  
   22.89 @@ -154,13 +154,13 @@
   22.90  
   22.91  
   22.92  lemma qsplit_type [elim!]:
   22.93 -    "[|  p:QSigma(A,B);    
   22.94 -         !!x y.[| x:A; y:B(x) |] ==> c(x,y):C(<x;y>)  
   22.95 +    "[|  p \<in> QSigma(A,B);
   22.96 +         !!x y.[| x \<in> A; y \<in> B(x) |] ==> c(x,y):C(<x;y>)
   22.97       |] ==> qsplit(%x y. c(x,y), p) \<in> C(p)"
   22.98 -by auto 
   22.99 +by auto
  22.100  
  22.101 -lemma expand_qsplit: 
  22.102 - "u: A<*>B ==> R(qsplit(c,u)) \<longleftrightarrow> (\<forall>x\<in>A. \<forall>y\<in>B. u = <x;y> \<longrightarrow> R(c(x,y)))"
  22.103 +lemma expand_qsplit:
  22.104 + "u \<in> A<*>B ==> R(qsplit(c,u)) \<longleftrightarrow> (\<forall>x\<in>A. \<forall>y\<in>B. u = <x;y> \<longrightarrow> R(c(x,y)))"
  22.105  apply (simp add: qsplit_def, auto)
  22.106  done
  22.107  
  22.108 @@ -172,10 +172,10 @@
  22.109  
  22.110  
  22.111  lemma qsplitE:
  22.112 -    "[| qsplit(R,z);  z:QSigma(A,B);                     
  22.113 -        !!x y. [| z = <x;y>;  R(x,y) |] ==> P            
  22.114 +    "[| qsplit(R,z);  z \<in> QSigma(A,B);
  22.115 +        !!x y. [| z = <x;y>;  R(x,y) |] ==> P
  22.116      |] ==> P"
  22.117 -by (simp add: qsplit_def, auto) 
  22.118 +by (simp add: qsplit_def, auto)
  22.119  
  22.120  lemma qsplitD: "qsplit(R,<a;b>) ==> R(a,b)"
  22.121  by (simp add: qsplit_def)
  22.122 @@ -190,10 +190,10 @@
  22.123  by (simp add: qconverse_def, blast)
  22.124  
  22.125  lemma qconverseE [elim!]:
  22.126 -    "[| yx \<in> qconverse(r);   
  22.127 -        !!x y. [| yx=<y;x>;  <x;y>:r |] ==> P  
  22.128 +    "[| yx \<in> qconverse(r);
  22.129 +        !!x y. [| yx=<y;x>;  <x;y>:r |] ==> P
  22.130       |] ==> P"
  22.131 -by (simp add: qconverse_def, blast) 
  22.132 +by (simp add: qconverse_def, blast)
  22.133  
  22.134  lemma qconverse_qconverse: "r<=QSigma(A,B) ==> qconverse(qconverse(r)) = r"
  22.135  by blast
  22.136 @@ -223,11 +223,11 @@
  22.137  (** Elimination rules **)
  22.138  
  22.139  lemma qsumE [elim!]:
  22.140 -    "[| u: A <+> B;   
  22.141 -        !!x. [| x:A;  u=QInl(x) |] ==> P;  
  22.142 -        !!y. [| y:B;  u=QInr(y) |] ==> P  
  22.143 +    "[| u \<in> A <+> B;
  22.144 +        !!x. [| x \<in> A;  u=QInl(x) |] ==> P;
  22.145 +        !!y. [| y \<in> B;  u=QInr(y) |] ==> P
  22.146       |] ==> P"
  22.147 -by (simp add: qsum_defs, blast) 
  22.148 +by (simp add: qsum_defs, blast)
  22.149  
  22.150  
  22.151  (** Injection and freeness equivalences, for rewriting **)
  22.152 @@ -254,16 +254,16 @@
  22.153  lemmas QInl_neq_QInr = QInl_QInr_iff [THEN iffD1, THEN FalseE, elim!]
  22.154  lemmas QInr_neq_QInl = QInr_QInl_iff [THEN iffD1, THEN FalseE, elim!]
  22.155  
  22.156 -lemma QInlD: "QInl(a): A<+>B ==> a: A"
  22.157 +lemma QInlD: "QInl(a): A<+>B ==> a \<in> A"
  22.158  by blast
  22.159  
  22.160 -lemma QInrD: "QInr(b): A<+>B ==> b: B"
  22.161 +lemma QInrD: "QInr(b): A<+>B ==> b \<in> B"
  22.162  by blast
  22.163  
  22.164  (** <+> is itself injective... who cares?? **)
  22.165  
  22.166  lemma qsum_iff:
  22.167 -     "u: A <+> B \<longleftrightarrow> (\<exists>x. x:A & u=QInl(x)) | (\<exists>y. y:B & u=QInr(y))"
  22.168 +     "u \<in> A <+> B \<longleftrightarrow> (\<exists>x. x \<in> A & u=QInl(x)) | (\<exists>y. y \<in> B & u=QInr(y))"
  22.169  by blast
  22.170  
  22.171  lemma qsum_subset_iff: "A <+> B \<subseteq> C <+> D \<longleftrightarrow> A<=C & B<=D"
  22.172 @@ -284,21 +284,21 @@
  22.173  by (simp add: qsum_defs )
  22.174  
  22.175  lemma qcase_type:
  22.176 -    "[| u: A <+> B;  
  22.177 -        !!x. x: A ==> c(x): C(QInl(x));    
  22.178 -        !!y. y: B ==> d(y): C(QInr(y))  
  22.179 +    "[| u \<in> A <+> B;
  22.180 +        !!x. x \<in> A ==> c(x): C(QInl(x));
  22.181 +        !!y. y \<in> B ==> d(y): C(QInr(y))
  22.182       |] ==> qcase(c,d,u) \<in> C(u)"
  22.183 -by (simp add: qsum_defs, auto) 
  22.184 +by (simp add: qsum_defs, auto)
  22.185  
  22.186  (** Rules for the Part primitive **)
  22.187  
  22.188 -lemma Part_QInl: "Part(A <+> B,QInl) = {QInl(x). x: A}"
  22.189 +lemma Part_QInl: "Part(A <+> B,QInl) = {QInl(x). x \<in> A}"
  22.190  by blast
  22.191  
  22.192 -lemma Part_QInr: "Part(A <+> B,QInr) = {QInr(y). y: B}"
  22.193 +lemma Part_QInr: "Part(A <+> B,QInr) = {QInr(y). y \<in> B}"
  22.194  by blast
  22.195  
  22.196 -lemma Part_QInr2: "Part(A <+> B, %x. QInr(h(x))) = {QInr(y). y: Part(B,h)}"
  22.197 +lemma Part_QInr2: "Part(A <+> B, %x. QInr(h(x))) = {QInr(y). y \<in> Part(B,h)}"
  22.198  by blast
  22.199  
  22.200  lemma Part_qsum_equality: "C \<subseteq> A <+> B ==> Part(C,QInl) \<union> Part(C,QInr) = C"
    23.1 --- a/src/ZF/Sum.thy	Thu Mar 15 15:54:22 2012 +0000
    23.2 +++ b/src/ZF/Sum.thy	Thu Mar 15 16:35:02 2012 +0000
    23.3 @@ -23,24 +23,24 @@
    23.4  
    23.5    (*operator for selecting out the various summands*)
    23.6  definition Part :: "[i,i=>i] => i" where
    23.7 -     "Part(A,h) == {x: A. \<exists>z. x = h(z)}"
    23.8 +     "Part(A,h) == {x \<in> A. \<exists>z. x = h(z)}"
    23.9  
   23.10  subsection{*Rules for the @{term Part} Primitive*}
   23.11  
   23.12 -lemma Part_iff: 
   23.13 -    "a \<in> Part(A,h) \<longleftrightarrow> a:A & (\<exists>y. a=h(y))"
   23.14 +lemma Part_iff:
   23.15 +    "a \<in> Part(A,h) \<longleftrightarrow> a \<in> A & (\<exists>y. a=h(y))"
   23.16  apply (unfold Part_def)
   23.17  apply (rule separation)
   23.18  done
   23.19  
   23.20 -lemma Part_eqI [intro]: 
   23.21 +lemma Part_eqI [intro]:
   23.22      "[| a \<in> A;  a=h(b) |] ==> a \<in> Part(A,h)"
   23.23  by (unfold Part_def, blast)
   23.24  
   23.25  lemmas PartI = refl [THEN [2] Part_eqI]
   23.26  
   23.27 -lemma PartE [elim!]: 
   23.28 -    "[| a \<in> Part(A,h);  !!z. [| a \<in> A;  a=h(z) |] ==> P   
   23.29 +lemma PartE [elim!]:
   23.30 +    "[| a \<in> Part(A,h);  !!z. [| a \<in> A;  a=h(z) |] ==> P
   23.31       |] ==> P"
   23.32  apply (unfold Part_def, blast)
   23.33  done
   23.34 @@ -69,11 +69,11 @@
   23.35  (** Elimination rules **)
   23.36  
   23.37  lemma sumE [elim!]:
   23.38 -    "[| u: A+B;   
   23.39 -        !!x. [| x:A;  u=Inl(x) |] ==> P;  
   23.40 -        !!y. [| y:B;  u=Inr(y) |] ==> P  
   23.41 +    "[| u \<in> A+B;
   23.42 +        !!x. [| x \<in> A;  u=Inl(x) |] ==> P;
   23.43 +        !!y. [| y \<in> B;  u=Inr(y) |] ==> P
   23.44       |] ==> P"
   23.45 -by (unfold sum_defs, blast) 
   23.46 +by (unfold sum_defs, blast)
   23.47  
   23.48  (** Injection and freeness equivalences, for rewriting **)
   23.49  
   23.50 @@ -100,13 +100,13 @@
   23.51  lemmas Inr_neq_Inl = Inr_Inl_iff [THEN iffD1, THEN FalseE, elim!]
   23.52  
   23.53  
   23.54 -lemma InlD: "Inl(a): A+B ==> a: A"
   23.55 +lemma InlD: "Inl(a): A+B ==> a \<in> A"
   23.56  by blast
   23.57  
   23.58 -lemma InrD: "Inr(b): A+B ==> b: B"
   23.59 +lemma InrD: "Inr(b): A+B ==> b \<in> B"
   23.60  by blast
   23.61  
   23.62 -lemma sum_iff: "u: A+B \<longleftrightarrow> (\<exists>x. x:A & u=Inl(x)) | (\<exists>y. y:B & u=Inr(y))"
   23.63 +lemma sum_iff: "u \<in> A+B \<longleftrightarrow> (\<exists>x. x \<in> A & u=Inl(x)) | (\<exists>y. y \<in> B & u=Inr(y))"
   23.64  by blast
   23.65  
   23.66  lemma Inl_in_sum_iff [simp]: "(Inl(x) \<in> A+B) \<longleftrightarrow> (x \<in> A)";
   23.67 @@ -134,27 +134,27 @@
   23.68  by (simp add: sum_defs)
   23.69  
   23.70  lemma case_type [TC]:
   23.71 -    "[| u: A+B;  
   23.72 -        !!x. x: A ==> c(x): C(Inl(x));    
   23.73 -        !!y. y: B ==> d(y): C(Inr(y))  
   23.74 +    "[| u \<in> A+B;
   23.75 +        !!x. x \<in> A ==> c(x): C(Inl(x));
   23.76 +        !!y. y \<in> B ==> d(y): C(Inr(y))
   23.77       |] ==> case(c,d,u) \<in> C(u)"
   23.78  by auto
   23.79  
   23.80 -lemma expand_case: "u: A+B ==>    
   23.81 -        R(case(c,d,u)) \<longleftrightarrow>  
   23.82 -        ((\<forall>x\<in>A. u = Inl(x) \<longrightarrow> R(c(x))) &  
   23.83 +lemma expand_case: "u \<in> A+B ==>
   23.84 +        R(case(c,d,u)) \<longleftrightarrow>
   23.85 +        ((\<forall>x\<in>A. u = Inl(x) \<longrightarrow> R(c(x))) &
   23.86          (\<forall>y\<in>B. u = Inr(y) \<longrightarrow> R(d(y))))"
   23.87  by auto
   23.88  
   23.89  lemma case_cong:
   23.90 -  "[| z: A+B;    
   23.91 -      !!x. x:A ==> c(x)=c'(x);   
   23.92 -      !!y. y:B ==> d(y)=d'(y)    
   23.93 +  "[| z \<in> A+B;
   23.94 +      !!x. x \<in> A ==> c(x)=c'(x);
   23.95 +      !!y. y \<in> B ==> d(y)=d'(y)
   23.96     |] ==> case(c,d,z) = case(c',d',z)"
   23.97 -by auto 
   23.98 +by auto
   23.99  
  23.100 -lemma case_case: "z: A+B ==>    
  23.101 -        case(c, d, case(%x. Inl(c'(x)), %y. Inr(d'(y)), z)) =  
  23.102 +lemma case_case: "z \<in> A+B ==>
  23.103 +        case(c, d, case(%x. Inl(c'(x)), %y. Inr(d'(y)), z)) =
  23.104          case(%x. c(c'(x)), %y. d(d'(y)), z)"
  23.105  by auto
  23.106  
  23.107 @@ -170,10 +170,10 @@
  23.108  lemmas Part_CollectE =
  23.109       Part_Collect [THEN equalityD1, THEN subsetD, THEN CollectE]
  23.110  
  23.111 -lemma Part_Inl: "Part(A+B,Inl) = {Inl(x). x: A}"
  23.112 +lemma Part_Inl: "Part(A+B,Inl) = {Inl(x). x \<in> A}"
  23.113  by blast
  23.114  
  23.115 -lemma Part_Inr: "Part(A+B,Inr) = {Inr(y). y: B}"
  23.116 +lemma Part_Inr: "Part(A+B,Inr) = {Inr(y). y \<in> B}"
  23.117  by blast
  23.118  
  23.119  lemma PartD1: "a \<in> Part(A,h) ==> a \<in> A"
  23.120 @@ -182,7 +182,7 @@
  23.121  lemma Part_id: "Part(A,%x. x) = A"
  23.122  by blast
  23.123  
  23.124 -lemma Part_Inr2: "Part(A+B, %x. Inr(h(x))) = {Inr(y). y: Part(B,h)}"
  23.125 +lemma Part_Inr2: "Part(A+B, %x. Inr(h(x))) = {Inr(y). y \<in> Part(B,h)}"
  23.126  by blast
  23.127  
  23.128  lemma Part_sum_equality: "C \<subseteq> A+B ==> Part(C,Inl) \<union> Part(C,Inr) = C"
    24.1 --- a/src/ZF/Trancl.thy	Thu Mar 15 15:54:22 2012 +0000
    24.2 +++ b/src/ZF/Trancl.thy	Thu Mar 15 16:35:02 2012 +0000
    24.3 @@ -54,10 +54,10 @@
    24.4  subsubsection{*irreflexivity*}
    24.5  
    24.6  lemma irreflI:
    24.7 -    "[| !!x. x:A ==> <x,x> \<notin> r |] ==> irrefl(A,r)"
    24.8 +    "[| !!x. x \<in> A ==> <x,x> \<notin> r |] ==> irrefl(A,r)"
    24.9  by (simp add: irrefl_def)
   24.10  
   24.11 -lemma irreflE: "[| irrefl(A,r);  x:A |] ==>  <x,x> \<notin> r"
   24.12 +lemma irreflE: "[| irrefl(A,r);  x \<in> A |] ==>  <x,x> \<notin> r"
   24.13  by (simp add: irrefl_def)
   24.14  
   24.15  subsubsection{*symmetry*}
   24.16 @@ -84,7 +84,7 @@
   24.17  by (unfold trans_def, blast)
   24.18  
   24.19  lemma trans_onD:
   24.20 -    "[| trans[A](r);  <a,b>:r;  <b,c>:r;  a:A;  b:A;  c:A |] ==> <a,c>:r"
   24.21 +    "[| trans[A](r);  <a,b>:r;  <b,c>:r;  a \<in> A;  b \<in> A;  c \<in> A |] ==> <a,c>:r"
   24.22  by (unfold trans_on_def, blast)
   24.23  
   24.24  lemma trans_imp_trans_on: "trans(r) ==> trans[A](r)"
   24.25 @@ -122,7 +122,7 @@
   24.26  done
   24.27  
   24.28  (*Reflexivity of rtrancl*)
   24.29 -lemma rtrancl_refl: "[| a: field(r) |] ==> <a,a> \<in> r^*"
   24.30 +lemma rtrancl_refl: "[| a \<in> field(r) |] ==> <a,a> \<in> r^*"
   24.31  apply (rule rtrancl_unfold [THEN ssubst])
   24.32  apply (erule idI [THEN UnI1])
   24.33  done
   24.34 @@ -149,13 +149,13 @@
   24.35  
   24.36  lemma rtrancl_full_induct [case_names initial step, consumes 1]:
   24.37    "[| <a,b> \<in> r^*;
   24.38 -      !!x. x: field(r) ==> P(<x,x>);
   24.39 +      !!x. x \<in> field(r) ==> P(<x,x>);
   24.40        !!x y z.[| P(<x,y>); <x,y>: r^*; <y,z>: r |]  ==>  P(<x,z>) |]
   24.41     ==>  P(<a,b>)"
   24.42  by (erule def_induct [OF rtrancl_def rtrancl_bnd_mono], blast)
   24.43  
   24.44  (*nice induction rule.
   24.45 -  Tried adding the typing hypotheses y,z:field(r), but these
   24.46 +  Tried adding the typing hypotheses y,z \<in> field(r), but these
   24.47    caused expensive case splits!*)
   24.48  lemma rtrancl_induct [case_names initial step, induct set: rtrancl]:
   24.49    "[| <a,b> \<in> r^*;
    25.1 --- a/src/ZF/UNITY/ClientImpl.thy	Thu Mar 15 15:54:22 2012 +0000
    25.2 +++ b/src/ZF/UNITY/ClientImpl.thy	Thu Mar 15 16:35:02 2012 +0000
    25.3 @@ -14,10 +14,10 @@
    25.4  
    25.5  axiomatization where
    25.6    type_assumes:
    25.7 -  "type_of(ask) = list(tokbag) & type_of(giv) = list(tokbag) & 
    25.8 +  "type_of(ask) = list(tokbag) & type_of(giv) = list(tokbag) &
    25.9     type_of(rel) = list(tokbag) & type_of(tok) = nat" and
   25.10    default_val_assumes:
   25.11 -  "default_val(ask) = Nil & default_val(giv) = Nil & 
   25.12 +  "default_val(ask) = Nil & default_val(giv) = Nil &
   25.13     default_val(rel) = Nil & default_val(tok) = 0"
   25.14  
   25.15  
   25.16 @@ -31,7 +31,7 @@
   25.17                     t = s(rel:=(s`rel)@[nth(nrel, s`giv)]) &
   25.18                     nrel < length(s`giv) &
   25.19                     nth(nrel, s`ask) \<le> nth(nrel, s`giv)}"
   25.20 -  
   25.21 +
   25.22    (** Choose a new token requirement **)
   25.23    (** Including t=s suppresses fairness, allowing the non-trivial part
   25.24        of the action to be ignored **)
   25.25 @@ -41,7 +41,7 @@
   25.26  
   25.27  definition
   25.28    "client_ask_act == {<s,t> \<in> state*state. t=s | (t=s(ask:=s`ask@[s`tok]))}"
   25.29 -  
   25.30 +
   25.31  definition
   25.32    "client_prog ==
   25.33     mk_program({s \<in> state. s`tok \<le> NbT & s`giv = Nil &
   25.34 @@ -91,8 +91,8 @@
   25.35  declare  client_ask_act_def [THEN def_act_simp, simp]
   25.36  
   25.37  lemma client_prog_ok_iff:
   25.38 -  "\<forall>G \<in> program. (client_prog ok G) \<longleftrightarrow>  
   25.39 -   (G \<in> preserves(lift(rel)) & G \<in> preserves(lift(ask)) &  
   25.40 +  "\<forall>G \<in> program. (client_prog ok G) \<longleftrightarrow>
   25.41 +   (G \<in> preserves(lift(rel)) & G \<in> preserves(lift(ask)) &
   25.42      G \<in> preserves(lift(tok)) &  client_prog \<in> Allowed(G))"
   25.43  by (auto simp add: ok_iff_Allowed client_prog_def [THEN def_prg_Allowed])
   25.44  
   25.45 @@ -107,19 +107,19 @@
   25.46  lemma preserves_lift_imp_stable:
   25.47       "G \<in> preserves(lift(ff)) ==> G \<in> stable({s \<in> state. P(s`ff)})";
   25.48  apply (drule preserves_imp_stable)
   25.49 -apply (simp add: lift_def) 
   25.50 +apply (simp add: lift_def)
   25.51  done
   25.52  
   25.53  lemma preserves_imp_prefix:
   25.54 -     "G \<in> preserves(lift(ff)) 
   25.55 +     "G \<in> preserves(lift(ff))
   25.56        ==> G \<in> stable({s \<in> state. \<langle>k, s`ff\<rangle> \<in> prefix(nat)})";
   25.57 -by (erule preserves_lift_imp_stable) 
   25.58 +by (erule preserves_lift_imp_stable)
   25.59  
   25.60 -(*Safety property 1: ask, rel are increasing: (24) *)
   25.61 -lemma client_prog_Increasing_ask_rel: 
   25.62 +(*Safety property 1 \<in> ask, rel are increasing: (24) *)
   25.63 +lemma client_prog_Increasing_ask_rel:
   25.64  "client_prog: program guarantees Incr(lift(ask)) \<inter> Incr(lift(rel))"
   25.65  apply (unfold guar_def)
   25.66 -apply (auto intro!: increasing_imp_Increasing 
   25.67 +apply (auto intro!: increasing_imp_Increasing
   25.68              simp add: client_prog_ok_iff Increasing.increasing_def preserves_imp_prefix)
   25.69  apply (safety, force, force)+
   25.70  done
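Review bot: The comment above client_prog_Increasing_ask_rel was caught by the textual substitution, so its prose colon became a membership symbol: `(*Safety property 1 \<in> ask, rel are increasing: (24) *)`. It should stay `(*Safety property 1: ask, rel are increasing: (24) *)`. The next hunk has the same problem in `(*Safety property 2 \<in> the client never requests too many tokens.`, which should keep `Safety property 2:`. Both are comments, so no proof is affected, but the text now reads as a set-membership claim instead of a heading.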
   25.71 @@ -131,17 +131,17 @@
   25.72  apply (rule Ord_0_lt, auto)
   25.73  done
   25.74  
   25.75 -(*Safety property 2: the client never requests too many tokens.
   25.76 +(*Safety property 2 \<in> the client never requests too many tokens.
   25.77  With no Substitution Axiom, we must prove the two invariants simultaneously. *)
   25.78  
   25.79 -lemma ask_Bounded_lemma: 
   25.80 -"[| client_prog ok G; G \<in> program |] 
   25.81 -      ==> client_prog \<squnion> G \<in>    
   25.82 -              Always({s \<in> state. s`tok \<le> NbT}  \<inter>   
   25.83 +lemma ask_Bounded_lemma:
   25.84 +"[| client_prog ok G; G \<in> program |]
   25.85 +      ==> client_prog \<squnion> G \<in>
   25.86 +              Always({s \<in> state. s`tok \<le> NbT}  \<inter>
   25.87                        {s \<in> state. \<forall>elt \<in> set_of_list(s`ask). elt \<le> NbT})"
   25.88  apply (rotate_tac -1)
   25.89  apply (auto simp add: client_prog_ok_iff)
   25.90 -apply (rule invariantI [THEN stable_Join_Always2], force) 
   25.91 +apply (rule invariantI [THEN stable_Join_Always2], force)
   25.92   prefer 2
   25.93   apply (fast intro: stable_Int preserves_lift_imp_stable, safety)
   25.94  apply (auto dest: ActsD)
   25.95 @@ -152,8 +152,8 @@
   25.96  
   25.97  (* Export version, with no mention of tok in the postcondition, but
   25.98    unfortunately tok must be declared local.*)
   25.99 -lemma client_prog_ask_Bounded: 
  25.100 -    "client_prog \<in> program guarantees  
  25.101 +lemma client_prog_ask_Bounded:
  25.102 +    "client_prog \<in> program guarantees
  25.103                     Always({s \<in> state. \<forall>elt \<in> set_of_list(s`ask). elt \<le> NbT})"
  25.104  apply (rule guaranteesI)
  25.105  apply (erule ask_Bounded_lemma [THEN Always_weaken], auto)
  25.106 @@ -161,19 +161,19 @@
  25.107  
  25.108  (*** Towards proving the liveness property ***)
  25.109  
  25.110 -lemma client_prog_stable_rel_le_giv: 
  25.111 +lemma client_prog_stable_rel_le_giv:
  25.112      "client_prog \<in> stable({s \<in> state. <s`rel, s`giv> \<in> prefix(nat)})"
  25.113  by (safety, auto)
  25.114  
  25.115 -lemma client_prog_Join_Stable_rel_le_giv: 
  25.116 -"[| client_prog \<squnion> G \<in> Incr(lift(giv)); G \<in> preserves(lift(rel)) |]  
  25.117 +lemma client_prog_Join_Stable_rel_le_giv:
  25.118 +"[| client_prog \<squnion> G \<in> Incr(lift(giv)); G \<in> preserves(lift(rel)) |]
  25.119      ==> client_prog \<squnion> G \<in> Stable({s \<in> state. <s`rel, s`giv> \<in> prefix(nat)})"
  25.120  apply (rule client_prog_stable_rel_le_giv [THEN Increasing_preserves_Stable])
  25.121  apply (auto simp add: lift_def)
  25.122  done
  25.123  
  25.124  lemma client_prog_Join_Always_rel_le_giv:
  25.125 -     "[| client_prog \<squnion> G \<in> Incr(lift(giv)); G \<in> preserves(lift(rel)) |]  
  25.126 +     "[| client_prog \<squnion> G \<in> Incr(lift(giv)); G \<in> preserves(lift(rel)) |]
  25.127      ==> client_prog \<squnion> G  \<in> Always({s \<in> state. <s`rel, s`giv> \<in> prefix(nat)})"
  25.128  by (force intro!: AlwaysI client_prog_Join_Stable_rel_le_giv)
  25.129  
  25.130 @@ -184,9 +184,9 @@
  25.131  lemma act_subset: "A={<s,t> \<in> state*state. P(s, t)} ==> A<=state*state"
  25.132  by auto
  25.133  
  25.134 -lemma transient_lemma: 
  25.135 -"client_prog \<in>  
  25.136 -  transient({s \<in> state. s`rel = k & <k, h> \<in> strict_prefix(nat)  
  25.137 +lemma transient_lemma:
  25.138 +"client_prog \<in>
  25.139 +  transient({s \<in> state. s`rel = k & <k, h> \<in> strict_prefix(nat)
  25.140     & <h, s`giv> \<in> prefix(nat) & h pfixGe s`ask})"
  25.141  apply (rule_tac act = client_rel_act in transientI)
  25.142  apply (simp (no_asm) add: client_prog_def [THEN def_prg_Acts])
  25.143 @@ -208,20 +208,20 @@
  25.144  apply (auto simp add: id_def lam_def)
  25.145  done
  25.146  
  25.147 -lemma strict_prefix_is_prefix: 
  25.148 +lemma strict_prefix_is_prefix:
  25.149      "<xs, ys> \<in> strict_prefix(A) \<longleftrightarrow>  <xs, ys> \<in> prefix(A) & xs\<noteq>ys"
  25.150  apply (unfold strict_prefix_def id_def lam_def)
  25.151  apply (auto dest: prefix_type [THEN subsetD])
  25.152  done
  25.153  
  25.154 -lemma induct_lemma: 
  25.155 -"[| client_prog \<squnion> G \<in> Incr(lift(giv)); client_prog ok G; G \<in> program |]  
  25.156 -  ==> client_prog \<squnion> G \<in>  
  25.157 -  {s \<in> state. s`rel = k & <k,h> \<in> strict_prefix(nat)  
  25.158 -   & <h, s`giv> \<in> prefix(nat) & h pfixGe s`ask}   
  25.159 -        LeadsTo {s \<in> state. <k, s`rel> \<in> strict_prefix(nat)  
  25.160 -                          & <s`rel, s`giv> \<in> prefix(nat) &  
  25.161 -                                  <h, s`giv> \<in> prefix(nat) &  
  25.162 +lemma induct_lemma:
  25.163 +"[| client_prog \<squnion> G \<in> Incr(lift(giv)); client_prog ok G; G \<in> program |]
  25.164 +  ==> client_prog \<squnion> G \<in>
  25.165 +  {s \<in> state. s`rel = k & <k,h> \<in> strict_prefix(nat)
  25.166 +   & <h, s`giv> \<in> prefix(nat) & h pfixGe s`ask}
  25.167 +        LeadsTo {s \<in> state. <k, s`rel> \<in> strict_prefix(nat)
  25.168 +                          & <s`rel, s`giv> \<in> prefix(nat) &
  25.169 +                                  <h, s`giv> \<in> prefix(nat) &
  25.170                  h pfixGe s`ask}"
  25.171  apply (rule single_LeadsTo_I)
  25.172   prefer 2 apply simp
  25.173 @@ -239,68 +239,68 @@
  25.174  apply (erule client_prog_Join_Stable_rel_le_giv, blast, simp_all)
  25.175   prefer 2
  25.176   apply (blast intro: sym strict_prefix_is_prefix [THEN iffD2] prefix_trans prefix_imp_pfixGe pfixGe_trans)
  25.177 -apply (auto intro: strict_prefix_is_prefix [THEN iffD1, THEN conjunct1] 
  25.178 +apply (auto intro: strict_prefix_is_prefix [THEN iffD1, THEN conjunct1]
  25.179                     prefix_trans)
  25.180  done
  25.181  
  25.182 -lemma rel_progress_lemma: 
  25.183 -"[| client_prog \<squnion> G  \<in> Incr(lift(giv)); client_prog ok G; G \<in> program |]  
  25.184 -  ==> client_prog \<squnion> G  \<in>  
  25.185 -     {s \<in> state. <s`rel, h> \<in> strict_prefix(nat)  
  25.186 -           & <h, s`giv> \<in> prefix(nat) & h pfixGe s`ask}   
  25.187 +lemma rel_progress_lemma:
  25.188 +"[| client_prog \<squnion> G  \<in> Incr(lift(giv)); client_prog ok G; G \<in> program |]
  25.189 +  ==> client_prog \<squnion> G  \<in>
  25.190 +     {s \<in> state. <s`rel, h> \<in> strict_prefix(nat)
  25.191 +           & <h, s`giv> \<in> prefix(nat) & h pfixGe s`ask}
  25.192                        LeadsTo {s \<in> state. <h, s`rel> \<in> prefix(nat)}"
  25.193 -apply (rule_tac f = "\<lambda>x \<in> state. length(h) #- length(x`rel)" 
  25.194 +apply (rule_tac f = "\<lambda>x \<in> state. length(h) #- length(x`rel)"
  25.195         in LessThan_induct)
  25.196  apply (auto simp add: vimage_def)
  25.197 - prefer 2 apply (force simp add: lam_def) 
  25.198 + prefer 2 apply (force simp add: lam_def)
  25.199  apply (rule single_LeadsTo_I)
  25.200 - prefer 2 apply simp 
  25.201 + prefer 2 apply simp
  25.202  apply (subgoal_tac "h \<in> list(nat)")
  25.203 - prefer 2 apply (blast dest: prefix_type [THEN subsetD]) 
  25.204 + prefer 2 apply (blast dest: prefix_type [THEN subsetD])
  25.205  apply (rule induct_lemma [THEN LeadsTo_weaken])
  25.206      apply (simp add: length_type lam_def)
  25.207  apply (auto intro: strict_prefix_is_prefix [THEN iffD2]
  25.208              dest: common_prefix_linear  prefix_type [THEN subsetD])
  25.209  apply (erule swap)
  25.210  apply (rule imageI)
  25.211 - apply (force dest!: simp add: lam_def) 
  25.212 -apply (simp add: length_type lam_def, clarify) 
  25.213 + apply (force dest!: simp add: lam_def)
  25.214 +apply (simp add: length_type lam_def, clarify)
  25.215  apply (drule strict_prefix_length_lt)+
  25.216  apply (drule less_imp_succ_add, simp)+
  25.217 -apply clarify 
  25.218 -apply simp 
  25.219 +apply clarify
  25.220 +apply simp
  25.221  apply (erule diff_le_self [THEN ltD])
  25.222  done
  25.223  
  25.224 -lemma progress_lemma: 
  25.225 -"[| client_prog \<squnion> G \<in> Incr(lift(giv)); client_prog ok G; G \<in> program |] 
  25.226 +lemma progress_lemma:
  25.227 +"[| client_prog \<squnion> G \<in> Incr(lift(giv)); client_prog ok G; G \<in> program |]
  25.228   ==> client_prog \<squnion> G
  25.229 -       \<in> {s \<in> state. <h, s`giv> \<in> prefix(nat) & h pfixGe s`ask}   
  25.230 +       \<in> {s \<in> state. <h, s`giv> \<in> prefix(nat) & h pfixGe s`ask}
  25.231           LeadsTo  {s \<in> state. <h, s`rel> \<in> prefix(nat)}"
  25.232 -apply (rule client_prog_Join_Always_rel_le_giv [THEN Always_LeadsToI], 
  25.233 +apply (rule client_prog_Join_Always_rel_le_giv [THEN Always_LeadsToI],
  25.234         assumption)
  25.235  apply (force simp add: client_prog_ok_iff)
  25.236 -apply (rule LeadsTo_weaken_L) 
  25.237 -apply (rule LeadsTo_Un [OF rel_progress_lemma 
  25.238 +apply (rule LeadsTo_weaken_L)
  25.239 +apply (rule LeadsTo_Un [OF rel_progress_lemma
  25.240                             subset_refl [THEN subset_imp_LeadsTo]])
  25.241  apply (auto intro: strict_prefix_is_prefix [THEN iffD2]
  25.242              dest: common_prefix_linear prefix_type [THEN subsetD])
  25.243  done
  25.244  
  25.245  (*Progress property: all tokens that are given will be released*)
  25.246 -lemma client_prog_progress: 
  25.247 -"client_prog \<in> Incr(lift(giv))  guarantees   
  25.248 -      (\<Inter>h \<in> list(nat). {s \<in> state. <h, s`giv> \<in> prefix(nat) & 
  25.249 +lemma client_prog_progress:
  25.250 +"client_prog \<in> Incr(lift(giv))  guarantees
  25.251 +      (\<Inter>h \<in> list(nat). {s \<in> state. <h, s`giv> \<in> prefix(nat) &
  25.252                h pfixGe s`ask} LeadsTo {s \<in> state. <h, s`rel> \<in> prefix(nat)})"
  25.253  apply (rule guaranteesI)
  25.254  apply (blast intro: progress_lemma, auto)
  25.255  done
  25.256  
  25.257  lemma client_prog_Allowed:
  25.258 -     "Allowed(client_prog) =  
  25.259 +     "Allowed(client_prog) =
  25.260        preserves(lift(rel)) \<inter> preserves(lift(ask)) \<inter> preserves(lift(tok))"
  25.261  apply (cut_tac v = "lift (ask)" in preserves_type)
  25.262 -apply (auto simp add: Allowed_def client_prog_def [THEN def_prg_Allowed] 
  25.263 +apply (auto simp add: Allowed_def client_prog_def [THEN def_prg_Allowed]
  25.264                        cons_Int_distrib safety_prop_Acts_iff)
  25.265  done
  25.266  
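--- a/src/ZF/UNITY/GenPrefix.thy
+++ b/src/ZF/UNITY/GenPrefix.thy
@@ -30,7 +30,7 @@
   intros
     Nil:     "<[],[]>:gen_prefix(A, r)"
 
-    prepend: "[| <xs,ys>:gen_prefix(A, r);  <x,y>:r; x:A; y:A |]
+    prepend: "[| <xs,ys>:gen_prefix(A, r);  <x,y>:r; x \<in> A; y \<in> A |]
               ==> <Cons(x,xs), Cons(y,ys)>: gen_prefix(A, r)"
 
     append:  "[| <xs,ys>:gen_prefix(A, r); zs:list(A) |]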
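Review bot: The `prepend` rule at 26.8 ends up with both notations in one premise list: `x \<in> A; y \<in> A` are converted, while `<xs,ys>:gen_prefix(A, r)` and `<x,y>:r` on the same line keep the ASCII colon, as do the unchanged `Nil` and `append` rules around it. Converting the whole premise list, e.g. `[| <xs,ys> \<in> gen_prefix(A, r);  <x,y> \<in> r; x \<in> A; y \<in> A |]`, would keep the inductive definition uniform. The same half-converted pattern shows in SubstAx.thy at 27.20 (`F:(reachable(F) ...` inside the `LeadsTo` definition) and in the `leads` intros of WFair.thy at 29.31 and 29.34 (`<A,B>:leads(D, F)`).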
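--- a/src/ZF/UNITY/SubstAx.thy
+++ b/src/ZF/UNITY/SubstAx.thy
@@ -8,17 +8,17 @@
 header{*Weak LeadsTo relation (restricted to the set of reachable states)*}
 
 theory SubstAx
-imports WFair Constrains 
+imports WFair Constrains
 begin
 
 definition
   (* The definitions below are not `conventional', but yield simpler rules *)
   Ensures :: "[i,i] => i"            (infixl "Ensures" 60)  where
-  "A Ensures B == {F:program. F \<in> (reachable(F) \<inter> A) ensures (reachable(F) \<inter> B) }"
+  "A Ensures B == {F \<in> program. F \<in> (reachable(F) \<inter> A) ensures (reachable(F) \<inter> B) }"
 
 definition
   LeadsTo :: "[i, i] => i"            (infixl "LeadsTo" 60)  where
-  "A LeadsTo B == {F:program. F:(reachable(F) \<inter> A) leadsTo (reachable(F) \<inter> B)}"
+  "A LeadsTo B == {F \<in> program. F:(reachable(F) \<inter> A) leadsTo (reachable(F) \<inter> B)}"
 
 notation (xsymbols)
   LeadsTo  (infixl " \<longmapsto>w " 60)
@@ -28,7 +28,7 @@
 (*Resembles the previous definition of LeadsTo*)
 
 (* Equivalence with the HOL-like definition *)
-lemma LeadsTo_eq: 
+lemma LeadsTo_eq:
 "st_set(B)==> A LeadsTo B = {F \<in> program. F:(reachable(F) \<inter> A) leadsTo B}"
 apply (unfold LeadsTo_def)
 apply (blast dest: psp_stable2 leadsToD2 constrainsD2 intro: leadsTo_weaken)
@@ -107,7 +107,7 @@
 done
 
 (*Lets us look at the starting state*)
-lemma single_LeadsTo_I: 
+lemma single_LeadsTo_I:
     "[|(!!s. s \<in> A ==> F:{s} LeadsTo B); F \<in> program|]==>F \<in> A LeadsTo B"
 apply (subst UN_singleton [symmetric], rule LeadsTo_UN, auto)
 done
@@ -117,7 +117,7 @@
 apply (blast intro: subset_imp_leadsTo)
 done
 
-lemma empty_LeadsTo: "F:0 LeadsTo A \<longleftrightarrow> F \<in> program"
+lemma empty_LeadsTo: "F \<in> 0 LeadsTo A \<longleftrightarrow> F \<in> program"
 by (auto dest: LeadsTo_type [THEN subsetD]
             intro: empty_subsetI [THEN subset_imp_LeadsTo])
 declare empty_LeadsTo [iff]
@@ -139,8 +139,8 @@
 lemma LeadsTo_weaken: "[| F \<in> A LeadsTo A'; B<=A; A'<=B' |] ==> F \<in> B LeadsTo B'"
 by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans)
 
-lemma Always_LeadsTo_weaken: 
-"[| F \<in> Always(C);  F \<in> A LeadsTo A'; C \<inter> B \<subseteq> A;   C \<inter> A' \<subseteq> B' |]  
+lemma Always_LeadsTo_weaken:
+"[| F \<in> Always(C);  F \<in> A LeadsTo A'; C \<inter> B \<subseteq> A;   C \<inter> A' \<subseteq> B' |]
       ==> F \<in> B LeadsTo B'"
 apply (blast dest: Always_LeadsToI intro: LeadsTo_weaken Always_LeadsToD)
 done
@@ -151,7 +151,7 @@
 by (blast dest: LeadsTo_type [THEN subsetD]
              intro: LeadsTo_Un subset_imp_LeadsTo)
 
-lemma LeadsTo_Trans_Un: "[| F \<in> A LeadsTo B;  F \<in> B LeadsTo C |]  
+lemma LeadsTo_Trans_Un: "[| F \<in> A LeadsTo B;  F \<in> B LeadsTo C |]
       ==> F \<in> (A \<union> B) LeadsTo C"
 apply (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans dest: LeadsTo_type [THEN subsetD])
 done
@@ -175,8 +175,8 @@
 apply (blast intro: ensuresI constrains_weaken transient_strengthen dest: constrainsD2)
 done
 
-lemma Always_LeadsTo_Basis: "[| F \<in> Always(I); F \<in> (I \<inter> (A-A')) Co (A \<union> A');  
-         F \<in> transient (I \<inter> (A-A')) |]    
+lemma Always_LeadsTo_Basis: "[| F \<in> Always(I); F \<in> (I \<inter> (A-A')) Co (A \<union> A');
+         F \<in> transient (I \<inter> (A-A')) |]
   ==> F \<in> A LeadsTo A'"
 apply (rule Always_LeadsToI, assumption)
 apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen)
@@ -188,10 +188,10 @@
      "[| F \<in> (A-B) LeadsTo C;  F \<in> (A \<inter> B) LeadsTo C |] ==> F \<in> A LeadsTo C"
 by (blast intro: LeadsTo_Un LeadsTo_weaken)
 
-lemma LeadsTo_UN_UN:  
-     "[|(!!i. i \<in> I ==> F \<in> A(i) LeadsTo A'(i)); F \<in> program |]  
+lemma LeadsTo_UN_UN:
+     "[|(!!i. i \<in> I ==> F \<in> A(i) LeadsTo A'(i)); F \<in> program |]
       ==> F \<in> (\<Union>i \<in> I. A(i)) LeadsTo (\<Union>i \<in> I. A'(i))"
-apply (rule LeadsTo_Union, auto) 
+apply (rule LeadsTo_Union, auto)
 apply (blast intro: LeadsTo_weaken_R)
 done
 
@@ -258,7 +258,7 @@
 lemma PSP2: "[| F \<in> A LeadsTo A'; F \<in> B Co B' |]==> F:(B' \<inter> A) LeadsTo ((B \<inter> A') \<union> (B' - B))"
 by (simp (no_asm_simp) add: PSP Int_ac)
 
-lemma PSP_Unless: 
+lemma PSP_Unless:
 "[| F \<in> A LeadsTo A'; F \<in> B Unless B'|]==> F:(A \<inter> B) LeadsTo ((A' \<inter> B) \<union> B')"
 apply (unfold op_Unless_def)
 apply (drule PSP, assumption)
@@ -268,21 +268,21 @@
 (*** Induction rules ***)
 
 (** Meta or object quantifier ????? **)
-lemma LeadsTo_wf_induct: "[| wf(r);      
-         \<forall>m \<in> I. F \<in> (A \<inter> f-``{m}) LeadsTo                      
-                            ((A \<inter> f-``(converse(r) `` {m})) \<union> B);  
-         field(r)<=I; A<=f-``I; F \<in> program |]  
+lemma LeadsTo_wf_induct: "[| wf(r);
+         \<forall>m \<in> I. F \<in> (A \<inter> f-``{m}) LeadsTo
+                            ((A \<inter> f-``(converse(r) `` {m})) \<union> B);
+         field(r)<=I; A<=f-``I; F \<in> program |]
       ==> F \<in> A LeadsTo B"
 apply (simp (no_asm_use) add: LeadsTo_def)
 apply auto
 apply (erule_tac I = I and f = f in leadsTo_wf_induct, safe)
 apply (drule_tac [2] x = m in bspec, safe)
 apply (rule_tac [2] A' = "reachable (F) \<inter> (A \<inter> f -`` (converse (r) ``{m}) \<union> B) " in leadsTo_weaken_R)
-apply (auto simp add: Int_assoc) 
+apply (auto simp add: Int_assoc)
 done
 
 
-lemma LessThan_induct: "[| \<forall>m \<in> nat. F:(A \<inter> f-``{m}) LeadsTo ((A \<inter> f-``m) \<union> B);  
+lemma LessThan_induct: "[| \<forall>m \<in> nat. F:(A \<inter> f-``{m}) LeadsTo ((A \<inter> f-``m) \<union> B);
       A<=f-``nat; F \<in> program |] ==> F \<in> A LeadsTo B"
 apply (rule_tac A1 = nat and f1 = "%x. x" in wf_measure [THEN LeadsTo_wf_induct])
 apply (simp_all add: nat_measure_field)
@@ -290,7 +290,7 @@
 done
 
 
-(****** 
+(******
  To be ported ??? I am not sure.
 
   integ_0_le_induct
@@ -301,51 +301,51 @@
 
 (*** Completion \<in> Binary and General Finite versions ***)
 
-lemma Completion: "[| F \<in> A LeadsTo (A' \<union> C);  F \<in> A' Co (A' \<union> C);  
-         F \<in> B LeadsTo (B' \<union> C);  F \<in> B' Co (B' \<union> C) |]  
+lemma Completion: "[| F \<in> A LeadsTo (A' \<union> C);  F \<in> A' Co (A' \<union> C);
+         F \<in> B LeadsTo (B' \<union> C);  F \<in> B' Co (B' \<union> C) |]
       ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B') \<union> C)"
 apply (simp (no_asm_use) add: LeadsTo_def Constrains_eq_constrains Int_Un_distrib)
 apply (blast intro: completion leadsTo_weaken)
 done
 
 lemma Finite_completion_aux:
-     "[| I \<in> Fin(X);F \<in> program |]  
-      ==> (\<forall>i \<in> I. F \<in> (A(i)) LeadsTo (A'(i) \<union> C)) \<longrightarrow>   
-          (\<forall>i \<in> I. F \<in> (A'(i)) Co (A'(i) \<union> C)) \<longrightarrow>  
+     "[| I \<in> Fin(X);F \<in> program |]
+      ==> (\<forall>i \<in> I. F \<in> (A(i)) LeadsTo (A'(i) \<union> C)) \<longrightarrow>
+          (\<forall>i \<in> I. F \<in> (A'(i)) Co (A'(i) \<union> C)) \<longrightarrow>
           F \<in> (\<Inter>i \<in> I. A(i)) LeadsTo ((\<Inter>i \<in> I. A'(i)) \<union> C)"
 apply (erule Fin_induct)
 apply (auto simp del: INT_simps simp add: Inter_0)
-apply (rule Completion, auto) 
+apply (rule Completion, auto)
 apply (simp del: INT_simps add: INT_extend_simps)
 apply (blast intro: Constrains_INT)
 done
 
-lemma Finite_completion: 
-     "[| I \<in> Fin(X); !!i. i \<in> I ==> F \<in> A(i) LeadsTo (A'(i) \<union> C);  
-         !!i. i \<in> I ==> F \<in> A'(i) Co (A'(i) \<union> C);  
-         F \<in> program |]    
+lemma Finite_completion:
+     "[| I \<in> Fin(X); !!i. i \<in> I ==> F \<in> A(i) LeadsTo (A'(i) \<union> C);
+         !!i. i \<in> I ==> F \<in> A'(i) Co (A'(i) \<union> C);
+         F \<in> program |]
       ==> F \<in> (\<Inter>i \<in> I. A(i)) LeadsTo ((\<Inter>i \<in> I. A'(i)) \<union> C)"
 by (blast intro: Finite_completion_aux [THEN mp, THEN mp])
 
-lemma Stable_completion: 
-     "[| F \<in> A LeadsTo A';  F \<in> Stable(A');    
-         F \<in> B LeadsTo B';  F \<in> Stable(B') |]  
+lemma Stable_completion:
+     "[| F \<in> A LeadsTo A';  F \<in> Stable(A');
+         F \<in> B LeadsTo B';  F \<in> Stable(B') |]
     ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B')"
 apply (unfold Stable_def)
 apply (rule_tac C1 = 0 in Completion [THEN LeadsTo_weaken_R])
     prefer 5
-    apply blast 
-apply auto 
+    apply blast
+apply auto
 done
 
-lemma Finite_stable_completion: 
-     "[| I \<in> Fin(X);  
-         (!!i. i \<in> I ==> F \<in> A(i) LeadsTo A'(i));  
-         (!!i. i \<in> I ==>F \<in> Stable(A'(i)));   F \<in> program  |]  
+lemma Finite_stable_completion:
+     "[| I \<in> Fin(X);
+         (!!i. i \<in> I ==> F \<in> A(i) LeadsTo A'(i));
+         (!!i. i \<in> I ==>F \<in> Stable(A'(i)));   F \<in> program  |]
       ==> F \<in> (\<Inter>i \<in> I. A(i)) LeadsTo (\<Inter>i \<in> I. A'(i))"
 apply (unfold Stable_def)
 apply (rule_tac C1 = 0 in Finite_completion [THEN LeadsTo_weaken_R], simp_all)
-apply (rule_tac [3] subset_refl, auto) 
+apply (rule_tac [3] subset_refl, auto)
 done
 
 ML {*
@@ -354,7 +354,7 @@
   let val ss = simpset_of ctxt in
     SELECT_GOAL
       (EVERY [REPEAT (Always_Int_tac 1),
-              etac @{thm Always_LeadsTo_Basis} 1 
+              etac @{thm Always_LeadsTo_Basis} 1
                   ORELSE   (*subgoal may involve LeadsTo, leadsTo or ensures*)
                   REPEAT (ares_tac [@{thm LeadsTo_Basis}, @{thm leadsTo_Basis},
                                     @{thm EnsuresI}, @{thm ensuresI}] 1),
@@ -362,7 +362,7 @@
               simp_tac (ss addsimps (Program_Defs.get ctxt)) 2,
               res_inst_tac ctxt [(("act", 0), sact)] @{thm transientI} 2,
                  (*simplify the command's domain*)
-              simp_tac (ss addsimps [@{thm domain_def}]) 3, 
+              simp_tac (ss addsimps [@{thm domain_def}]) 3,
               (* proving the domain part *)
              clarify_tac ctxt 3, dtac @{thm swap} 3, force_tac ctxt 4,
              rtac @{thm ReplaceI} 3, force_tac ctxt 3, force_tac ctxt 4,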
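Review bot: The section heading at 27.144, `(*** Completion \<in> Binary and General Finite versions ***)`, carries a membership symbol where a prose colon is evidently meant. It is an unchanged context line here, so it presumably comes from an earlier substitution pass rather than from this commit. Since this change is the notation clean-up for the file, it would be the natural place to restore it as `(*** Completion: Binary and General Finite versions ***)`. Text inside comments is worth excluding from any further bulk replacement of `:`.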
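--- a/src/ZF/UNITY/Union.thy
+++ b/src/ZF/UNITY/Union.thy
@@ -4,7 +4,7 @@
 
 Unions of programs
 
-Partly from Misra's Chapter 5: Asynchronous Compositions of Programs
+Partly from Misra's Chapter 5 \<in> Asynchronous Compositions of Programs
 
 Theory ported form HOL..
 
@@ -14,13 +14,13 @@
 begin
 
 definition
-  (*FIXME: conjoin Init(F) \<inter> Init(G) \<noteq> 0 *) 
+  (*FIXME: conjoin Init(F) \<inter> Init(G) \<noteq> 0 *)
   ok :: "[i, i] => o"     (infixl "ok" 65)  where
     "F ok G == Acts(F) \<subseteq> AllowedActs(G) &
                Acts(G) \<subseteq> AllowedActs(F)"
 
 definition
-  (*FIXME: conjoin (\<Inter>i \<in> I. Init(F(i))) \<noteq> 0 *) 
+  (*FIXME: conjoin (\<Inter>i \<in> I. Init(F(i))) \<noteq> 0 *)
   OK  :: "[i, i=>i] => o"  where
     "OK(I,F) == (\<forall>i \<in> I. \<forall>j \<in> I-{i}. Acts(F(i)) \<subseteq> AllowedActs(F(j)))"
 
@@ -39,20 +39,20 @@
   safety_prop :: "i => o"  where
   "safety_prop(X) == X\<subseteq>program &
       SKIP \<in> X & (\<forall>G \<in> program. Acts(G) \<subseteq> (\<Union>F \<in> X. Acts(F)) \<longrightarrow> G \<in> X)"
-  
+
 notation (xsymbols)
   SKIP  ("\<bottom>") and
   Join  (infixl "\<squnion>" 65)
 
 syntax
   "_JOIN1"     :: "[pttrns, i] => i"         ("(3JN _./ _)" 10)
-  "_JOIN"      :: "[pttrn, i, i] => i"       ("(3JN _:_./ _)" 10)
+  "_JOIN"      :: "[pttrn, i, i] => i"       ("(3JN _ \<in> _./ _)" 10)
 syntax (xsymbols)
   "_JOIN1"  :: "[pttrns, i] => i"     ("(3\<Squnion> _./ _)" 10)
   "_JOIN"   :: "[pttrn, i, i] => i"   ("(3\<Squnion> _ \<in> _./ _)" 10)
 
 translations
-  "JN x:A. B"   == "CONST JOIN(A, (%x. B))"
+  "JN x \<in> A. B"   == "CONST JOIN(A, (%x. B))"
   "JN x y. B"   == "JN x. JN y. B"
   "JN x. B"     == "CONST JOIN(CONST state,(%x. B))"
 
@@ -105,7 +105,7 @@
 lemma Acts_Join [simp]: "Acts(F Join G) = Acts(F) \<union> Acts(G)"
 by (simp add: Int_Un_distrib2 cons_absorb Join_def)
 
-lemma AllowedActs_Join [simp]: "AllowedActs(F Join G) =  
+lemma AllowedActs_Join [simp]: "AllowedActs(F Join G) =
   AllowedActs(F) \<inter> AllowedActs(G)"
 apply (simp add: Int_assoc cons_absorb Join_def)
 done
@@ -164,7 +164,7 @@
      "Init(\<Squnion>i \<in> I. F(i)) = (if I=0 then state else (\<Inter>i \<in> I. Init(F(i))))"
 by (simp add: JOIN_def INT_extend_simps del: INT_simps)
 
-lemma Acts_JN [simp]: 
+lemma Acts_JN [simp]:
      "Acts(JOIN(I,F)) = cons(id(state), \<Union>i \<in> I.  Acts(F(i)))"
 apply (unfold JOIN_def)
 apply (auto simp del: INT_simps UN_simps)
@@ -172,8 +172,8 @@
 apply (auto dest: Acts_type [THEN subsetD])
 done
 
-lemma AllowedActs_JN [simp]: 
-     "AllowedActs(\<Squnion>i \<in> I. F(i)) = 
+lemma AllowedActs_JN [simp]:
+     "AllowedActs(\<Squnion>i \<in> I. F(i)) =
       (if I=0 then Pow(state*state) else (\<Inter>i \<in> I. AllowedActs(F(i))))"
 apply (unfold JOIN_def, auto)
 apply (rule equalityI)
@@ -184,7 +184,7 @@
 by (rule program_equalityI, auto)
 
 lemma JN_cong [cong]:
-    "[| I=J;  !!i. i \<in> J ==> F(i) = G(i) |] ==>  
+    "[| I=J;  !!i. i \<in> J ==> F(i) = G(i) |] ==>
      (\<Squnion>i \<in> I. F(i)) = (\<Squnion>i \<in> J. G(i))"
 by (simp add: JOIN_def)
 
@@ -208,7 +208,7 @@
 lemma JN_Join_distrib:
      "(\<Squnion>i \<in> I. F(i) Join G(i)) = (\<Squnion>i \<in> I. F(i))  Join  (\<Squnion>i \<in> I. G(i))"
 apply (rule program_equalityI)
-apply (simp_all add: INT_Int_distrib, blast) 
+apply (simp_all add: INT_Int_distrib, blast)
 done
 
 lemma JN_Join_miniscope: "(\<Squnion>i \<in> I. F(i) Join G) = ((\<Squnion>i \<in> I. F(i) Join G))"
@@ -227,7 +227,7 @@
   alternative precondition is A\<subseteq>B, but most proofs using this rule require
   I to be nonempty for other reasons anyway.*)
 
-lemma JN_constrains: 
+lemma JN_constrains:
  "i \<in> I==>(\<Squnion>i \<in> I. F(i)) \<in> A co B \<longleftrightarrow> (\<forall>i \<in> I. programify(F(i)) \<in> A co B)"
 
 apply (unfold constrains_def JOIN_def st_set_def, auto)
@@ -242,7 +242,7 @@
 by (auto simp add: constrains_def)
 
 lemma Join_unless [iff]:
-     "(F Join G \<in> A unless B) \<longleftrightarrow>  
+     "(F Join G \<in> A unless B) \<longleftrightarrow>
     (programify(F) \<in> A unless B & programify(G) \<in> A unless B)"
 by (simp add: Join_constrains unless_def)
 
@@ -252,7 +252,7 @@
 *)
 
 lemma Join_constrains_weaken:
-     "[| F \<in> A co A';  G \<in> B co B' |]  
+     "[| F \<in> A co A';  G \<in> B co B' |]
       ==> F Join G \<in> (A \<inter> B) co (A' \<union> B')"
 apply (subgoal_tac "st_set (A) & st_set (B) & F \<in> program & G \<in> program")
 prefer 2 apply (blast dest: constrainsD2, simp)
@@ -280,17 +280,17 @@
 apply (drule_tac x = act in bspec, auto)
 done
 
-lemma initially_JN_I: 
+lemma initially_JN_I:
   assumes major: "(!!i. i \<in> I ==>F(i) \<in> initially(A))"
       and minor: "i \<in> I"
   shows  "(\<Squnion>i \<in> I. F(i)) \<in> initially(A)"
 apply (cut_tac minor)
-apply (auto elim!: not_emptyE simp add: Inter_iff initially_def) 
+apply (auto elim!: not_emptyE simp add: Inter_iff initially_def)
 apply (frule_tac i = x in major)
-apply (auto simp add: initially_def) 
+apply (auto simp add: initially_def)
 done
 
-lemma invariant_JN_I: 
+lemma invariant_JN_I:
   assumes major: "(!!i. i \<in> I ==> F(i) \<in> invariant(A))"
       and minor: "i \<in> I"
   shows "(\<Squnion>i \<in> I. F(i)) \<in> invariant(A)"
@@ -304,7 +304,7 @@
 done
 
 lemma Join_stable [iff]:
-     " (F Join G \<in> stable(A)) \<longleftrightarrow>   
+     " (F Join G \<in> stable(A)) \<longleftrightarrow>
       (programify(F) \<in> stable(A) & programify(G) \<in>  stable(A))"
 by (simp add: stable_def)
 
@@ -313,7 +313,7 @@
 by (unfold initially_def, auto)
 
 lemma invariant_JoinI:
-     "[| F \<in> invariant(A); G \<in> invariant(A) |]   
+     "[| F \<in> invariant(A); G \<in> invariant(A) |]
       ==> F Join G \<in> invariant(A)"
 apply (subgoal_tac "F \<in> program&G \<in> program")
 prefer 2 apply (blast dest: invariantD2)
@@ -329,7 +329,7 @@
 subsection{*Progress: transient, ensures*}
 
 lemma JN_transient:
-     "i \<in> I ==> 
+     "i \<in> I ==>
       (\<Squnion>i \<in> I. F(i)) \<in> transient(A) \<longleftrightarrow> (\<exists>i \<in> I. programify(F(i)) \<in> transient(A))"
 apply (auto simp add: transient_def JOIN_def)
 apply (unfold st_set_def)
@@ -338,7 +338,7 @@
 done
 
 lemma Join_transient [iff]:
-     "F Join G \<in> transient(A) \<longleftrightarrow>  
+     "F Join G \<in> transient(A) \<longleftrightarrow>
       (programify(F) \<in> transient(A) | programify(G) \<in> transient(A))"
 apply (auto simp add: transient_def Join_def Int_Un_distrib2)
 done
@@ -352,28 +352,28 @@
 
 (*If I=0 it degenerates to (SKIP \<in> A ensures B) = False, i.e. to ~(A\<subseteq>B) *)
 lemma JN_ensures:
-     "i \<in> I ==>  
-      (\<Squnion>i \<in> I. F(i)) \<in> A ensures B \<longleftrightarrow>  
-      ((\<forall>i \<in> I. programify(F(i)) \<in> (A-B) co (A \<union> B)) &   
+     "i \<in> I ==>
+      (\<Squnion>i \<in> I. F(i)) \<in> A ensures B \<longleftrightarrow>
+      ((\<forall>i \<in> I. programify(F(i)) \<in> (A-B) co (A \<union> B)) &
       (\<exists>i \<in> I. programify(F(i)) \<in> A ensures B))"
 by (auto simp add: ensures_def JN_constrains JN_transient)
 
 
-lemma Join_ensures: 
-     "F Join G \<in> A ensures B  \<longleftrightarrow>      
-      (programify(F) \<in> (A-B) co (A \<union> B) & programify(G) \<in> (A-B) co (A \<union> B) &  
+lemma Join_ensures:
+     "F Join G \<in> A ensures B  \<longleftrightarrow>
+      (programify(F) \<in> (A-B) co (A \<union> B) & programify(G) \<in> (A-B) co (A \<union> B) &
        (programify(F) \<in>  transient (A-B) | programify(G) \<in> transient (A-B)))"
 
 apply (unfold ensures_def)
 apply (auto simp add: Join_transient)
 done
 
-lemma stable_Join_constrains: 
-    "[| F \<in> stable(A);  G \<in> A co A' |]  
+lemma stable_Join_constrains:
+    "[| F \<in> stable(A);  G \<in> A co A' |]
      ==> F Join G \<in> A co A'"
 apply (unfold stable_def constrains_def Join_def st_set_def)
 apply (cut_tac F = F in Acts_type)
-apply (cut_tac F = G in Acts_type, force) 
+apply (cut_tac F = G in Acts_type, force)
 done
 
 (*Premise for G cannot use Always because  F \<in> Stable A  is
@@ -462,10 +462,10 @@
 by (simp add: OK_def)
 
 lemma OK_cons_iff:
-     "OK(cons(i, I), F) \<longleftrightarrow>  
+     "OK(cons(i, I), F) \<longleftrightarrow>
       (i \<in> I & OK(I, F)) | (i\<notin>I & OK(I, F) & F(i) ok JOIN(I,F))"
 apply (simp add: OK_iff_ok)
-apply (blast intro: ok_sym) 
+apply (blast intro: ok_sym)
 done
 
 
@@ -475,25 +475,25 @@
 by (auto dest: Acts_type [THEN subsetD] simp add: Allowed_def)
 
 lemma Allowed_Join [simp]:
-     "Allowed(F Join G) =  
+     "Allowed(F Join G) =
    Allowed(programify(F)) \<inter> Allowed(programify(G))"
 apply (auto simp add: Allowed_def)
 done
 
 lemma Allowed_JN [simp]:
-     "i \<in> I ==>  
+     "i \<in> I ==>
    Allowed(JOIN(I,F)) = (\<Inter>i \<in> I. Allowed(programify(F(i))))"
 apply (auto simp add: Allowed_def, blast)
 done
 
 lemma ok_iff_Allowed:
-     "F ok G \<longleftrightarrow> (programify(F) \<in> Allowed(programify(G)) &  
+     "F ok G \<longleftrightarrow> (programify(F) \<in> Allowed(programify(G)) &
    programify(G) \<in> Allowed(programify(F)))"
 by (simp add: ok_def Allowed_def)
 
 
 lemma OK_iff_Allowed:
-     "OK(I,F) \<longleftrightarrow>  
+     "OK(I,F) \<longleftrightarrow>
   (\<forall>i \<in> I. \<forall>j \<in> I-{i}. programify(F(i)) \<in> Allowed(programify(F(j))))"
 apply (auto simp add: OK_iff_ok ok_iff_Allowed)
 done
@@ -510,10 +510,10 @@
 done
 
 lemma safety_prop_AllowedActs_iff_Allowed:
-     "safety_prop(X) ==>  
+     "safety_prop(X) ==>
   (\<Union>G \<in> X. Acts(G)) \<subseteq> AllowedActs(F) \<longleftrightarrow> (X \<subseteq> Allowed(programify(F)))"
-apply (simp add: Allowed_def safety_prop_Acts_iff [THEN iff_sym] 
-                 safety_prop_def, blast) 
+apply (simp add: Allowed_def safety_prop_Acts_iff [THEN iff_sym]
+                 safety_prop_def, blast)
 done
 
 
@@ -526,7 +526,7 @@
 done
 
 lemma def_prg_Allowed:
-     "[| F == mk_program (init, acts, \<Union>F \<in> X. Acts(F)); safety_prop(X) |]  
+     "[| F == mk_program (init, acts, \<Union>F \<in> X. Acts(F)); safety_prop(X) |]
       ==> Allowed(F) = X"
 by (simp add: Allowed_eq)
 
@@ -571,8 +571,8 @@
 apply blast+
 done
 
-lemma def_UNION_ok_iff: 
-"[| F == mk_program(init,acts, \<Union>G \<in> X. Acts(G)); safety_prop(X) |]  
+lemma def_UNION_ok_iff:
+"[| F == mk_program(init,acts, \<Union>G \<in> X. Acts(G)); safety_prop(X) |]
       ==> F ok G \<longleftrightarrow> (programify(G) \<in> X & acts \<inter> Pow(state*state) \<subseteq> AllowedActs(G))"
 apply (unfold ok_def)
 apply (drule_tac G = G in safety_prop_Acts_iff)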
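Review bot: The default-mode mixfix for `_JOIN` at 28.41 changes from `(3JN _:_./ _)` to `(3JN _ \<in> _./ _)`, and the translation at 28.48 follows it, so unlike the other hunks this one alters the accepted input syntax rather than only the spelling of a term. As far as the hunk shows, `JN x:A. B` no longer has a production. If ASCII input is meant to stay available, keep `"(3JN _:_./ _)"` in the plain `syntax` block and leave `\<in>` to the `syntax (xsymbols)` block, which already has it. Separately, the file header at 28.8 now reads `Misra's Chapter 5 \<in> Asynchronous Compositions of Programs`; that colon was punctuation and should be restored as `Chapter 5: Asynchronous Compositions of Programs`.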
    29.1 --- a/src/ZF/UNITY/WFair.thy	Thu Mar 15 15:54:22 2012 +0000
    29.2 +++ b/src/ZF/UNITY/WFair.thy	Thu Mar 15 16:35:02 2012 +0000
    29.3 @@ -15,41 +15,41 @@
    29.4  
    29.5  definition
    29.6    (* This definition specifies weak fairness.  The rest of the theory
    29.7 -    is generic to all forms of fairness.*) 
    29.8 +    is generic to all forms of fairness.*)
    29.9    transient :: "i=>i"  where
   29.10 -  "transient(A) =={F:program. (\<exists>act\<in>Acts(F). A<=domain(act) &
   29.11 +  "transient(A) =={F \<in> program. (\<exists>act\<in>Acts(F). A<=domain(act) &
   29.12                                 act``A \<subseteq> state-A) & st_set(A)}"
   29.13  
   29.14  definition
   29.15    ensures :: "[i,i] => i"       (infixl "ensures" 60)  where
   29.16    "A ensures B == ((A-B) co (A \<union> B)) \<inter> transient(A-B)"
   29.17 -  
   29.18 +
   29.19  consts
   29.20  
   29.21    (*LEADS-TO constant for the inductive definition*)
   29.22    leads :: "[i, i]=>i"
   29.23  
   29.24 -inductive 
   29.25 +inductive
   29.26    domains
   29.27       "leads(D, F)" \<subseteq> "Pow(D)*Pow(D)"
   29.28 -  intros 
   29.29 -    Basis:  "[| F:A ensures B;  A:Pow(D); B:Pow(D) |] ==> <A,B>:leads(D, F)"
   29.30 +  intros
   29.31 +    Basis:  "[| F \<in> A ensures B;  A \<in> Pow(D); B \<in> Pow(D) |] ==> <A,B>:leads(D, F)"
   29.32      Trans:  "[| <A,B> \<in> leads(D, F); <B,C> \<in> leads(D, F) |] ==>  <A,C>:leads(D, F)"
   29.33 -    Union:   "[| S:Pow({A:S. <A, B>:leads(D, F)}); B:Pow(D); S:Pow(Pow(D)) |] ==> 
   29.34 +    Union:   "[| S \<in> Pow({A \<in> S. <A, B>:leads(D, F)}); B \<in> Pow(D); S \<in> Pow(Pow(D)) |] ==>
   29.35                <\<Union>(S),B>:leads(D, F)"
   29.36  
   29.37    monos        Pow_mono
   29.38    type_intros  Union_Pow_iff [THEN iffD2] UnionI PowI
   29.39 - 
   29.40 +
   29.41  definition
   29.42    (* The Visible version of the LEADS-TO relation*)
   29.43    leadsTo :: "[i, i] => i"       (infixl "leadsTo" 60)  where
   29.44 -  "A leadsTo B == {F:program. <A,B>:leads(state, F)}"
   29.45 -  
   29.46 +  "A leadsTo B == {F \<in> program. <A,B>:leads(state, F)}"
   29.47 +
   29.48  definition
   29.49    (* wlt(F, B) is the largest set that leads to B*)
   29.50    wlt :: "[i, i] => i"  where
   29.51 -    "wlt(F, B) == \<Union>({A:Pow(state). F: A leadsTo B})"
   29.52 +    "wlt(F, B) == \<Union>({A \<in> Pow(state). F \<in> A leadsTo B})"
   29.53  
   29.54  notation (xsymbols)
   29.55    leadsTo  (infixl "\<longmapsto>" 60)
   29.56 @@ -67,7 +67,7 @@
   29.57  lemma transient_type: "transient(A)<=program"
   29.58  by (unfold transient_def, auto)
   29.59  
   29.60 -lemma transientD2: 
   29.61 +lemma transientD2:
   29.62  "F \<in> transient(A) ==> F \<in> program & st_set(A)"
   29.63  apply (unfold transient_def, auto)
   29.64  done
   29.65 @@ -80,20 +80,20 @@
   29.66  apply (blast intro!: rev_bexI)
   29.67  done
   29.68  
   29.69 -lemma transientI: 
   29.70 -"[|act \<in> Acts(F); A \<subseteq> domain(act); act``A \<subseteq> state-A;  
   29.71 +lemma transientI:
   29.72 +"[|act \<in> Acts(F); A \<subseteq> domain(act); act``A \<subseteq> state-A;
   29.73      F \<in> program; st_set(A)|] ==> F \<in> transient(A)"
   29.74  by (simp add: transient_def, blast)
   29.75  
   29.76 -lemma transientE: 
   29.77 -     "[| F \<in> transient(A);  
   29.78 +lemma transientE:
   29.79 +     "[| F \<in> transient(A);
   29.80           !!act. [| act \<in> Acts(F);  A \<subseteq> domain(act); act``A \<subseteq> state-A|]==>P|]
   29.81        ==>P"
   29.82  by (simp add: transient_def, blast)
   29.83  
   29.84  lemma transient_state: "transient(state) = 0"
   29.85  apply (simp add: transient_def)
   29.86 -apply (rule equalityI, auto) 
   29.87 +apply (rule equalityI, auto)
   29.88  apply (cut_tac F = x in Acts_type)
   29.89  apply (simp add: Diff_cancel)
   29.90  apply (auto intro: st0_in_state)
   29.91 @@ -117,7 +117,7 @@
   29.92  lemma ensures_type: "A ensures B <=program"
   29.93  by (simp add: ensures_def constrains_def, auto)
   29.94  
   29.95 -lemma ensuresI: 
   29.96 +lemma ensuresI:
   29.97  "[|F:(A-B) co (A \<union> B); F \<in> transient(A-B)|]==>F \<in> A ensures B"
   29.98  apply (unfold ensures_def)
   29.99  apply (auto simp add: transient_type [THEN subsetD])
  29.100 @@ -138,10 +138,10 @@
  29.101  apply (blast intro: transient_strengthen constrains_weaken)
  29.102  done
  29.103  
  29.104 -(*The L-version (precondition strengthening) fails, but we have this*) 
  29.105 -lemma stable_ensures_Int: 
  29.106 +(*The L-version (precondition strengthening) fails, but we have this*)
  29.107 +lemma stable_ensures_Int:
  29.108       "[| F \<in> stable(C);  F \<in> A ensures B |] ==> F:(C \<inter> A) ensures (C \<inter> B)"
  29.109 - 
  29.110 +
  29.111  apply (unfold ensures_def)
  29.112  apply (simp (no_asm) add: Int_Un_distrib [symmetric] Diff_Int_distrib [symmetric])
  29.113  apply (blast intro: transient_strengthen stable_constrains_Int constrains_weaken)
  29.114 @@ -166,13 +166,13 @@
  29.115  lemma leadsTo_type: "A leadsTo B \<subseteq> program"
  29.116  by (unfold leadsTo_def, auto)
  29.117  
  29.118 -lemma leadsToD2: 
  29.119 +lemma leadsToD2:
  29.120  "F \<in> A leadsTo B ==> F \<in> program & st_set(A) & st_set(B)"
  29.121  apply (unfold leadsTo_def st_set_def)
  29.122  apply (blast dest: leads_left leads_right)
  29.123  done
  29.124  
  29.125 -lemma leadsTo_Basis: 
  29.126 +lemma leadsTo_Basis:
  29.127      "[|F \<in> A ensures B; st_set(A); st_set(B)|] ==> F \<in> A leadsTo B"
  29.128  apply (unfold leadsTo_def st_set_def)
  29.129  apply (cut_tac ensures_type)
  29.130 @@ -204,22 +204,22 @@
  29.131  by (simp add: Un_ac)
  29.132  
  29.133  (*The Union introduction rule as we should have liked to state it*)
  29.134 -lemma leadsTo_Union: 
  29.135 +lemma leadsTo_Union:
  29.136      "[|!!A. A \<in> S ==> F \<in> A leadsTo B; F \<in> program; st_set(B)|]
  29.137       ==> F \<in> \<Union>(S) leadsTo B"
  29.138  apply (unfold leadsTo_def st_set_def)
  29.139  apply (blast intro: leads.Union dest: leads_left)
  29.140  done
  29.141  
  29.142 -lemma leadsTo_Union_Int: 
  29.143 -    "[|!!A. A \<in> S ==>F \<in> (A \<inter> C) leadsTo B; F \<in> program; st_set(B)|]  
  29.144 +lemma leadsTo_Union_Int:
  29.145 +    "[|!!A. A \<in> S ==>F \<in> (A \<inter> C) leadsTo B; F \<in> program; st_set(B)|]
  29.146       ==> F \<in> (\<Union>(S)Int C)leadsTo B"
  29.147  apply (unfold leadsTo_def st_set_def)
  29.148  apply (simp only: Int_Union_Union)
  29.149  apply (blast dest: leads_left intro: leads.Union)
  29.150  done
  29.151  
  29.152 -lemma leadsTo_UN: 
  29.153 +lemma leadsTo_UN:
  29.154      "[| !!i. i \<in> I ==> F \<in> A(i) leadsTo B; F \<in> program; st_set(B)|]
  29.155       ==> F:(\<Union>i \<in> I. A(i)) leadsTo B"
  29.156  apply (simp add: Int_Union_Union leadsTo_def st_set_def)
  29.157 @@ -234,10 +234,10 @@
  29.158  done
  29.159  
  29.160  lemma single_leadsTo_I:
  29.161 -    "[|!!x. x \<in> A==> F:{x} leadsTo B; F \<in> program; st_set(B) |] 
  29.162 +    "[|!!x. x \<in> A==> F:{x} leadsTo B; F \<in> program; st_set(B) |]
  29.163       ==> F \<in> A leadsTo B"
  29.164  apply (rule_tac b = A in UN_singleton [THEN subst])
  29.165 -apply (rule leadsTo_UN, auto) 
  29.166 +apply (rule leadsTo_UN, auto)
  29.167  done
  29.168  
  29.169  lemma leadsTo_refl: "[| F \<in> program; st_set(A) |] ==> F \<in> A leadsTo A"
  29.170 @@ -278,7 +278,7 @@
  29.171  lemma leadsTo_Un_distrib: "F:(A \<union> B) leadsTo C  \<longleftrightarrow>  (F \<in> A leadsTo C & F \<in> B leadsTo C)"
  29.172  by (blast intro: leadsTo_Un leadsTo_weaken_L)
  29.173  
  29.174 -lemma leadsTo_UN_distrib: 
  29.175 +lemma leadsTo_UN_distrib:
  29.176  "(F:(\<Union>i \<in> I. A(i)) leadsTo B)\<longleftrightarrow> ((\<forall>i \<in> I. F \<in> A(i) leadsTo B) & F \<in> program & st_set(B))"
  29.177  apply (blast dest: leadsToD2 intro: leadsTo_UN leadsTo_weaken_L)
  29.178  done
  29.179 @@ -293,10 +293,10 @@
  29.180  by (blast intro: leadsTo_Un leadsTo_weaken dest: leadsToD2)
  29.181  
  29.182  lemma leadsTo_UN_UN:
  29.183 -    "[|!!i. i \<in> I ==> F \<in> A(i) leadsTo A'(i); F \<in> program |]  
  29.184 +    "[|!!i. i \<in> I ==> F \<in> A(i) leadsTo A'(i); F \<in> program |]
  29.185       ==> F: (\<Union>i \<in> I. A(i)) leadsTo (\<Union>i \<in> I. A'(i))"
  29.186  apply (rule leadsTo_Union)
  29.187 -apply (auto intro: leadsTo_weaken_R dest: leadsToD2) 
  29.188 +apply (auto intro: leadsTo_weaken_R dest: leadsToD2)
  29.189  done
  29.190  
  29.191  (*Binary union version*)
  29.192 @@ -336,17 +336,17 @@
  29.193  lemma leadsTo_induct:
  29.194    assumes major: "F \<in> za leadsTo zb"
  29.195        and basis: "!!A B. [|F \<in> A ensures B; st_set(A); st_set(B)|] ==> P(A,B)"
  29.196 -      and trans: "!!A B C. [| F \<in> A leadsTo B; P(A, B);  
  29.197 +      and trans: "!!A B C. [| F \<in> A leadsTo B; P(A, B);
  29.198                                F \<in> B leadsTo C; P(B, C) |] ==> P(A,C)"
  29.199 -      and union: "!!B S. [| \<forall>A \<in> S. F \<in> A leadsTo B; \<forall>A \<in> S. P(A,B); 
  29.200 +      and union: "!!B S. [| \<forall>A \<in> S. F \<in> A leadsTo B; \<forall>A \<in> S. P(A,B);
  29.201                             st_set(B); \<forall>A \<in> S. st_set(A)|] ==> P(\<Union>(S), B)"
  29.202    shows "P(za, zb)"
  29.203  apply (cut_tac major)
  29.204 -apply (unfold leadsTo_def, clarify) 
  29.205 -apply (erule leads.induct) 
  29.206 +apply (unfold leadsTo_def, clarify)
  29.207 +apply (erule leads.induct)
  29.208    apply (blast intro: basis [unfolded st_set_def])
  29.209 - apply (blast intro: trans [unfolded leadsTo_def]) 
  29.210 -apply (force intro: union [unfolded st_set_def leadsTo_def]) 
  29.211 + apply (blast intro: trans [unfolded leadsTo_def])
  29.212 +apply (force intro: union [unfolded st_set_def leadsTo_def])
  29.213  done
  29.214  
  29.215  
  29.216 @@ -354,11 +354,11 @@
  29.217  lemma leadsTo_induct2:
  29.218    assumes major: "F \<in> za leadsTo zb"
  29.219        and basis1: "!!A B. [| A<=B; st_set(B) |] ==> P(A, B)"
  29.220 -      and basis2: "!!A B. [| F \<in> A co A \<union> B; F \<in> transient(A); st_set(B) |] 
  29.221 +      and basis2: "!!A B. [| F \<in> A co A \<union> B; F \<in> transient(A); st_set(B) |]
  29.222                            ==> P(A, B)"
  29.223 -      and trans: "!!A B C. [| F \<in> A leadsTo B; P(A, B);  
  29.224 +      and trans: "!!A B C. [| F \<in> A leadsTo B; P(A, B);
  29.225                                F \<in> B leadsTo C; P(B, C) |] ==> P(A,C)"
  29.226 -      and union: "!!B S. [| \<forall>A \<in> S. F \<in> A leadsTo B; \<forall>A \<in> S. P(A,B); 
  29.227 +      and union: "!!B S. [| \<forall>A \<in> S. F \<in> A leadsTo B; \<forall>A \<in> S. P(A,B);
  29.228                             st_set(B); \<forall>A \<in> S. st_set(A)|] ==> P(\<Union>(S), B)"
  29.229    shows "P(za, zb)"
  29.230  apply (cut_tac major)
  29.231 @@ -381,11 +381,11 @@
  29.232  
  29.233  (** Variant induction rule: on the preconditions for B **)
  29.234  (*Lemma is the weak version: can't see how to do it in one step*)
  29.235 -lemma leadsTo_induct_pre_aux: 
  29.236 -  "[| F \<in> za leadsTo zb;   
  29.237 -      P(zb);  
  29.238 -      !!A B. [| F \<in> A ensures B;  P(B); st_set(A); st_set(B) |] ==> P(A);  
  29.239 -      !!S. [| \<forall>A \<in> S. P(A); \<forall>A \<in> S. st_set(A) |] ==> P(\<Union>(S))  
  29.240 +lemma leadsTo_induct_pre_aux:
  29.241 +  "[| F \<in> za leadsTo zb;
  29.242 +      P(zb);
  29.243 +      !!A B. [| F \<in> A ensures B;  P(B); st_set(A); st_set(B) |] ==> P(A);
  29.244 +      !!S. [| \<forall>A \<in> S. P(A); \<forall>A \<in> S. st_set(A) |] ==> P(\<Union>(S))
  29.245     |] ==> P(za)"
  29.246  txt{*by induction on this formula*}
  29.247  apply (subgoal_tac "P (zb) \<longrightarrow> P (za) ")
  29.248 @@ -396,15 +396,15 @@
  29.249  done
  29.250  
  29.251  
  29.252 -lemma leadsTo_induct_pre: 
  29.253 -  "[| F \<in> za leadsTo zb;   
  29.254 -      P(zb);  
  29.255 -      !!A B. [| F \<in> A ensures B;  F \<in> B leadsTo zb;  P(B); st_set(A) |] ==> P(A);  
  29.256 -      !!S. \<forall>A \<in> S. F \<in> A leadsTo zb & P(A) & st_set(A) ==> P(\<Union>(S))  
  29.257 +lemma leadsTo_induct_pre:
  29.258 +  "[| F \<in> za leadsTo zb;
  29.259 +      P(zb);
  29.260 +      !!A B. [| F \<in> A ensures B;  F \<in> B leadsTo zb;  P(B); st_set(A) |] ==> P(A);
  29.261 +      !!S. \<forall>A \<in> S. F \<in> A leadsTo zb & P(A) & st_set(A) ==> P(\<Union>(S))
  29.262     |] ==> P(za)"
  29.263  apply (subgoal_tac " (F \<in> za leadsTo zb) & P (za) ")
  29.264  apply (erule conjunct2)
  29.265 -apply (frule leadsToD2) 
  29.266 +apply (frule leadsToD2)
  29.267  apply (erule leadsTo_induct_pre_aux)
  29.268  prefer 3 apply (blast dest: leadsToD2 intro: leadsTo_Union)
  29.269  prefer 2 apply (blast intro: leadsTo_Trans leadsTo_Basis)
  29.270 @@ -412,7 +412,7 @@
  29.271  done
  29.272  
  29.273  (** The impossibility law **)
  29.274 -lemma leadsTo_empty: 
  29.275 +lemma leadsTo_empty:
  29.276     "F \<in> A leadsTo 0 ==> A=0"
  29.277  apply (erule leadsTo_induct_pre)
  29.278  apply (auto simp add: ensures_def constrains_def transient_def st_set_def)
  29.279 @@ -425,10 +425,10 @@
  29.280  
  29.281  text{*Special case of PSP: Misra's "stable conjunction"*}
  29.282  
  29.283 -lemma psp_stable: 
  29.284 +lemma psp_stable:
  29.285     "[| F \<in> A leadsTo A'; F \<in> stable(B) |] ==> F:(A \<inter> B) leadsTo (A' \<inter> B)"
  29.286  apply (unfold stable_def)
  29.287 -apply (frule leadsToD2) 
  29.288 +apply (frule leadsToD2)
  29.289  apply (erule leadsTo_induct)
  29.290  prefer 3 apply (blast intro: leadsTo_Union_Int)
  29.291  prefer 2 apply (blast intro: leadsTo_Trans)
  29.292 @@ -442,7 +442,7 @@
  29.293  apply (simp (no_asm_simp) add: psp_stable Int_ac)
  29.294  done
  29.295  
  29.296 -lemma psp_ensures: 
  29.297 +lemma psp_ensures:
  29.298  "[| F \<in> A ensures A'; F \<in> B co B' |]==> F: (A \<inter> B') ensures ((A' \<inter> B) \<union> (B' - B))"
  29.299  apply (unfold ensures_def constrains_def st_set_def)
  29.300  (*speeds up the proof*)
  29.301 @@ -450,7 +450,7 @@
  29.302  apply (blast intro: transient_strengthen)
  29.303  done
  29.304  
  29.305 -lemma psp: 
  29.306 +lemma psp:
  29.307  "[|F \<in> A leadsTo A'; F \<in> B co B'; st_set(B')|]==> F:(A \<inter> B') leadsTo ((A' \<inter> B) \<union> (B' - B))"
  29.308  apply (subgoal_tac "F \<in> program & st_set (A) & st_set (A') & st_set (B) ")
  29.309  prefer 2 apply (blast dest!: constrainsD2 leadsToD2)
  29.310 @@ -466,12 +466,12 @@
  29.311  done
  29.312  
  29.313  
  29.314 -lemma psp2: "[| F \<in> A leadsTo A'; F \<in> B co B'; st_set(B') |]  
  29.315 +lemma psp2: "[| F \<in> A leadsTo A'; F \<in> B co B'; st_set(B') |]
  29.316      ==> F \<in> (B' \<inter> A) leadsTo ((B \<inter> A') \<union> (B' - B))"
  29.317  by (simp (no_asm_simp) add: psp Int_ac)
  29.318  
  29.319 -lemma psp_unless: 
  29.320 -   "[| F \<in> A leadsTo A';  F \<in> B unless B'; st_set(B); st_set(B') |]  
  29.321 +lemma psp_unless:
  29.322 +   "[| F \<in> A leadsTo A';  F \<in> B unless B'; st_set(B); st_set(B') |]
  29.323      ==> F \<in> (A \<inter> B) leadsTo ((A' \<inter> B) \<union> B')"
  29.324  apply (unfold unless_def)
  29.325  apply (subgoal_tac "st_set (A) &st_set (A') ")
  29.326 @@ -484,12 +484,12 @@
  29.327  subsection{*Proving the induction rules*}
  29.328  
  29.329  (** The most general rule \<in> r is any wf relation; f is any variant function **)
  29.330 -lemma leadsTo_wf_induct_aux: "[| wf(r);  
  29.331 -         m \<in> I;  
  29.332 -         field(r)<=I;  
  29.333 -         F \<in> program; st_set(B); 
  29.334 -         \<forall>m \<in> I. F \<in> (A \<inter> f-``{m}) leadsTo                      
  29.335 -                    ((A \<inter> f-``(converse(r)``{m})) \<union> B) |]  
  29.336 +lemma leadsTo_wf_induct_aux: "[| wf(r);
  29.337 +         m \<in> I;
  29.338 +         field(r)<=I;
  29.339 +         F \<in> program; st_set(B);
  29.340 +         \<forall>m \<in> I. F \<in> (A \<inter> f-``{m}) leadsTo
  29.341 +                    ((A \<inter> f-``(converse(r)``{m})) \<union> B) |]
  29.342        ==> F \<in> (A \<inter> f-``{m}) leadsTo B"
  29.343  apply (erule_tac a = m in wf_induct2, simp_all)
  29.344  apply (subgoal_tac "F \<in> (A \<inter> (f-`` (converse (r) ``{x}))) leadsTo B")
  29.345 @@ -500,17 +500,17 @@
  29.346  done
  29.347  
  29.348  (** Meta or object quantifier ? **)
  29.349 -lemma leadsTo_wf_induct: "[| wf(r);  
  29.350 -         field(r)<=I;  
  29.351 -         A<=f-``I;  
  29.352 -         F \<in> program; st_set(A); st_set(B);  
  29.353 -         \<forall>m \<in> I. F \<in> (A \<inter> f-``{m}) leadsTo                      
  29.354 -                    ((A \<inter> f-``(converse(r)``{m})) \<union> B) |]  
  29.355 +lemma leadsTo_wf_induct: "[| wf(r);
  29.356 +         field(r)<=I;
  29.357 +         A<=f-``I;
  29.358 +         F \<in> program; st_set(A); st_set(B);
  29.359 +         \<forall>m \<in> I. F \<in> (A \<inter> f-``{m}) leadsTo
  29.360 +                    ((A \<inter> f-``(converse(r)``{m})) \<union> B) |]
  29.361        ==> F \<in> A leadsTo B"
  29.362  apply (rule_tac b = A in subst)
  29.363   defer 1
  29.364   apply (rule_tac I = I in leadsTo_UN)
  29.365 - apply (erule_tac I = I in leadsTo_wf_induct_aux, assumption+, best) 
  29.366 + apply (erule_tac I = I in leadsTo_wf_induct_aux, assumption+, best)
  29.367  done
  29.368  
  29.369  lemma nat_measure_field: "field(measure(nat, %x. x)) = nat"
  29.370 @@ -536,12 +536,12 @@
  29.371  done
  29.372  
  29.373  (*Alternative proof is via the lemma F \<in> (A \<inter> f-`(lessThan m)) leadsTo B*)
  29.374 -lemma lessThan_induct: 
  29.375 - "[| A<=f-``nat;  
  29.376 -     F \<in> program; st_set(A); st_set(B);  
  29.377 -     \<forall>m \<in> nat. F:(A \<inter> f-``{m}) leadsTo ((A \<inter> f -`` m) \<union> B) |]  
  29.378 +lemma lessThan_induct:
  29.379 + "[| A<=f-``nat;
  29.380 +     F \<in> program; st_set(A); st_set(B);
  29.381 +     \<forall>m \<in> nat. F:(A \<inter> f-``{m}) leadsTo ((A \<inter> f -`` m) \<union> B) |]
  29.382        ==> F \<in> A leadsTo B"
  29.383 -apply (rule_tac A1 = nat and f1 = "%x. x" in wf_measure [THEN leadsTo_wf_induct]) 
  29.384 +apply (rule_tac A1 = nat and f1 = "%x. x" in wf_measure [THEN leadsTo_wf_induct])
  29.385  apply (simp_all add: nat_measure_field)
  29.386  apply (simp add: ltI Image_inverse_lessThan vimage_def [symmetric])
  29.387  done
  29.388 @@ -586,17 +586,17 @@
  29.389  done
  29.390  
  29.391  (*Used in the Trans case below*)
  29.392 -lemma leadsTo_123_aux: 
  29.393 -   "[| B \<subseteq> A2;  
  29.394 -       F \<in> (A1 - B) co (A1 \<union> B);  
  29.395 -       F \<in> (A2 - C) co (A2 \<union> C) |]  
  29.396 +lemma leadsTo_123_aux:
  29.397 +   "[| B \<subseteq> A2;
  29.398 +       F \<in> (A1 - B) co (A1 \<union> B);
  29.399 +       F \<in> (A2 - C) co (A2 \<union> C) |]
  29.400      ==> F \<in> (A1 \<union> A2 - C) co (A1 \<union> A2 \<union> C)"
  29.401  apply (unfold constrains_def st_set_def, blast)
  29.402  done
  29.403  
  29.404  (*Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress"*)
  29.405  (* slightly different from the HOL one \<in> B here is bounded *)
  29.406 -lemma leadsTo_123: "F \<in> A leadsTo A'  
  29.407 +lemma leadsTo_123: "F \<in> A leadsTo A'
  29.408        ==> \<exists>B \<in> Pow(state). A<=B & F \<in> B leadsTo A' & F \<in> (B-A') co (B \<union> A')"
  29.409  apply (frule leadsToD2)
  29.410  apply (erule leadsTo_induct)
  29.411 @@ -612,7 +612,7 @@
  29.412  defer 1
  29.413  apply (rule AC_ball_Pi, safe)
  29.414  apply (rotate_tac 1)
  29.415 -apply (drule_tac x = x in bspec, blast, blast) 
  29.416 +apply (drule_tac x = x in bspec, blast, blast)
  29.417  apply (rule_tac x = "\<Union>A \<in> S. y`A" in bexI, safe)
  29.418  apply (rule_tac [3] I1 = S in constrains_UN [THEN constrains_weaken])
  29.419  apply (rule_tac [2] leadsTo_Union)
  29.420 @@ -633,13 +633,13 @@
  29.421  
  29.422  subsection{*Completion: Binary and General Finite versions*}
  29.423  
  29.424 -lemma completion_aux: "[| W = wlt(F, (B' \<union> C));      
  29.425 -       F \<in> A leadsTo (A' \<union> C);  F \<in> A' co (A' \<union> C);    
  29.426 -       F \<in> B leadsTo (B' \<union> C);  F \<in> B' co (B' \<union> C) |]  
  29.427 +lemma completion_aux: "[| W = wlt(F, (B' \<union> C));
  29.428 +       F \<in> A leadsTo (A' \<union> C);  F \<in> A' co (A' \<union> C);
  29.429 +       F \<in> B leadsTo (B' \<union> C);  F \<in> B' co (B' \<union> C) |]
  29.430      ==> F \<in> (A \<inter> B) leadsTo ((A' \<inter> B') \<union> C)"
  29.431  apply (subgoal_tac "st_set (C) &st_set (W) &st_set (W-C) &st_set (A') &st_set (A) & st_set (B) & st_set (B') & F \<in> program")
  29.432 - prefer 2 
  29.433 - apply simp 
  29.434 + prefer 2
  29.435 + apply simp
  29.436   apply (blast dest!: leadsToD2)
  29.437  apply (subgoal_tac "F \<in> (W-C) co (W \<union> B' \<union> C) ")
  29.438   prefer 2
  29.439 @@ -668,9 +668,9 @@
  29.440  lemmas completion = refl [THEN completion_aux]
  29.441  
  29.442  lemma finite_completion_aux:
  29.443 -     "[| I \<in> Fin(X); F \<in> program; st_set(C) |] ==>  
  29.444 -       (\<forall>i \<in> I. F \<in> (A(i)) leadsTo (A'(i) \<union> C)) \<longrightarrow>   
  29.445 -                     (\<forall>i \<in> I. F \<in> (A'(i)) co (A'(i) \<union> C)) \<longrightarrow>  
  29.446 +     "[| I \<in> Fin(X); F \<in> program; st_set(C) |] ==>
  29.447 +       (\<forall>i \<in> I. F \<in> (A(i)) leadsTo (A'(i) \<union> C)) \<longrightarrow>
  29.448 +                     (\<forall>i \<in> I. F \<in> (A'(i)) co (A'(i) \<union> C)) \<longrightarrow>
  29.449                     F \<in> (\<Inter>i \<in> I. A(i)) leadsTo ((\<Inter>i \<in> I. A'(i)) \<union> C)"
  29.450  apply (erule Fin_induct)
  29.451  apply (auto simp add: Inter_0)
  29.452 @@ -679,16 +679,16 @@
  29.453  apply (blast intro: constrains_INT)
  29.454  done
  29.455  
  29.456 -lemma finite_completion: 
  29.457 -     "[| I \<in> Fin(X);   
  29.458 -         !!i. i \<in> I ==> F \<in> A(i) leadsTo (A'(i) \<union> C);  
  29.459 -         !!i. i \<in> I ==> F \<in> A'(i) co (A'(i) \<union> C); F \<in> program; st_set(C)|]    
  29.460 +lemma finite_completion:
  29.461 +     "[| I \<in> Fin(X);
  29.462 +         !!i. i \<in> I ==> F \<in> A(i) leadsTo (A'(i) \<union> C);
  29.463 +         !!i. i \<in> I ==> F \<in> A'(i) co (A'(i) \<union> C); F \<in> program; st_set(C)|]
  29.464        ==> F \<in> (\<Inter>i \<in> I. A(i)) leadsTo ((\<Inter>i \<in> I. A'(i)) \<union> C)"
  29.465  by (blast intro: finite_completion_aux [THEN mp, THEN mp])
  29.466  
  29.467 -lemma stable_completion: 
  29.468 -     "[| F \<in> A leadsTo A';  F \<in> stable(A');    
  29.469 -         F \<in> B leadsTo B';  F \<in> stable(B') |]  
  29.470 +lemma stable_completion:
  29.471 +     "[| F \<in> A leadsTo A';  F \<in> stable(A');
  29.472 +         F \<in> B leadsTo B';  F \<in> stable(B') |]
  29.473      ==> F \<in> (A \<inter> B) leadsTo (A' \<inter> B')"
  29.474  apply (unfold stable_def)
  29.475  apply (rule_tac C1 = 0 in completion [THEN leadsTo_weaken_R], simp+)
  29.476 @@ -696,15 +696,15 @@
  29.477  done
  29.478  
  29.479  
  29.480 -lemma finite_stable_completion: 
  29.481 -     "[| I \<in> Fin(X);  
  29.482 -         (!!i. i \<in> I ==> F \<in> A(i) leadsTo A'(i));  
  29.483 -         (!!i. i \<in> I ==> F \<in> stable(A'(i)));  F \<in> program |]  
  29.484 +lemma finite_stable_completion:
  29.485 +     "[| I \<in> Fin(X);
  29.486 +         (!!i. i \<in> I ==> F \<in> A(i) leadsTo A'(i));
  29.487 +         (!!i. i \<in> I ==> F \<in> stable(A'(i)));  F \<in> program |]
  29.488        ==> F \<in> (\<Inter>i \<in> I. A(i)) leadsTo (\<Inter>i \<in> I. A'(i))"
  29.489  apply (unfold stable_def)
  29.490  apply (subgoal_tac "st_set (\<Inter>i \<in> I. A' (i))")
  29.491  prefer 2 apply (blast dest: leadsToD2)
  29.492 -apply (rule_tac C1 = 0 in finite_completion [THEN leadsTo_weaken_R], auto) 
  29.493 +apply (rule_tac C1 = 0 in finite_completion [THEN leadsTo_weaken_R], auto)
  29.494  done
  29.495  
  29.496  end
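--- a/src/ZF/WF.thy	Thu Mar 15 15:54:22 2012 +0000
+++ b/src/ZF/WF.thy	Thu Mar 15 16:35:02 2012 +0000
@@ -21,7 +21,7 @@
 definition
   wf           :: "i=>o"  where
     (*r is a well-founded relation*)
-    "wf(r) == \<forall>Z. Z=0 | (\<exists>x\<in>Z. \<forall>y. <y,x>:r \<longrightarrow> ~ y:Z)"
+    "wf(r) == \<forall>Z. Z=0 | (\<exists>x\<in>Z. \<forall>y. <y,x>:r \<longrightarrow> ~ y \<in> Z)"
 
 definition
   wf_on        :: "[i,i]=>o"                      ("wf[_]'(_')")  where
@@ -80,7 +80,7 @@
 text{*If every non-empty subset of @{term A} has an @{term r}-minimal element
    then we have @{term "wf[A](r)"}.*}
 lemma wf_onI:
- assumes prem: "!!Z u. [| Z<=A;  u:Z;  \<forall>x\<in>Z. \<exists>y\<in>Z. <y,x>:r |] ==> False"
+ assumes prem: "!!Z u. [| Z<=A;  u \<in> Z;  \<forall>x\<in>Z. \<exists>y\<in>Z. <y,x>:r |] ==> False"
  shows         "wf[A](r)"
 apply (unfold wf_on_def wf_def)
 apply (rule equals0I [THEN disjCI, THEN allI])
@@ -89,10 +89,10 @@
 
 text{*If @{term r} allows well-founded induction over @{term A}
    then we have @{term "wf[A](r)"}.   Premise is equivalent to
-  @{prop "!!B. \<forall>x\<in>A. (\<forall>y. <y,x>: r \<longrightarrow> y:B) \<longrightarrow> x:B ==> A<=B"} *}
+  @{prop "!!B. \<forall>x\<in>A. (\<forall>y. <y,x>: r \<longrightarrow> y \<in> B) \<longrightarrow> x \<in> B ==> A<=B"} *}
 lemma wf_onI2:
- assumes prem: "!!y B. [| \<forall>x\<in>A. (\<forall>y\<in>A. <y,x>:r \<longrightarrow> y:B) \<longrightarrow> x:B;   y:A |]
-                       ==> y:B"
+ assumes prem: "!!y B. [| \<forall>x\<in>A. (\<forall>y\<in>A. <y,x>:r \<longrightarrow> y \<in> B) \<longrightarrow> x \<in> B;   y \<in> A |]
+                       ==> y \<in> B"
  shows         "wf[A](r)"
 apply (rule wf_onI)
 apply (rule_tac c=u in prem [THEN DiffE])
@@ -118,10 +118,10 @@
 
 text{*The form of this rule is designed to match @{text wfI}*}
 lemma wf_induct2:
-    "[| wf(r);  a:A;  field(r)<=A;
-        !!x.[| x: A;  \<forall>y. <y,x>: r \<longrightarrow> P(y) |] ==> P(x) |]
+    "[| wf(r);  a \<in> A;  field(r)<=A;
+        !!x.[| x \<in> A;  \<forall>y. <y,x>: r \<longrightarrow> P(y) |] ==> P(x) |]
      ==>  P(a)"
-apply (erule_tac P="a:A" in rev_mp)
+apply (erule_tac P="a \<in> A" in rev_mp)
 apply (erule_tac a=a in wf_induct, blast)
 done
 
@@ -129,8 +129,8 @@
 by blast
 
 lemma wf_on_induct [consumes 2, induct set: wf_on]:
-    "[| wf[A](r);  a:A;
-        !!x.[| x: A;  \<forall>y\<in>A. <y,x>: r \<longrightarrow> P(y) |] ==> P(x)
+    "[| wf[A](r);  a \<in> A;
+        !!x.[| x \<in> A;  \<forall>y\<in>A. <y,x>: r \<longrightarrow> P(y) |] ==> P(x)
      |]  ==>  P(a)"
 apply (unfold wf_on_def)
 apply (erule wf_induct2, assumption)
@@ -145,8 +145,8 @@
    then we have @{term "wf(r)"}.*}
 lemma wfI:
     "[| field(r)<=A;
-        !!y B. [| \<forall>x\<in>A. (\<forall>y\<in>A. <y,x>:r \<longrightarrow> y:B) \<longrightarrow> x:B;  y:A|]
-               ==> y:B |]
+        !!y B. [| \<forall>x\<in>A. (\<forall>y\<in>A. <y,x>:r \<longrightarrow> y \<in> B) \<longrightarrow> x \<in> B;  y \<in> A|]
+               ==> y \<in> B |]
      ==>  wf(r)"
 apply (rule wf_on_subset_A [THEN wf_on_field_imp_wf])
 apply (rule wf_onI2)
@@ -166,11 +166,11 @@
 (* @{term"[| wf(r);  <a,x> \<in> r;  ~P ==> <x,a> \<in> r |] ==> P"} *)
 lemmas wf_asym = wf_not_sym [THEN swap]
 
-lemma wf_on_not_refl: "[| wf[A](r); a: A |] ==> <a,a> \<notin> r"
+lemma wf_on_not_refl: "[| wf[A](r); a \<in> A |] ==> <a,a> \<notin> r"
 by (erule_tac a=a in wf_on_induct, assumption, blast)
 
 lemma wf_on_not_sym [rule_format]:
-     "[| wf[A](r);  a:A |] ==> \<forall>b\<in>A. <a,b>:r \<longrightarrow> <b,a>\<notin>r"
+     "[| wf[A](r);  a \<in> A |] ==> \<forall>b\<in>A. <a,b>:r \<longrightarrow> <b,a>\<notin>r"
 apply (erule_tac a=a in wf_on_induct, assumption, blast)
 done
 
@@ -183,7 +183,7 @@
 (*Needed to prove well_ordI.  Could also reason that wf[A](r) means
   wf(r \<inter> A*A);  thus wf( (r \<inter> A*A)^+ ) and use wf_not_refl *)
 lemma wf_on_chain3:
-     "[| wf[A](r); <a,b>:r; <b,c>:r; <c,a>:r; a:A; b:A; c:A |] ==> P"
+     "[| wf[A](r); <a,b>:r; <b,c>:r; <c,a>:r; a \<in> A; b \<in> A; c \<in> A |] ==> P"
 apply (subgoal_tac "\<forall>y\<in>A. \<forall>z\<in>A. <a,y>:r \<longrightarrow> <y,z>:r \<longrightarrow> <z,a>:r \<longrightarrow> P",
        blast)
 apply (erule_tac a=a in wf_on_induct, assumption, blast)
@@ -218,7 +218,7 @@
 
 subsection{*The Predicate @{term is_recfun}*}
 
-lemma is_recfun_type: "is_recfun(r,a,H,f) ==> f: r-``{a} -> range(f)"
+lemma is_recfun_type: "is_recfun(r,a,H,f) ==> f \<in> r-``{a} -> range(f)"
 apply (unfold is_recfun_def)
 apply (erule ssubst)
 apply (rule lamI [THEN rangeI, THEN lam_type], assumption)
@@ -345,8 +345,8 @@
 done
 
 lemma wfrec_type:
-    "[| wf(r);  a:A;  field(r)<=A;
-        !!x u. [| x: A;  u: Pi(r-``{x}, B) |] ==> H(x,u) \<in> B(x)
+    "[| wf(r);  a \<in> A;  field(r)<=A;
+        !!x u. [| x \<in> A;  u \<in> Pi(r-``{x}, B) |] ==> H(x,u) \<in> B(x)
      |] ==> wfrec(r,a,H) \<in> B(a)"
 apply (rule_tac a = a in wf_induct2, assumption+)
 apply (subst wfrec, assumption)
@@ -355,7 +355,7 @@
 
 
 lemma wfrec_on:
- "[| wf[A](r);  a: A |] ==>
+ "[| wf[A](r);  a \<in> A |] ==>
          wfrec[A](r,a,H) = H(a, \<lambda>x\<in>(r-``{a}) \<inter> A. wfrec[A](r,x,H))"
 apply (unfold wf_on_def wfrec_on_def)
 apply (erule wfrec [THEN trans])
@@ -364,7 +364,7 @@
 
 text{*Minimal-element characterization of well-foundedness*}
 lemma wf_eq_minimal:
-     "wf(r) \<longleftrightarrow> (\<forall>Q x. x:Q \<longrightarrow> (\<exists>z\<in>Q. \<forall>y. <y,z>:r \<longrightarrow> y\<notin>Q))"
+     "wf(r) \<longleftrightarrow> (\<forall>Q x. x \<in> Q \<longrightarrow> (\<exists>z\<in>Q. \<forall>y. <y,z>:r \<longrightarrow> y\<notin>Q))"
 by (unfold wf_def, blast)
 
 end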
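Review bot: The colon replacement in this section is partial, so several statements now mix both membership notations within one formula. In the `wf` definition `<y,x>:r` keeps the ASCII colon while `y:Z` on the same line becomes `y \<in> Z`; the same pattern is left in `wf_onI`, `wf_onI2`, `wf_induct2`, `wf_on_induct`, `wfI`, `wf_on_not_sym`, `wf_on_chain3` and `wf_eq_minimal`. Both spellings presumably denote the same membership relation, so this affects only how the definition reads, not what is proved. For the definition I would write `"wf(r) == \<forall>Z. Z=0 | (\<exists>x\<in>Z. \<forall>y. <y,x> \<in> r \<longrightarrow> ~ y \<in> Z)"` and treat the other pair-membership premises the same way; whether they were deliberately left for a later changeset cannot be told from this page.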
    31.1 --- a/src/ZF/ex/Group.thy	Thu Mar 15 15:54:22 2012 +0000
    31.2 +++ b/src/ZF/ex/Group.thy	Thu Mar 15 16:35:02 2012 +0000
    31.3 @@ -11,7 +11,7 @@
    31.4  subsection {* Monoids *}
    31.5  
    31.6  (*First, we must simulate a record declaration:
    31.7 -record monoid = 
    31.8 +record monoid =
    31.9    carrier :: i
   31.10    mult :: "[i,i] => i" (infixl "\<cdot>\<index>" 70)
   31.11    one :: i ("\<one>\<index>")
   31.12 @@ -41,7 +41,7 @@
   31.13    assumes m_closed [intro, simp]:
   31.14           "\<lbrakk>x \<in> carrier(G); y \<in> carrier(G)\<rbrakk> \<Longrightarrow> x \<cdot> y \<in> carrier(G)"
   31.15        and m_assoc:
   31.16 -         "\<lbrakk>x \<in> carrier(G); y \<in> carrier(G); z \<in> carrier(G)\<rbrakk> 
   31.17 +         "\<lbrakk>x \<in> carrier(G); y \<in> carrier(G); z \<in> carrier(G)\<rbrakk>
   31.18            \<Longrightarrow> (x \<cdot> y) \<cdot> z = x \<cdot> (y \<cdot> z)"
   31.19        and one_closed [intro, simp]: "\<one> \<in> carrier(G)"
   31.20        and l_one [simp]: "x \<in> carrier(G) \<Longrightarrow> \<one> \<cdot> x = x"
   31.21 @@ -61,13 +61,13 @@
   31.22    by (simp add: update_carrier_def)
   31.23  
   31.24  lemma carrier_update_carrier [simp]: "carrier(update_carrier(M,B)) = B"
   31.25 -  by (simp add: update_carrier_def) 
   31.26 +  by (simp add: update_carrier_def)
   31.27  
   31.28  lemma mult_update_carrier [simp]: "mmult(update_carrier(M,B),x,y) = mmult(M,x,y)"
   31.29 -  by (simp add: update_carrier_def mmult_def) 
   31.30 +  by (simp add: update_carrier_def mmult_def)
   31.31  
   31.32  lemma one_update_carrier [simp]: "one(update_carrier(M,B)) = one(M)"
   31.33 -  by (simp add: update_carrier_def one_def) 
   31.34 +  by (simp add: update_carrier_def one_def)
   31.35  
   31.36  
   31.37  lemma (in monoid) inv_unique:
   31.38 @@ -109,7 +109,7 @@
   31.39    proof
   31.40      fix x y z
   31.41      assume G: "x \<in> carrier(G)"  "y \<in> carrier(G)"  "z \<in> carrier(G)"
   31.42 -    { 
   31.43 +    {
   31.44        assume eq: "x \<cdot> y = x \<cdot> z"
   31.45        with G l_inv_ex obtain x_inv where xG: "x_inv \<in> carrier(G)"
   31.46          and l_inv: "x_inv \<cdot> x = \<one>" by fast
   31.47 @@ -147,15 +147,15 @@
   31.48        by (fast intro: l_inv r_inv)
   31.49    qed
   31.50    show ?thesis
   31.51 -    by (blast intro: group.intro monoid.intro group_axioms.intro 
   31.52 +    by (blast intro: group.intro monoid.intro group_axioms.intro
   31.53                       assms r_one inv_ex)
   31.54  qed
   31.55  
   31.56  lemma (in group) inv [simp]:
   31.57    "x \<in> carrier(G) \<Longrightarrow> inv x \<in> carrier(G) & inv x \<cdot> x = \<one> & x \<cdot> inv x = \<one>"
   31.58 -  apply (frule inv_ex) 
   31.59 +  apply (frule inv_ex)
   31.60    apply (unfold Bex_def m_inv_def)
   31.61 -  apply (erule exE) 
   31.62 +  apply (erule exE)
   31.63    apply (rule theI)
   31.64    apply (rule ex1I, assumption)
   31.65     apply (blast intro: inv_unique)
   31.66 @@ -221,10 +221,10 @@
   31.67  
   31.68  lemma (in group) inv_one [simp]:
   31.69    "inv \<one> = \<one>"
   31.70 -  by (auto intro: inv_equality) 
   31.71 +  by (auto intro: inv_equality)
   31.72  
   31.73  lemma (in group) inv_inv [simp]: "x \<in> carrier(G) \<Longrightarrow> inv (inv x) = x"
   31.74 -  by (auto intro: inv_equality) 
   31.75 +  by (auto intro: inv_equality)
   31.76  
   31.77  text{*This proof is by cancellation*}
   31.78  lemma (in group) inv_mult_group:
   31.79 @@ -360,7 +360,7 @@
   31.80  
   31.81  lemma (in group) hom_compose:
   31.82       "\<lbrakk>h \<in> hom(G,H); i \<in> hom(H,I)\<rbrakk> \<Longrightarrow> i O h \<in> hom(G,I)"
   31.83 -by (force simp add: hom_def comp_fun) 
   31.84 +by (force simp add: hom_def comp_fun)
   31.85  
   31.86  lemma hom_is_fun:
   31.87    "h \<in> hom(G,H) \<Longrightarrow> h \<in> carrier(G) -> carrier(H)"
   31.88 @@ -374,19 +374,19 @@
   31.89    "G \<cong> H == hom(G,H) \<inter> bij(carrier(G), carrier(H))"
   31.90  
   31.91  lemma (in group) iso_refl: "id(carrier(G)) \<in> G \<cong> G"
   31.92 -  by (simp add: iso_def hom_def id_type id_bij) 
   31.93 +  by (simp add: iso_def hom_def id_type id_bij)
   31.94  
   31.95  
   31.96  lemma (in group) iso_sym:
   31.97       "h \<in> G \<cong> H \<Longrightarrow> converse(h) \<in> H \<cong> G"
   31.98 -apply (simp add: iso_def bij_converse_bij, clarify) 
   31.99 -apply (subgoal_tac "converse(h) \<in> carrier(H) \<rightarrow> carrier(G)") 
  31.100 - prefer 2 apply (simp add: bij_converse_bij bij_is_fun) 
  31.101 -apply (auto intro: left_inverse_eq [of _ "carrier(G)" "carrier(H)"] 
  31.102 -            simp add: hom_def bij_is_inj right_inverse_bij); 
  31.103 +apply (simp add: iso_def bij_converse_bij, clarify)
  31.104 +apply (subgoal_tac "converse(h) \<in> carrier(H) \<rightarrow> carrier(G)")
  31.105 + prefer 2 apply (simp add: bij_converse_bij bij_is_fun)
  31.106 +apply (auto intro: left_inverse_eq [of _ "carrier(G)" "carrier(H)"]
  31.107 +            simp add: hom_def bij_is_inj right_inverse_bij);
  31.108  done
  31.109  
  31.110 -lemma (in group) iso_trans: 
  31.111 +lemma (in group) iso_trans:
  31.112       "\<lbrakk>h \<in> G \<cong> H; i \<in> H \<cong> I\<rbrakk> \<Longrightarrow> i O h \<in> G \<cong> I"
  31.113    by (auto simp add: iso_def hom_compose comp_bij)
  31.114  
  31.115 @@ -408,7 +408,7 @@
  31.116    interpret group H by fact
  31.117    interpret group I by fact
  31.118    show ?thesis
  31.119 -    by (auto intro: lam_type simp add: iso_def hom_def inj_def surj_def bij_def) 
  31.120 +    by (auto intro: lam_type simp add: iso_def hom_def inj_def surj_def bij_def)
  31.121  qed
  31.122  
  31.123  text{*Basis for homomorphism proofs: we assume two groups @{term G} and
  31.124 @@ -482,7 +482,7 @@
  31.125  
  31.126  
  31.127  lemma (in group) subgroup_self: "subgroup (carrier(G),G)"
  31.128 -by (simp add: subgroup_def) 
  31.129 +by (simp add: subgroup_def)
  31.130  
  31.131  lemma (in group) subgroup_imp_group:
  31.132    "subgroup(H,G) \<Longrightarrow> group (update_carrier(G,H))"
  31.133 @@ -512,8 +512,8 @@
  31.134  
  31.135  theorem group_BijGroup: "group(BijGroup(S))"
  31.136  apply (simp add: BijGroup_def)
  31.137 -apply (rule groupI) 
  31.138 -    apply (simp_all add: id_bij comp_bij comp_assoc) 
  31.139 +apply (rule groupI)
  31.140 +    apply (simp_all add: id_bij comp_bij comp_assoc)
  31.141   apply (simp add: id_bij bij_is_fun left_comp_id [of _ S S] fun_is_rel)
  31.142  apply (blast intro: left_comp_inverse bij_is_inj bij_converse_bij)
  31.143  done
  31.144 @@ -521,14 +521,14 @@
  31.145  
  31.146  subsection{*Automorphisms Form a Group*}
  31.147  
  31.148 -lemma Bij_Inv_mem: "\<lbrakk>f \<in> bij(S,S);  x \<in> S\<rbrakk> \<Longrightarrow> converse(f) ` x \<in> S" 
  31.149 +lemma Bij_Inv_mem: "\<lbrakk>f \<in> bij(S,S);  x \<in> S\<rbrakk> \<Longrightarrow> converse(f) ` x \<in> S"
  31.150  by (blast intro: apply_funtype bij_is_fun bij_converse_bij)
  31.151  
  31.152  lemma inv_BijGroup: "f \<in> bij(S,S) \<Longrightarrow> m_inv (BijGroup(S), f) = converse(f)"
  31.153  apply (rule group.inv_equality)
  31.154  apply (rule group_BijGroup)
  31.155 -apply (simp_all add: BijGroup_def bij_converse_bij 
  31.156 -          left_comp_inverse [OF bij_is_inj]) 
  31.157 +apply (simp_all add: BijGroup_def bij_converse_bij
  31.158 +          left_comp_inverse [OF bij_is_inj])
  31.159  done
  31.160  
  31.161  lemma iso_is_bij: "h \<in> G \<cong> H ==> h \<in> bij(carrier(G), carrier(H))"
  31.162 @@ -554,17 +554,17 @@
  31.163      by (auto simp add: auto_def BijGroup_def iso_def)
  31.164  next
  31.165    fix x y
  31.166 -  assume "x \<in> auto(G)" "y \<in> auto(G)" 
  31.167 +  assume "x \<in> auto(G)" "y \<in> auto(G)"
  31.168    thus "x \<cdot>\<^bsub>BijGroup (carrier(G))\<^esub> y \<in> auto(G)"
  31.169 -    by (auto simp add: BijGroup_def auto_def iso_def bij_is_fun 
  31.170 +    by (auto simp add: BijGroup_def auto_def iso_def bij_is_fun
  31.171                         group.hom_compose comp_bij)
  31.172  next
  31.173    show "\<one>\<^bsub>BijGroup (carrier(G))\<^esub> \<in> auto(G)" by (simp add:  BijGroup_def id_in_auto)
  31.174  next
  31.175 -  fix x 
  31.176 -  assume "x \<in> auto(G)" 
  31.177 +  fix x
  31.178 +  assume "x \<in> auto(G)"
  31.179    thus "inv\<^bsub>BijGroup (carrier(G))\<^esub> x \<in> auto(G)"
  31.180 -    by (simp add: auto_def inv_BijGroup iso_is_bij iso_sym) 
  31.181 +    by (simp add: auto_def inv_BijGroup iso_is_bij iso_sym)
  31.182  qed
  31.183  
  31.184  theorem (in group) AutoGroup: "group (AutoGroup(G))"
  31.185 @@ -656,13 +656,13 @@
  31.186  lemma normal_imp_subgroup: "H \<lhd> G ==> subgroup(H,G)"
  31.187    by (simp add: normal_def subgroup_def)
  31.188  
  31.189 -lemma (in group) normalI: 
  31.190 +lemma (in group) normalI:
  31.191    "subgroup(H,G) \<Longrightarrow> (\<forall>x \<in> carrier(G). H #> x = x <# H) \<Longrightarrow> H \<lhd> G";
  31.192    by (simp add: normal_def normal_axioms_def)
  31.193  
  31.194  lemma (in normal) inv_op_closed1:
  31.195       "\<lbrakk>x \<in> carrier(G); h \<in> H\<rbrakk> \<Longrightarrow> (inv x) \<cdot> h \<cdot> x \<in> H"
  31.196 -apply (insert coset_eq) 
  31.197 +apply (insert coset_eq)
  31.198  apply (auto simp add: l_coset_def r_coset_def)
  31.199  apply (drule bspec, assumption)
  31.200  apply (drule equalityD1 [THEN subsetD], blast, clarify)
  31.201 @@ -672,9 +672,9 @@
  31.202  
  31.203  lemma (in normal) inv_op_closed2:
  31.204       "\<lbrakk>x \<in> carrier(G); h \<in> H\<rbrakk> \<Longrightarrow> x \<cdot> h \<cdot> (inv x) \<in> H"
  31.205 -apply (subgoal_tac "inv (inv x) \<cdot> h \<cdot> (inv x) \<in> H") 
  31.206 -apply simp 
  31.207 -apply (blast intro: inv_op_closed1) 
  31.208 +apply (subgoal_tac "inv (inv x) \<cdot> h \<cdot> (inv x) \<in> H")
  31.209 +apply simp
  31.210 +apply (blast intro: inv_op_closed1)
  31.211  done
  31.212  
  31.213  text{*Alternative characterization of normal subgroups*}
  31.214 @@ -685,12 +685,12 @@
  31.215  proof
  31.216    assume N: "N \<lhd> G"
  31.217    show ?rhs
  31.218 -    by (blast intro: N normal.inv_op_closed2 normal_imp_subgroup) 
  31.219 +    by (blast intro: N normal.inv_op_closed2 normal_imp_subgroup)
  31.220  next
  31.221    assume ?rhs
  31.222 -  hence sg: "subgroup(N,G)" 
  31.223 +  hence sg: "subgroup(N,G)"
  31.224      and closed: "\<And>x. x\<in>carrier(G) \<Longrightarrow> \<forall>h\<in>N. x \<cdot> h \<cdot> inv x \<in> N" by auto
  31.225 -  hence sb: "N \<subseteq> carrier(G)" by (simp add: subgroup.subset) 
  31.226 +  hence sb: "N \<subseteq> carrier(G)" by (simp add: subgroup.subset)
  31.227    show "N \<lhd> G"
  31.228    proof (intro normalI [OF sg], simp add: l_coset_def r_coset_def, clarify)
  31.229      fix x
  31.230 @@ -700,9 +700,9 @@
  31.231        show "(\<Union>h\<in>N. {h \<cdot> x}) \<subseteq> (\<Union>h\<in>N. {x \<cdot> h})"
  31.232        proof clarify
  31.233          fix n
  31.234 -        assume n: "n \<in> N" 
  31.235 +        assume n: "n \<in> N"
  31.236          show "n \<cdot> x \<in> (\<Union>h\<in>N. {x \<cdot> h})"
  31.237 -        proof (rule UN_I) 
  31.238 +        proof (rule UN_I)
  31.239            from closed [of "inv x"]
  31.240            show "inv x \<cdot> n \<cdot> x \<in> N" by (simp add: x n)
  31.241            show "n \<cdot> x \<in> {x \<cdot> (inv x \<cdot> n \<cdot> x)}"
  31.242 @@ -713,9 +713,9 @@
  31.243        show "(\<Union>h\<in>N. {x \<cdot> h}) \<subseteq> (\<Union>h\<in>N. {h \<cdot> x})"
  31.244        proof clarify
  31.245          fix n
  31.246 -        assume n: "n \<in> N" 
  31.247 +        assume n: "n \<in> N"
  31.248          show "x \<cdot> n \<in> (\<Union>h\<in>N. {h \<cdot> x})"
  31.249 -        proof (rule UN_I) 
  31.250 +        proof (rule UN_I)
  31.251            show "x \<cdot> n \<cdot> inv x \<in> N" by (simp add: x n closed)
  31.252            show "x \<cdot> n \<in> {x \<cdot> n \<cdot> inv x \<cdot> x}"
  31.253              by (simp add: x n m_assoc sb [THEN subsetD])
  31.254 @@ -779,7 +779,7 @@
  31.255  by (auto simp add: set_mult_def subsetD)
  31.256  
  31.257  lemma (in group) subgroup_mult_id: "subgroup(H,G) \<Longrightarrow> H <#> H = H"
  31.258 -apply (rule equalityI) 
  31.259 +apply (rule equalityI)
  31.260  apply (auto simp add: subgroup.m_closed set_mult_def Sigma_def image_def)
  31.261  apply (rule_tac x = x in bexI)
  31.262  apply (rule bexI [of _ "\<one>"])
  31.263 @@ -870,15 +870,15 @@
  31.264    interpret group G by fact
  31.265    show ?thesis proof (simp add: equiv_def, intro conjI)
  31.266      show "rcong H \<subseteq> carrier(G) \<times> carrier(G)"
  31.267 -      by (auto simp add: r_congruent_def) 
  31.268 +      by (auto simp add: r_congruent_def)
  31.269    next
  31.270      show "refl (carrier(G), rcong H)"
  31.271 -      by (auto simp add: r_congruent_def refl_def) 
  31.272 +      by (auto simp add: r_congruent_def refl_def)
  31.273    next
  31.274      show "sym (rcong H)"
  31.275      proof (simp add: r_congruent_def sym_def, clarify)
  31.276        fix x y
  31.277 -      assume [simp]: "x \<in> carrier(G)" "y \<in> carrier(G)" 
  31.278 +      assume [simp]: "x \<in> carrier(G)" "y \<in> carrier(G)"
  31.279          and "inv x \<cdot> y \<in> H"
  31.280        hence "inv (inv x \<cdot> y) \<in> H" by simp
  31.281        thus "inv y \<cdot> x \<in> H" by (simp add: inv_mult_group)
  31.282 @@ -890,7 +890,7 @@
  31.283        assume [simp]: "x \<in> carrier(G)" "y \<in> carrier(G)" "z \<in> carrier(G)"
  31.284          and "inv x \<cdot> y \<in> H" and "inv y \<cdot> z \<in> H"
  31.285        hence "(inv x \<cdot> y) \<cdot> (inv y \<cdot> z) \<in> H" by simp
  31.286 -      hence "inv x \<cdot> (y \<cdot> inv y) \<cdot> z \<in> H" by (simp add: m_assoc del: inv) 
  31.287 +      hence "inv x \<cdot> (y \<cdot> inv y) \<cdot> z \<in> H" by (simp add: m_assoc del: inv)
  31.288        thus "inv x \<cdot> z \<in> H" by simp
  31.289      qed
  31.290    qed
  31.291 @@ -902,18 +902,18 @@
  31.292  lemma (in subgroup) l_coset_eq_rcong:
  31.293    assumes "group(G)"
  31.294    assumes a: "a \<in> carrier(G)"
  31.295 -  shows "a <# H = (rcong H) `` {a}" 
  31.296 +  shows "a <# H = (rcong H) `` {a}"
  31.297  proof -
  31.298    interpret group G by fact
  31.299    show ?thesis
  31.300      by (force simp add: r_congruent_def l_coset_def m_assoc [symmetric] a
  31.301 -      Collect_image_eq) 
  31.302 +      Collect_image_eq)
  31.303  qed
  31.304  
  31.305  lemma (in group) rcos_equation:
  31.306    assumes "subgroup(H, G)"
  31.307    shows
  31.308 -     "\<lbrakk>ha \<cdot> a = h \<cdot> b; a \<in> carrier(G);  b \<in> carrier(G);  
  31.309 +     "\<lbrakk>ha \<cdot> a = h \<cdot> b; a \<in> carrier(G);  b \<in> carrier(G);
  31.310          h \<in> H;  ha \<in> H;  hb \<in> H\<rbrakk>
  31.311        \<Longrightarrow> hb \<cdot> a \<in> (\<Union>h\<in>H. {h \<cdot> b})" (is "PROP ?P")
  31.312  proof -
  31.313 @@ -982,15 +982,15 @@
  31.314    show "|H #> a| = |H|"
  31.315    proof (rule eqpollI [THEN cardinal_cong])
  31.316      show "H #> a \<lesssim> H"
  31.317 -    proof (simp add: lepoll_def, intro exI) 
  31.318 +    proof (simp add: lepoll_def, intro exI)
  31.319        show "(\<lambda>y \<in> H#>a. y \<cdot> inv a) \<in> inj(H #> a, H)"
  31.320 -        by (auto intro: lam_type 
  31.321 +        by (auto intro: lam_type
  31.322                   simp add: inj_def r_coset_def m_assoc subsetD [OF H] a)
  31.323      qed
  31.324      show "H \<lesssim> H #> a"
  31.325 -    proof (simp add: lepoll_def, intro exI) 
  31.326 +    proof (simp add: lepoll_def, intro exI)
  31.327        show "(\<lambda>y\<in> H. y \<cdot> a) \<in> inj(H, H #> a)"
  31.328 -        by (auto intro: lam_type 
  31.329 +        by (auto intro: lam_type
  31.330                   simp add: inj_def r_coset_def  subsetD [OF H] a)
  31.331      qed
  31.332    qed
  31.333 @@ -1021,7 +1021,7 @@
  31.334  definition
  31.335    FactGroup :: "[i,i] => i" (infixl "Mod" 65) where
  31.336      --{*Actually defined for groups rather than monoids*}
  31.337 -  "G Mod H == 
  31.338 +  "G Mod H ==
  31.339       <rcosets\<^bsub>G\<^esub> H, \<lambda><K1,K2> \<in> (rcosets\<^bsub>G\<^esub> H) \<times> (rcosets\<^bsub>G\<^esub> H). K1 <#>\<^bsub>G\<^esub> K2, H, 0>"
  31.340  
  31.341  lemma (in normal) setmult_closed:
  31.342 @@ -1066,7 +1066,7 @@
  31.343  
  31.344  lemma (in normal) inv_FactGroup:
  31.345       "X \<in> carrier (G Mod H) \<Longrightarrow> inv\<^bsub>G Mod H\<^esub> X = set_inv X"
  31.346 -apply (rule group.inv_equality [OF factorgroup_is_group]) 
  31.347 +apply (rule group.inv_equality [OF factorgroup_is_group])
  31.348  apply (simp_all add: FactGroup_def setinv_closed rcosets_inv_mult_group_eq)
  31.349  done
  31.350  
  31.351 @@ -1074,12 +1074,12 @@
  31.352    @{term "G Mod H"}*}
  31.353  lemma (in normal) r_coset_hom_Mod:
  31.354    "(\<lambda>a \<in> carrier(G). H #> a) \<in> hom(G, G Mod H)"
  31.355 -by (auto simp add: FactGroup_def RCOSETS_def hom_def rcos_sum intro: lam_type) 
  31.356 +by (auto simp add: FactGroup_def RCOSETS_def hom_def rcos_sum intro: lam_type)
  31.357  
  31.358  
  31.359  subsection{*The First Isomorphism Theorem*}
  31.360  
  31.361 -text{*The quotient by the kernel of a homomorphism is isomorphic to the 
  31.362 +text{*The quotient by the kernel of a homomorphism is isomorphic to the
  31.363    range of that homomorphism.*}
  31.364  
  31.365  definition
  31.366 @@ -1088,14 +1088,14 @@
  31.367    "kernel(G,H,h) == {x \<in> carrier(G). h ` x = \<one>\<^bsub>H\<^esub>}";
  31.368  
  31.369  lemma (in group_hom) subgroup_kernel: "subgroup (kernel(G,H,h), G)"
  31.370 -apply (rule subgroup.intro) 
  31.371 +apply (rule subgroup.intro)
  31.372  apply (auto simp add: kernel_def group.intro)
  31.373  done
  31.374  
  31.375  text{*The kernel of a homomorphism is a normal subgroup*}
  31.376  lemma (in group_hom) normal_kernel: "(kernel(G,H,h)) \<lhd> G"
  31.377  apply (simp add: group.normal_inv_iff subgroup_kernel group.intro)
  31.378 -apply (simp add: kernel_def)  
  31.379 +apply (simp add: kernel_def)
  31.380  done
  31.381  
  31.382  lemma (in group_hom) FactGroup_nonempty:
  31.383 @@ -1103,10 +1103,10 @@
  31.384    shows "X \<noteq> 0"
  31.385  proof -
  31.386    from X
  31.387 -  obtain g where "g \<in> carrier(G)" 
  31.388 +  obtain g where "g \<in> carrier(G)"
  31.389               and "X = kernel(G,H,h) #> g"
  31.390      by (auto simp add: FactGroup_def RCOSETS_def)
  31.391 -  thus ?thesis 
  31.392 +  thus ?thesis
  31.393     by (auto simp add: kernel_def r_coset_def image_def intro: hom_one)
  31.394  qed
  31.395  
  31.396 @@ -1116,46 +1116,46 @@
  31.397    shows "contents (h``X) \<in> carrier(H)"
  31.398  proof -
  31.399    from X
  31.400 -  obtain g where g: "g \<in> carrier(G)" 
  31.401 +  obtain g where g: "g \<in> carrier(G)"
  31.402               and "X = kernel(G,H,h) #> g"
  31.403      by (auto simp add: FactGroup_def RCOSETS_def)
  31.404    hence "h `` X = {h ` g}"
  31.405 -    by (auto simp add: kernel_def r_coset_def image_UN 
  31.406 +    by (auto simp add: kernel_def r_coset_def image_UN
  31.407                         image_eq_UN [OF hom_is_fun] g)
  31.408    thus ?thesis by (auto simp add: g)
  31.409  qed
  31.410  
  31.411  lemma mult_FactGroup:
  31.412 -     "[|X \<in> carrier(G Mod H); X' \<in> carrier(G Mod H)|] 
  31.413 +     "[|X \<in> carrier(G Mod H); X' \<in> carrier(G Mod H)|]
  31.414        ==> X \<cdot>\<^bsub>(G Mod H)\<^esub> X' = X <#>\<^bsub>G\<^esub> X'"
  31.415 -by (simp add: FactGroup_def) 
  31.416 +by (simp add: FactGroup_def)
  31.417  
  31.418  lemma (in normal) FactGroup_m_closed:
  31.419 -     "[|X \<in> carrier(G Mod H); X' \<in> carrier(G Mod H)|] 
  31.420 +     "[|X \<in> carrier(G Mod H); X' \<in> carrier(G Mod H)|]
  31.421        ==> X <#>\<^bsub>G\<^esub> X' \<in> carrier(G Mod H)"
  31.422 -by (simp add: FactGroup_def setmult_closed) 
  31.423 +by (simp add: FactGroup_def setmult_closed)
  31.424  
  31.425  lemma (in group_hom) FactGroup_hom:
  31.426       "(\<lambda>X \<in> carrier(G Mod (kernel(G,H,h))). contents (h``X))
  31.427 -      \<in> hom (G Mod (kernel(G,H,h)), H)" 
  31.428 -proof (simp add: hom_def FactGroup_contents_mem lam_type mult_FactGroup normal.FactGroup_m_closed [OF normal_kernel], intro ballI)  
  31.429 +      \<in> hom (G Mod (kernel(G,H,h)), H)"
  31.430 +proof (simp add: hom_def FactGroup_contents_mem lam_type mult_FactGroup normal.FactGroup_m_closed [OF normal_kernel], intro ballI)
  31.431    fix X and X'
  31.432    assume X:  "X  \<in> carrier (G Mod kernel(G,H,h))"
  31.433       and X': "X' \<in> carrier (G Mod kernel(G,H,h))"
  31.434    then
  31.435    obtain g and g'
  31.436 -           where "g \<in> carrier(G)" and "g' \<in> carrier(G)" 
  31.437 +           where "g \<in> carrier(G)" and "g' \<in> carrier(G)"
  31.438               and "X = kernel(G,H,h) #> g" and "X' = kernel(G,H,h) #> g'"
  31.439      by (auto simp add: FactGroup_def RCOSETS_def)
  31.440 -  hence all: "\<forall>x\<in>X. h ` x = h ` g" "\<forall>x\<in>X'. h ` x = h ` g'" 
  31.441 +  hence all: "\<forall>x\<in>X. h ` x = h ` g" "\<forall>x\<in>X'. h ` x = h ` g'"
  31.442      and Xsub: "X \<subseteq> carrier(G)" and X'sub: "X' \<subseteq> carrier(G)"
  31.443      by (force simp add: kernel_def r_coset_def image_def)+
  31.444    hence "h `` (X <#> X') = {h ` g \<cdot>\<^bsub>H\<^esub> h ` g'}" using X X'
  31.445      by (auto dest!: FactGroup_nonempty
  31.446               simp add: set_mult_def image_eq_UN [OF hom_is_fun] image_UN
  31.447 -                       subsetD [OF Xsub] subsetD [OF X'sub]) 
  31.448 +                       subsetD [OF Xsub] subsetD [OF X'sub])
  31.449    thus "contents (h `` (X <#> X')) = contents (h `` X) \<cdot>\<^bsub>H\<^esub> contents (h `` X')"
  31.450 -    by (simp add: all image_eq_UN [OF hom_is_fun] FactGroup_nonempty 
  31.451 +    by (simp add: all image_eq_UN [OF hom_is_fun] FactGroup_nonempty
  31.452                    X X' Xsub X'sub)
  31.453  qed
  31.454  
  31.455 @@ -1165,21 +1165,21 @@
  31.456       "\<lbrakk>g \<in> carrier(G); g' \<in> carrier(G); h ` g = h ` g'\<rbrakk>
  31.457        \<Longrightarrow>  kernel(G,H,h) #> g \<subseteq> kernel(G,H,h) #> g'"
  31.458  apply (clarsimp simp add: kernel_def r_coset_def image_def)
  31.459 -apply (rename_tac y)  
  31.460 -apply (rule_tac x="y \<cdot> g \<cdot> inv g'" in bexI) 
  31.461 -apply (simp_all add: G.m_assoc) 
  31.462 +apply (rename_tac y)
  31.463 +apply (rule_tac x="y \<cdot> g \<cdot> inv g'" in bexI)
  31.464 +apply (simp_all add: G.m_assoc)
  31.465  done
  31.466  
  31.467  lemma (in group_hom) FactGroup_inj:
  31.468       "(\<lambda>X\<in>carrier (G Mod kernel(G,H,h)). contents (h `` X))
  31.469        \<in> inj(carrier (G Mod kernel(G,H,h)), carrier(H))"
  31.470 -proof (simp add: inj_def FactGroup_contents_mem lam_type, clarify) 
  31.471 +proof (simp add: inj_def FactGroup_contents_mem lam_type, clarify)
  31.472    fix X and X'
  31.473    assume X:  "X  \<in> carrier (G Mod kernel(G,H,h))"
  31.474       and X': "X' \<in> carrier (G Mod kernel(G,H,h))"
  31.475    then
  31.476    obtain g and g'
  31.477 -           where gX: "g \<in> carrier(G)"  "g' \<in> carrier(G)" 
  31.478 +           where gX: "g \<in> carrier(G)"  "g' \<in> carrier(G)"
  31.479                "X = kernel(G,H,h) #> g" "X' = kernel(G,H,h) #> g'"
  31.480      by (auto simp add: FactGroup_def RCOSETS_def)
  31.481    hence all: "\<forall>x\<in>X. h ` x = h ` g" "\<forall>x\<in>X'. h ` x = h ` g'"
  31.482 @@ -1187,16 +1187,16 @@
  31.483      by (force simp add: kernel_def r_coset_def image_def)+
  31.484    assume "contents (h `` X) = contents (h `` X')"
  31.485    hence h: "h ` g = h ` g'"
  31.486 -    by (simp add: all image_eq_UN [OF hom_is_fun] FactGroup_nonempty 
  31.487 +    by (simp add: all image_eq_UN [OF hom_is_fun] FactGroup_nonempty
  31.488                    X X' Xsub X'sub)
  31.489 -  show "X=X'" by (rule equalityI) (simp_all add: FactGroup_subset h gX) 
  31.490 +  show "X=X'" by (rule equalityI) (simp_all add: FactGroup_subset h gX)
  31.491  qed
  31.492  
  31.493  
  31.494  lemma (in group_hom) kernel_rcoset_subset:
  31.495    assumes g: "g \<in> carrier(G)"
  31.496    shows "kernel(G,H,h) #> g \<subseteq> carrier (G)"
  31.497 -    by (auto simp add: g kernel_def r_coset_def) 
  31.498 +    by (auto simp add: g kernel_def r_coset_def)
  31.499  
  31.500  
  31.501  
  31.502 @@ -1210,12 +1210,12 @@
  31.503    fix y
  31.504    assume y: "y \<in> carrier(H)"
  31.505    with h obtain g where g: "g \<in> carrier(G)" "h ` g = y"
  31.506 -    by (auto simp add: surj_def) 
  31.507 -  hence "(\<Union>x\<in>kernel(G,H,h) #> g. {h ` x}) = {y}" 
  31.508 -    by (auto simp add: y kernel_def r_coset_def) 
  31.509 +    by (auto simp add: surj_def)
  31.510 +  hence "(\<Union>x\<in>kernel(G,H,h) #> g. {h ` x}) = {y}"
  31.511 +    by (auto simp add: y kernel_def r_coset_def)
  31.512    with g show "\<exists>x\<in>carrier(G Mod kernel(G, H, h)). contents(h `` x) = y"
  31.513          --{*The witness is @{term "kernel(G,H,h) #> g"}*}
  31.514 -    by (force simp add: FactGroup_def RCOSETS_def 
  31.515 +    by (force simp add: FactGroup_def RCOSETS_def
  31.516             image_eq_UN [OF hom_is_fun] kernel_rcoset_subset)
  31.517  qed
  31.518  
  31.519 @@ -1226,5 +1226,5 @@
  31.520    "h \<in> surj(carrier(G), carrier(H))
  31.521     \<Longrightarrow> (\<lambda>X\<in>carrier (G Mod kernel(G,H,h)). contents (h``X)) \<in> (G Mod (kernel(G,H,h))) \<cong> H"
  31.522  by (simp add: iso_def FactGroup_hom FactGroup_inj bij_def FactGroup_surj)
  31.523 - 
  31.524 +
  31.525  end
    32.1 --- a/src/ZF/func.thy	Thu Mar 15 15:54:22 2012 +0000
    32.2 +++ b/src/ZF/func.thy	Thu Mar 15 16:35:02 2012 +0000
    32.3 @@ -14,37 +14,37 @@
    32.4  
    32.5  lemma relation_converse_converse [simp]:
    32.6       "relation(r) ==> converse(converse(r)) = r"
    32.7 -by (simp add: relation_def, blast) 
    32.8 +by (simp add: relation_def, blast)
    32.9  
   32.10  lemma relation_restrict [simp]:  "relation(restrict(r,A))"
   32.11 -by (simp add: restrict_def relation_def, blast) 
   32.12 +by (simp add: restrict_def relation_def, blast)
   32.13  
   32.14  lemma Pi_iff:
   32.15 -    "f: Pi(A,B) \<longleftrightarrow> function(f) & f<=Sigma(A,B) & A<=domain(f)"
   32.16 +    "f \<in> Pi(A,B) \<longleftrightarrow> function(f) & f<=Sigma(A,B) & A<=domain(f)"
   32.17  by (unfold Pi_def, blast)
   32.18  
   32.19  (*For upward compatibility with the former definition*)
   32.20  lemma Pi_iff_old:
   32.21 -    "f: Pi(A,B) \<longleftrightarrow> f<=Sigma(A,B) & (\<forall>x\<in>A. EX! y. <x,y>: f)"
   32.22 +    "f \<in> Pi(A,B) \<longleftrightarrow> f<=Sigma(A,B) & (\<forall>x\<in>A. EX! y. <x,y>: f)"
   32.23  by (unfold Pi_def function_def, blast)
   32.24  
   32.25 -lemma fun_is_function: "f: Pi(A,B) ==> function(f)"
   32.26 +lemma fun_is_function: "f \<in> Pi(A,B) ==> function(f)"
   32.27  by (simp only: Pi_iff)
   32.28  
   32.29  lemma function_imp_Pi:
   32.30       "[|function(f); relation(f)|] ==> f \<in> domain(f) -> range(f)"
   32.31 -by (simp add: Pi_iff relation_def, blast) 
   32.32 +by (simp add: Pi_iff relation_def, blast)
   32.33  
   32.34 -lemma functionI: 
   32.35 +lemma functionI:
   32.36       "[| !!x y y'. [| <x,y>:r; <x,y'>:r |] ==> y=y' |] ==> function(r)"
   32.37 -by (simp add: function_def, blast) 
   32.38 +by (simp add: function_def, blast)
   32.39  
   32.40  (*Functions are relations*)
   32.41 -lemma fun_is_rel: "f: Pi(A,B) ==> f \<subseteq> Sigma(A,B)"
   32.42 +lemma fun_is_rel: "f \<in> Pi(A,B) ==> f \<subseteq> Sigma(A,B)"
   32.43  by (unfold Pi_def, blast)
   32.44  
   32.45  lemma Pi_cong:
   32.46 -    "[| A=A';  !!x. x:A' ==> B(x)=B'(x) |] ==> Pi(A,B) = Pi(A',B')"
   32.47 +    "[| A=A';  !!x. x \<in> A' ==> B(x)=B'(x) |] ==> Pi(A,B) = Pi(A',B')"
   32.48  by (simp add: Pi_def cong add: Sigma_cong)
   32.49  
   32.50  (*Sigma_cong, Pi_cong NOT given to Addcongs: they cause
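Review bot: The rewritten statement of `Pi_iff_old` (32.22) still ends in `<x,y>: f`, so one lemma now mixes `\<in>` and the ASCII `:` for the same membership relation. I would finish the conversion there as `(\<forall>x\<in>A. EX! y. <x,y> \<in> f)`, the spelling `domain_type` already uses further down in this file. The same leftover sits on lines this commit touches in later hunks: `<a,b>: f` in `apply_equality2` and `apply_equality`, `p: (\<lambda>x\<in>A. b(x))` in `lamE`, and `b(x): B(x)` in `lam_type`. If these forms were skipped on purpose, the commit message should say so; otherwise a follow-up pass should cover them.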
   32.51 @@ -52,18 +52,18 @@
   32.52    Sigmas and Pis are abbreviated as * or -> *)
   32.53  
   32.54  (*Weakening one function type to another; see also Pi_type*)
   32.55 -lemma fun_weaken_type: "[| f: A->B;  B<=D |] ==> f: A->D"
   32.56 +lemma fun_weaken_type: "[| f \<in> A->B;  B<=D |] ==> f \<in> A->D"
   32.57  by (unfold Pi_def, best)
   32.58  
   32.59  subsection{*Function Application*}
   32.60  
   32.61 -lemma apply_equality2: "[| <a,b>: f;  <a,c>: f;  f: Pi(A,B) |] ==> b=c"
   32.62 +lemma apply_equality2: "[| <a,b>: f;  <a,c>: f;  f \<in> Pi(A,B) |] ==> b=c"
   32.63  by (unfold Pi_def function_def, blast)
   32.64  
   32.65  lemma function_apply_equality: "[| <a,b>: f;  function(f) |] ==> f`a = b"
   32.66  by (unfold apply_def function_def, blast)
   32.67  
   32.68 -lemma apply_equality: "[| <a,b>: f;  f: Pi(A,B) |] ==> f`a = b"
   32.69 +lemma apply_equality: "[| <a,b>: f;  f \<in> Pi(A,B) |] ==> f`a = b"
   32.70  apply (unfold Pi_def)
   32.71  apply (blast intro: function_apply_equality)
   32.72  done
   32.73 @@ -72,72 +72,72 @@
   32.74  lemma apply_0: "a \<notin> domain(f) ==> f`a = 0"
   32.75  by (unfold apply_def, blast)
   32.76  
   32.77 -lemma Pi_memberD: "[| f: Pi(A,B);  c: f |] ==> \<exists>x\<in>A.  c = <x,f`x>"
   32.78 +lemma Pi_memberD: "[| f \<in> Pi(A,B);  c \<in> f |] ==> \<exists>x\<in>A.  c = <x,f`x>"
   32.79  apply (frule fun_is_rel)
   32.80  apply (blast dest: apply_equality)
   32.81  done
   32.82  
   32.83  lemma function_apply_Pair: "[| function(f);  a \<in> domain(f)|] ==> <a,f`a>: f"
   32.84 -apply (simp add: function_def, clarify) 
   32.85 -apply (subgoal_tac "f`a = y", blast) 
   32.86 -apply (simp add: apply_def, blast) 
   32.87 +apply (simp add: function_def, clarify)
   32.88 +apply (subgoal_tac "f`a = y", blast)
   32.89 +apply (simp add: apply_def, blast)
   32.90  done
   32.91  
   32.92 -lemma apply_Pair: "[| f: Pi(A,B);  a:A |] ==> <a,f`a>: f"
   32.93 +lemma apply_Pair: "[| f \<in> Pi(A,B);  a \<in> A |] ==> <a,f`a>: f"
   32.94  apply (simp add: Pi_iff)
   32.95  apply (blast intro: function_apply_Pair)
   32.96  done
   32.97  
   32.98  (*Conclusion is flexible -- use rule_tac or else apply_funtype below!*)
   32.99 -lemma apply_type [TC]: "[| f: Pi(A,B);  a:A |] ==> f`a \<in> B(a)"
  32.100 +lemma apply_type [TC]: "[| f \<in> Pi(A,B);  a \<in> A |] ==> f`a \<in> B(a)"
  32.101  by (blast intro: apply_Pair dest: fun_is_rel)
  32.102  
  32.103  (*This version is acceptable to the simplifier*)
  32.104 -lemma apply_funtype: "[| f: A->B;  a:A |] ==> f`a \<in> B"
  32.105 +lemma apply_funtype: "[| f \<in> A->B;  a \<in> A |] ==> f`a \<in> B"
  32.106  by (blast dest: apply_type)
  32.107  
  32.108 -lemma apply_iff: "f: Pi(A,B) ==> <a,b>: f \<longleftrightarrow> a:A & f`a = b"
  32.109 +lemma apply_iff: "f \<in> Pi(A,B) ==> <a,b>: f \<longleftrightarrow> a \<in> A & f`a = b"
  32.110  apply (frule fun_is_rel)
  32.111  apply (blast intro!: apply_Pair apply_equality)
  32.112  done
  32.113  
  32.114  (*Refining one Pi type to another*)
  32.115 -lemma Pi_type: "[| f: Pi(A,C);  !!x. x:A ==> f`x \<in> B(x) |] ==> f \<in> Pi(A,B)"
  32.116 +lemma Pi_type: "[| f \<in> Pi(A,C);  !!x. x \<in> A ==> f`x \<in> B(x) |] ==> f \<in> Pi(A,B)"
  32.117  apply (simp only: Pi_iff)
  32.118  apply (blast dest: function_apply_equality)
  32.119  done
  32.120  
  32.121  (*Such functions arise in non-standard datatypes, ZF/ex/Ntree for instance*)
  32.122  lemma Pi_Collect_iff:
  32.123 -     "(f \<in> Pi(A, %x. {y:B(x). P(x,y)}))
  32.124 +     "(f \<in> Pi(A, %x. {y \<in> B(x). P(x,y)}))
  32.125        \<longleftrightarrow>  f \<in> Pi(A,B) & (\<forall>x\<in>A. P(x, f`x))"
  32.126  by (blast intro: Pi_type dest: apply_type)
  32.127  
  32.128  lemma Pi_weaken_type:
  32.129 -        "[| f \<in> Pi(A,B);  !!x. x:A ==> B(x)<=C(x) |] ==> f \<in> Pi(A,C)"
  32.130 +        "[| f \<in> Pi(A,B);  !!x. x \<in> A ==> B(x)<=C(x) |] ==> f \<in> Pi(A,C)"
  32.131  by (blast intro: Pi_type dest: apply_type)
  32.132  
  32.133  
  32.134  (** Elimination of membership in a function **)
  32.135  
  32.136 -lemma domain_type: "[| <a,b> \<in> f;  f: Pi(A,B) |] ==> a \<in> A"
  32.137 +lemma domain_type: "[| <a,b> \<in> f;  f \<in> Pi(A,B) |] ==> a \<in> A"
  32.138  by (blast dest: fun_is_rel)
  32.139  
  32.140 -lemma range_type: "[| <a,b> \<in> f;  f: Pi(A,B) |] ==> b \<in> B(a)"
  32.141 +lemma range_type: "[| <a,b> \<in> f;  f \<in> Pi(A,B) |] ==> b \<in> B(a)"
  32.142  by (blast dest: fun_is_rel)
  32.143  
  32.144 -lemma Pair_mem_PiD: "[| <a,b>: f;  f: Pi(A,B) |] ==> a:A & b:B(a) & f`a = b"
  32.145 +lemma Pair_mem_PiD: "[| <a,b>: f;  f \<in> Pi(A,B) |] ==> a \<in> A & b \<in> B(a) & f`a = b"
  32.146  by (blast intro: domain_type range_type apply_equality)
  32.147  
  32.148  subsection{*Lambda Abstraction*}
  32.149  
  32.150 -lemma lamI: "a:A ==> <a,b(a)> \<in> (\<lambda>x\<in>A. b(x))"
  32.151 +lemma lamI: "a \<in> A ==> <a,b(a)> \<in> (\<lambda>x\<in>A. b(x))"
  32.152  apply (unfold lam_def)
  32.153  apply (erule RepFunI)
  32.154  done
  32.155  
  32.156  lemma lamE:
  32.157 -    "[| p: (\<lambda>x\<in>A. b(x));  !!x.[| x:A; p=<x,b(x)> |] ==> P
  32.158 +    "[| p: (\<lambda>x\<in>A. b(x));  !!x.[| x \<in> A; p=<x,b(x)> |] ==> P
  32.159       |] ==>  P"
  32.160  by (simp add: lam_def, blast)
  32.161  
  32.162 @@ -145,17 +145,17 @@
  32.163  by (simp add: lam_def)
  32.164  
  32.165  lemma lam_type [TC]:
  32.166 -    "[| !!x. x:A ==> b(x): B(x) |] ==> (\<lambda>x\<in>A. b(x)) \<in> Pi(A,B)"
  32.167 +    "[| !!x. x \<in> A ==> b(x): B(x) |] ==> (\<lambda>x\<in>A. b(x)) \<in> Pi(A,B)"
  32.168  by (simp add: lam_def Pi_def function_def, blast)
  32.169  
  32.170 -lemma lam_funtype: "(\<lambda>x\<in>A. b(x)) \<in> A -> {b(x). x:A}"
  32.171 +lemma lam_funtype: "(\<lambda>x\<in>A. b(x)) \<in> A -> {b(x). x \<in> A}"
  32.172  by (blast intro: lam_type)
  32.173  
  32.174  lemma function_lam: "function (\<lambda>x\<in>A. b(x))"
  32.175 -by (simp add: function_def lam_def) 
  32.176 +by (simp add: function_def lam_def)
  32.177  
  32.178 -lemma relation_lam: "relation (\<lambda>x\<in>A. b(x))"  
  32.179 -by (simp add: relation_def lam_def) 
  32.180 +lemma relation_lam: "relation (\<lambda>x\<in>A. b(x))"
  32.181 +by (simp add: relation_def lam_def)
  32.182  
  32.183  lemma beta_if [simp]: "(\<lambda>x\<in>A. b(x)) ` a = (if a \<in> A then b(a) else 0)"
  32.184  by (simp add: apply_def lam_def, blast)
  32.185 @@ -171,17 +171,17 @@
  32.186  
  32.187  (*congruence rule for lambda abstraction*)
  32.188  lemma lam_cong [cong]:
  32.189 -    "[| A=A';  !!x. x:A' ==> b(x)=b'(x) |] ==> Lambda(A,b) = Lambda(A',b')"
  32.190 +    "[| A=A';  !!x. x \<in> A' ==> b(x)=b'(x) |] ==> Lambda(A,b) = Lambda(A',b')"
  32.191  by (simp only: lam_def cong add: RepFun_cong)
  32.192  
  32.193  lemma lam_theI:
  32.194 -    "(!!x. x:A ==> EX! y. Q(x,y)) ==> \<exists>f. \<forall>x\<in>A. Q(x, f`x)"
  32.195 +    "(!!x. x \<in> A ==> EX! y. Q(x,y)) ==> \<exists>f. \<forall>x\<in>A. Q(x, f`x)"
  32.196  apply (rule_tac x = "\<lambda>x\<in>A. THE y. Q (x,y)" in exI)
  32.197 -apply simp 
  32.198 +apply simp
  32.199  apply (blast intro: theI)
  32.200  done
  32.201  
  32.202 -lemma lam_eqE: "[| (\<lambda>x\<in>A. f(x)) = (\<lambda>x\<in>A. g(x));  a:A |] ==> f(a)=g(a)"
  32.203 +lemma lam_eqE: "[| (\<lambda>x\<in>A. f(x)) = (\<lambda>x\<in>A. g(x));  a \<in> A |] ==> f(a)=g(a)"
  32.204  by (fast intro!: lamI elim: equalityE lamE)
  32.205  
  32.206  
  32.207 @@ -207,13 +207,13 @@
  32.208  (*Semi-extensionality!*)
  32.209  
  32.210  lemma fun_subset:
  32.211 -    "[| f \<in> Pi(A,B);  g: Pi(C,D);  A<=C;
  32.212 -        !!x. x:A ==> f`x = g`x       |] ==> f<=g"
  32.213 +    "[| f \<in> Pi(A,B);  g \<in> Pi(C,D);  A<=C;
  32.214 +        !!x. x \<in> A ==> f`x = g`x       |] ==> f<=g"
  32.215  by (force dest: Pi_memberD intro: apply_Pair)
  32.216  
  32.217  lemma fun_extension:
  32.218 -    "[| f \<in> Pi(A,B);  g: Pi(A,D);
  32.219 -        !!x. x:A ==> f`x = g`x       |] ==> f=g"
  32.220 +    "[| f \<in> Pi(A,B);  g \<in> Pi(A,D);
  32.221 +        !!x. x \<in> A ==> f`x = g`x       |] ==> f=g"
  32.222  by (blast del: subsetI intro: subset_refl sym fun_subset)
  32.223  
  32.224  lemma eta [simp]: "f \<in> Pi(A,B) ==> (\<lambda>x\<in>A. f`x) = f"
  32.225 @@ -222,18 +222,18 @@
  32.226  done
  32.227  
  32.228  lemma fun_extension_iff:
  32.229 -     "[| f:Pi(A,B); g:Pi(A,C) |] ==> (\<forall>a\<in>A. f`a = g`a) \<longleftrightarrow> f=g"
  32.230 +     "[| f \<in> Pi(A,B); g \<in> Pi(A,C) |] ==> (\<forall>a\<in>A. f`a = g`a) \<longleftrightarrow> f=g"
  32.231  by (blast intro: fun_extension)
  32.232  
  32.233  (*thm by Mark Staples, proof by lcp*)
  32.234 -lemma fun_subset_eq: "[| f:Pi(A,B); g:Pi(A,C) |] ==> f \<subseteq> g \<longleftrightarrow> (f = g)"
  32.235 +lemma fun_subset_eq: "[| f \<in> Pi(A,B); g \<in> Pi(A,C) |] ==> f \<subseteq> g \<longleftrightarrow> (f = g)"
  32.236  by (blast dest: apply_Pair
  32.237            intro: fun_extension apply_equality [symmetric])
  32.238  
  32.239  
  32.240  (*Every element of Pi(A,B) may be expressed as a lambda abstraction!*)
  32.241  lemma Pi_lamE:
  32.242 -  assumes major: "f: Pi(A,B)"
  32.243 +  assumes major: "f \<in> Pi(A,B)"
  32.244        and minor: "!!b. [| \<forall>x\<in>A. b(x):B(x);  f = (\<lambda>x\<in>A. b(x)) |] ==> P"
  32.245    shows "P"
  32.246  apply (rule minor)
  32.247 @@ -244,37 +244,37 @@
  32.248  
  32.249  subsection{*Images of Functions*}
  32.250  
  32.251 -lemma image_lam: "C \<subseteq> A ==> (\<lambda>x\<in>A. b(x)) `` C = {b(x). x:C}"
  32.252 +lemma image_lam: "C \<subseteq> A ==> (\<lambda>x\<in>A. b(x)) `` C = {b(x). x \<in> C}"
  32.253  by (unfold lam_def, blast)
  32.254  
  32.255  lemma Repfun_function_if:
  32.256 -     "function(f) 
  32.257 -      ==> {f`x. x:C} = (if C \<subseteq> domain(f) then f``C else cons(0,f``C))";
  32.258 +     "function(f)
  32.259 +      ==> {f`x. x \<in> C} = (if C \<subseteq> domain(f) then f``C else cons(0,f``C))";
  32.260  apply simp
  32.261 -apply (intro conjI impI)  
  32.262 - apply (blast dest: function_apply_equality intro: function_apply_Pair) 
  32.263 +apply (intro conjI impI)
  32.264 + apply (blast dest: function_apply_equality intro: function_apply_Pair)
  32.265  apply (rule equalityI)
  32.266 - apply (blast intro!: function_apply_Pair apply_0) 
  32.267 -apply (blast dest: function_apply_equality intro: apply_0 [symmetric]) 
  32.268 + apply (blast intro!: function_apply_Pair apply_0)
  32.269 +apply (blast dest: function_apply_equality intro: apply_0 [symmetric])
  32.270  done
  32.271  
  32.272 -(*For this lemma and the next, the right-hand side could equivalently 
  32.273 +(*For this lemma and the next, the right-hand side could equivalently
  32.274    be written \<Union>x\<in>C. {f`x} *)
  32.275  lemma image_function:
  32.276 -     "[| function(f);  C \<subseteq> domain(f) |] ==> f``C = {f`x. x:C}";
  32.277 -by (simp add: Repfun_function_if) 
  32.278 +     "[| function(f);  C \<subseteq> domain(f) |] ==> f``C = {f`x. x \<in> C}";
  32.279 +by (simp add: Repfun_function_if)
  32.280  
  32.281 -lemma image_fun: "[| f \<in> Pi(A,B);  C \<subseteq> A |] ==> f``C = {f`x. x:C}"
  32.282 -apply (simp add: Pi_iff) 
  32.283 -apply (blast intro: image_function) 
  32.284 +lemma image_fun: "[| f \<in> Pi(A,B);  C \<subseteq> A |] ==> f``C = {f`x. x \<in> C}"
  32.285 +apply (simp add: Pi_iff)
  32.286 +apply (blast intro: image_function)
  32.287  done
  32.288  
  32.289 -lemma image_eq_UN: 
  32.290 +lemma image_eq_UN:
  32.291    assumes f: "f \<in> Pi(A,B)" "C \<subseteq> A" shows "f``C = (\<Union>x\<in>C. {f ` x})"
  32.292 -by (auto simp add: image_fun [OF f]) 
  32.293 +by (auto simp add: image_fun [OF f])
  32.294  
  32.295  lemma Pi_image_cons:
  32.296 -     "[| f: Pi(A,B);  x: A |] ==> f `` cons(x,y) = cons(f`x, f``y)"
  32.297 +     "[| f \<in> Pi(A,B);  x \<in> A |] ==> f `` cons(x,y) = cons(f`x, f``y)"
  32.298  by (blast dest: apply_equality apply_Pair)
  32.299  
  32.300  
  32.301 @@ -287,7 +287,7 @@
  32.302      "function(f) ==> function(restrict(f,A))"
  32.303  by (unfold restrict_def function_def, blast)
  32.304  
  32.305 -lemma restrict_type2: "[| f: Pi(C,B);  A<=C |] ==> restrict(f,A) \<in> Pi(A,B)"
  32.306 +lemma restrict_type2: "[| f \<in> Pi(C,B);  A<=C |] ==> restrict(f,A) \<in> Pi(A,B)"
  32.307  by (simp add: Pi_iff function_def restrict_def, blast)
  32.308  
  32.309  lemma restrict: "restrict(f,A) ` a = (if a \<in> A then f`a else 0)"
  32.310 @@ -297,7 +297,7 @@
  32.311  by (unfold restrict_def, simp)
  32.312  
  32.313  lemma restrict_iff: "z \<in> restrict(r,A) \<longleftrightarrow> z \<in> r & (\<exists>x\<in>A. \<exists>y. z = \<langle>x, y\<rangle>)"
  32.314 -by (simp add: restrict_def) 
  32.315 +by (simp add: restrict_def)
  32.316  
  32.317  lemma restrict_restrict [simp]:
  32.318       "restrict(restrict(r,A),B) = restrict(r, A \<inter> B)"
  32.319 @@ -346,10 +346,10 @@
  32.320      "[| \<forall>x\<in>S. function(x);
  32.321          \<forall>x\<in>S. \<forall>y\<in>S. x<=y | y<=x  |]
  32.322       ==> function(\<Union>(S))"
  32.323 -by (unfold function_def, blast) 
  32.324 +by (unfold function_def, blast)
  32.325  
  32.326  lemma fun_Union:
  32.327 -    "[| \<forall>f\<in>S. \<exists>C D. f:C->D;
  32.328 +    "[| \<forall>f\<in>S. \<exists>C D. f \<in> C->D;
  32.329               \<forall>f\<in>S. \<forall>y\<in>S. f<=y | y<=f  |] ==>
  32.330            \<Union>(S) \<in> domain(\<Union>(S)) -> range(\<Union>(S))"
  32.331  apply (unfold Pi_def)
  32.332 @@ -358,7 +358,7 @@
  32.333  
  32.334  lemma gen_relation_Union [rule_format]:
  32.335       "\<forall>f\<in>F. relation(f) \<Longrightarrow> relation(\<Union>(F))"
  32.336 -by (simp add: relation_def) 
  32.337 +by (simp add: relation_def)
  32.338  
  32.339  
  32.340  (** The Union of 2 disjoint functions is a function **)
  32.341 @@ -368,7 +368,7 @@
  32.342                  subset_trans [OF _ Un_upper2]
  32.343  
  32.344  lemma fun_disjoint_Un:
  32.345 -     "[| f: A->B;  g: C->D;  A \<inter> C = 0  |]
  32.346 +     "[| f \<in> A->B;  g \<in> C->D;  A \<inter> C = 0  |]
  32.347        ==> (f \<union> g) \<in> (A \<union> C) -> (B \<union> D)"
  32.348  (*Prove the product and domain subgoals using distributive laws*)
  32.349  apply (simp add: Pi_iff extension Un_rls)
  32.350 @@ -376,17 +376,17 @@
  32.351  done
  32.352  
  32.353  lemma fun_disjoint_apply1: "a \<notin> domain(g) ==> (f \<union> g)`a = f`a"
  32.354 -by (simp add: apply_def, blast) 
  32.355 +by (simp add: apply_def, blast)
  32.356  
  32.357  lemma fun_disjoint_apply2: "c \<notin> domain(f) ==> (f \<union> g)`c = g`c"
  32.358 -by (simp add: apply_def, blast) 
  32.359 +by (simp add: apply_def, blast)
  32.360  
  32.361  subsection{*Domain and Range of a Function or Relation*}
  32.362  
  32.363  lemma domain_of_fun: "f \<in> Pi(A,B) ==> domain(f)=A"
  32.364  by (unfold Pi_def, blast)
  32.365  
  32.366 -lemma apply_rangeI: "[| f \<in> Pi(A,B);  a: A |] ==> f`a \<in> range(f)"
  32.367 +lemma apply_rangeI: "[| f \<in> Pi(A,B);  a \<in> A |] ==> f`a \<in> range(f)"
  32.368  by (erule apply_Pair [THEN rangeI], assumption)
  32.369  
  32.370  lemma range_of_fun: "f \<in> Pi(A,B) ==> f \<in> A->range(f)"
  32.371 @@ -395,23 +395,23 @@
  32.372  subsection{*Extensions of Functions*}
  32.373  
  32.374  lemma fun_extend:
  32.375 -     "[| f: A->B;  c\<notin>A |] ==> cons(<c,b>,f) \<in> cons(c,A) -> cons(b,B)"
  32.376 +     "[| f \<in> A->B;  c\<notin>A |] ==> cons(<c,b>,f) \<in> cons(c,A) -> cons(b,B)"
  32.377  apply (frule singleton_fun [THEN fun_disjoint_Un], blast)
  32.378 -apply (simp add: cons_eq) 
  32.379 +apply (simp add: cons_eq)
  32.380  done
  32.381  
  32.382  lemma fun_extend3:
  32.383 -     "[| f: A->B;  c\<notin>A;  b: B |] ==> cons(<c,b>,f) \<in> cons(c,A) -> B"
  32.384 +     "[| f \<in> A->B;  c\<notin>A;  b \<in> B |] ==> cons(<c,b>,f) \<in> cons(c,A) -> B"
  32.385  by (blast intro: fun_extend [THEN fun_weaken_type])
  32.386  
  32.387  lemma extend_apply:
  32.388       "c \<notin> domain(f) ==> cons(<c,b>,f)`a = (if a=c then b else f`a)"
  32.389 -by (auto simp add: apply_def) 
  32.390 +by (auto simp add: apply_def)
  32.391  
  32.392  lemma fun_extend_apply [simp]:
  32.393 -     "[| f: A->B;  c\<notin>A |] ==> cons(<c,b>,f)`a = (if a=c then b else f`a)" 
  32.394 -apply (rule extend_apply) 
  32.395 -apply (simp add: Pi_def, blast) 
  32.396 +     "[| f \<in> A->B;  c\<notin>A |] ==> cons(<c,b>,f)`a = (if a=c then b else f`a)"
  32.397 +apply (rule extend_apply)
  32.398 +apply (simp add: Pi_def, blast)
  32.399  done
  32.400  
  32.401  lemmas singleton_apply = apply_equality [OF singletonI singleton_fun, simp]
  32.402 @@ -425,13 +425,13 @@
  32.403  apply (subgoal_tac "restrict (x, A) \<in> A -> B")
  32.404   prefer 2 apply (blast intro: restrict_type2)
  32.405  apply (rule UN_I, assumption)
  32.406 -apply (rule apply_funtype [THEN UN_I]) 
  32.407 +apply (rule apply_funtype [THEN UN_I])
  32.408    apply assumption
  32.409 - apply (rule consI1) 
  32.410 + apply (rule consI1)
  32.411  apply (simp (no_asm))
  32.412 -apply (rule fun_extension) 
  32.413 +apply (rule fun_extension)
  32.414    apply assumption
  32.415 - apply (blast intro: fun_extend) 
  32.416 + apply (blast intro: fun_extend)
  32.417  apply (erule consE, simp_all)
  32.418  done
  32.419  
  32.420 @@ -463,11 +463,11 @@
  32.421  
  32.422  lemma update_apply [simp]: "f(x:=y) ` z = (if z=x then y else f`z)"
  32.423  apply (simp add: update_def)
  32.424 -apply (case_tac "z \<in> domain(f)")   
  32.425 +apply (case_tac "z \<in> domain(f)")
  32.426  apply (simp_all add: apply_0)
  32.427  done
  32.428  
  32.429 -lemma update_idem: "[| f`x = y;  f: Pi(A,B);  x: A |] ==> f(x:=y) = f"
  32.430 +lemma update_idem: "[| f`x = y;  f \<in> Pi(A,B);  x \<in> A |] ==> f(x:=y) = f"
  32.431  apply (unfold update_def)
  32.432  apply (simp add: domain_of_fun cons_absorb)
  32.433  apply (rule fun_extension)
  32.434 @@ -475,13 +475,13 @@
  32.435  done
  32.436  
  32.437  
  32.438 -(* [| f: Pi(A, B); x:A |] ==> f(x := f`x) = f *)
  32.439 +(* [| f \<in> Pi(A, B); x \<in> A |] ==> f(x := f`x) = f *)
  32.440  declare refl [THEN update_idem, simp]
  32.441  
  32.442  lemma domain_update [simp]: "domain(f(x:=y)) = cons(x, domain(f))"
  32.443  by (unfold update_def, simp)
  32.444  
  32.445 -lemma update_type: "[| f:Pi(A,B);  x \<in> A;  y: B(x) |] ==> f(x:=y) \<in> Pi(A, B)"
  32.446 +lemma update_type: "[| f \<in> Pi(A,B);  x \<in> A;  y \<in> B(x) |] ==> f(x:=y) \<in> Pi(A, B)"
  32.447  apply (unfold update_def)
  32.448  apply (simp add: domain_of_fun cons_absorb apply_funtype lam_type)
  32.449  done
  32.450 @@ -496,7 +496,7 @@
  32.451  lemma Replace_mono: "A<=B ==> Replace(A,P) \<subseteq> Replace(B,P)"
  32.452  by (blast elim!: ReplaceE)
  32.453  
  32.454 -lemma RepFun_mono: "A<=B ==> {f(x). x:A} \<subseteq> {f(x). x:B}"
  32.455 +lemma RepFun_mono: "A<=B ==> {f(x). x \<in> A} \<subseteq> {f(x). x \<in> B}"
  32.456  by blast
  32.457  
  32.458  lemma Pow_mono: "A<=B ==> Pow(A) \<subseteq> Pow(B)"
  32.459 @@ -506,8 +506,8 @@
  32.460  by blast
  32.461  
  32.462  lemma UN_mono:
  32.463 -    "[| A<=C;  !!x. x:A ==> B(x)<=D(x) |] ==> (\<Union>x\<in>A. B(x)) \<subseteq> (\<Union>x\<in>C. D(x))"
  32.464 -by blast  
  32.465 +    "[| A<=C;  !!x. x \<in> A ==> B(x)<=D(x) |] ==> (\<Union>x\<in>A. B(x)) \<subseteq> (\<Union>x\<in>C. D(x))"
  32.466 +by blast
  32.467  
  32.468  (*Intersection is ANTI-monotonic.  There are TWO premises! *)
  32.469  lemma Inter_anti_mono: "[| A<=B;  A\<noteq>0 |] ==> \<Inter>(B) \<subseteq> \<Inter>(A)"
  32.470 @@ -528,7 +528,7 @@
  32.471  subsubsection{*Standard Products, Sums and Function Spaces *}
  32.472  
  32.473  lemma Sigma_mono [rule_format]:
  32.474 -     "[| A<=C;  !!x. x:A \<longrightarrow> B(x) \<subseteq> D(x) |] ==> Sigma(A,B) \<subseteq> Sigma(C,D)"
  32.475 +     "[| A<=C;  !!x. x \<in> A \<longrightarrow> B(x) \<subseteq> D(x) |] ==> Sigma(A,B) \<subseteq> Sigma(C,D)"
  32.476  by blast
  32.477  
  32.478  lemma sum_mono: "[| A<=C;  B<=D |] ==> A+B \<subseteq> C+D"
  32.479 @@ -569,11 +569,11 @@
  32.480  
  32.481  lemma image_pair_mono:
  32.482      "[| !! x y. <x,y>:r ==> <x,y>:s;  A<=B |] ==> r``A \<subseteq> s``B"
  32.483 -by blast 
  32.484 +by blast
  32.485  
  32.486  lemma vimage_pair_mono:
  32.487      "[| !! x y. <x,y>:r ==> <x,y>:s;  A<=B |] ==> r-``A \<subseteq> s-``B"
  32.488 -by blast 
  32.489 +by blast
  32.490  
  32.491  lemma image_mono: "[| r<=s;  A<=B |] ==> r``A \<subseteq> s``B"
  32.492  by blast
  32.493 @@ -582,11 +582,11 @@
  32.494  by blast
  32.495  
  32.496  lemma Collect_mono:
  32.497 -    "[| A<=B;  !!x. x:A ==> P(x) \<longrightarrow> Q(x) |] ==> Collect(A,P) \<subseteq> Collect(B,Q)"
  32.498 +    "[| A<=B;  !!x. x \<in> A ==> P(x) \<longrightarrow> Q(x) |] ==> Collect(A,P) \<subseteq> Collect(B,Q)"
  32.499  by blast
  32.500  
  32.501  (*Used in intr_elim.ML and in individual datatype definitions*)
  32.502 -lemmas basic_monos = subset_refl imp_refl disj_mono conj_mono ex_mono 
  32.503 +lemmas basic_monos = subset_refl imp_refl disj_mono conj_mono ex_mono
  32.504                       Collect_mono Part_mono in_mono
  32.505  
  32.506  (* Useful with simp; contributed by Clemens Ballarin. *)
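--- a/src/ZF/pair.thy
+++ b/src/ZF/pair.thy
@@ -63,7 +63,7 @@
   have  "{a, a} \<in> {{a, a}, {a, b}}" by (rule consI1)
   hence "{a, a} \<in> a" by (simp add: eq)
   moreover have "a \<in> {a, a}" by (rule consI1)
-  ultimately show "P" by (rule mem_asym) 
+  ultimately show "P" by (rule mem_asym)
 qed
 
 lemma Pair_neq_snd: "<a,b>=b ==> P"
@@ -72,7 +72,7 @@
   have  "{a, b} \<in> {{a, a}, {a, b}}" by blast
   hence "{a, b} \<in> b" by (simp add: eq)
   moreover have "b \<in> {a, b}" by blast
-  ultimately show "P" by (rule mem_asym) 
+  ultimately show "P" by (rule mem_asym)
 qed
 
 
@@ -80,10 +80,10 @@
 
 text{*Generalizes Cartesian product*}
 
-lemma Sigma_iff [simp]: "<a,b>: Sigma(A,B) \<longleftrightarrow> a:A & b:B(a)"
+lemma Sigma_iff [simp]: "<a,b>: Sigma(A,B) \<longleftrightarrow> a \<in> A & b \<in> B(a)"
 by (simp add: Sigma_def)
 
-lemma SigmaI [TC,intro!]: "[| a:A;  b:B(a) |] ==> <a,b> \<in> Sigma(A,B)"
+lemma SigmaI [TC,intro!]: "[| a \<in> A;  b \<in> B(a) |] ==> <a,b> \<in> Sigma(A,B)"
 by simp
 
 lemmas SigmaD1 = Sigma_iff [THEN iffD1, THEN conjunct1]
@@ -91,19 +91,19 @@
 
 (*The general elimination rule*)
 lemma SigmaE [elim!]:
-    "[| c: Sigma(A,B);   
-        !!x y.[| x:A;  y:B(x);  c=<x,y> |] ==> P  
+    "[| c \<in> Sigma(A,B);
+        !!x y.[| x \<in> A;  y \<in> B(x);  c=<x,y> |] ==> P
      |] ==> P"
-by (unfold Sigma_def, blast) 
+by (unfold Sigma_def, blast)
 
 lemma SigmaE2 [elim!]:
-    "[| <a,b> \<in> Sigma(A,B);     
-        [| a:A;  b:B(a) |] ==> P    
+    "[| <a,b> \<in> Sigma(A,B);
+        [| a \<in> A;  b \<in> B(a) |] ==> P
      |] ==> P"
-by (unfold Sigma_def, blast) 
+by (unfold Sigma_def, blast)
 
 lemma Sigma_cong:
-    "[| A=A';  !!x. x:A' ==> B(x)=B'(x) |] ==>  
+    "[| A=A';  !!x. x \<in> A' ==> B(x)=B'(x) |] ==>
      Sigma(A,B) = Sigma(A',B')"
 by (simp add: Sigma_def)
 
@@ -129,13 +129,13 @@
 lemma snd_conv [simp]: "snd(<a,b>) = b"
 by (simp add: snd_def)
 
-lemma fst_type [TC]: "p:Sigma(A,B) ==> fst(p) \<in> A"
+lemma fst_type [TC]: "p \<in> Sigma(A,B) ==> fst(p) \<in> A"
 by auto
 
-lemma snd_type [TC]: "p:Sigma(A,B) ==> snd(p) \<in> B(fst(p))"
+lemma snd_type [TC]: "p \<in> Sigma(A,B) ==> snd(p) \<in> B(fst(p))"
 by auto
 
-lemma Pair_fst_snd_eq: "a: Sigma(A,B) ==> <fst(a),snd(a)> = a"
+lemma Pair_fst_snd_eq: "a \<in> Sigma(A,B) ==> <fst(a),snd(a)> = a"
 by auto
 
 
@@ -146,13 +146,13 @@
 by (simp add: split_def)
 
 lemma split_type [TC]:
-    "[|  p:Sigma(A,B);    
-         !!x y.[| x:A; y:B(x) |] ==> c(x,y):C(<x,y>)  
+    "[|  p \<in> Sigma(A,B);
+         !!x y.[| x \<in> A; y \<in> B(x) |] ==> c(x,y):C(<x,y>)
      |] ==> split(%x y. c(x,y), p) \<in> C(p)"
-by (erule SigmaE, auto) 
+by (erule SigmaE, auto)
 
-lemma expand_split: 
-  "u: A*B ==>    
+lemma expand_split:
+  "u \<in> A*B ==>
         R(split(c,u)) \<longleftrightarrow> (\<forall>x\<in>A. \<forall>y\<in>B. u = <x,y> \<longrightarrow> R(c(x,y)))"
 by (auto simp add: split_def)
 
@@ -163,8 +163,8 @@
 by (simp add: split_def)
 
 lemma splitE:
-    "[| split(R,z);  z:Sigma(A,B);                       
-        !!x y. [| z = <x,y>;  R(x,y) |] ==> P            
+    "[| split(R,z);  z \<in> Sigma(A,B);
+        !!x y. [| z = <x,y>;  R(x,y) |] ==> P
      |] ==> P"
 by (auto simp add: split_def)
 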
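Review bot: The statement of Sigma_iff in the @@ -80,10 +80,10 @@ hunk is only half converted: the new line rewrites the right-hand side to `a \<in> A & b \<in> B(a)` but keeps `<a,b>: Sigma(A,B)` on the left, so one formula now mixes both spellings. Writing it as `"<a,b> \<in> Sigma(A,B) \<longleftrightarrow> a \<in> A & b \<in> B(a)"` would match the rest of the commit. The same leftover is in split_type (`c(x,y):C(<x,y>)`, @@ -146,13 +146,13 @@) and in upair.thy's if_iff and if_type. This is a point of notation only, assuming both spellings parse to the same membership term, as the commit implies.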
    34.1 --- a/src/ZF/upair.thy	Thu Mar 15 15:54:22 2012 +0000
    34.2 +++ b/src/ZF/upair.thy	Thu Mar 15 16:35:02 2012 +0000
    34.3 @@ -17,7 +17,7 @@
    34.4  setup TypeCheck.setup
    34.5  
    34.6  lemma atomize_ball [symmetric, rulify]:
    34.7 -     "(!!x. x:A ==> P(x)) == Trueprop (\<forall>x\<in>A. P(x))"
    34.8 +     "(!!x. x \<in> A ==> P(x)) == Trueprop (\<forall>x\<in>A. P(x))"
    34.9  by (simp add: Ball_def atomize_all atomize_imp)
   34.10  
   34.11  
   34.12 @@ -37,7 +37,7 @@
   34.13  
   34.14  subsection{*Rules for Binary Union, Defined via @{term Upair}*}
   34.15  
   34.16 -lemma Un_iff [simp]: "c \<in> A \<union> B \<longleftrightarrow> (c:A | c:B)"
   34.17 +lemma Un_iff [simp]: "c \<in> A \<union> B \<longleftrightarrow> (c \<in> A | c \<in> B)"
   34.18  apply (simp add: Un_def)
   34.19  apply (blast intro: UpairI1 UpairI2 elim: UpairE)
   34.20  done
   34.21 @@ -50,11 +50,11 @@
   34.22  
   34.23  declare UnI1 [elim?]  UnI2 [elim?]
   34.24  
   34.25 -lemma UnE [elim!]: "[| c \<in> A \<union> B;  c:A ==> P;  c:B ==> P |] ==> P"
   34.26 +lemma UnE [elim!]: "[| c \<in> A \<union> B;  c \<in> A ==> P;  c \<in> B ==> P |] ==> P"
   34.27  by (simp, blast)
   34.28  
   34.29  (*Stronger version of the rule above*)
   34.30 -lemma UnE': "[| c \<in> A \<union> B;  c:A ==> P;  [| c:B;  c\<notin>A |] ==> P |] ==> P"
   34.31 +lemma UnE': "[| c \<in> A \<union> B;  c \<in> A ==> P;  [| c \<in> B;  c\<notin>A |] ==> P |] ==> P"
   34.32  by (simp, blast)
   34.33  
   34.34  (*Classical introduction rule: no commitment to A vs B*)
   34.35 @@ -63,7 +63,7 @@
   34.36  
   34.37  subsection{*Rules for Binary Intersection, Defined via @{term Upair}*}
   34.38  
   34.39 -lemma Int_iff [simp]: "c \<in> A \<inter> B \<longleftrightarrow> (c:A & c:B)"
   34.40 +lemma Int_iff [simp]: "c \<in> A \<inter> B \<longleftrightarrow> (c \<in> A & c \<in> B)"
   34.41  apply (unfold Int_def)
   34.42  apply (blast intro: UpairI1 UpairI2 elim: UpairE)
   34.43  done
   34.44 @@ -77,13 +77,13 @@
   34.45  lemma IntD2: "c \<in> A \<inter> B ==> c \<in> B"
   34.46  by simp
   34.47  
   34.48 -lemma IntE [elim!]: "[| c \<in> A \<inter> B;  [| c:A; c:B |] ==> P |] ==> P"
   34.49 +lemma IntE [elim!]: "[| c \<in> A \<inter> B;  [| c \<in> A; c \<in> B |] ==> P |] ==> P"
   34.50  by simp
   34.51  
   34.52  
   34.53  subsection{*Rules for Set Difference, Defined via @{term Upair}*}
   34.54  
   34.55 -lemma Diff_iff [simp]: "c \<in> A-B \<longleftrightarrow> (c:A & c\<notin>B)"
   34.56 +lemma Diff_iff [simp]: "c \<in> A-B \<longleftrightarrow> (c \<in> A & c\<notin>B)"
   34.57  by (unfold Diff_def, blast)
   34.58  
   34.59  lemma DiffI [intro!]: "[| c \<in> A;  c \<notin> B |] ==> c \<in> A - B"
   34.60 @@ -95,13 +95,13 @@
   34.61  lemma DiffD2: "c \<in> A - B ==> c \<notin> B"
   34.62  by simp
   34.63  
   34.64 -lemma DiffE [elim!]: "[| c \<in> A - B;  [| c:A; c\<notin>B |] ==> P |] ==> P"
   34.65 +lemma DiffE [elim!]: "[| c \<in> A - B;  [| c \<in> A; c\<notin>B |] ==> P |] ==> P"
   34.66  by simp
   34.67  
   34.68  
   34.69  subsection{*Rules for @{term cons}*}
   34.70  
   34.71 -lemma cons_iff [simp]: "a \<in> cons(b,A) \<longleftrightarrow> (a=b | a:A)"
   34.72 +lemma cons_iff [simp]: "a \<in> cons(b,A) \<longleftrightarrow> (a=b | a \<in> A)"
   34.73  apply (unfold cons_def)
   34.74  apply (blast intro: UpairI1 UpairI2 elim: UpairE)
   34.75  done
   34.76 @@ -115,16 +115,16 @@
   34.77  lemma consI2: "a \<in> B ==> a \<in> cons(b,B)"
   34.78  by simp
   34.79  
   34.80 -lemma consE [elim!]: "[| a \<in> cons(b,A);  a=b ==> P;  a:A ==> P |] ==> P"
   34.81 +lemma consE [elim!]: "[| a \<in> cons(b,A);  a=b ==> P;  a \<in> A ==> P |] ==> P"
   34.82  by (simp, blast)
   34.83  
   34.84  (*Stronger version of the rule above*)
   34.85  lemma consE':
   34.86 -    "[| a \<in> cons(b,A);  a=b ==> P;  [| a:A;  a\<noteq>b |] ==> P |] ==> P"
   34.87 +    "[| a \<in> cons(b,A);  a=b ==> P;  [| a \<in> A;  a\<noteq>b |] ==> P |] ==> P"
   34.88  by (simp, blast)
   34.89  
   34.90  (*Classical introduction rule*)
   34.91 -lemma consCI [intro!]: "(a\<notin>B ==> a=b) ==> a: cons(b,B)"
   34.92 +lemma consCI [intro!]: "(a\<notin>B ==> a=b) ==> a \<in> cons(b,B)"
   34.93  by (simp, blast)
   34.94  
   34.95  lemma cons_not_0 [simp]: "cons(a,B) \<noteq> 0"
   34.96 @@ -207,7 +207,7 @@
   34.97       ==> (if P then a else b) = (if Q then c else d)"
   34.98  by (simp add: if_def cong add: conj_cong)
   34.99  
  34.100 -(*Prevents simplification of x and y: faster and allows the execution
  34.101 +(*Prevents simplification of x and y \<in> faster and allows the execution
  34.102    of functional programs. NOW THE DEFAULT.*)
  34.103  lemma if_weak_cong: "P\<longleftrightarrow>Q ==> (if P then x else y) = (if Q then x else y)"
  34.104  by simp
  34.105 @@ -236,11 +236,11 @@
  34.106  lemmas split_ifs = split_if_eq1 split_if_eq2 split_if_mem1 split_if_mem2
  34.107  
  34.108  (*Logically equivalent to split_if_mem2*)
  34.109 -lemma if_iff: "a: (if P then x else y) \<longleftrightarrow> P & a:x | ~P & a:y"
  34.110 +lemma if_iff: "a: (if P then x else y) \<longleftrightarrow> P & a \<in> x | ~P & a \<in> y"
  34.111  by simp
  34.112  
  34.113  lemma if_type [TC]:
  34.114 -    "[| P ==> a: A;  ~P ==> b: A |] ==> (if P then a else b): A"
  34.115 +    "[| P ==> a \<in> A;  ~P ==> b \<in> A |] ==> (if P then a else b): A"
  34.116  by simp
  34.117  
  34.118  (** Splitting IFs in the assumptions **)
  34.119 @@ -254,14 +254,14 @@
  34.120  subsection{*Consequences of Foundation*}
  34.121  
  34.122  (*was called mem_anti_sym*)
  34.123 -lemma mem_asym: "[| a:b;  ~P ==> b:a |] ==> P"
  34.124 +lemma mem_asym: "[| a \<in> b;  ~P ==> b \<in> a |] ==> P"
  34.125  apply (rule classical)
  34.126  apply (rule_tac A1 = "{a,b}" in foundation [THEN disjE])
  34.127  apply (blast elim!: equalityE)+
  34.128  done
  34.129  
  34.130  (*was called mem_anti_refl*)
  34.131 -lemma mem_irrefl: "a:a ==> P"
  34.132 +lemma mem_irrefl: "a \<in> a ==> P"
  34.133  by (blast intro: mem_asym)
  34.134  
  34.135  (*mem_irrefl should NOT be added to default databases:
  34.136 @@ -273,7 +273,7 @@
  34.137  done
  34.138  
  34.139  (*Good for proving inequalities by rewriting*)
  34.140 -lemma mem_imp_not_eq: "a:A ==> a \<noteq> A"
  34.141 +lemma mem_imp_not_eq: "a \<in> A ==> a \<noteq> A"
  34.142  by (blast elim!: mem_irrefl)
  34.143  
  34.144  lemma eq_imp_not_mem: "a=A ==> a \<notin> A"
  34.145 @@ -281,7 +281,7 @@
  34.146  
  34.147  subsection{*Rules for Successor*}
  34.148  
  34.149 -lemma succ_iff: "i \<in> succ(j) \<longleftrightarrow> i=j | i:j"
  34.150 +lemma succ_iff: "i \<in> succ(j) \<longleftrightarrow> i=j | i \<in> j"
  34.151  by (unfold succ_def, blast)
  34.152  
  34.153  lemma succI1 [simp]: "i \<in> succ(i)"
  34.154 @@ -291,12 +291,12 @@
  34.155  by (simp add: succ_iff)
  34.156  
  34.157  lemma succE [elim!]:
  34.158 -    "[| i \<in> succ(j);  i=j ==> P;  i:j ==> P |] ==> P"
  34.159 +    "[| i \<in> succ(j);  i=j ==> P;  i \<in> j ==> P |] ==> P"
  34.160  apply (simp add: succ_iff, blast)
  34.161  done
  34.162  
  34.163  (*Classical introduction rule*)
  34.164 -lemma succCI [intro!]: "(i\<notin>j ==> i=j) ==> i: succ(j)"
  34.165 +lemma succCI [intro!]: "(i\<notin>j ==> i=j) ==> i \<in> succ(j)"
  34.166  by (simp add: succ_iff, blast)
  34.167  
  34.168  lemma succ_not_0 [simp]: "succ(n) \<noteq> 0"
  34.169 @@ -383,22 +383,22 @@
  34.170  
  34.171  (** One-point rule for bounded quantifiers: see HOL/Set.ML **)
  34.172  
  34.173 -lemma bex_triv_one_point1 [simp]: "(\<exists>x\<in>A. x=a) \<longleftrightarrow> (a:A)"
  34.174 +lemma bex_triv_one_point1 [simp]: "(\<exists>x\<in>A. x=a) \<longleftrightarrow> (a \<in> A)"
  34.175  by blast
  34.176  
  34.177 -lemma bex_triv_one_point2 [simp]: "(\<exists>x\<in>A. a=x) \<longleftrightarrow> (a:A)"
  34.178 +lemma bex_triv_one_point2 [simp]: "(\<exists>x\<in>A. a=x) \<longleftrightarrow> (a \<in> A)"
  34.179  by blast
  34.180  
  34.181 -lemma bex_one_point1 [simp]: "(\<exists>x\<in>A. x=a & P(x)) \<longleftrightarrow> (a:A & P(a))"
  34.182 +lemma bex_one_point1 [simp]: "(\<exists>x\<in>A. x=a & P(x)) \<longleftrightarrow> (a \<in> A & P(a))"
  34.183  by blast
  34.184  
  34.185 -lemma bex_one_point2 [simp]: "(\<exists>x\<in>A. a=x & P(x)) \<longleftrightarrow> (a:A & P(a))"
  34.186 +lemma bex_one_point2 [simp]: "(\<exists>x\<in>A. a=x & P(x)) \<longleftrightarrow> (a \<in> A & P(a))"
  34.187  by blast
  34.188  
  34.189 -lemma ball_one_point1 [simp]: "(\<forall>x\<in>A. x=a \<longrightarrow> P(x)) \<longleftrightarrow> (a:A \<longrightarrow> P(a))"
  34.190 +lemma ball_one_point1 [simp]: "(\<forall>x\<in>A. x=a \<longrightarrow> P(x)) \<longleftrightarrow> (a \<in> A \<longrightarrow> P(a))"
  34.191  by blast
  34.192  
  34.193 -lemma ball_one_point2 [simp]: "(\<forall>x\<in>A. a=x \<longrightarrow> P(x)) \<longleftrightarrow> (a:A \<longrightarrow> P(a))"
  34.194 +lemma ball_one_point2 [simp]: "(\<forall>x\<in>A. a=x \<longrightarrow> P(x)) \<longleftrightarrow> (a \<in> A \<longrightarrow> P(a))"
  34.195  by blast
  34.196  
  34.197  
  34.198 @@ -406,9 +406,9 @@
  34.199  
  34.200  text{*These cover both @{term Replace} and @{term Collect}*}
  34.201  lemma Rep_simps [simp]:
  34.202 -     "{x. y:0, R(x,y)} = 0"
  34.203 -     "{x:0. P(x)} = 0"
  34.204 -     "{x:A. Q} = (if Q then A else 0)"
  34.205 +     "{x. y \<in> 0, R(x,y)} = 0"
  34.206 +     "{x \<in> 0. P(x)} = 0"
  34.207 +     "{x \<in> A. Q} = (if Q then A else 0)"
  34.208       "RepFun(0,f) = 0"
  34.209       "RepFun(succ(i),f) = cons(f(i), RepFun(i,f))"
  34.210       "RepFun(cons(a,B),f) = cons(f(a), RepFun(B,f))"
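Review bot: The comment above if_weak_cong in the @@ -207,7 +207,7 @@ hunk was caught by the textual replacement: its colon was English punctuation, not set membership, and the new text reads `x and y \<in> faster`. The original line should be restored, `(*Prevents simplification of x and y: faster and allows the execution`. Since the change looks like a mechanical substitution, the other comments in the touched files are worth a quick scan for the same slip.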