some x-symbols
authorpaulson
Tue Feb 04 18:12:40 2003 +0100 (2003-02-04)
changeset 138053786b2fd6808
parent 13804 d643300e4fc0
child 13806 fd40c9d9076b
some x-symbols
src/HOL/UNITY/Comp.thy
src/HOL/UNITY/Constrains.thy
src/HOL/UNITY/Detects.thy
src/HOL/UNITY/Extend.thy
src/HOL/UNITY/Follows.thy
src/HOL/UNITY/Guar.thy
src/HOL/UNITY/Lift_prog.thy
src/HOL/UNITY/PPROD.thy
src/HOL/UNITY/Rename.thy
src/HOL/UNITY/SubstAx.thy
src/HOL/UNITY/UNITY.thy
src/HOL/UNITY/Union.thy
src/HOL/UNITY/WFair.thy
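--- a/src/HOL/UNITY/Comp.thy	Mon Feb 03 11:45:05 2003 +0100
+++ b/src/HOL/UNITY/Comp.thy	Tue Feb 04 18:12:40 2003 +0100
@@ -9,7 +9,7 @@
 
 Revised by Sidi Ehmety on January  2001 
 
-Added: a strong form of the <= relation (component_of) and localize 
+Added: a strong form of the \<subseteq> relation (component_of) and localize 
 
 *)
 
@@ -20,33 +20,32 @@
 instance program :: (type) ord ..
 
 defs
-  component_def:          "F <= H == EX G. F Join G = H"
-  strict_component_def:   "(F < (H::'a program)) == (F <= H & F ~= H)"
+  component_def:          "F \<le> H == \<exists>G. F Join G = H"
+  strict_component_def:   "(F < (H::'a program)) == (F \<le> H & F \<noteq> H)"
 
 
 constdefs
-  component_of :: "'a program=>'a program=> bool"
+  component_of :: "'a program =>'a program=> bool"
                                     (infixl "component'_of" 50)
-  "F component_of H == EX G. F ok G & F Join G = H"
+  "F component_of H == \<exists>G. F ok G & F Join G = H"
 
   strict_component_of :: "'a program\<Rightarrow>'a program=> bool"
                                     (infixl "strict'_component'_of" 50)
-  "F strict_component_of H == F component_of H & F~=H"
+  "F strict_component_of H == F component_of H & F\<noteq>H"
   
   preserves :: "('a=>'b) => 'a program set"
-    "preserves v == INT z. stable {s. v s = z}"
+    "preserves v == \<Inter>z. stable {s. v s = z}"
 
   localize  :: "('a=>'b) => 'a program => 'a program"
   "localize v F == mk_program(Init F, Acts F,
-			      AllowedActs F Int (UN G:preserves v. Acts G))"
+			      AllowedActs F \<inter> (\<Union>G \<in> preserves v. Acts G))"
 
   funPair      :: "['a => 'b, 'a => 'c, 'a] => 'b * 'c"
   "funPair f g == %x. (f x, g x)"
 
 
 subsection{*The component relation*}
-lemma componentI: 
-     "H <= F | H <= G ==> H <= (F Join G)"
+lemma componentI: "H \<le> F | H \<le> G ==> H \<le> (F Join G)"
 apply (unfold component_def, auto)
 apply (rule_tac x = "G Join Ga" in exI)
 apply (rule_tac [2] x = "G Join F" in exI)
@@ -54,61 +53,61 @@
 done
 
 lemma component_eq_subset: 
-     "(F <= G) =  
-      (Init G <= Init F & Acts F <= Acts G & AllowedActs G <= AllowedActs F)"
+     "(F \<le> G) =  
+      (Init G \<subseteq> Init F & Acts F \<subseteq> Acts G & AllowedActs G \<subseteq> AllowedActs F)"
 apply (unfold component_def)
 apply (force intro!: exI program_equalityI)
 done
 
-lemma component_SKIP [iff]: "SKIP <= F"
+lemma component_SKIP [iff]: "SKIP \<le> F"
 apply (unfold component_def)
 apply (force intro: Join_SKIP_left)
 done
 
-lemma component_refl [iff]: "F <= (F :: 'a program)"
+lemma component_refl [iff]: "F \<le> (F :: 'a program)"
 apply (unfold component_def)
 apply (blast intro: Join_SKIP_right)
 done
 
-lemma SKIP_minimal: "F <= SKIP ==> F = SKIP"
+lemma SKIP_minimal: "F \<le> SKIP ==> F = SKIP"
 by (auto intro!: program_equalityI simp add: component_eq_subset)
 
-lemma component_Join1: "F <= (F Join G)"
+lemma component_Join1: "F \<le> (F Join G)"
 by (unfold component_def, blast)
 
-lemma component_Join2: "G <= (F Join G)"
+lemma component_Join2: "G \<le> (F Join G)"
 apply (unfold component_def)
 apply (simp add: Join_commute, blast)
 done
 
-lemma Join_absorb1: "F<=G ==> F Join G = G"
+lemma Join_absorb1: "F \<le> G ==> F Join G = G"
 by (auto simp add: component_def Join_left_absorb)
 
-lemma Join_absorb2: "G<=F ==> F Join G = F"
+lemma Join_absorb2: "G \<le> F ==> F Join G = F"
 by (auto simp add: Join_ac component_def)
 
-lemma JN_component_iff: "((JOIN I F) <= H) = (ALL i: I. F i <= H)"
+lemma JN_component_iff: "((JOIN I F) \<le> H) = (\<forall>i \<in> I. F i \<le> H)"
 by (simp add: component_eq_subset, blast)
 
-lemma component_JN: "i : I ==> (F i) <= (JN i:I. (F i))"
+lemma component_JN: "i \<in> I ==> (F i) \<le> (\<Squnion>i \<in> I. (F i))"
 apply (unfold component_def)
 apply (blast intro: JN_absorb)
 done
 
-lemma component_trans: "[| F <= G; G <= H |] ==> F <= (H :: 'a program)"
+lemma component_trans: "[| F \<le> G; G \<le> H |] ==> F \<le> (H :: 'a program)"
 apply (unfold component_def)
 apply (blast intro: Join_assoc [symmetric])
 done
 
-lemma component_antisym: "[| F <= G; G <= F |] ==> F = (G :: 'a program)"
+lemma component_antisym: "[| F \<le> G; G \<le> F |] ==> F = (G :: 'a program)"
 apply (simp (no_asm_use) add: component_eq_subset)
 apply (blast intro!: program_equalityI)
 done
 
-lemma Join_component_iff: "((F Join G) <= H) = (F <= H & G <= H)"
+lemma Join_component_iff: "((F Join G) \<le> H) = (F \<le> H & G \<le> H)"
 by (simp add: component_eq_subset, blast)
 
-lemma component_constrains: "[| F <= G; G : A co B |] ==> F : A co B"
+lemma component_constrains: "[| F \<le> G; G \<in> A co B |] ==> F \<in> A co B"
 by (auto simp add: constrains_def component_eq_subset)
 
 (*Used in Guar.thy to show that programs are partially ordered*)
@@ -117,34 +116,34 @@
 
 subsection{*The preserves property*}
 
-lemma preservesI: "(!!z. F : stable {s. v s = z}) ==> F : preserves v"
+lemma preservesI: "(!!z. F \<in> stable {s. v s = z}) ==> F \<in> preserves v"
 by (unfold preserves_def, blast)
 
 lemma preserves_imp_eq: 
-     "[| F : preserves v;  act : Acts F;  (s,s') : act |] ==> v s = v s'"
+     "[| F \<in> preserves v;  act \<in> Acts F;  (s,s') \<in> act |] ==> v s = v s'"
 apply (unfold preserves_def stable_def constrains_def, force)
 done
 
 lemma Join_preserves [iff]: 
-     "(F Join G : preserves v) = (F : preserves v & G : preserves v)"
+     "(F Join G \<in> preserves v) = (F \<in> preserves v & G \<in> preserves v)"
 apply (unfold preserves_def, auto)
 done
 
 lemma JN_preserves [iff]:
-     "(JOIN I F : preserves v) = (ALL i:I. F i : preserves v)"
+     "(JOIN I F \<in> preserves v) = (\<forall>i \<in> I. F i \<in> preserves v)"
 apply (simp add: JN_stable preserves_def, blast)
 done
 
-lemma SKIP_preserves [iff]: "SKIP : preserves v"
+lemma SKIP_preserves [iff]: "SKIP \<in> preserves v"
 by (auto simp add: preserves_def)
 
 lemma funPair_apply [simp]: "(funPair f g) x = (f x, g x)"
 by (simp add:  funPair_def)
 
-lemma preserves_funPair: "preserves (funPair v w) = preserves v Int preserves w"
+lemma preserves_funPair: "preserves (funPair v w) = preserves v \<inter> preserves w"
 by (auto simp add: preserves_def stable_def constrains_def, blast)
 
-(* (F : preserves (funPair v w)) = (F : preserves v Int preserves w) *)
+(* (F \<in> preserves (funPair v w)) = (F \<in> preserves v \<inter> preserves w) *)
 declare preserves_funPair [THEN eqset_imp_iff, iff]
 
 
@@ -157,20 +156,20 @@
 lemma snd_o_funPair [simp]: "snd o (funPair f g) = g"
 by (simp add: funPair_def o_def)
 
-lemma subset_preserves_o: "preserves v <= preserves (w o v)"
+lemma subset_preserves_o: "preserves v \<subseteq> preserves (w o v)"
 by (force simp add: preserves_def stable_def constrains_def)
 
-lemma preserves_subset_stable: "preserves v <= stable {s. P (v s)}"
+lemma preserves_subset_stable: "preserves v \<subseteq> stable {s. P (v s)}"
 apply (auto simp add: preserves_def stable_def constrains_def)
 apply (rename_tac s' s)
 apply (subgoal_tac "v s = v s'")
 apply (force+)
 done
 
-lemma preserves_subset_increasing: "preserves v <= increasing v"
+lemma preserves_subset_increasing: "preserves v \<subseteq> increasing v"
 by (auto simp add: preserves_subset_stable [THEN subsetD] increasing_def)
 
-lemma preserves_id_subset_stable: "preserves id <= stable A"
+lemma preserves_id_subset_stable: "preserves id \<subseteq> stable A"
 by (force simp add: preserves_def stable_def constrains_def)
 
 
@@ -183,27 +182,27 @@
 (** Some lemmas used only in Client.ML **)
 
 lemma stable_localTo_stable2:
-     "[| F : stable {s. P (v s) (w s)};    
-         G : preserves v;  G : preserves w |]                
-      ==> F Join G : stable {s. P (v s) (w s)}"
-apply (simp (no_asm_simp))
-apply (subgoal_tac "G: preserves (funPair v w) ")
+     "[| F \<in> stable {s. P (v s) (w s)};    
+         G \<in> preserves v;  G \<in> preserves w |]                
+      ==> F Join G \<in> stable {s. P (v s) (w s)}"
+apply (simp)
+apply (subgoal_tac "G \<in> preserves (funPair v w) ")
  prefer 2 apply simp 
-apply (drule_tac P1 = "split ?Q" in  preserves_subset_stable [THEN subsetD], auto)
+apply (drule_tac P1 = "split ?Q" in preserves_subset_stable [THEN subsetD], auto)
 done
 
 lemma Increasing_preserves_Stable:
-     "[| F : stable {s. v s <= w s};  G : preserves v;        
-         F Join G : Increasing w |]                
-      ==> F Join G : Stable {s. v s <= w s}"
+     "[| F \<in> stable {s. v s \<le> w s};  G \<in> preserves v;        
+         F Join G \<in> Increasing w |]                
+      ==> F Join G \<in> Stable {s. v s \<le> w s}"
 apply (auto simp add: stable_def Stable_def Increasing_def Constrains_def all_conj_distrib)
 apply (blast intro: constrains_weaken)
 (*The G case remains*)
 apply (auto simp add: preserves_def stable_def constrains_def)
 apply (case_tac "act: Acts F", blast)
 (*We have a G-action, so delete assumptions about F-actions*)
-apply (erule_tac V = "ALL act:Acts F. ?P act" in thin_rl)
-apply (erule_tac V = "ALL z. ALL act:Acts F. ?P z act" in thin_rl)
+apply (erule_tac V = "\<forall>act \<in> Acts F. ?P act" in thin_rl)
+apply (erule_tac V = "\<forall>z. \<forall>act \<in> Acts F. ?P z act" in thin_rl)
 apply (subgoal_tac "v x = v xa")
 prefer 2 apply blast
 apply auto
@@ -212,12 +211,12 @@
 
 (** component_of **)
 
-(*  component_of is stronger than <= *)
-lemma component_of_imp_component: "F component_of H ==> F <= H"
+(*  component_of is stronger than \<le> *)
+lemma component_of_imp_component: "F component_of H ==> F \<le> H"
 by (unfold component_def component_of_def, blast)
 
 
-(* component_of satisfies many of the <='s properties *)
+(* component_of satisfies many of the same properties as \<le> *)
 lemma component_of_refl [simp]: "F component_of F"
 apply (unfold component_of_def)
 apply (rule_tac x = SKIP in exI, auto)
@@ -243,7 +242,7 @@
 by (simp add: localize_def)
 
 lemma localize_AllowedActs_eq [simp]: 
- "AllowedActs (localize v F) = AllowedActs F Int (UN G:(preserves v). Acts G)"
+ "AllowedActs (localize v F) = AllowedActs F \<inter> (\<Union>G \<in> preserves v. Acts G)"
 by (unfold localize_def, auto)
 
 end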
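Review bot: `apply (simp)` in stable_localTo_stable2 replaces `apply (simp (no_asm_simp))`, which is the one edit in this section that changes proof behaviour (simp may now rewrite the assumptions as well as the goal) rather than notation, yet the commit message mentions only x-symbols; it deserves a line in the message, and `apply simp` is the usual spelling. The conversion is also incomplete in the constdefs block: the new type of component_of, `'a program =>'a program=> bool`, keeps the ASCII arrows and gains a stray space while strict_component_of directly below already uses `\<Rightarrow>`, so `component_of :: "'a program \<Rightarrow> 'a program \<Rightarrow> bool"` would match its neighbour. The same partial conversion recurs in the Constrains.thy section, where `act: acts`, `(s,s'): act`, `s': A'` and `A'<=B'` stay in ASCII beside operators that were converted to `\<in>` and `\<subseteq>`.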
     2.1 --- a/src/HOL/UNITY/Constrains.thy	Mon Feb 03 11:45:05 2003 +0100
     2.2 +++ b/src/HOL/UNITY/Constrains.thy	Tue Feb 04 18:12:40 2003 +0100
     2.3 @@ -18,65 +18,65 @@
     2.4  inductive "traces init acts"  
     2.5    intros 
     2.6           (*Initial trace is empty*)
     2.7 -    Init:  "s: init ==> (s,[]) : traces init acts"
     2.8 +    Init:  "s \<in> init ==> (s,[]) \<in> traces init acts"
     2.9  
    2.10 -    Acts:  "[| act: acts;  (s,evs) : traces init acts;  (s,s'): act |]
    2.11 -	    ==> (s', s#evs) : traces init acts"
    2.12 +    Acts:  "[| act: acts;  (s,evs) \<in> traces init acts;  (s,s'): act |]
    2.13 +	    ==> (s', s#evs) \<in> traces init acts"
    2.14  
    2.15  
    2.16  consts reachable :: "'a program => 'a set"
    2.17  
    2.18  inductive "reachable F"
    2.19    intros 
    2.20 -    Init:  "s: Init F ==> s : reachable F"
    2.21 +    Init:  "s \<in> Init F ==> s \<in> reachable F"
    2.22  
    2.23 -    Acts:  "[| act: Acts F;  s : reachable F;  (s,s'): act |]
    2.24 -	    ==> s' : reachable F"
    2.25 +    Acts:  "[| act: Acts F;  s \<in> reachable F;  (s,s'): act |]
    2.26 +	    ==> s' \<in> reachable F"
    2.27  
    2.28  constdefs
    2.29    Constrains :: "['a set, 'a set] => 'a program set"  (infixl "Co" 60)
    2.30 -    "A Co B == {F. F : (reachable F Int A)  co  B}"
    2.31 +    "A Co B == {F. F \<in> (reachable F \<inter> A)  co  B}"
    2.32  
    2.33    Unless  :: "['a set, 'a set] => 'a program set"     (infixl "Unless" 60)
    2.34 -    "A Unless B == (A-B) Co (A Un B)"
    2.35 +    "A Unless B == (A-B) Co (A \<union> B)"
    2.36  
    2.37    Stable     :: "'a set => 'a program set"
    2.38      "Stable A == A Co A"
    2.39  
    2.40    (*Always is the weak form of "invariant"*)
    2.41    Always :: "'a set => 'a program set"
    2.42 -    "Always A == {F. Init F <= A} Int Stable A"
    2.43 +    "Always A == {F. Init F \<subseteq> A} \<inter> Stable A"
    2.44  
    2.45 -  (*Polymorphic in both states and the meaning of <= *)
    2.46 +  (*Polymorphic in both states and the meaning of \<le> *)
    2.47    Increasing :: "['a => 'b::{order}] => 'a program set"
    2.48 -    "Increasing f == INT z. Stable {s. z <= f s}"
    2.49 +    "Increasing f == \<Inter>z. Stable {s. z \<le> f s}"
    2.50  
    2.51  
    2.52  subsection{*traces and reachable*}
    2.53  
    2.54  lemma reachable_equiv_traces:
    2.55 -     "reachable F = {s. EX evs. (s,evs): traces (Init F) (Acts F)}"
    2.56 +     "reachable F = {s. \<exists>evs. (s,evs): traces (Init F) (Acts F)}"
    2.57  apply safe
    2.58  apply (erule_tac [2] traces.induct)
    2.59  apply (erule reachable.induct)
    2.60  apply (blast intro: reachable.intros traces.intros)+
    2.61  done
    2.62  
    2.63 -lemma Init_subset_reachable: "Init F <= reachable F"
    2.64 +lemma Init_subset_reachable: "Init F \<subseteq> reachable F"
    2.65  by (blast intro: reachable.intros)
    2.66  
    2.67  lemma stable_reachable [intro!,simp]:
    2.68 -     "Acts G <= Acts F ==> G : stable (reachable F)"
    2.69 +     "Acts G \<subseteq> Acts F ==> G \<in> stable (reachable F)"
    2.70  by (blast intro: stableI constrainsI reachable.intros)
    2.71  
    2.72  (*The set of all reachable states is an invariant...*)
    2.73 -lemma invariant_reachable: "F : invariant (reachable F)"
    2.74 +lemma invariant_reachable: "F \<in> invariant (reachable F)"
    2.75  apply (simp add: invariant_def)
    2.76  apply (blast intro: reachable.intros)
    2.77  done
    2.78  
    2.79  (*...in fact the strongest invariant!*)
    2.80 -lemma invariant_includes_reachable: "F : invariant A ==> reachable F <= A"
    2.81 +lemma invariant_includes_reachable: "F \<in> invariant A ==> reachable F \<subseteq> A"
    2.82  apply (simp add: stable_def constrains_def invariant_def)
    2.83  apply (rule subsetI)
    2.84  apply (erule reachable.induct)
    2.85 @@ -86,55 +86,55 @@
    2.86  
    2.87  subsection{*Co*}
    2.88  
    2.89 -(*F : B co B' ==> F : (reachable F Int B) co (reachable F Int B')*)
    2.90 +(*F \<in> B co B' ==> F \<in> (reachable F \<inter> B) co (reachable F \<inter> B')*)
    2.91  lemmas constrains_reachable_Int =  
    2.92      subset_refl [THEN stable_reachable [unfolded stable_def], 
    2.93                   THEN constrains_Int, standard]
    2.94  
    2.95  (*Resembles the previous definition of Constrains*)
    2.96  lemma Constrains_eq_constrains: 
    2.97 -     "A Co B = {F. F : (reachable F  Int  A) co (reachable F  Int  B)}"
    2.98 +     "A Co B = {F. F \<in> (reachable F  \<inter>  A) co (reachable F  \<inter>  B)}"
    2.99  apply (unfold Constrains_def)
   2.100  apply (blast dest: constrains_reachable_Int intro: constrains_weaken)
   2.101  done
   2.102  
   2.103 -lemma constrains_imp_Constrains: "F : A co A' ==> F : A Co A'"
   2.104 +lemma constrains_imp_Constrains: "F \<in> A co A' ==> F \<in> A Co A'"
   2.105  apply (unfold Constrains_def)
   2.106  apply (blast intro: constrains_weaken_L)
   2.107  done
   2.108  
   2.109 -lemma stable_imp_Stable: "F : stable A ==> F : Stable A"
   2.110 +lemma stable_imp_Stable: "F \<in> stable A ==> F \<in> Stable A"
   2.111  apply (unfold stable_def Stable_def)
   2.112  apply (erule constrains_imp_Constrains)
   2.113  done
   2.114  
   2.115  lemma ConstrainsI: 
   2.116 -    "(!!act s s'. [| act: Acts F;  (s,s') : act;  s: A |] ==> s': A')  
   2.117 -     ==> F : A Co A'"
   2.118 +    "(!!act s s'. [| act: Acts F;  (s,s') \<in> act;  s \<in> A |] ==> s': A')  
   2.119 +     ==> F \<in> A Co A'"
   2.120  apply (rule constrains_imp_Constrains)
   2.121  apply (blast intro: constrainsI)
   2.122  done
   2.123  
   2.124 -lemma Constrains_empty [iff]: "F : {} Co B"
   2.125 +lemma Constrains_empty [iff]: "F \<in> {} Co B"
   2.126  by (unfold Constrains_def constrains_def, blast)
   2.127  
   2.128 -lemma Constrains_UNIV [iff]: "F : A Co UNIV"
   2.129 +lemma Constrains_UNIV [iff]: "F \<in> A Co UNIV"
   2.130  by (blast intro: ConstrainsI)
   2.131  
   2.132  lemma Constrains_weaken_R: 
   2.133 -    "[| F : A Co A'; A'<=B' |] ==> F : A Co B'"
   2.134 +    "[| F \<in> A Co A'; A'<=B' |] ==> F \<in> A Co B'"
   2.135  apply (unfold Constrains_def)
   2.136  apply (blast intro: constrains_weaken_R)
   2.137  done
   2.138  
   2.139  lemma Constrains_weaken_L: 
   2.140 -    "[| F : A Co A'; B<=A |] ==> F : B Co A'"
   2.141 +    "[| F \<in> A Co A'; B \<subseteq> A |] ==> F \<in> B Co A'"
   2.142  apply (unfold Constrains_def)
   2.143  apply (blast intro: constrains_weaken_L)
   2.144  done
   2.145  
   2.146  lemma Constrains_weaken: 
   2.147 -   "[| F : A Co A'; B<=A; A'<=B' |] ==> F : B Co B'"
   2.148 +   "[| F \<in> A Co A'; B \<subseteq> A; A'<=B' |] ==> F \<in> B Co B'"
   2.149  apply (unfold Constrains_def)
   2.150  apply (blast intro: constrains_weaken)
   2.151  done
   2.152 @@ -142,14 +142,14 @@
   2.153  (** Union **)
   2.154  
   2.155  lemma Constrains_Un: 
   2.156 -    "[| F : A Co A'; F : B Co B' |] ==> F : (A Un B) Co (A' Un B')"
   2.157 +    "[| F \<in> A Co A'; F \<in> B Co B' |] ==> F \<in> (A \<union> B) Co (A' \<union> B')"
   2.158  apply (unfold Constrains_def)
   2.159  apply (blast intro: constrains_Un [THEN constrains_weaken])
   2.160  done
   2.161  
   2.162  lemma Constrains_UN: 
   2.163 -  assumes Co: "!!i. i:I ==> F : (A i) Co (A' i)"
   2.164 -  shows "F : (UN i:I. A i) Co (UN i:I. A' i)"
   2.165 +  assumes Co: "!!i. i \<in> I ==> F \<in> (A i) Co (A' i)"
   2.166 +  shows "F \<in> (\<Union>i \<in> I. A i) Co (\<Union>i \<in> I. A' i)"
   2.167  apply (unfold Constrains_def)
   2.168  apply (rule CollectI)
   2.169  apply (rule Co [unfolded Constrains_def, THEN CollectD, THEN constrains_UN, 
   2.170 @@ -159,83 +159,83 @@
   2.171  (** Intersection **)
   2.172  
   2.173  lemma Constrains_Int: 
   2.174 -    "[| F : A Co A'; F : B Co B' |] ==> F : (A Int B) Co (A' Int B')"
   2.175 +    "[| F \<in> A Co A'; F \<in> B Co B' |] ==> F \<in> (A \<inter> B) Co (A' \<inter> B')"
   2.176  apply (unfold Constrains_def)
   2.177  apply (blast intro: constrains_Int [THEN constrains_weaken])
   2.178  done
   2.179  
   2.180  lemma Constrains_INT: 
   2.181 -  assumes Co: "!!i. i:I ==> F : (A i) Co (A' i)"
   2.182 -  shows "F : (INT i:I. A i) Co (INT i:I. A' i)"
   2.183 +  assumes Co: "!!i. i \<in> I ==> F \<in> (A i) Co (A' i)"
   2.184 +  shows "F \<in> (\<Inter>i \<in> I. A i) Co (\<Inter>i \<in> I. A' i)"
   2.185  apply (unfold Constrains_def)
   2.186  apply (rule CollectI)
   2.187  apply (rule Co [unfolded Constrains_def, THEN CollectD, THEN constrains_INT, 
   2.188                  THEN constrains_weaken],   auto)
   2.189  done
   2.190  
   2.191 -lemma Constrains_imp_subset: "F : A Co A' ==> reachable F Int A <= A'"
   2.192 +lemma Constrains_imp_subset: "F \<in> A Co A' ==> reachable F \<inter> A \<subseteq> A'"
   2.193  by (simp add: constrains_imp_subset Constrains_def)
   2.194  
   2.195 -lemma Constrains_trans: "[| F : A Co B; F : B Co C |] ==> F : A Co C"
   2.196 +lemma Constrains_trans: "[| F \<in> A Co B; F \<in> B Co C |] ==> F \<in> A Co C"
   2.197  apply (simp add: Constrains_eq_constrains)
   2.198  apply (blast intro: constrains_trans constrains_weaken)
   2.199  done
   2.200  
   2.201  lemma Constrains_cancel:
   2.202 -     "[| F : A Co (A' Un B); F : B Co B' |] ==> F : A Co (A' Un B')"
   2.203 +     "[| F \<in> A Co (A' \<union> B); F \<in> B Co B' |] ==> F \<in> A Co (A' \<union> B')"
   2.204  by (simp add: Constrains_eq_constrains constrains_def, blast)
   2.205  
   2.206  
   2.207  subsection{*Stable*}
   2.208  
   2.209  (*Useful because there's no Stable_weaken.  [Tanja Vos]*)
   2.210 -lemma Stable_eq: "[| F: Stable A; A = B |] ==> F : Stable B"
   2.211 +lemma Stable_eq: "[| F \<in> Stable A; A = B |] ==> F \<in> Stable B"
   2.212  by blast
   2.213  
   2.214 -lemma Stable_eq_stable: "(F : Stable A) = (F : stable (reachable F Int A))"
   2.215 +lemma Stable_eq_stable: "(F \<in> Stable A) = (F \<in> stable (reachable F \<inter> A))"
   2.216  by (simp add: Stable_def Constrains_eq_constrains stable_def)
   2.217  
   2.218 -lemma StableI: "F : A Co A ==> F : Stable A"
   2.219 +lemma StableI: "F \<in> A Co A ==> F \<in> Stable A"
   2.220  by (unfold Stable_def, assumption)
   2.221  
   2.222 -lemma StableD: "F : Stable A ==> F : A Co A"
   2.223 +lemma StableD: "F \<in> Stable A ==> F \<in> A Co A"
   2.224  by (unfold Stable_def, assumption)
   2.225  
   2.226  lemma Stable_Un: 
   2.227 -    "[| F : Stable A; F : Stable A' |] ==> F : Stable (A Un A')"
   2.228 +    "[| F \<in> Stable A; F \<in> Stable A' |] ==> F \<in> Stable (A \<union> A')"
   2.229  apply (unfold Stable_def)
   2.230  apply (blast intro: Constrains_Un)
   2.231  done
   2.232  
   2.233  lemma Stable_Int: 
   2.234 -    "[| F : Stable A; F : Stable A' |] ==> F : Stable (A Int A')"
   2.235 +    "[| F \<in> Stable A; F \<in> Stable A' |] ==> F \<in> Stable (A \<inter> A')"
   2.236  apply (unfold Stable_def)
   2.237  apply (blast intro: Constrains_Int)
   2.238  done
   2.239  
   2.240  lemma Stable_Constrains_Un: 
   2.241 -    "[| F : Stable C; F : A Co (C Un A') |]    
   2.242 -     ==> F : (C Un A) Co (C Un A')"
   2.243 +    "[| F \<in> Stable C; F \<in> A Co (C \<union> A') |]    
   2.244 +     ==> F \<in> (C \<union> A) Co (C \<union> A')"
   2.245  apply (unfold Stable_def)
   2.246  apply (blast intro: Constrains_Un [THEN Constrains_weaken])
   2.247  done
   2.248  
   2.249  lemma Stable_Constrains_Int: 
   2.250 -    "[| F : Stable C; F : (C Int A) Co A' |]    
   2.251 -     ==> F : (C Int A) Co (C Int A')"
   2.252 +    "[| F \<in> Stable C; F \<in> (C \<inter> A) Co A' |]    
   2.253 +     ==> F \<in> (C \<inter> A) Co (C \<inter> A')"
   2.254  apply (unfold Stable_def)
   2.255  apply (blast intro: Constrains_Int [THEN Constrains_weaken])
   2.256  done
   2.257  
   2.258  lemma Stable_UN: 
   2.259 -    "(!!i. i:I ==> F : Stable (A i)) ==> F : Stable (UN i:I. A i)"
   2.260 +    "(!!i. i \<in> I ==> F \<in> Stable (A i)) ==> F \<in> Stable (\<Union>i \<in> I. A i)"
   2.261  by (simp add: Stable_def Constrains_UN) 
   2.262  
   2.263  lemma Stable_INT: 
   2.264 -    "(!!i. i:I ==> F : Stable (A i)) ==> F : Stable (INT i:I. A i)"
   2.265 +    "(!!i. i \<in> I ==> F \<in> Stable (A i)) ==> F \<in> Stable (\<Inter>i \<in> I. A i)"
   2.266  by (simp add: Stable_def Constrains_INT) 
   2.267  
   2.268 -lemma Stable_reachable: "F : Stable (reachable F)"
   2.269 +lemma Stable_reachable: "F \<in> Stable (reachable F)"
   2.270  by (simp add: Stable_eq_stable)
   2.271  
   2.272  
   2.273 @@ -243,22 +243,22 @@
   2.274  subsection{*Increasing*}
   2.275  
   2.276  lemma IncreasingD: 
   2.277 -     "F : Increasing f ==> F : Stable {s. x <= f s}"
   2.278 +     "F \<in> Increasing f ==> F \<in> Stable {s. x \<le> f s}"
   2.279  by (unfold Increasing_def, blast)
   2.280  
   2.281  lemma mono_Increasing_o: 
   2.282 -     "mono g ==> Increasing f <= Increasing (g o f)"
   2.283 +     "mono g ==> Increasing f \<subseteq> Increasing (g o f)"
   2.284  apply (simp add: Increasing_def Stable_def Constrains_def stable_def 
   2.285                   constrains_def)
   2.286  apply (blast intro: monoD order_trans)
   2.287  done
   2.288  
   2.289  lemma strict_IncreasingD: 
   2.290 -     "!!z::nat. F : Increasing f ==> F: Stable {s. z < f s}"
   2.291 +     "!!z::nat. F \<in> Increasing f ==> F \<in> Stable {s. z < f s}"
   2.292  by (simp add: Increasing_def Suc_le_eq [symmetric])
   2.293  
   2.294  lemma increasing_imp_Increasing: 
   2.295 -     "F : increasing f ==> F : Increasing f"
   2.296 +     "F \<in> increasing f ==> F \<in> Increasing f"
   2.297  apply (unfold increasing_def Increasing_def)
   2.298  apply (blast intro: stable_imp_Stable)
   2.299  done
   2.300 @@ -270,17 +270,17 @@
   2.301  subsection{*The Elimination Theorem*}
   2.302  
   2.303  (*The "free" m has become universally quantified! Should the premise be !!m
   2.304 -instead of ALL m ?  Would make it harder to use in forward proof.*)
   2.305 +instead of \<forall>m ?  Would make it harder to use in forward proof.*)
   2.306  
   2.307  lemma Elimination: 
   2.308 -    "[| ALL m. F : {s. s x = m} Co (B m) |]  
   2.309 -     ==> F : {s. s x : M} Co (UN m:M. B m)"
   2.310 +    "[| \<forall>m. F \<in> {s. s x = m} Co (B m) |]  
   2.311 +     ==> F \<in> {s. s x \<in> M} Co (\<Union>m \<in> M. B m)"
   2.312  by (unfold Constrains_def constrains_def, blast)
   2.313  
   2.314  (*As above, but for the trivial case of a one-variable state, in which the
   2.315    state is identified with its one variable.*)
   2.316  lemma Elimination_sing: 
   2.317 -    "(ALL m. F : {m} Co (B m)) ==> F : M Co (UN m:M. B m)"
   2.318 +    "(\<forall>m. F \<in> {m} Co (B m)) ==> F \<in> M Co (\<Union>m \<in> M. B m)"
   2.319  by (unfold Constrains_def constrains_def, blast)
   2.320  
   2.321  
   2.322 @@ -288,10 +288,10 @@
   2.323  
   2.324  (** Natural deduction rules for "Always A" **)
   2.325  
   2.326 -lemma AlwaysI: "[| Init F<=A;  F : Stable A |] ==> F : Always A"
   2.327 +lemma AlwaysI: "[| Init F \<subseteq> A;  F \<in> Stable A |] ==> F \<in> Always A"
   2.328  by (simp add: Always_def)
   2.329  
   2.330 -lemma AlwaysD: "F : Always A ==> Init F<=A & F : Stable A"
   2.331 +lemma AlwaysD: "F \<in> Always A ==> Init F \<subseteq> A & F \<in> Stable A"
   2.332  by (simp add: Always_def)
   2.333  
   2.334  lemmas AlwaysE = AlwaysD [THEN conjE, standard]
   2.335 @@ -299,7 +299,7 @@
   2.336  
   2.337  
   2.338  (*The set of all reachable states is Always*)
   2.339 -lemma Always_includes_reachable: "F : Always A ==> reachable F <= A"
   2.340 +lemma Always_includes_reachable: "F \<in> Always A ==> reachable F \<subseteq> A"
   2.341  apply (simp add: Stable_def Constrains_def constrains_def Always_def)
   2.342  apply (rule subsetI)
   2.343  apply (erule reachable.induct)
   2.344 @@ -307,7 +307,7 @@
   2.345  done
   2.346  
   2.347  lemma invariant_imp_Always: 
   2.348 -     "F : invariant A ==> F : Always A"
   2.349 +     "F \<in> invariant A ==> F \<in> Always A"
   2.350  apply (unfold Always_def invariant_def Stable_def stable_def)
   2.351  apply (blast intro: constrains_imp_Constrains)
   2.352  done
   2.353 @@ -316,55 +316,55 @@
   2.354      invariant_reachable [THEN invariant_imp_Always, standard]
   2.355  
   2.356  lemma Always_eq_invariant_reachable:
   2.357 -     "Always A = {F. F : invariant (reachable F Int A)}"
   2.358 +     "Always A = {F. F \<in> invariant (reachable F \<inter> A)}"
   2.359  apply (simp add: Always_def invariant_def Stable_def Constrains_eq_constrains
   2.360                   stable_def)
   2.361  apply (blast intro: reachable.intros)
   2.362  done
   2.363  
   2.364  (*the RHS is the traditional definition of the "always" operator*)
   2.365 -lemma Always_eq_includes_reachable: "Always A = {F. reachable F <= A}"
   2.366 +lemma Always_eq_includes_reachable: "Always A = {F. reachable F \<subseteq> A}"
   2.367  by (auto dest: invariant_includes_reachable simp add: Int_absorb2 invariant_reachable Always_eq_invariant_reachable)
   2.368  
   2.369  lemma Always_UNIV_eq [simp]: "Always UNIV = UNIV"
   2.370  by (auto simp add: Always_eq_includes_reachable)
   2.371  
   2.372 -lemma UNIV_AlwaysI: "UNIV <= A ==> F : Always A"
   2.373 +lemma UNIV_AlwaysI: "UNIV \<subseteq> A ==> F \<in> Always A"
   2.374  by (auto simp add: Always_eq_includes_reachable)
   2.375  
   2.376 -lemma Always_eq_UN_invariant: "Always A = (UN I: Pow A. invariant I)"
   2.377 +lemma Always_eq_UN_invariant: "Always A = (\<Union>I \<in> Pow A. invariant I)"
   2.378  apply (simp add: Always_eq_includes_reachable)
   2.379  apply (blast intro: invariantI Init_subset_reachable [THEN subsetD] 
   2.380                      invariant_includes_reachable [THEN subsetD])
   2.381  done
   2.382  
   2.383 -lemma Always_weaken: "[| F : Always A; A <= B |] ==> F : Always B"
   2.384 +lemma Always_weaken: "[| F \<in> Always A; A \<subseteq> B |] ==> F \<in> Always B"
   2.385  by (auto simp add: Always_eq_includes_reachable)
   2.386  
   2.387  
   2.388  subsection{*"Co" rules involving Always*}
   2.389  
   2.390  lemma Always_Constrains_pre:
   2.391 -     "F : Always INV ==> (F : (INV Int A) Co A') = (F : A Co A')"
   2.392 +     "F \<in> Always INV ==> (F \<in> (INV \<inter> A) Co A') = (F \<in> A Co A')"
   2.393  by (simp add: Always_includes_reachable [THEN Int_absorb2] Constrains_def 
   2.394                Int_assoc [symmetric])
   2.395  
   2.396  lemma Always_Constrains_post:
   2.397 -     "F : Always INV ==> (F : A Co (INV Int A')) = (F : A Co A')"
   2.398 +     "F \<in> Always INV ==> (F \<in> A Co (INV \<inter> A')) = (F \<in> A Co A')"
   2.399  by (simp add: Always_includes_reachable [THEN Int_absorb2] 
   2.400                Constrains_eq_constrains Int_assoc [symmetric])
   2.401  
   2.402 -(* [| F : Always INV;  F : (INV Int A) Co A' |] ==> F : A Co A' *)
   2.403 +(* [| F \<in> Always INV;  F \<in> (INV \<inter> A) Co A' |] ==> F \<in> A Co A' *)
   2.404  lemmas Always_ConstrainsI = Always_Constrains_pre [THEN iffD1, standard]
   2.405  
   2.406 -(* [| F : Always INV;  F : A Co A' |] ==> F : A Co (INV Int A') *)
   2.407 +(* [| F \<in> Always INV;  F \<in> A Co A' |] ==> F \<in> A Co (INV \<inter> A') *)
   2.408  lemmas Always_ConstrainsD = Always_Constrains_post [THEN iffD2, standard]
   2.409  
   2.410  (*The analogous proof of Always_LeadsTo_weaken doesn't terminate*)
   2.411  lemma Always_Constrains_weaken:
   2.412 -     "[| F : Always C;  F : A Co A';    
   2.413 -         C Int B <= A;   C Int A' <= B' |]  
   2.414 -      ==> F : B Co B'"
   2.415 +     "[| F \<in> Always C;  F \<in> A Co A';    
   2.416 +         C \<inter> B \<subseteq> A;   C \<inter> A' \<subseteq> B' |]  
   2.417 +      ==> F \<in> B Co B'"
   2.418  apply (rule Always_ConstrainsI, assumption)
   2.419  apply (drule Always_ConstrainsD, assumption)
   2.420  apply (blast intro: Constrains_weaken)
   2.421 @@ -373,23 +373,23 @@
   2.422  
   2.423  (** Conjoining Always properties **)
   2.424  
   2.425 -lemma Always_Int_distrib: "Always (A Int B) = Always A Int Always B"
   2.426 +lemma Always_Int_distrib: "Always (A \<inter> B) = Always A \<inter> Always B"
   2.427  by (auto simp add: Always_eq_includes_reachable)
   2.428  
   2.429 -lemma Always_INT_distrib: "Always (INTER I A) = (INT i:I. Always (A i))"
   2.430 +lemma Always_INT_distrib: "Always (INTER I A) = (\<Inter>i \<in> I. Always (A i))"
   2.431  by (auto simp add: Always_eq_includes_reachable)
   2.432  
   2.433  lemma Always_Int_I:
   2.434 -     "[| F : Always A;  F : Always B |] ==> F : Always (A Int B)"
   2.435 +     "[| F \<in> Always A;  F \<in> Always B |] ==> F \<in> Always (A \<inter> B)"
   2.436  by (simp add: Always_Int_distrib)
   2.437  
   2.438  (*Allows a kind of "implication introduction"*)
   2.439  lemma Always_Compl_Un_eq:
   2.440 -     "F : Always A ==> (F : Always (-A Un B)) = (F : Always B)"
   2.441 +     "F \<in> Always A ==> (F \<in> Always (-A \<union> B)) = (F \<in> Always B)"
   2.442  by (auto simp add: Always_eq_includes_reachable)
   2.443  
   2.444  (*Delete the nearest invariance assumption (which will be the second one
   2.445    used by Always_Int_I) *)
   2.446 -lemmas Always_thin = thin_rl [of "F : Always A", standard]
   2.447 +lemmas Always_thin = thin_rl [of "F \<in> Always A", standard]
   2.448  
   2.449  end
     3.1 --- a/src/HOL/UNITY/Detects.thy	Mon Feb 03 11:45:05 2003 +0100
     3.2 +++ b/src/HOL/UNITY/Detects.thy	Tue Feb 04 18:12:40 2003 +0100
     3.3 @@ -15,47 +15,47 @@
     3.4     op_Equality :: "['a set, 'a set] => 'a set"          (infixl "<==>" 60)
     3.5     
     3.6  defs
     3.7 -  Detects_def:  "A Detects B == (Always (-A Un B)) Int (B LeadsTo A)"
     3.8 -  Equality_def: "A <==> B == (-A Un B) Int (A Un -B)"
     3.9 +  Detects_def:  "A Detects B == (Always (-A \<union> B)) \<inter> (B LeadsTo A)"
    3.10 +  Equality_def: "A <==> B == (-A \<union> B) \<inter> (A \<union> -B)"
    3.11  
    3.12  
    3.13  (* Corollary from Sectiom 3.6.4 *)
    3.14  
    3.15 -lemma Always_at_FP: "F: A LeadsTo B ==> F : Always (-((FP F) Int A Int -B))"
    3.16 +lemma Always_at_FP: "F \<in> A LeadsTo B ==> F \<in> Always (-((FP F) \<inter> A \<inter> -B))"
    3.17  apply (rule LeadsTo_empty)
    3.18 -apply (subgoal_tac "F : (FP F Int A Int - B) LeadsTo (B Int (FP F Int -B))")
    3.19 -apply (subgoal_tac [2] " (FP F Int A Int - B) = (A Int (FP F Int -B))")
    3.20 -apply (subgoal_tac "(B Int (FP F Int -B)) = {}")
    3.21 +apply (subgoal_tac "F \<in> (FP F \<inter> A \<inter> - B) LeadsTo (B \<inter> (FP F \<inter> -B))")
    3.22 +apply (subgoal_tac [2] " (FP F \<inter> A \<inter> - B) = (A \<inter> (FP F \<inter> -B))")
    3.23 +apply (subgoal_tac "(B \<inter> (FP F \<inter> -B)) = {}")
    3.24  apply auto
    3.25  apply (blast intro: PSP_Stable stable_imp_Stable stable_FP_Int)
    3.26  done
    3.27  
    3.28  
    3.29  lemma Detects_Trans: 
    3.30 -     "[| F : A Detects B; F : B Detects C |] ==> F : A Detects C"
    3.31 +     "[| F \<in> A Detects B; F \<in> B Detects C |] ==> F \<in> A Detects C"
    3.32  apply (unfold Detects_def Int_def)
    3.33  apply (simp (no_asm))
    3.34  apply safe
    3.35  apply (rule_tac [2] LeadsTo_Trans)
    3.36  apply auto
    3.37 -apply (subgoal_tac "F : Always ((-A Un B) Int (-B Un C))")
    3.38 +apply (subgoal_tac "F \<in> Always ((-A \<union> B) \<inter> (-B \<union> C))")
    3.39   apply (blast intro: Always_weaken)
    3.40  apply (simp add: Always_Int_distrib)
    3.41  done
    3.42  
    3.43 -lemma Detects_refl: "F : A Detects A"
    3.44 +lemma Detects_refl: "F \<in> A Detects A"
    3.45  apply (unfold Detects_def)
    3.46  apply (simp (no_asm) add: Un_commute Compl_partition subset_imp_LeadsTo)
    3.47  done
    3.48  
    3.49 -lemma Detects_eq_Un: "(A<==>B) = (A Int B) Un (-A Int -B)"
    3.50 +lemma Detects_eq_Un: "(A<==>B) = (A \<inter> B) \<union> (-A \<inter> -B)"
    3.51  apply (unfold Equality_def)
    3.52  apply blast
    3.53  done
    3.54  
    3.55  (*Not quite antisymmetry: sets A and B agree in all reachable states *)
    3.56  lemma Detects_antisym: 
    3.57 -     "[| F : A Detects B;  F : B Detects A|] ==> F : Always (A <==> B)"
    3.58 +     "[| F \<in> A Detects B;  F \<in> B Detects A|] ==> F \<in> Always (A <==> B)"
    3.59  apply (unfold Detects_def Equality_def)
    3.60  apply (simp add: Always_Int_I Un_commute)
    3.61  done
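Review bot: The context comment above Always_at_FP, `(* Corollary from Sectiom 3.6.4 *)`, carries a typo that a pass touching every line of this hunk could have fixed at the same time; `(* Corollary from Section 3.6.4 *)`. Within the same hunk the set operators in Detects_def and Equality_def are converted to `\<union>`/`\<inter>` while the infix syntax `<==>` declared for op_Equality stays ASCII, so the definition of the `<==>` operator now mixes both notations; this may be deliberate since the ASCII form is the declared syntax, but it is worth stating in the header comment of the theory.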
    3.62 @@ -64,7 +64,7 @@
    3.63  (* Theorem from Section 3.8 *)
    3.64  
    3.65  lemma Detects_Always: 
    3.66 -     "F : A Detects B ==> F : Always ((-(FP F)) Un (A <==> B))"
    3.67 +     "F \<in> A Detects B ==> F \<in> Always ((-(FP F)) \<union> (A <==> B))"
    3.68  apply (unfold Detects_def Equality_def)
    3.69  apply (simp (no_asm) add: Un_Int_distrib Always_Int_distrib)
    3.70  apply (blast dest: Always_at_FP intro: Always_weaken)
    3.71 @@ -73,11 +73,11 @@
    3.72  (* Theorem from exercise 11.1 Section 11.3.1 *)
    3.73  
    3.74  lemma Detects_Imp_LeadstoEQ: 
    3.75 -     "F : A Detects B ==> F : UNIV LeadsTo (A <==> B)"
    3.76 +     "F \<in> A Detects B ==> F \<in> UNIV LeadsTo (A <==> B)"
    3.77  apply (unfold Detects_def Equality_def)
    3.78  apply (rule_tac B = "B" in LeadsTo_Diff)
    3.79 -prefer 2 apply (blast intro: Always_LeadsTo_weaken)
    3.80 -apply (blast intro: Always_LeadsToI subset_imp_LeadsTo)
    3.81 + apply (blast intro: Always_LeadsToI subset_imp_LeadsTo)
    3.82 +apply (blast intro: Always_LeadsTo_weaken)
    3.83  done
    3.84  
    3.85  
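Review bot: This hunk is the one place in the commit where the proof script itself changes rather than only its notation: `prefer 2` is dropped and the two `blast` calls are swapped, so the first subgoal produced by `LeadsTo_Diff` is now closed by `Always_LeadsToI subset_imp_LeadsTo` and the second by `Always_LeadsTo_weaken`, with the one-space indent marking the first subgoal. The result should be equivalent, but that depends on both `blast` calls still succeeding on the goals they now face, which the commit message "some x-symbols" gives no hint of. A reader skimming this commit for pure notation changes would miss it; a one-line mention in the commit message, or a separate commit, would make the proof-script change visible.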
     4.1 --- a/src/HOL/UNITY/Extend.thy	Mon Feb 03 11:45:05 2003 +0100
     4.2 +++ b/src/HOL/UNITY/Extend.thy	Tue Feb 04 18:12:40 2003 +0100
     4.3 @@ -16,23 +16,23 @@
     4.4  
     4.5    (*MOVE to Relation.thy?*)
     4.6    Restrict :: "[ 'a set, ('a*'b) set] => ('a*'b) set"
     4.7 -    "Restrict A r == r Int (A <*> UNIV)"
     4.8 +    "Restrict A r == r \<inter> (A <*> UNIV)"
     4.9  
    4.10    good_map :: "['a*'b => 'c] => bool"
    4.11 -    "good_map h == surj h & (ALL x y. fst (inv h (h (x,y))) = x)"
    4.12 +    "good_map h == surj h & (\<forall>x y. fst (inv h (h (x,y))) = x)"
    4.13       (*Using the locale constant "f", this is  f (h (x,y))) = x*)
    4.14    
    4.15    extend_set :: "['a*'b => 'c, 'a set] => 'c set"
    4.16      "extend_set h A == h ` (A <*> UNIV)"
    4.17  
    4.18    project_set :: "['a*'b => 'c, 'c set] => 'a set"
    4.19 -    "project_set h C == {x. EX y. h(x,y) : C}"
    4.20 +    "project_set h C == {x. \<exists>y. h(x,y) \<in> C}"
    4.21  
    4.22    extend_act :: "['a*'b => 'c, ('a*'a) set] => ('c*'c) set"
    4.23 -    "extend_act h == %act. UN (s,s'): act. UN y. {(h(s,y), h(s',y))}"
    4.24 +    "extend_act h == %act. \<Union>(s,s') \<in> act. \<Union>y. {(h(s,y), h(s',y))}"
    4.25  
    4.26    project_act :: "['a*'b => 'c, ('c*'c) set] => ('a*'a) set"
    4.27 -    "project_act h act == {(x,x'). EX y y'. (h(x,y), h(x',y')) : act}"
    4.28 +    "project_act h act == {(x,x'). \<exists>y y'. (h(x,y), h(x',y')) \<in> act}"
    4.29  
    4.30    extend :: "['a*'b => 'c, 'a program] => 'c program"
    4.31      "extend h F == mk_program (extend_set h (Init F),
    4.32 @@ -56,7 +56,7 @@
    4.33      good_h:  "good_map h"
    4.34    defines f_def: "f z == fst (inv h z)"
    4.35        and g_def: "g z == snd (inv h z)"
    4.36 -      and slice_def: "slice Z y == {x. h(x,y) : Z}"
    4.37 +      and slice_def: "slice Z y == {x. h(x,y) \<in> Z}"
    4.38  
    4.39  
    4.40  (** These we prove OUTSIDE the locale. **)
    4.41 @@ -65,7 +65,7 @@
    4.42  subsection{*Restrict*}
    4.43  (*MOVE to Relation.thy?*)
    4.44  
    4.45 -lemma Restrict_iff [iff]: "((x,y): Restrict A r) = ((x,y): r & x: A)"
    4.46 +lemma Restrict_iff [iff]: "((x,y): Restrict A r) = ((x,y): r & x \<in> A)"
    4.47  by (unfold Restrict_def, blast)
    4.48  
    4.49  lemma Restrict_UNIV [simp]: "Restrict UNIV = id"
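Review bot: Restrict_iff is only half converted: the new line writes `x \<in> A` but keeps the two membership tests on its left, `(x,y): Restrict A r` and `(x,y): r`, in ASCII, so one lemma statement now mixes both notations. The other `[iff]` lemmas in this file (project_set_iff, mem_extend_set_iff, slice_iff) are converted throughout. Suggested: `lemma Restrict_iff [iff]: "((x,y) \<in> Restrict A r) = ((x,y) \<in> r & x \<in> A)"`.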
    4.50 @@ -76,29 +76,29 @@
    4.51  lemma Restrict_empty [simp]: "Restrict {} r = {}"
    4.52  by (auto simp add: Restrict_def)
    4.53  
    4.54 -lemma Restrict_Int [simp]: "Restrict A (Restrict B r) = Restrict (A Int B) r"
    4.55 +lemma Restrict_Int [simp]: "Restrict A (Restrict B r) = Restrict (A \<inter> B) r"
    4.56  by (unfold Restrict_def, blast)
    4.57  
    4.58 -lemma Restrict_triv: "Domain r <= A ==> Restrict A r = r"
    4.59 +lemma Restrict_triv: "Domain r \<subseteq> A ==> Restrict A r = r"
    4.60  by (unfold Restrict_def, auto)
    4.61  
    4.62 -lemma Restrict_subset: "Restrict A r <= r"
    4.63 +lemma Restrict_subset: "Restrict A r \<subseteq> r"
    4.64  by (unfold Restrict_def, auto)
    4.65  
    4.66  lemma Restrict_eq_mono: 
    4.67 -     "[| A <= B;  Restrict B r = Restrict B s |]  
    4.68 +     "[| A \<subseteq> B;  Restrict B r = Restrict B s |]  
    4.69        ==> Restrict A r = Restrict A s"
    4.70  by (unfold Restrict_def, blast)
    4.71  
    4.72  lemma Restrict_imageI: 
    4.73 -     "[| s : RR;  Restrict A r = Restrict A s |]  
    4.74 -      ==> Restrict A r : Restrict A ` RR"
    4.75 +     "[| s \<in> RR;  Restrict A r = Restrict A s |]  
    4.76 +      ==> Restrict A r \<in> Restrict A ` RR"
    4.77  by (unfold Restrict_def image_def, auto)
    4.78  
    4.79 -lemma Domain_Restrict [simp]: "Domain (Restrict A r) = A Int Domain r"
    4.80 +lemma Domain_Restrict [simp]: "Domain (Restrict A r) = A \<inter> Domain r"
    4.81  by blast
    4.82  
    4.83 -lemma Image_Restrict [simp]: "(Restrict A r) `` B = r `` (A Int B)"
    4.84 +lemma Image_Restrict [simp]: "(Restrict A r) `` B = r `` (A \<inter> B)"
    4.85  by blast
    4.86  
    4.87  lemma insert_Id_image_Acts: "f Id = Id ==> insert Id (f`Acts F) = f ` Acts F"
    4.88 @@ -169,19 +169,19 @@
    4.89  subsection{*@{term extend_set}: basic properties*}
    4.90  
    4.91  lemma project_set_iff [iff]:
    4.92 -     "(x : project_set h C) = (EX y. h(x,y) : C)"
    4.93 +     "(x \<in> project_set h C) = (\<exists>y. h(x,y) \<in> C)"
    4.94  by (simp add: project_set_def)
    4.95  
    4.96 -lemma extend_set_mono: "A<=B ==> extend_set h A <= extend_set h B"
    4.97 +lemma extend_set_mono: "A \<subseteq> B ==> extend_set h A \<subseteq> extend_set h B"
    4.98  by (unfold extend_set_def, blast)
    4.99  
   4.100 -lemma (in Extend) mem_extend_set_iff [iff]: "z : extend_set h A = (f z : A)"
   4.101 +lemma (in Extend) mem_extend_set_iff [iff]: "z \<in> extend_set h A = (f z \<in> A)"
   4.102  apply (unfold extend_set_def)
   4.103  apply (force intro: h_f_g_eq [symmetric])
   4.104  done
   4.105  
   4.106  lemma (in Extend) extend_set_strict_mono [iff]:
   4.107 -     "(extend_set h A <= extend_set h B) = (A <= B)"
   4.108 +     "(extend_set h A \<subseteq> extend_set h B) = (A \<subseteq> B)"
   4.109  by (unfold extend_set_def, force)
   4.110  
   4.111  lemma extend_set_empty [simp]: "extend_set h {} = {}"
   4.112 @@ -198,7 +198,7 @@
   4.113  by (unfold extend_set_def, auto)
   4.114  
   4.115  lemma (in Extend) extend_set_project_set:
   4.116 -     "C <= extend_set h (project_set h C)"
   4.117 +     "C \<subseteq> extend_set h (project_set h C)"
   4.118  apply (unfold extend_set_def)
   4.119  apply (auto simp add: split_extended_all, blast)
   4.120  done
   4.121 @@ -220,7 +220,7 @@
   4.122  by (auto intro: f_h_eq [symmetric] simp add: split_extended_all)
   4.123  
   4.124  (*Converse appears to fail*)
   4.125 -lemma (in Extend) project_set_I: "!!z. z : C ==> f z : project_set h C"
   4.126 +lemma (in Extend) project_set_I: "!!z. z \<in> C ==> f z \<in> project_set h C"
   4.127  by (auto simp add: split_extended_all)
   4.128  
   4.129  
   4.130 @@ -228,31 +228,31 @@
   4.131  
   4.132  (*Because A and B could differ on the "other" part of the state, 
   4.133     cannot generalize to 
   4.134 -      project_set h (A Int B) = project_set h A Int project_set h B
   4.135 +      project_set h (A \<inter> B) = project_set h A \<inter> project_set h B
   4.136  *)
   4.137  lemma (in Extend) project_set_extend_set_Int:
   4.138 -     "project_set h ((extend_set h A) Int B) = A Int (project_set h B)"
   4.139 +     "project_set h ((extend_set h A) \<inter> B) = A \<inter> (project_set h B)"
   4.140  by auto
   4.141  
   4.142  (*Unused, but interesting?*)
   4.143  lemma (in Extend) project_set_extend_set_Un:
   4.144 -     "project_set h ((extend_set h A) Un B) = A Un (project_set h B)"
   4.145 +     "project_set h ((extend_set h A) \<union> B) = A \<union> (project_set h B)"
   4.146  by auto
   4.147  
   4.148  lemma project_set_Int_subset:
   4.149 -     "project_set h (A Int B) <= (project_set h A) Int (project_set h B)"
   4.150 +     "project_set h (A \<inter> B) \<subseteq> (project_set h A) \<inter> (project_set h B)"
   4.151  by auto
   4.152  
   4.153  lemma (in Extend) extend_set_Un_distrib:
   4.154 -     "extend_set h (A Un B) = extend_set h A Un extend_set h B"
   4.155 +     "extend_set h (A \<union> B) = extend_set h A \<union> extend_set h B"
   4.156  by auto
   4.157  
   4.158  lemma (in Extend) extend_set_Int_distrib:
   4.159 -     "extend_set h (A Int B) = extend_set h A Int extend_set h B"
   4.160 +     "extend_set h (A \<inter> B) = extend_set h A \<inter> extend_set h B"
   4.161  by auto
   4.162  
   4.163  lemma (in Extend) extend_set_INT_distrib:
   4.164 -     "extend_set h (INTER A B) = (INT x:A. extend_set h (B x))"
   4.165 +     "extend_set h (INTER A B) = (\<Inter>x \<in> A. extend_set h (B x))"
   4.166  by auto
   4.167  
   4.168  lemma (in Extend) extend_set_Diff_distrib:
   4.169 @@ -260,26 +260,26 @@
   4.170  by auto
   4.171  
   4.172  lemma (in Extend) extend_set_Union:
   4.173 -     "extend_set h (Union A) = (UN X:A. extend_set h X)"
   4.174 +     "extend_set h (Union A) = (\<Union>X \<in> A. extend_set h X)"
   4.175  by blast
   4.176  
   4.177  lemma (in Extend) extend_set_subset_Compl_eq:
   4.178 -     "(extend_set h A <= - extend_set h B) = (A <= - B)"
   4.179 +     "(extend_set h A \<subseteq> - extend_set h B) = (A \<subseteq> - B)"
   4.180  by (unfold extend_set_def, auto)
   4.181  
   4.182  
   4.183  subsection{*@{term extend_act}*}
   4.184  
   4.185  (*Can't strengthen it to
   4.186 -  ((h(s,y), h(s',y')) : extend_act h act) = ((s, s') : act & y=y')
   4.187 +  ((h(s,y), h(s',y')) \<in> extend_act h act) = ((s, s') \<in> act & y=y')
   4.188    because h doesn't have to be injective in the 2nd argument*)
   4.189  lemma (in Extend) mem_extend_act_iff [iff]: 
   4.190 -     "((h(s,y), h(s',y)) : extend_act h act) = ((s, s') : act)"
   4.191 +     "((h(s,y), h(s',y)) \<in> extend_act h act) = ((s, s') \<in> act)"
   4.192  by (unfold extend_act_def, auto)
   4.193  
   4.194  (*Converse fails: (z,z') would include actions that changed the g-part*)
   4.195  lemma (in Extend) extend_act_D: 
   4.196 -     "(z, z') : extend_act h act ==> (f z, f z') : act"
   4.197 +     "(z, z') \<in> extend_act h act ==> (f z, f z') \<in> act"
   4.198  by (unfold extend_act_def, auto)
   4.199  
   4.200  lemma (in Extend) extend_act_inverse [simp]: 
   4.201 @@ -292,7 +292,7 @@
   4.202  by (unfold extend_act_def project_act_def, blast)
   4.203  
   4.204  lemma (in Extend) subset_extend_act_D: 
   4.205 -     "act' <= extend_act h act ==> project_act h act' <= act"
   4.206 +     "act' \<subseteq> extend_act h act ==> project_act h act' \<subseteq> act"
   4.207  by (unfold extend_act_def project_act_def, force)
   4.208  
   4.209  lemma (in Extend) inj_extend_act: "inj (extend_act h)"
   4.210 @@ -305,7 +305,7 @@
   4.211  by (unfold extend_set_def extend_act_def, force)
   4.212  
   4.213  lemma (in Extend) extend_act_strict_mono [iff]:
   4.214 -     "(extend_act h act' <= extend_act h act) = (act'<=act)"
   4.215 +     "(extend_act h act' \<subseteq> extend_act h act) = (act'<=act)"
   4.216  by (unfold extend_act_def, auto)
   4.217  
   4.218  declare (in Extend) inj_extend_act [THEN inj_eq, iff]
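Review bot: extend_act_strict_mono converts the left-hand `\<subseteq>` but leaves `(act'<=act)` on the right side in ASCII, so the two sides of one equation use different notations; its sibling extend_set_strict_mono earlier in this file is converted on both sides. Suggested: `"(extend_act h act' \<subseteq> extend_act h act) = (act' \<subseteq> act)"`.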
   4.219 @@ -322,7 +322,7 @@
   4.220  done
   4.221  
   4.222  lemma (in Extend) project_act_I: 
   4.223 -     "!!z z'. (z, z') : act ==> (f z, f z') : project_act h act"
   4.224 +     "!!z z'. (z, z') \<in> act ==> (f z, f z') \<in> project_act h act"
   4.225  apply (unfold project_act_def)
   4.226  apply (force simp add: split_extended_all)
   4.227  done
   4.228 @@ -365,7 +365,7 @@
   4.229  lemma (in Extend) AllowedActs_project [simp]:
   4.230       "AllowedActs(project h C F) =  
   4.231          {act. Restrict (project_set h C) act  
   4.232 -               : project_act h ` Restrict C ` AllowedActs F}"
   4.233 +               \<in> project_act h ` Restrict C ` AllowedActs F}"
   4.234  apply (simp (no_asm) add: project_def image_iff)
   4.235  apply (subst insert_absorb)
   4.236  apply (auto intro!: bexI [of _ Id] simp add: project_act_def)
   4.237 @@ -386,14 +386,14 @@
   4.238  by auto
   4.239  
   4.240  lemma project_set_Union:
   4.241 -     "project_set h (Union A) = (UN X:A. project_set h X)"
   4.242 +     "project_set h (Union A) = (\<Union>X \<in> A. project_set h X)"
   4.243  by blast
   4.244  
   4.245  
   4.246  (*Converse FAILS: the extended state contributing to project_set h C
   4.247    may not coincide with the one contributing to project_act h act*)
   4.248  lemma (in Extend) project_act_Restrict_subset:
   4.249 -     "project_act h (Restrict C act) <=  
   4.250 +     "project_act h (Restrict C act) \<subseteq>  
   4.251        Restrict (project_set h C) (project_act h act)"
   4.252  by (auto simp add: project_act_def)
   4.253  
   4.254 @@ -405,7 +405,7 @@
   4.255       "project h C (extend h F) =  
   4.256        mk_program (Init F, Restrict (project_set h C) ` Acts F,  
   4.257                    {act. Restrict (project_set h C) act 
   4.258 -                          : project_act h ` Restrict C ` 
   4.259 +                          \<in> project_act h ` Restrict C ` 
   4.260                                       (project_act h -` AllowedActs F)})"
   4.261  apply (rule program_equalityI)
   4.262    apply simp
   4.263 @@ -439,7 +439,7 @@
   4.264  done
   4.265  
   4.266  lemma (in Extend) extend_JN [simp]:
   4.267 -     "extend h (JOIN I F) = (JN i:I. extend h (F i))"
   4.268 +     "extend h (JOIN I F) = (\<Squnion>i \<in> I. extend h (F i))"
   4.269  apply (rule program_equalityI)
   4.270    apply (simp (no_asm) add: extend_set_INT_distrib)
   4.271   apply (simp add: image_UN, auto)
   4.272 @@ -447,49 +447,49 @@
   4.273  
   4.274  (** These monotonicity results look natural but are UNUSED **)
   4.275  
   4.276 -lemma (in Extend) extend_mono: "F <= G ==> extend h F <= extend h G"
   4.277 +lemma (in Extend) extend_mono: "F \<le> G ==> extend h F \<le> extend h G"
   4.278  by (force simp add: component_eq_subset)
   4.279  
   4.280 -lemma (in Extend) project_mono: "F <= G ==> project h C F <= project h C G"
   4.281 +lemma (in Extend) project_mono: "F \<le> G ==> project h C F \<le> project h C G"
   4.282  by (simp add: component_eq_subset, blast)
   4.283  
   4.284  
   4.285  subsection{*Safety: co, stable*}
   4.286  
   4.287  lemma (in Extend) extend_constrains:
   4.288 -     "(extend h F : (extend_set h A) co (extend_set h B)) =  
   4.289 -      (F : A co B)"
   4.290 +     "(extend h F \<in> (extend_set h A) co (extend_set h B)) =  
   4.291 +      (F \<in> A co B)"
   4.292  by (simp add: constrains_def)
   4.293  
   4.294  lemma (in Extend) extend_stable:
   4.295 -     "(extend h F : stable (extend_set h A)) = (F : stable A)"
   4.296 +     "(extend h F \<in> stable (extend_set h A)) = (F \<in> stable A)"
   4.297  by (simp add: stable_def extend_constrains)
   4.298  
   4.299  lemma (in Extend) extend_invariant:
   4.300 -     "(extend h F : invariant (extend_set h A)) = (F : invariant A)"
   4.301 +     "(extend h F \<in> invariant (extend_set h A)) = (F \<in> invariant A)"
   4.302  by (simp add: invariant_def extend_stable)
   4.303  
   4.304  (*Projects the state predicates in the property satisfied by  extend h F.
   4.305    Converse fails: A and B may differ in their extra variables*)
   4.306  lemma (in Extend) extend_constrains_project_set:
   4.307 -     "extend h F : A co B ==> F : (project_set h A) co (project_set h B)"
   4.308 +     "extend h F \<in> A co B ==> F \<in> (project_set h A) co (project_set h B)"
   4.309  by (auto simp add: constrains_def, force)
   4.310  
   4.311  lemma (in Extend) extend_stable_project_set:
   4.312 -     "extend h F : stable A ==> F : stable (project_set h A)"
   4.313 +     "extend h F \<in> stable A ==> F \<in> stable (project_set h A)"
   4.314  by (simp add: stable_def extend_constrains_project_set)
   4.315  
   4.316  
   4.317  subsection{*Weak safety primitives: Co, Stable*}
   4.318  
   4.319  lemma (in Extend) reachable_extend_f:
   4.320 -     "p : reachable (extend h F) ==> f p : reachable F"
   4.321 +     "p \<in> reachable (extend h F) ==> f p \<in> reachable F"
   4.322  apply (erule reachable.induct)
   4.323  apply (auto intro: reachable.intros simp add: extend_act_def image_iff)
   4.324  done
   4.325  
   4.326  lemma (in Extend) h_reachable_extend:
   4.327 -     "h(s,y) : reachable (extend h F) ==> s : reachable F"
   4.328 +     "h(s,y) \<in> reachable (extend h F) ==> s \<in> reachable F"
   4.329  by (force dest!: reachable_extend_f)
   4.330  
   4.331  lemma (in Extend) reachable_extend_eq: 
   4.332 @@ -502,17 +502,17 @@
   4.333  done
   4.334  
   4.335  lemma (in Extend) extend_Constrains:
   4.336 -     "(extend h F : (extend_set h A) Co (extend_set h B)) =   
   4.337 -      (F : A Co B)"
   4.338 +     "(extend h F \<in> (extend_set h A) Co (extend_set h B)) =   
   4.339 +      (F \<in> A Co B)"
   4.340  by (simp add: Constrains_def reachable_extend_eq extend_constrains 
   4.341                extend_set_Int_distrib [symmetric])
   4.342  
   4.343  lemma (in Extend) extend_Stable:
   4.344 -     "(extend h F : Stable (extend_set h A)) = (F : Stable A)"
   4.345 +     "(extend h F \<in> Stable (extend_set h A)) = (F \<in> Stable A)"
   4.346  by (simp add: Stable_def extend_Constrains)
   4.347  
   4.348  lemma (in Extend) extend_Always:
   4.349 -     "(extend h F : Always (extend_set h A)) = (F : Always A)"
   4.350 +     "(extend h F \<in> Always (extend_set h A)) = (F \<in> Always A)"
   4.351  by (simp (no_asm_simp) add: Always_def extend_Stable)
   4.352  
   4.353  
   4.354 @@ -521,24 +521,24 @@
   4.355  (** projection: monotonicity for safety **)
   4.356  
   4.357  lemma project_act_mono:
   4.358 -     "D <= C ==>  
   4.359 -      project_act h (Restrict D act) <= project_act h (Restrict C act)"
   4.360 +     "D \<subseteq> C ==>  
   4.361 +      project_act h (Restrict D act) \<subseteq> project_act h (Restrict C act)"
   4.362  by (auto simp add: project_act_def)
   4.363  
   4.364  lemma (in Extend) project_constrains_mono:
   4.365 -     "[| D <= C; project h C F : A co B |] ==> project h D F : A co B"
   4.366 +     "[| D \<subseteq> C; project h C F \<in> A co B |] ==> project h D F \<in> A co B"
   4.367  apply (auto simp add: constrains_def)
   4.368  apply (drule project_act_mono, blast)
   4.369  done
   4.370  
   4.371  lemma (in Extend) project_stable_mono:
   4.372 -     "[| D <= C;  project h C F : stable A |] ==> project h D F : stable A"
   4.373 +     "[| D \<subseteq> C;  project h C F \<in> stable A |] ==> project h D F \<in> stable A"
   4.374  by (simp add: stable_def project_constrains_mono)
   4.375  
   4.376  (*Key lemma used in several proofs about project and co*)
   4.377  lemma (in Extend) project_constrains: 
   4.378 -     "(project h C F : A co B)  =   
   4.379 -      (F : (C Int extend_set h A) co (extend_set h B) & A <= B)"
   4.380 +     "(project h C F \<in> A co B)  =   
   4.381 +      (F \<in> (C \<inter> extend_set h A) co (extend_set h B) & A \<subseteq> B)"
   4.382  apply (unfold constrains_def)
   4.383  apply (auto intro!: project_act_I simp add: ball_Un)
   4.384  apply (force intro!: project_act_I dest!: subsetD)
   4.385 @@ -548,46 +548,46 @@
   4.386  done
   4.387  
   4.388  lemma (in Extend) project_stable: 
   4.389 -     "(project h UNIV F : stable A) = (F : stable (extend_set h A))"
   4.390 +     "(project h UNIV F \<in> stable A) = (F \<in> stable (extend_set h A))"
   4.391  apply (unfold stable_def)
   4.392  apply (simp (no_asm) add: project_constrains)
   4.393  done
   4.394  
   4.395  lemma (in Extend) project_stable_I:
   4.396 -     "F : stable (extend_set h A) ==> project h C F : stable A"
   4.397 +     "F \<in> stable (extend_set h A) ==> project h C F \<in> stable A"
   4.398  apply (drule project_stable [THEN iffD2])
   4.399  apply (blast intro: project_stable_mono)
   4.400  done
   4.401  
   4.402  lemma (in Extend) Int_extend_set_lemma:
   4.403 -     "A Int extend_set h ((project_set h A) Int B) = A Int extend_set h B"
   4.404 +     "A \<inter> extend_set h ((project_set h A) \<inter> B) = A \<inter> extend_set h B"
   4.405  by (auto simp add: split_extended_all)
   4.406  
   4.407  (*Strange (look at occurrences of C) but used in leadsETo proofs*)
   4.408  lemma project_constrains_project_set:
   4.409 -     "G : C co B ==> project h C G : project_set h C co project_set h B"
   4.410 +     "G \<in> C co B ==> project h C G \<in> project_set h C co project_set h B"
   4.411  by (simp add: constrains_def project_def project_act_def, blast)
   4.412  
   4.413  lemma project_stable_project_set:
   4.414 -     "G : stable C ==> project h C G : stable (project_set h C)"
   4.415 +     "G \<in> stable C ==> project h C G \<in> stable (project_set h C)"
   4.416  by (simp add: stable_def project_constrains_project_set)
   4.417  
   4.418  
   4.419  subsection{*Progress: transient, ensures*}
   4.420  
   4.421  lemma (in Extend) extend_transient:
   4.422 -     "(extend h F : transient (extend_set h A)) = (F : transient A)"
   4.423 +     "(extend h F \<in> transient (extend_set h A)) = (F \<in> transient A)"
   4.424  by (auto simp add: transient_def extend_set_subset_Compl_eq Domain_extend_act)
   4.425  
   4.426  lemma (in Extend) extend_ensures:
   4.427 -     "(extend h F : (extend_set h A) ensures (extend_set h B)) =  
   4.428 -      (F : A ensures B)"
   4.429 +     "(extend h F \<in> (extend_set h A) ensures (extend_set h B)) =  
   4.430 +      (F \<in> A ensures B)"
   4.431  by (simp add: ensures_def extend_constrains extend_transient 
   4.432          extend_set_Un_distrib [symmetric] extend_set_Diff_distrib [symmetric])
   4.433  
   4.434  lemma (in Extend) leadsTo_imp_extend_leadsTo:
   4.435 -     "F : A leadsTo B  
   4.436 -      ==> extend h F : (extend_set h A) leadsTo (extend_set h B)"
   4.437 +     "F \<in> A leadsTo B  
   4.438 +      ==> extend h F \<in> (extend_set h A) leadsTo (extend_set h B)"
   4.439  apply (erule leadsTo_induct)
   4.440    apply (simp add: leadsTo_Basis extend_ensures)
   4.441   apply (blast intro: leadsTo_Trans)
   4.442 @@ -596,21 +596,21 @@
   4.443  
   4.444  subsection{*Proving the converse takes some doing!*}
   4.445  
   4.446 -lemma (in Extend) slice_iff [iff]: "(x : slice C y) = (h(x,y) : C)"
   4.447 +lemma (in Extend) slice_iff [iff]: "(x \<in> slice C y) = (h(x,y) \<in> C)"
   4.448  by (simp (no_asm) add: slice_def)
   4.449  
   4.450 -lemma (in Extend) slice_Union: "slice (Union S) y = (UN x:S. slice x y)"
   4.451 +lemma (in Extend) slice_Union: "slice (Union S) y = (\<Union>x \<in> S. slice x y)"
   4.452  by auto
   4.453  
   4.454  lemma (in Extend) slice_extend_set: "slice (extend_set h A) y = A"
   4.455  by auto
   4.456  
   4.457  lemma (in Extend) project_set_is_UN_slice:
   4.458 -     "project_set h A = (UN y. slice A y)"
   4.459 +     "project_set h A = (\<Union>y. slice A y)"
   4.460  by auto
   4.461  
   4.462  lemma (in Extend) extend_transient_slice:
   4.463 -     "extend h F : transient A ==> F : transient (slice A y)"
   4.464 +     "extend h F \<in> transient A ==> F \<in> transient (slice A y)"
   4.465  apply (unfold transient_def, auto)
   4.466  apply (rule bexI, auto)
   4.467  apply (force simp add: extend_act_def)
   4.468 @@ -618,25 +618,25 @@
   4.469  
   4.470  (*Converse?*)
   4.471  lemma (in Extend) extend_constrains_slice:
   4.472 -     "extend h F : A co B ==> F : (slice A y) co (slice B y)"
   4.473 +     "extend h F \<in> A co B ==> F \<in> (slice A y) co (slice B y)"
   4.474  by (auto simp add: constrains_def)
   4.475  
   4.476  lemma (in Extend) extend_ensures_slice:
   4.477 -     "extend h F : A ensures B ==> F : (slice A y) ensures (project_set h B)"
   4.478 +     "extend h F \<in> A ensures B ==> F \<in> (slice A y) ensures (project_set h B)"
   4.479  apply (auto simp add: ensures_def extend_constrains extend_transient)
   4.480  apply (erule_tac [2] extend_transient_slice [THEN transient_strengthen])
   4.481  apply (erule extend_constrains_slice [THEN constrains_weaken], auto)
   4.482  done
   4.483  
   4.484  lemma (in Extend) leadsTo_slice_project_set:
   4.485 -     "ALL y. F : (slice B y) leadsTo CU ==> F : (project_set h B) leadsTo CU"
   4.486 +     "\<forall>y. F \<in> (slice B y) leadsTo CU ==> F \<in> (project_set h B) leadsTo CU"
   4.487  apply (simp (no_asm) add: project_set_is_UN_slice)
   4.488  apply (blast intro: leadsTo_UN)
   4.489  done
   4.490  
   4.491  lemma (in Extend) extend_leadsTo_slice [rule_format]:
   4.492 -     "extend h F : AU leadsTo BU  
   4.493 -      ==> ALL y. F : (slice AU y) leadsTo (project_set h BU)"
   4.494 +     "extend h F \<in> AU leadsTo BU  
   4.495 +      ==> \<forall>y. F \<in> (slice AU y) leadsTo (project_set h BU)"
   4.496  apply (erule leadsTo_induct)
   4.497    apply (blast intro: extend_ensures_slice leadsTo_Basis)
   4.498   apply (blast intro: leadsTo_slice_project_set leadsTo_Trans)
   4.499 @@ -644,8 +644,8 @@
   4.500  done
   4.501  
   4.502  lemma (in Extend) extend_leadsTo:
   4.503 -     "(extend h F : (extend_set h A) leadsTo (extend_set h B)) =  
   4.504 -      (F : A leadsTo B)"
   4.505 +     "(extend h F \<in> (extend_set h A) leadsTo (extend_set h B)) =  
   4.506 +      (F \<in> A leadsTo B)"
   4.507  apply safe
   4.508  apply (erule_tac [2] leadsTo_imp_extend_leadsTo)
   4.509  apply (drule extend_leadsTo_slice)
   4.510 @@ -653,8 +653,8 @@
   4.511  done
   4.512  
   4.513  lemma (in Extend) extend_LeadsTo:
   4.514 -     "(extend h F : (extend_set h A) LeadsTo (extend_set h B)) =   
   4.515 -      (F : A LeadsTo B)"
   4.516 +     "(extend h F \<in> (extend_set h A) LeadsTo (extend_set h B)) =   
   4.517 +      (F \<in> A LeadsTo B)"
   4.518  by (simp add: LeadsTo_def reachable_extend_eq extend_leadsTo
   4.519                extend_set_Int_distrib [symmetric])
   4.520  
   4.521 @@ -662,20 +662,20 @@
   4.522  subsection{*preserves*}
   4.523  
   4.524  lemma (in Extend) project_preserves_I:
   4.525 -     "G : preserves (v o f) ==> project h C G : preserves v"
   4.526 +     "G \<in> preserves (v o f) ==> project h C G \<in> preserves v"
   4.527  by (auto simp add: preserves_def project_stable_I extend_set_eq_Collect)
   4.528  
   4.529  (*to preserve f is to preserve the whole original state*)
   4.530  lemma (in Extend) project_preserves_id_I:
   4.531 -     "G : preserves f ==> project h C G : preserves id"
   4.532 +     "G \<in> preserves f ==> project h C G \<in> preserves id"
   4.533  by (simp add: project_preserves_I)
   4.534  
   4.535  lemma (in Extend) extend_preserves:
   4.536 -     "(extend h G : preserves (v o f)) = (G : preserves v)"
   4.537 +     "(extend h G \<in> preserves (v o f)) = (G \<in> preserves v)"
   4.538  by (auto simp add: preserves_def extend_stable [symmetric] 
   4.539                     extend_set_eq_Collect)
   4.540  
   4.541 -lemma (in Extend) inj_extend_preserves: "inj h ==> (extend h G : preserves g)"
   4.542 +lemma (in Extend) inj_extend_preserves: "inj h ==> (extend h G \<in> preserves g)"
   4.543  by (auto simp add: preserves_def extend_def extend_act_def stable_def 
   4.544                     constrains_def g_def)
   4.545  
   4.546 @@ -719,16 +719,16 @@
   4.547  done
   4.548  
   4.549  lemma (in Extend) guarantees_imp_extend_guarantees:
   4.550 -     "F : X guarantees Y ==>  
   4.551 -      extend h F : (extend h ` X) guarantees (extend h ` Y)"
   4.552 +     "F \<in> X guarantees Y ==>  
   4.553 +      extend h F \<in> (extend h ` X) guarantees (extend h ` Y)"
   4.554  apply (rule guaranteesI, clarify)
   4.555  apply (blast dest: ok_extend_imp_ok_project extend_Join_eq_extend_D 
   4.556                     guaranteesD)
   4.557  done
   4.558  
   4.559  lemma (in Extend) extend_guarantees_imp_guarantees:
   4.560 -     "extend h F : (extend h ` X) guarantees (extend h ` Y)  
   4.561 -      ==> F : X guarantees Y"
   4.562 +     "extend h F \<in> (extend h ` X) guarantees (extend h ` Y)  
   4.563 +      ==> F \<in> X guarantees Y"
   4.564  apply (auto simp add: guar_def)
   4.565  apply (drule_tac x = "extend h G" in spec)
   4.566  apply (simp del: extend_Join 
   4.567 @@ -737,8 +737,8 @@
   4.568  done
   4.569  
   4.570  lemma (in Extend) extend_guarantees_eq:
   4.571 -     "(extend h F : (extend h ` X) guarantees (extend h ` Y)) =  
   4.572 -      (F : X guarantees Y)"
   4.573 +     "(extend h F \<in> (extend h ` X) guarantees (extend h ` Y)) =  
   4.574 +      (F \<in> X guarantees Y)"
   4.575  by (blast intro: guarantees_imp_extend_guarantees 
   4.576                   extend_guarantees_imp_guarantees)
   4.577  
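--- a/src/HOL/UNITY/Follows.thy
+++ b/src/HOL/UNITY/Follows.thy
@@ -12,22 +12,22 @@
 
   Follows :: "['a => 'b::{order}, 'a => 'b::{order}] => 'a program set"
                  (infixl "Fols" 65)
-   "f Fols g == Increasing g Int Increasing f Int
-                Always {s. f s <= g s} Int
-                (INT k. {s. k <= g s} LeadsTo {s. k <= f s})"
+   "f Fols g == Increasing g \<inter> Increasing f Int
+                Always {s. f s \<le> g s} Int
+                (\<Inter>k. {s. k \<le> g s} LeadsTo {s. k \<le> f s})"
 
 
 (*Does this hold for "invariant"?*)
 lemma mono_Always_o:
-     "mono h ==> Always {s. f s <= g s} <= Always {s. h (f s) <= h (g s)}"
+     "mono h ==> Always {s. f s \<le> g s} \<subseteq> Always {s. h (f s) \<le> h (g s)}"
 apply (simp add: Always_eq_includes_reachable)
 apply (blast intro: monoD)
 done
 
 lemma mono_LeadsTo_o:
      "mono (h::'a::order => 'b::order)  
-      ==> (INT j. {s. j <= g s} LeadsTo {s. j <= f s}) <=  
-          (INT k. {s. k <= h (g s)} LeadsTo {s. k <= h (f s)})"
+      ==> (\<Inter>j. {s. j \<le> g s} LeadsTo {s. j \<le> f s}) \<subseteq>  
+          (\<Inter>k. {s. k \<le> h (g s)} LeadsTo {s. k \<le> h (f s)})"
 apply auto
 apply (rule single_LeadsTo_I)
 apply (drule_tac x = "g s" in spec)
@@ -35,10 +35,10 @@
 apply (blast intro: monoD order_trans)+
 done
 
-lemma Follows_constant [iff]: "F : (%s. c) Fols (%s. c)"
+lemma Follows_constant [iff]: "F \<in> (%s. c) Fols (%s. c)"
 by (unfold Follows_def, auto)
 
-lemma mono_Follows_o: "mono h ==> f Fols g <= (h o f) Fols (h o g)"
+lemma mono_Follows_o: "mono h ==> f Fols g \<subseteq> (h o f) Fols (h o g)"
 apply (unfold Follows_def, clarify)
 apply (simp add: mono_Increasing_o [THEN [2] rev_subsetD]
                  mono_Always_o [THEN [2] rev_subsetD]
@@ -46,13 +46,13 @@
 done
 
 lemma mono_Follows_apply:
-     "mono h ==> f Fols g <= (%x. h (f x)) Fols (%x. h (g x))"
+     "mono h ==> f Fols g \<subseteq> (%x. h (f x)) Fols (%x. h (g x))"
 apply (drule mono_Follows_o)
 apply (force simp add: o_def)
 done
 
 lemma Follows_trans: 
-     "[| F : f Fols g;  F: g Fols h |] ==> F : f Fols h"
+     "[| F \<in> f Fols g;  F \<in> g Fols h |] ==> F \<in> f Fols h"
 apply (unfold Follows_def)
 apply (simp add: Always_eq_includes_reachable)
 apply (blast intro: order_trans LeadsTo_Trans)
@@ -61,24 +61,24 @@
 
 subsection{*Destruction rules*}
 
-lemma Follows_Increasing1: "F : f Fols g ==> F : Increasing f"
+lemma Follows_Increasing1: "F \<in> f Fols g ==> F \<in> Increasing f"
 apply (unfold Follows_def, blast)
 done
 
-lemma Follows_Increasing2: "F : f Fols g ==> F : Increasing g"
+lemma Follows_Increasing2: "F \<in> f Fols g ==> F \<in> Increasing g"
 apply (unfold Follows_def, blast)
 done
 
-lemma Follows_Bounded: "F : f Fols g ==> F : Always {s. f s <= g s}"
+lemma Follows_Bounded: "F \<in> f Fols g ==> F \<in> Always {s. f s \<subseteq> g s}"
 apply (unfold Follows_def, blast)
 done
 
 lemma Follows_LeadsTo: 
-     "F : f Fols g ==> F : {s. k <= g s} LeadsTo {s. k <= f s}"
+     "F \<in> f Fols g ==> F \<in> {s. k \<le> g s} LeadsTo {s. k \<le> f s}"
 by (unfold Follows_def, blast)
 
 lemma Follows_LeadsTo_pfixLe:
-     "F : f Fols g ==> F : {s. k pfixLe g s} LeadsTo {s. k pfixLe f s}"
+     "F \<in> f Fols g ==> F \<in> {s. k pfixLe g s} LeadsTo {s. k pfixLe f s}"
 apply (rule single_LeadsTo_I, clarify)
 apply (drule_tac k="g s" in Follows_LeadsTo)
 apply (erule LeadsTo_weaken)
@@ -87,7 +87,7 @@
 done
 
 lemma Follows_LeadsTo_pfixGe:
-     "F : f Fols g ==> F : {s. k pfixGe g s} LeadsTo {s. k pfixGe f s}"
+     "F \<in> f Fols g ==> F \<in> {s. k pfixGe g s} LeadsTo {s. k pfixGe f s}"
 apply (rule single_LeadsTo_I, clarify)
 apply (drule_tac k="g s" in Follows_LeadsTo)
 apply (erule LeadsTo_weaken)
@@ -97,21 +97,21 @@
 
 
 lemma Always_Follows1: 
-     "[| F : Always {s. f s = f' s}; F : f Fols g |] ==> F : f' Fols g"
+     "[| F \<in> Always {s. f s = f' s}; F \<in> f Fols g |] ==> F \<in> f' Fols g"
 
 apply (unfold Follows_def Increasing_def Stable_def, auto)
 apply (erule_tac [3] Always_LeadsTo_weaken)
-apply (erule_tac A = "{s. z <= f s}" and A' = "{s. z <= f s}" 
+apply (erule_tac A = "{s. z \<le> f s}" and A' = "{s. z \<le> f s}" 
        in Always_Constrains_weaken, auto)
 apply (drule Always_Int_I, assumption)
 apply (force intro: Always_weaken)
 done
 
 lemma Always_Follows2: 
-     "[| F : Always {s. g s = g' s}; F : f Fols g |] ==> F : f Fols g'"
+     "[| F \<in> Always {s. g s = g' s}; F \<in> f Fols g |] ==> F \<in> f Fols g'"
 apply (unfold Follows_def Increasing_def Stable_def, auto)
 apply (erule_tac [3] Always_LeadsTo_weaken)
-apply (erule_tac A = "{s. z <= g s}" and A' = "{s. z <= g s}"
+apply (erule_tac A = "{s. z \<le> g s}" and A' = "{s. z \<le> g s}"
        in Always_Constrains_weaken, auto)
 apply (drule Always_Int_I, assumption)
 apply (force intro: Always_weaken)
@@ -122,8 +122,8 @@
 
 (*Can replace "Un" by any sup.  But existing max only works for linorders.*)
 lemma increasing_Un: 
-    "[| F : increasing f;  F: increasing g |]  
-     ==> F : increasing (%s. (f s) Un (g s))"
+    "[| F \<in> increasing f;  F \<in> increasing g |]  
+     ==> F \<in> increasing (%s. (f s) \<union> (g s))"
 apply (unfold increasing_def stable_def constrains_def, auto)
 apply (drule_tac x = "f xa" in spec)
 apply (drule_tac x = "g xa" in spec)
@@ -131,8 +131,8 @@
 done
 
 lemma Increasing_Un: 
-    "[| F : Increasing f;  F: Increasing g |]  
-     ==> F : Increasing (%s. (f s) Un (g s))"
+    "[| F \<in> Increasing f;  F \<in> Increasing g |]  
+     ==> F \<in> Increasing (%s. (f s) \<union> (g s))"
 apply (auto simp add: Increasing_def Stable_def Constrains_def
                       stable_def constrains_def)
 apply (drule_tac x = "f xa" in spec)
@@ -142,17 +142,17 @@
 
 
 lemma Always_Un:
-     "[| F : Always {s. f' s <= f s}; F : Always {s. g' s <= g s} |]  
-      ==> F : Always {s. f' s Un g' s <= f s Un g s}"
+     "[| F \<in> Always {s. f' s \<le> f s}; F \<in> Always {s. g' s \<le> g s} |]  
+      ==> F \<in> Always {s. f' s \<union> g' s \<le> f s \<union> g s}"
 by (simp add: Always_eq_includes_reachable, blast)
 
 (*Lemma to re-use the argument that one variable increases (progress)
   while the other variable doesn't decrease (safety)*)
 lemma Follows_Un_lemma:
-     "[| F : Increasing f; F : Increasing g;  
-         F : Increasing g'; F : Always {s. f' s <= f s}; 
-         ALL k. F : {s. k <= f s} LeadsTo {s. k <= f' s} |] 
-      ==> F : {s. k <= f s Un g s} LeadsTo {s. k <= f' s Un g s}"
+     "[| F \<in> Increasing f; F \<in> Increasing g;  
+         F \<in> Increasing g'; F \<in> Always {s. f' s \<le> f s}; 
+         \<forall>k. F \<in> {s. k \<le> f s} LeadsTo {s. k \<le> f' s} |] 
+      ==> F \<in> {s. k \<le> f s \<union> g s} LeadsTo {s. k \<le> f' s \<union> g s}"
 apply (rule single_LeadsTo_I)
 apply (drule_tac x = "f s" in IncreasingD)
 apply (drule_tac x = "g s" in IncreasingD)
@@ -164,8 +164,8 @@
 done
 
 lemma Follows_Un: 
-    "[| F : f' Fols f;  F: g' Fols g |]  
-     ==> F : (%s. (f' s) Un (g' s)) Fols (%s. (f s) Un (g s))"
+    "[| F \<in> f' Fols f;  F \<in> g' Fols g |]  
+     ==> F \<in> (%s. (f' s) \<union> (g' s)) Fols (%s. (f s) \<union> (g s))"
 apply (unfold Follows_def)
 apply (simp add: Increasing_Un Always_Un, auto)
 apply (rule LeadsTo_Trans)
@@ -178,8 +178,8 @@
 subsection{*Multiset union properties (with the multiset ordering)*}
 
 lemma increasing_union: 
-    "[| F : increasing f;  F: increasing g |]  
-     ==> F : increasing (%s. (f s) + (g s :: ('a::order) multiset))"
+    "[| F \<in> increasing f;  F \<in> increasing g |]  
+     ==> F \<in> increasing (%s. (f s) + (g s :: ('a::order) multiset))"
 apply (unfold increasing_def stable_def constrains_def, auto)
 apply (drule_tac x = "f xa" in spec)
 apply (drule_tac x = "g xa" in spec)
@@ -188,8 +188,8 @@
 done
 
 lemma Increasing_union: 
-    "[| F : Increasing f;  F: Increasing g |]  
-     ==> F : Increasing (%s. (f s) + (g s :: ('a::order) multiset))"
+    "[| F \<in> Increasing f;  F \<in> Increasing g |]  
+     ==> F \<in> Increasing (%s. (f s) + (g s :: ('a::order) multiset))"
 apply (auto simp add: Increasing_def Stable_def Constrains_def
                       stable_def constrains_def)
 apply (drule_tac x = "f xa" in spec)
@@ -199,19 +199,19 @@
 done
 
 lemma Always_union:
-     "[| F : Always {s. f' s <= f s}; F : Always {s. g' s <= g s} |]  
-      ==> F : Always {s. f' s + g' s <= f s + (g s :: ('a::order) multiset)}"
+     "[| F \<in> Always {s. f' s \<le> f s}; F \<in> Always {s. g' s \<le> g s} |]  
+      ==> F \<in> Always {s. f' s + g' s \<le> f s + (g s :: ('a::order) multiset)}"
 apply (simp add: Always_eq_includes_reachable)
 apply (blast intro: union_le_mono)
 done
 
 (*Except the last line, IDENTICAL to the proof script for Follows_Un_lemma*)
 lemma Follows_union_lemma:
-     "[| F : Increasing f; F : Increasing g;  
-         F : Increasing g'; F : Always {s. f' s <= f s}; 
-         ALL k::('a::order) multiset.  
-           F : {s. k <= f s} LeadsTo {s. k <= f' s} |] 
-      ==> F : {s. k <= f s + g s} LeadsTo {s. k <= f' s + g s}"
+     "[| F \<in> Increasing f; F \<in> Increasing g;  
+         F \<in> Increasing g'; F \<in> Always {s. f' s \<le> f s}; 
+         \<forall>k::('a::order) multiset.  
+           F \<in> {s. k \<le> f s} LeadsTo {s. k \<le> f' s} |] 
+      ==> F \<in> {s. k \<le> f s + g s} LeadsTo {s. k \<le> f' s + g s}"
 apply (rule single_LeadsTo_I)
 apply (drule_tac x = "f s" in IncreasingD)
 apply (drule_tac x = "g s" in IncreasingD)
@@ -226,8 +226,8 @@
 (*The !! is there to influence to effect of permutative rewriting at the end*)
 lemma Follows_union: 
      "!!g g' ::'b => ('a::order) multiset.  
-        [| F : f' Fols f;  F: g' Fols g |]  
-        ==> F : (%s. (f' s) + (g' s)) Fols (%s. (f s) + (g s))"
+        [| F \<in> f' Fols f;  F \<in> g' Fols g |]  
+        ==> F \<in> (%s. (f' s) + (g' s)) Fols (%s. (f s) + (g s))"
 apply (unfold Follows_def)
 apply (simp add: Increasing_union Always_union, auto)
 apply (rule LeadsTo_Trans)
@@ -239,8 +239,8 @@
 
 lemma Follows_setsum:
      "!!f ::['c,'b] => ('a::order) multiset.  
-        [| ALL i: I. F : f' i Fols f i;  finite I |]  
-        ==> F : (%s. \<Sum>i:I. f' i s) Fols (%s. \<Sum>i:I. f i s)"
+        [| \<forall>i \<in> I. F \<in> f' i Fols f i;  finite I |]  
+        ==> F \<in> (%s. \<Sum>i \<in> I. f' i s) Fols (%s. \<Sum>i \<in> I. f i s)"
 apply (erule rev_mp)
 apply (erule finite_induct, simp) 
 apply (simp add: Follows_union)
@@ -249,7 +249,7 @@
 
 (*Currently UNUSED, but possibly of interest*)
 lemma Increasing_imp_Stable_pfixGe:
-     "F : Increasing func ==> F : Stable {s. h pfixGe (func s)}"
+     "F \<in> Increasing func ==> F \<in> Stable {s. h pfixGe (func s)}"
 apply (simp add: Increasing_def Stable_def Constrains_def constrains_def)
 apply (blast intro: trans_Ge [THEN trans_genPrefix, THEN transD] 
                     prefix_imp_pfixGe)
@@ -257,8 +257,8 @@
 
 (*Currently UNUSED, but possibly of interest*)
 lemma LeadsTo_le_imp_pfixGe:
-     "ALL z. F : {s. z <= f s} LeadsTo {s. z <= g s}  
-      ==> F : {s. z pfixGe f s} LeadsTo {s. z pfixGe g s}"
+     "\<forall>z. F \<in> {s. z \<le> f s} LeadsTo {s. z \<le> g s}  
+      ==> F \<in> {s. z pfixGe f s} LeadsTo {s. z pfixGe g s}"
 apply (rule single_LeadsTo_I)
 apply (drule_tac x = "f s" in spec)
 apply (erule LeadsTo_weaken)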
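Review bot: The new statement of `Follows_Bounded` reads `Always {s. f s \<subseteq> g s}`, whereas the `Follows` definition in the first hunk (`Always {s. f s \<le> g s}`) and every other converted lemma in this file (`Follows_LeadsTo`, `Always_Un`, `Follows_Un_lemma`, …) write the comparison of the `'b::order` values `f s` and `g s` as `\<le>`; `\<subseteq>` is the subset notation, so this looks like a slip of the `<=` to x-symbol conversion rather than an intended change. Depending on how `\<subseteq>` is parsed at that type the lemma either no longer type-checks or is stated in a notation that does not match its definition, and in both cases the `unfold Follows_def, blast` proof below it is presumably what exposes the mismatch. Suggested: `lemma Follows_Bounded: "F \<in> f Fols g ==> F \<in> Always {s. f s \<le> g s}"`. As a point of style, the rewritten `Follows` definition in the first hunk converts only the first `Int` to `\<inter>` and leaves the two remaining `Int` occurrences in the same term, which reads as a half-finished conversion of that definition.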
     6.1 --- a/src/HOL/UNITY/Guar.thy	Mon Feb 03 11:45:05 2003 +0100
     6.2 +++ b/src/HOL/UNITY/Guar.thy	Tue Feb 04 18:12:40 2003 +0100
     6.3 @@ -32,57 +32,57 @@
     6.4      case, proving equivalence with Chandy and Sanders's n-ary definitions*)
     6.5  
     6.6    ex_prop  :: "'a program set => bool"
     6.7 -   "ex_prop X == \<forall>F G. F ok G -->F:X | G: X --> (F Join G) : X"
     6.8 +   "ex_prop X == \<forall>F G. F ok G -->F \<in> X | G \<in> X --> (F Join G) \<in> X"
     6.9  
    6.10    strict_ex_prop  :: "'a program set => bool"
    6.11 -   "strict_ex_prop X == \<forall>F G.  F ok G --> (F:X | G: X) = (F Join G : X)"
    6.12 +   "strict_ex_prop X == \<forall>F G.  F ok G --> (F \<in> X | G \<in> X) = (F Join G \<in> X)"
    6.13  
    6.14    uv_prop  :: "'a program set => bool"
    6.15 -   "uv_prop X == SKIP : X & (\<forall>F G. F ok G --> F:X & G: X --> (F Join G) : X)"
    6.16 +   "uv_prop X == SKIP \<in> X & (\<forall>F G. F ok G --> F \<in> X & G \<in> X --> (F Join G) \<in> X)"
    6.17  
    6.18    strict_uv_prop  :: "'a program set => bool"
    6.19     "strict_uv_prop X == 
    6.20 -      SKIP : X & (\<forall>F G. F ok G --> (F:X & G: X) = (F Join G : X))"
    6.21 +      SKIP \<in> X & (\<forall>F G. F ok G --> (F \<in> X & G \<in> X) = (F Join G \<in> X))"
    6.22  
    6.23    guar :: "['a program set, 'a program set] => 'a program set"
    6.24            (infixl "guarantees" 55)  (*higher than membership, lower than Co*)
    6.25 -   "X guarantees Y == {F. \<forall>G. F ok G --> F Join G : X --> F Join G : Y}"
    6.26 +   "X guarantees Y == {F. \<forall>G. F ok G --> F Join G \<in> X --> F Join G \<in> Y}"
    6.27    
    6.28  
    6.29    (* Weakest guarantees *)
    6.30     wg :: "['a program, 'a program set] =>  'a program set"
    6.31 -  "wg F Y == Union({X. F:X guarantees Y})"
    6.32 +  "wg F Y == Union({X. F \<in> X guarantees Y})"
    6.33  
    6.34     (* Weakest existential property stronger than X *)
    6.35     wx :: "('a program) set => ('a program)set"
    6.36 -   "wx X == Union({Y. Y<=X & ex_prop Y})"
    6.37 +   "wx X == Union({Y. Y \<subseteq> X & ex_prop Y})"
    6.38    
    6.39    (*Ill-defined programs can arise through "Join"*)
    6.40    welldef :: "'a program set"
    6.41 -  "welldef == {F. Init F ~= {}}"
    6.42 +  "welldef == {F. Init F \<noteq> {}}"
    6.43    
    6.44    refines :: "['a program, 'a program, 'a program set] => bool"
    6.45  			("(3_ refines _ wrt _)" [10,10,10] 10)
    6.46    "G refines F wrt X ==
    6.47 -     \<forall>H. (F ok H  & G ok H & F Join H : welldef Int X) --> 
    6.48 -         (G Join H : welldef Int X)"
    6.49 +     \<forall>H. (F ok H  & G ok H & F Join H \<in> welldef \<inter> X) --> 
    6.50 +         (G Join H \<in> welldef \<inter> X)"
    6.51  
    6.52    iso_refines :: "['a program, 'a program, 'a program set] => bool"
    6.53                                ("(3_ iso'_refines _ wrt _)" [10,10,10] 10)
    6.54    "G iso_refines F wrt X ==
    6.55 -   F : welldef Int X --> G : welldef Int X"
    6.56 +   F \<in> welldef \<inter> X --> G \<in> welldef \<inter> X"
    6.57  
    6.58  
    6.59  lemma OK_insert_iff:
    6.60       "(OK (insert i I) F) = 
    6.61 -      (if i:I then OK I F else OK I F & (F i ok JOIN I F))"
    6.62 +      (if i \<in> I then OK I F else OK I F & (F i ok JOIN I F))"
    6.63  by (auto intro: ok_sym simp add: OK_iff_ok)
    6.64  
    6.65  
    6.66  (*** existential properties ***)
    6.67  lemma ex1 [rule_format]: 
    6.68   "[| ex_prop X; finite GG |] ==>  
    6.69 -     GG Int X ~= {}--> OK GG (%G. G) -->(JN G:GG. G) : X"
    6.70 +     GG \<inter> X \<noteq> {}--> OK GG (%G. G) --> (\<Squnion>G \<in> GG. G) \<in> X"
    6.71  apply (unfold ex_prop_def)
    6.72  apply (erule finite_induct)
    6.73  apply (auto simp add: OK_insert_iff Int_insert_left)
    6.74 @@ -90,7 +90,7 @@
    6.75  
    6.76  
    6.77  lemma ex2: 
    6.78 -     "\<forall>GG. finite GG & GG Int X ~= {} --> OK GG (%G. G) -->(JN G:GG. G):X 
    6.79 +     "\<forall>GG. finite GG & GG \<inter> X \<noteq> {} --> OK GG (%G. G) -->(\<Squnion>G \<in> GG. G):X 
    6.80        ==> ex_prop X"
    6.81  apply (unfold ex_prop_def, clarify)
    6.82  apply (drule_tac x = "{F,G}" in spec)
    6.83 @@ -101,13 +101,13 @@
    6.84  (*Chandy & Sanders take this as a definition*)
    6.85  lemma ex_prop_finite:
    6.86       "ex_prop X = 
    6.87 -      (\<forall>GG. finite GG & GG Int X ~= {} & OK GG (%G. G)--> (JN G:GG. G) : X)"
    6.88 +      (\<forall>GG. finite GG & GG \<inter> X \<noteq> {} & OK GG (%G. G)--> (\<Squnion>G \<in> GG. G) \<in> X)"
    6.89  by (blast intro: ex1 ex2)
    6.90  
    6.91  
    6.92  (*Their "equivalent definition" given at the end of section 3*)
    6.93  lemma ex_prop_equiv: 
    6.94 -     "ex_prop X = (\<forall>G. G:X = (\<forall>H. (G component_of H) --> H: X))"
    6.95 +     "ex_prop X = (\<forall>G. G \<in> X = (\<forall>H. (G component_of H) --> H \<in> X))"
    6.96  apply auto
    6.97  apply (unfold ex_prop_def component_of_def, safe)
    6.98  apply blast 
    6.99 @@ -120,14 +120,14 @@
   6.100  (*** universal properties ***)
   6.101  lemma uv1 [rule_format]: 
   6.102       "[| uv_prop X; finite GG |] 
   6.103 -      ==> GG <= X & OK GG (%G. G) --> (JN G:GG. G) : X"
   6.104 +      ==> GG \<subseteq> X & OK GG (%G. G) --> (\<Squnion>G \<in> GG. G) \<in> X"
   6.105  apply (unfold uv_prop_def)
   6.106  apply (erule finite_induct)
   6.107  apply (auto simp add: Int_insert_left OK_insert_iff)
   6.108  done
   6.109  
   6.110  lemma uv2: 
   6.111 -     "\<forall>GG. finite GG & GG <= X & OK GG (%G. G) --> (JN G:GG. G) : X  
   6.112 +     "\<forall>GG. finite GG & GG \<subseteq> X & OK GG (%G. G) --> (\<Squnion>G \<in> GG. G) \<in> X  
   6.113        ==> uv_prop X"
   6.114  apply (unfold uv_prop_def)
   6.115  apply (rule conjI)
   6.116 @@ -141,37 +141,37 @@
   6.117  (*Chandy & Sanders take this as a definition*)
   6.118  lemma uv_prop_finite:
   6.119       "uv_prop X = 
   6.120 -      (\<forall>GG. finite GG & GG <= X & OK GG (%G. G) --> (JN G:GG. G): X)"
   6.121 +      (\<forall>GG. finite GG & GG \<subseteq> X & OK GG (%G. G) --> (\<Squnion>G \<in> GG. G): X)"
   6.122  by (blast intro: uv1 uv2)
   6.123  
   6.124  (*** guarantees ***)
   6.125  
   6.126  lemma guaranteesI:
   6.127 -     "(!!G. [| F ok G; F Join G : X |] ==> F Join G : Y)  
   6.128 -      ==> F : X guarantees Y"
   6.129 +     "(!!G. [| F ok G; F Join G \<in> X |] ==> F Join G \<in> Y)  
   6.130 +      ==> F \<in> X guarantees Y"
   6.131  by (simp add: guar_def component_def)
   6.132  
   6.133  lemma guaranteesD: 
   6.134 -     "[| F : X guarantees Y;  F ok G;  F Join G : X |]  
   6.135 -      ==> F Join G : Y"
   6.136 +     "[| F \<in> X guarantees Y;  F ok G;  F Join G \<in> X |]  
   6.137 +      ==> F Join G \<in> Y"
   6.138  by (unfold guar_def component_def, blast)
   6.139  
   6.140  (*This version of guaranteesD matches more easily in the conclusion
   6.141 -  The major premise can no longer be  F<=H since we need to reason about G*)
   6.142 +  The major premise can no longer be  F \<subseteq> H since we need to reason about G*)
   6.143  lemma component_guaranteesD: 
   6.144 -     "[| F : X guarantees Y;  F Join G = H;  H : X;  F ok G |]  
   6.145 -      ==> H : Y"
   6.146 +     "[| F \<in> X guarantees Y;  F Join G = H;  H \<in> X;  F ok G |]  
   6.147 +      ==> H \<in> Y"
   6.148  by (unfold guar_def, blast)
   6.149  
   6.150  lemma guarantees_weaken: 
   6.151 -     "[| F: X guarantees X'; Y <= X; X' <= Y' |] ==> F: Y guarantees Y'"
   6.152 +     "[| F \<in> X guarantees X'; Y \<subseteq> X; X' \<subseteq> Y' |] ==> F \<in> Y guarantees Y'"
   6.153  by (unfold guar_def, blast)
   6.154  
   6.155 -lemma subset_imp_guarantees_UNIV: "X <= Y ==> X guarantees Y = UNIV"
   6.156 +lemma subset_imp_guarantees_UNIV: "X \<subseteq> Y ==> X guarantees Y = UNIV"
   6.157  by (unfold guar_def, blast)
   6.158  
   6.159  (*Equivalent to subset_imp_guarantees_UNIV but more intuitive*)
   6.160 -lemma subset_imp_guarantees: "X <= Y ==> F : X guarantees Y"
   6.161 +lemma subset_imp_guarantees: "X \<subseteq> Y ==> F \<in> X guarantees Y"
   6.162  by (unfold guar_def, blast)
   6.163  
   6.164  (*Remark at end of section 4.1 *)
   6.165 @@ -201,31 +201,31 @@
   6.166  (** Distributive laws.  Re-orient to perform miniscoping **)
   6.167  
   6.168  lemma guarantees_UN_left: 
   6.169 -     "(UN i:I. X i) guarantees Y = (INT i:I. X i guarantees Y)"
   6.170 +     "(\<Union>i \<in> I. X i) guarantees Y = (\<Inter>i \<in> I. X i guarantees Y)"
   6.171  by (unfold guar_def, blast)
   6.172  
   6.173  lemma guarantees_Un_left: 
   6.174 -     "(X Un Y) guarantees Z = (X guarantees Z) Int (Y guarantees Z)"
   6.175 +     "(X \<union> Y) guarantees Z = (X guarantees Z) \<inter> (Y guarantees Z)"
   6.176  by (unfold guar_def, blast)
   6.177  
   6.178  lemma guarantees_INT_right: 
   6.179 -     "X guarantees (INT i:I. Y i) = (INT i:I. X guarantees Y i)"
   6.180 +     "X guarantees (\<Inter>i \<in> I. Y i) = (\<Inter>i \<in> I. X guarantees Y i)"
   6.181  by (unfold guar_def, blast)
   6.182  
   6.183  lemma guarantees_Int_right: 
   6.184 -     "Z guarantees (X Int Y) = (Z guarantees X) Int (Z guarantees Y)"
   6.185 +     "Z guarantees (X \<inter> Y) = (Z guarantees X) \<inter> (Z guarantees Y)"
   6.186  by (unfold guar_def, blast)
   6.187  
   6.188  lemma guarantees_Int_right_I:
   6.189 -     "[| F : Z guarantees X;  F : Z guarantees Y |]  
   6.190 -     ==> F : Z guarantees (X Int Y)"
   6.191 +     "[| F \<in> Z guarantees X;  F \<in> Z guarantees Y |]  
   6.192 +     ==> F \<in> Z guarantees (X \<inter> Y)"
   6.193  by (simp add: guarantees_Int_right)
   6.194  
   6.195  lemma guarantees_INT_right_iff:
   6.196 -     "(F : X guarantees (INTER I Y)) = (\<forall>i\<in>I. F : X guarantees (Y i))"
   6.197 +     "(F \<in> X guarantees (INTER I Y)) = (\<forall>i\<in>I. F \<in> X guarantees (Y i))"
   6.198  by (simp add: guarantees_INT_right)
   6.199  
   6.200 -lemma shunting: "(X guarantees Y) = (UNIV guarantees (-X Un Y))"
   6.201 +lemma shunting: "(X guarantees Y) = (UNIV guarantees (-X \<union> Y))"
   6.202  by (unfold guar_def, blast)
   6.203  
   6.204  lemma contrapositive: "(X guarantees Y) = -Y guarantees -X"
   6.205 @@ -236,35 +236,35 @@
   6.206  **)
   6.207  
   6.208  lemma combining1: 
   6.209 -    "[| F : V guarantees X;  F : (X Int Y) guarantees Z |] 
   6.210 -     ==> F : (V Int Y) guarantees Z"
   6.211 +    "[| F \<in> V guarantees X;  F \<in> (X \<inter> Y) guarantees Z |] 
   6.212 +     ==> F \<in> (V \<inter> Y) guarantees Z"
   6.213  
   6.214  by (unfold guar_def, blast)
   6.215  
   6.216  lemma combining2: 
   6.217 -    "[| F : V guarantees (X Un Y);  F : Y guarantees Z |] 
   6.218 -     ==> F : V guarantees (X Un Z)"
   6.219 +    "[| F \<in> V guarantees (X \<union> Y);  F \<in> Y guarantees Z |] 
   6.220 +     ==> F \<in> V guarantees (X \<union> Z)"
   6.221  by (unfold guar_def, blast)
   6.222  
   6.223  (** The following two follow Chandy-Sanders, but the use of object-quantifiers
   6.224      does not suit Isabelle... **)
   6.225  
   6.226 -(*Premise should be (!!i. i: I ==> F: X guarantees Y i) *)
   6.227 +(*Premise should be (!!i. i \<in> I ==> F \<in> X guarantees Y i) *)
   6.228  lemma all_guarantees: 
   6.229 -     "\<forall>i\<in>I. F : X guarantees (Y i) ==> F : X guarantees (INT i:I. Y i)"
   6.230 +     "\<forall>i\<in>I. F \<in> X guarantees (Y i) ==> F \<in> X guarantees (\<Inter>i \<in> I. Y i)"
   6.231  by (unfold guar_def, blast)
   6.232  
   6.233 -(*Premises should be [| F: X guarantees Y i; i: I |] *)
   6.234 +(*Premises should be [| F \<in> X guarantees Y i; i \<in> I |] *)
   6.235  lemma ex_guarantees: 
   6.236 -     "\<exists>i\<in>I. F : X guarantees (Y i) ==> F : X guarantees (UN i:I. Y i)"
   6.237 +     "\<exists>i\<in>I. F \<in> X guarantees (Y i) ==> F \<in> X guarantees (\<Union>i \<in> I. Y i)"
   6.238  by (unfold guar_def, blast)
   6.239  
   6.240  
   6.241  (*** Additional guarantees laws, by lcp ***)
   6.242  
   6.243  lemma guarantees_Join_Int: 
   6.244 -    "[| F: U guarantees V;  G: X guarantees Y; F ok G |]  
   6.245 -     ==> F Join G: (U Int X) guarantees (V Int Y)"
   6.246 +    "[| F \<in> U guarantees V;  G \<in> X guarantees Y; F ok G |]  
   6.247 +     ==> F Join G \<in> (U \<inter> X) guarantees (V \<inter> Y)"
   6.248  apply (unfold guar_def)
   6.249  apply (simp (no_asm))
   6.250  apply safe
   6.251 @@ -275,8 +275,8 @@
   6.252  done
   6.253  
   6.254  lemma guarantees_Join_Un: 
   6.255 -    "[| F: U guarantees V;  G: X guarantees Y; F ok G |]   
   6.256 -     ==> F Join G: (U Un X) guarantees (V Un Y)"
   6.257 +    "[| F \<in> U guarantees V;  G \<in> X guarantees Y; F ok G |]   
   6.258 +     ==> F Join G \<in> (U \<union> X) guarantees (V \<union> Y)"
   6.259  apply (unfold guar_def)
   6.260  apply (simp (no_asm))
   6.261  apply safe
   6.262 @@ -287,8 +287,8 @@
   6.263  done
   6.264  
   6.265  lemma guarantees_JN_INT: 
   6.266 -     "[| \<forall>i\<in>I. F i : X i guarantees Y i;  OK I F |]  
   6.267 -      ==> (JOIN I F) : (INTER I X) guarantees (INTER I Y)"
   6.268 +     "[| \<forall>i\<in>I. F i \<in> X i guarantees Y i;  OK I F |]  
   6.269 +      ==> (JOIN I F) \<in> (INTER I X) guarantees (INTER I Y)"
   6.270  apply (unfold guar_def, auto)
   6.271  apply (drule bspec, assumption)
   6.272  apply (rename_tac "i")
   6.273 @@ -298,8 +298,8 @@
   6.274  done
   6.275  
   6.276  lemma guarantees_JN_UN: 
   6.277 -    "[| \<forall>i\<in>I. F i : X i guarantees Y i;  OK I F |]  
   6.278 -     ==> (JOIN I F) : (UNION I X) guarantees (UNION I Y)"
   6.279 +    "[| \<forall>i\<in>I. F i \<in> X i guarantees Y i;  OK I F |]  
   6.280 +     ==> (JOIN I F) \<in> (UNION I X) guarantees (UNION I Y)"
   6.281  apply (unfold guar_def, auto)
   6.282  apply (drule bspec, assumption)
   6.283  apply (rename_tac "i")
   6.284 @@ -312,7 +312,7 @@
   6.285  (*** guarantees laws for breaking down the program, by lcp ***)
   6.286  
   6.287  lemma guarantees_Join_I1: 
   6.288 -     "[| F: X guarantees Y;  F ok G |] ==> F Join G: X guarantees Y"
   6.289 +     "[| F \<in> X guarantees Y;  F ok G |] ==> F Join G \<in> X guarantees Y"
   6.290  apply (unfold guar_def)
   6.291  apply (simp (no_asm))
   6.292  apply safe
   6.293 @@ -320,14 +320,14 @@
   6.294  done
   6.295  
   6.296  lemma guarantees_Join_I2:
   6.297 -     "[| G: X guarantees Y;  F ok G |] ==> F Join G: X guarantees Y"
   6.298 +     "[| G \<in> X guarantees Y;  F ok G |] ==> F Join G \<in> X guarantees Y"
   6.299  apply (simp add: Join_commute [of _ G] ok_commute [of _ G])
   6.300  apply (blast intro: guarantees_Join_I1)
   6.301  done
   6.302  
   6.303  lemma guarantees_JN_I: 
   6.304 -     "[| i : I;  F i: X guarantees Y;  OK I F |]  
   6.305 -      ==> (JN i:I. (F i)) : X guarantees Y"
   6.306 +     "[| i \<in> I;  F i \<in> X guarantees Y;  OK I F |]  
   6.307 +      ==> (\<Squnion>i \<in> I. (F i)) \<in> X guarantees Y"
   6.308  apply (unfold guar_def, clarify)
   6.309  apply (drule_tac x = "JOIN (I-{i}) F Join G" in spec)
   6.310  apply (auto intro: OK_imp_ok simp add: JN_Join_diff JN_Join_diff Join_assoc [symmetric])
   6.311 @@ -336,10 +336,10 @@
   6.312  
   6.313  (*** well-definedness ***)
   6.314  
   6.315 -lemma Join_welldef_D1: "F Join G: welldef ==> F: welldef"
   6.316 +lemma Join_welldef_D1: "F Join G \<in> welldef ==> F \<in> welldef"
   6.317  by (unfold welldef_def, auto)
   6.318  
   6.319 -lemma Join_welldef_D2: "F Join G: welldef ==> G: welldef"
   6.320 +lemma Join_welldef_D2: "F Join G \<in> welldef ==> G \<in> welldef"
   6.321  by (unfold welldef_def, auto)
   6.322  
   6.323  (*** refinement ***)
   6.324 @@ -357,14 +357,14 @@
   6.325  
   6.326  lemma strict_ex_refine_lemma: 
   6.327       "strict_ex_prop X  
   6.328 -      ==> (\<forall>H. F ok H & G ok H & F Join H : X --> G Join H : X)  
   6.329 -              = (F:X --> G:X)"
   6.330 +      ==> (\<forall>H. F ok H & G ok H & F Join H \<in> X --> G Join H \<in> X)  
   6.331 +              = (F \<in> X --> G \<in> X)"
   6.332  by (unfold strict_ex_prop_def, auto)
   6.333  
   6.334  lemma strict_ex_refine_lemma_v: 
   6.335       "strict_ex_prop X  
   6.336 -      ==> (\<forall>H. F ok H & G ok H & F Join H : welldef & F Join H : X --> G Join H : X) =  
   6.337 -          (F: welldef Int X --> G:X)"
   6.338 +      ==> (\<forall>H. F ok H & G ok H & F Join H \<in> welldef & F Join H \<in> X --> G Join H \<in> X) =  
   6.339 +          (F \<in> welldef \<inter> X --> G \<in> X)"
   6.340  apply (unfold strict_ex_prop_def, safe)
   6.341  apply (erule_tac x = SKIP and P = "%H. ?PP H --> ?RR H" in allE)
   6.342  apply (auto dest: Join_welldef_D1 Join_welldef_D2)
   6.343 @@ -372,7 +372,7 @@
   6.344  
   6.345  lemma ex_refinement_thm:
   6.346       "[| strict_ex_prop X;   
   6.347 -         \<forall>H. F ok H & G ok H & F Join H : welldef Int X --> G Join H : welldef |]  
   6.348 +         \<forall>H. F ok H & G ok H & F Join H \<in> welldef \<inter> X --> G Join H \<in> welldef |]  
   6.349        ==> (G refines F wrt X) = (G iso_refines F wrt X)"
   6.350  apply (rule_tac x = SKIP in allE, assumption)
   6.351  apply (simp add: refines_def iso_refines_def strict_ex_refine_lemma_v)
   6.352 @@ -381,13 +381,13 @@
   6.353  
   6.354  lemma strict_uv_refine_lemma: 
   6.355       "strict_uv_prop X ==> 
   6.356 -      (\<forall>H. F ok H & G ok H & F Join H : X --> G Join H : X) = (F:X --> G:X)"
   6.357 +      (\<forall>H. F ok H & G ok H & F Join H \<in> X --> G Join H \<in> X) = (F \<in> X --> G \<in> X)"
   6.358  by (unfold strict_uv_prop_def, blast)
   6.359  
   6.360  lemma strict_uv_refine_lemma_v: 
   6.361       "strict_uv_prop X  
   6.362 -      ==> (\<forall>H. F ok H & G ok H & F Join H : welldef & F Join H : X --> G Join H : X) =  
   6.363 -          (F: welldef Int X --> G:X)"
   6.364 +      ==> (\<forall>H. F ok H & G ok H & F Join H \<in> welldef & F Join H \<in> X --> G Join H \<in> X) =  
   6.365 +          (F \<in> welldef \<inter> X --> G \<in> X)"
   6.366  apply (unfold strict_uv_prop_def, safe)
   6.367  apply (erule_tac x = SKIP and P = "%H. ?PP H --> ?RR H" in allE)
   6.368  apply (auto dest: Join_welldef_D1 Join_welldef_D2)
   6.369 @@ -395,8 +395,8 @@
   6.370  
   6.371  lemma uv_refinement_thm:
   6.372       "[| strict_uv_prop X;   
   6.373 -         \<forall>H. F ok H & G ok H & F Join H : welldef Int X --> 
   6.374 -             G Join H : welldef |]  
   6.375 +         \<forall>H. F ok H & G ok H & F Join H \<in> welldef \<inter> X --> 
   6.376 +             G Join H \<in> welldef |]  
   6.377        ==> (G refines F wrt X) = (G iso_refines F wrt X)"
   6.378  apply (rule_tac x = SKIP in allE, assumption)
   6.379  apply (simp add: refines_def iso_refines_def strict_uv_refine_lemma_v)
   6.380 @@ -404,17 +404,17 @@
   6.381  
   6.382  (* Added by Sidi Ehmety from Chandy & Sander, section 6 *)
   6.383  lemma guarantees_equiv: 
   6.384 -    "(F:X guarantees Y) = (\<forall>H. H:X \<longrightarrow> (F component_of H \<longrightarrow> H:Y))"
   6.385 +    "(F \<in> X guarantees Y) = (\<forall>H. H \<in> X \<longrightarrow> (F component_of H \<longrightarrow> H \<in> Y))"
   6.386  by (unfold guar_def component_of_def, auto)
   6.387  
   6.388 -lemma wg_weakest: "!!X. F:(X guarantees Y) ==> X <= (wg F Y)"
   6.389 +lemma wg_weakest: "!!X. F:(X guarantees Y) ==> X \<subseteq> (wg F Y)"
   6.390  by (unfold wg_def, auto)
   6.391  
   6.392  lemma wg_guarantees: "F:((wg F Y) guarantees Y)"
   6.393  by (unfold wg_def guar_def, blast)
   6.394  
   6.395  lemma wg_equiv: 
   6.396 -  "(H: wg F X) = (F component_of H --> H:X)"
   6.397 +  "(H \<in> wg F X) = (F component_of H --> H \<in> X)"
   6.398  apply (unfold wg_def)
   6.399  apply (simp (no_asm) add: guarantees_equiv)
   6.400  apply (rule iffI)
   6.401 @@ -423,21 +423,21 @@
   6.402  done
   6.403  
   6.404  
   6.405 -lemma component_of_wg: "F component_of H ==> (H:wg F X) = (H:X)"
   6.406 +lemma component_of_wg: "F component_of H ==> (H \<in> wg F X) = (H \<in> X)"
   6.407  by (simp add: wg_equiv)
   6.408  
   6.409  lemma wg_finite: 
   6.410 -    "\<forall>FF. finite FF & FF Int X ~= {} --> OK FF (%F. F)  
   6.411 -          --> (\<forall>F\<in>FF. ((JN F:FF. F): wg F X) = ((JN F:FF. F):X))"
   6.412 +    "\<forall>FF. finite FF & FF \<inter> X \<noteq> {} --> OK FF (%F. F)  
   6.413 +          --> (\<forall>F\<in>FF. ((\<Squnion>F \<in> FF. F): wg F X) = ((\<Squnion>F \<in> FF. F):X))"
   6.414  apply clarify
   6.415 -apply (subgoal_tac "F component_of (JN F:FF. F) ")
   6.416 +apply (subgoal_tac "F component_of (\<Squnion>F \<in> FF. F) ")
   6.417  apply (drule_tac X = X in component_of_wg, simp)
   6.418  apply (simp add: component_of_def)
   6.419 -apply (rule_tac x = "JN F: (FF-{F}) . F" in exI)
   6.420 +apply (rule_tac x = "\<Squnion>F \<in> (FF-{F}) . F" in exI)
   6.421  apply (auto intro: JN_Join_diff dest: ok_sym simp add: OK_iff_ok)
   6.422  done
   6.423  
   6.424 -lemma wg_ex_prop: "ex_prop X ==> (F:X) = (\<forall>H. H : wg F X)"
   6.425 +lemma wg_ex_prop: "ex_prop X ==> (F \<in> X) = (\<forall>H. H \<in> wg F X)"
   6.426  apply (simp (no_asm_use) add: ex_prop_equiv wg_equiv)
   6.427  apply blast
   6.428  done
   6.429 @@ -455,11 +455,11 @@
   6.430  apply auto
   6.431  done
   6.432  
   6.433 -lemma wx_weakest: "\<forall>Z. Z<= X --> ex_prop Z --> Z <= wx X"
   6.434 +lemma wx_weakest: "\<forall>Z. Z<= X --> ex_prop Z --> Z \<subseteq> wx X"
   6.435  by (unfold wx_def, auto)
   6.436  
   6.437  (* Proposition 6 *)
   6.438 -lemma wx'_ex_prop: "ex_prop({F. \<forall>G. F ok G --> F Join G:X})"
   6.439 +lemma wx'_ex_prop: "ex_prop({F. \<forall>G. F ok G --> F Join G \<in> X})"
   6.440  apply (unfold ex_prop_def, safe)
   6.441  apply (drule_tac x = "G Join Ga" in spec)
   6.442  apply (force simp add: ok_Join_iff1 Join_assoc)
   6.443 @@ -483,7 +483,7 @@
   6.444  apply (drule_tac x = G in spec)
   6.445  apply (frule_tac c = "x Join G" in subsetD, safe)
   6.446  apply (simp (no_asm))
   6.447 -apply (rule_tac x = "{F. \<forall>G. F ok G --> F Join G:X}" in exI, safe)
   6.448 +apply (rule_tac x = "{F. \<forall>G. F ok G --> F Join G \<in> X}" in exI, safe)
   6.449  apply (rule_tac [2] wx'_ex_prop)
   6.450  apply (rotate_tac 1)
   6.451  apply (drule_tac x = SKIP in spec, auto)
   6.452 @@ -496,7 +496,7 @@
   6.453  (* Proposition 12 *)
   6.454  (* Main result of the paper *)
   6.455  lemma guarantees_wx_eq: 
   6.456 -   "(X guarantees Y) = wx(-X Un Y)"
   6.457 +   "(X guarantees Y) = wx(-X \<union> Y)"
   6.458  apply (unfold guar_def)
   6.459  apply (simp (no_asm) add: wx_equiv)
   6.460  done
   6.461 @@ -511,7 +511,7 @@
   6.462      Reasoning About Program composition paper *)
   6.463  
   6.464  lemma stable_guarantees_Always:
   6.465 -     "Init F <= A ==> F:(stable A) guarantees (Always A)"
   6.466 +     "Init F \<subseteq> A ==> F:(stable A) guarantees (Always A)"
   6.467  apply (rule guaranteesI)
   6.468  apply (simp (no_asm) add: Join_commute)
   6.469  apply (rule stable_Join_Always1)
   6.470 @@ -519,7 +519,7 @@
   6.471  done
   6.472  
   6.473  (* To be moved to WFair.ML *)
   6.474 -lemma leadsTo_Basis': "[| F:A co A Un B; F:transient A |] ==> F:A leadsTo B"
   6.475 +lemma leadsTo_Basis': "[| F \<in> A co A \<union> B; F \<in> transient A |] ==> F \<in> A leadsTo B"
   6.476  apply (drule_tac B = "A-B" in constrains_weaken_L)
   6.477  apply (drule_tac [2] B = "A-B" in transient_strengthen)
   6.478  apply (rule_tac [3] ensuresI [THEN leadsTo_Basis])
   6.479 @@ -529,7 +529,7 @@
   6.480  
   6.481  
   6.482  lemma constrains_guarantees_leadsTo:
   6.483 -     "F : transient A ==> F: (A co A Un B) guarantees (A leadsTo (B-A))"
   6.484 +     "F \<in> transient A ==> F \<in> (A co A \<union> B) guarantees (A leadsTo (B-A))"
   6.485  apply (rule guaranteesI)
   6.486  apply (rule leadsTo_Basis')
   6.487  apply (drule constrains_weaken_R)
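--- a/src/HOL/UNITY/Lift_prog.thy	Mon Feb 03 11:45:05 2003 +0100
+++ b/src/HOL/UNITY/Lift_prog.thy	Tue Feb 04 18:12:40 2003 +0100
@@ -116,23 +116,23 @@
 lemma lift_set_empty [simp]: "lift_set i {} = {}"
 by (unfold lift_set_def, auto)
 
-lemma lift_set_iff: "(lift_map i x : lift_set i A) = (x : A)"
+lemma lift_set_iff: "(lift_map i x \<in> lift_set i A) = (x \<in> A)"
 apply (unfold lift_set_def)
 apply (rule inj_lift_map [THEN inj_image_mem_iff])
 done
 
 (*Do we really need both this one and its predecessor?*)
 lemma lift_set_iff2 [iff]:
-     "((f,uu) : lift_set i A) = ((f i, (delete_map i f, uu)) : A)"
+     "((f,uu) \<in> lift_set i A) = ((f i, (delete_map i f, uu)) \<in> A)"
 by (simp add: lift_set_def mem_rename_set_iff drop_map_def)
 
 
-lemma lift_set_mono: "A<=B ==> lift_set i A <= lift_set i B"
+lemma lift_set_mono: "A \<subseteq> B ==> lift_set i A \<subseteq> lift_set i B"
 apply (unfold lift_set_def)
 apply (erule image_mono)
 done
 
-lemma lift_set_Un_distrib: "lift_set i (A Un B) = lift_set i A Un lift_set i B"
+lemma lift_set_Un_distrib: "lift_set i (A \<union> B) = lift_set i A \<union> lift_set i B"
 apply (unfold lift_set_def)
 apply (simp add: image_Un)
 done
@@ -154,39 +154,39 @@
 lemma lift_Join [simp]: "lift i (F Join G) = lift i F Join lift i G"
 by (simp add: lift_def)
 
-lemma lift_JN [simp]: "lift j (JOIN I F) = (JN i:I. lift j (F i))"
+lemma lift_JN [simp]: "lift j (JOIN I F) = (\<Squnion>i \<in> I. lift j (F i))"
 by (simp add: lift_def)
 
 (*** Safety: co, stable, invariant ***)
 
 lemma lift_constrains: 
-     "(lift i F : (lift_set i A) co (lift_set i B)) = (F : A co B)"
+     "(lift i F \<in> (lift_set i A) co (lift_set i B)) = (F \<in> A co B)"
 by (simp add: lift_def lift_set_def rename_constrains)
 
 lemma lift_stable: 
-     "(lift i F : stable (lift_set i A)) = (F : stable A)"
+     "(lift i F \<in> stable (lift_set i A)) = (F \<in> stable A)"
 by (simp add: lift_def lift_set_def rename_stable)
 
 lemma lift_invariant: 
-     "(lift i F : invariant (lift_set i A)) = (F : invariant A)"
+     "(lift i F \<in> invariant (lift_set i A)) = (F \<in> invariant A)"
 apply (unfold lift_def lift_set_def)
 apply (simp add: rename_invariant)
 done
 
 lemma lift_Constrains: 
-     "(lift i F : (lift_set i A) Co (lift_set i B)) = (F : A Co B)"
+     "(lift i F \<in> (lift_set i A) Co (lift_set i B)) = (F \<in> A Co B)"
 apply (unfold lift_def lift_set_def)
 apply (simp add: rename_Constrains)
 done
 
 lemma lift_Stable: 
-     "(lift i F : Stable (lift_set i A)) = (F : Stable A)"
+     "(lift i F \<in> Stable (lift_set i A)) = (F \<in> Stable A)"
 apply (unfold lift_def lift_set_def)
 apply (simp add: rename_Stable)
 done
 
 lemma lift_Always: 
-     "(lift i F : Always (lift_set i A)) = (F : Always A)"
+     "(lift i F \<in> Always (lift_set i A)) = (F \<in> Always A)"
 apply (unfold lift_def lift_set_def)
 apply (simp add: rename_Always)
 done
@@ -194,37 +194,37 @@
 (*** Progress: transient, ensures ***)
 
 lemma lift_transient: 
-     "(lift i F : transient (lift_set i A)) = (F : transient A)"
+     "(lift i F \<in> transient (lift_set i A)) = (F \<in> transient A)"
 by (simp add: lift_def lift_set_def rename_transient)
 
 lemma lift_ensures: 
-     "(lift i F : (lift_set i A) ensures (lift_set i B)) =  
-      (F : A ensures B)"
+     "(lift i F \<in> (lift_set i A) ensures (lift_set i B)) =  
+      (F \<in> A ensures B)"
 by (simp add: lift_def lift_set_def rename_ensures)
 
 lemma lift_leadsTo: 
-     "(lift i F : (lift_set i A) leadsTo (lift_set i B)) =  
-      (F : A leadsTo B)"
+     "(lift i F \<in> (lift_set i A) leadsTo (lift_set i B)) =  
+      (F \<in> A leadsTo B)"
 by (simp add: lift_def lift_set_def rename_leadsTo)
 
 lemma lift_LeadsTo: 
-     "(lift i F : (lift_set i A) LeadsTo (lift_set i B)) =   
-      (F : A LeadsTo B)"
+     "(lift i F \<in> (lift_set i A) LeadsTo (lift_set i B)) =   
+      (F \<in> A LeadsTo B)"
 by (simp add: lift_def lift_set_def rename_LeadsTo)
 
 
 (** guarantees **)
 
 lemma lift_lift_guarantees_eq: 
-     "(lift i F : (lift i ` X) guarantees (lift i ` Y)) =  
-      (F : X guarantees Y)"
+     "(lift i F \<in> (lift i ` X) guarantees (lift i ` Y)) =  
+      (F \<in> X guarantees Y)"
 apply (unfold lift_def)
 apply (subst bij_lift_map [THEN rename_rename_guarantees_eq, symmetric])
 apply (simp add: o_def)
 done
 
-lemma lift_guarantees_eq_lift_inv: "(lift i F : X guarantees Y) =  
-      (F : (rename (drop_map i) ` X) guarantees (rename (drop_map i) ` Y))"
+lemma lift_guarantees_eq_lift_inv: "(lift i F \<in> X guarantees Y) =  
+      (F \<in> (rename (drop_map i) ` X) guarantees (rename (drop_map i) ` Y))"
 by (simp add: bij_lift_map [THEN rename_guarantees_eq_rename_inv] lift_def)
 
 
@@ -236,14 +236,14 @@
 (*To preserve snd means that the second component is there just to allow
   guarantees properties to be stated.  Converse fails, for lift i F can 
   change function components other than i*)
-lemma lift_preserves_snd_I: "F : preserves snd ==> lift i F : preserves snd"
+lemma lift_preserves_snd_I: "F \<in> preserves snd ==> lift i F \<in> preserves snd"
 apply (drule_tac w1=snd in subset_preserves_o [THEN subsetD])
 apply (simp add: lift_def rename_preserves)
 apply (simp add: lift_map_def o_def split_def)
 done
 
 lemma delete_map_eqE':
-     "(delete_map i g) = (delete_map i g') ==> EX x. g = g'(i:=x)"
+     "(delete_map i g) = (delete_map i g') ==> \<exists>x. g = g'(i:=x)"
 apply (drule_tac f = "insert_map i (g i) " in arg_cong)
 apply (simp add: insert_map_delete_map_eq)
 apply (erule exI)
@@ -252,7 +252,7 @@
 lemmas delete_map_eqE = delete_map_eqE' [THEN exE, elim!]
 
 lemma delete_map_neq_apply:
-     "[| delete_map j g = delete_map j g';  i~=j |] ==> g i = g' i"
+     "[| delete_map j g = delete_map j g';  i\<noteq>j |] ==> g i = g' i"
 by force
 
 (*A set of the form (A <*> UNIV) ignores the second (dummy) state component*)
@@ -265,27 +265,27 @@
 by auto
 
 lemma mem_lift_act_iff [iff]: 
-     "((s,s') : extend_act (%(x,u::unit). lift_map i x) act) =  
-      ((drop_map i s, drop_map i s') : act)"
+     "((s,s') \<in> extend_act (%(x,u::unit). lift_map i x) act) =  
+      ((drop_map i s, drop_map i s') \<in> act)"
 apply (unfold extend_act_def, auto)
 apply (rule bexI, auto)
 done
 
 lemma preserves_snd_lift_stable:
-     "[| F : preserves snd;  i~=j |]  
-      ==> lift j F : stable (lift_set i (A <*> UNIV))"
+     "[| F \<in> preserves snd;  i\<noteq>j |]  
+      ==> lift j F \<in> stable (lift_set i (A <*> UNIV))"
 apply (auto simp add: lift_def lift_set_def stable_def constrains_def 
                       rename_def extend_def mem_rename_set_iff)
 apply (auto dest!: preserves_imp_eq simp add: lift_map_def drop_map_def)
 apply (drule_tac x = i in fun_cong, auto)
 done
 
-(*If i~=j then lift j F  does nothing to lift_set i, and the 
-  premise ensures A<=B.*)
+(*If i\<noteq>j then lift j F  does nothing to lift_set i, and the 
+  premise ensures A \<subseteq> B.*)
 lemma constrains_imp_lift_constrains:
-    "[| F i : (A <*> UNIV) co (B <*> UNIV);   
-        F j : preserves snd |]   
-     ==> lift j (F j) : (lift_set i (A <*> UNIV)) co (lift_set i (B <*> UNIV))"
+    "[| F i \<in> (A <*> UNIV) co (B <*> UNIV);   
+        F j \<in> preserves snd |]   
+     ==> lift j (F j) \<in> (lift_set i (A <*> UNIV)) co (lift_set i (B <*> UNIV))"
 apply (case_tac "i=j")
 apply (simp add: lift_def lift_set_def rename_constrains)
 apply (erule preserves_snd_lift_stable[THEN stableD, THEN constrains_weaken_R],
@@ -309,24 +309,24 @@
 done
 
 lemma insert_map_eq_diff:
-     "[| insert_map i s f = insert_map j t g;  i~=j |]  
-      ==> EX g'. insert_map i s' f = insert_map j t g'"
+     "[| insert_map i s f = insert_map j t g;  i\<noteq>j |]  
+      ==> \<exists>g'. insert_map i s' f = insert_map j t g'"
 apply (subst insert_map_upd_same [symmetric])
 apply (erule ssubst)
 apply (simp only: insert_map_upd if_False split: split_if, blast)
 done
 
 lemma lift_map_eq_diff: 
-     "[| lift_map i (s,(f,uu)) = lift_map j (t,(g,vv));  i~=j |]  
-      ==> EX g'. lift_map i (s',(f,uu)) = lift_map j (t,(g',vv))"
+     "[| lift_map i (s,(f,uu)) = lift_map j (t,(g,vv));  i\<noteq>j |]  
+      ==> \<exists>g'. lift_map i (s',(f,uu)) = lift_map j (t,(g',vv))"
 apply (unfold lift_map_def, auto)
 apply (blast dest: insert_map_eq_diff)
 done
 
 lemma lift_transient_eq_disj:
-     "F : preserves snd  
-      ==> (lift i F : transient (lift_set j (A <*> UNIV))) =  
-          (i=j & F : transient (A <*> UNIV) | A={})"
+     "F \<in> preserves snd  
+      ==> (lift i F \<in> transient (lift_set j (A <*> UNIV))) =  
+          (i=j & F \<in> transient (A <*> UNIV) | A={})"
 apply (case_tac "i=j")
 apply (auto simp add: lift_transient)
 apply (auto simp add: lift_set_def lift_def transient_def rename_def 
@@ -346,21 +346,21 @@
 
 (*USELESS??*)
 lemma lift_map_image_Times: "lift_map i ` (A <*> UNIV) =  
-      (UN s:A. UN f. {insert_map i s f}) <*> UNIV"
+      (\<Union>s \<in> A. \<Union>f. {insert_map i s f}) <*> UNIV"
 apply (auto intro!: bexI image_eqI simp add: lift_map_def)
 apply (rule split_conv [symmetric])
 done
 
 lemma lift_preserves_eq:
-     "(lift i F : preserves v) = (F : preserves (v o lift_map i))"
+     "(lift i F \<in> preserves v) = (F \<in> preserves (v o lift_map i))"
 by (simp add: lift_def rename_preserves)
 
 (*A useful rewrite.  If o, sub have been rewritten out already then can also
   use it as   rewrite_rule [sub_def, o_def] lift_preserves_sub*)
 lemma lift_preserves_sub:
-     "F : preserves snd  
-      ==> lift i F : preserves (v o sub j o fst) =  
-          (if i=j then F : preserves (v o fst) else True)"
+     "F \<in> preserves snd  
+      ==> lift i F \<in> preserves (v o sub j o fst) =  
+          (if i=j then F \<in> preserves (v o fst) else True)"
 apply (drule subset_preserves_o [THEN subsetD])
 apply (simp add: lift_preserves_eq o_def drop_map_lift_map_eq)
 apply (auto cong del: if_weak_cong 
@@ -374,7 +374,7 @@
 lemma o_equiv_assoc: "f o g = h ==> f' o f o g = f' o h"
 by (simp add: expand_fun_eq o_def)
 
-lemma o_equiv_apply: "f o g = h ==> ALL x. f(g x) = h x"
+lemma o_equiv_apply: "f o g = h ==> \<forall>x. f(g x) = h x"
 by (simp add: expand_fun_eq o_def)
 
 lemma fst_o_lift_map: "sub i o fst o lift_map i = fst"
@@ -402,7 +402,7 @@
 
 lemma project_act_extend_act:
      "project_act h (extend_act h' act) =  
-        {(x,x'). EX s s' y y' z. (s,s') : act &  
+        {(x,x'). \<exists>s s' y y' z. (s,s') \<in> act &  
                  h(x,y) = h'(s,z) & h(x',y') = h'(s',z)}"
 by (simp add: extend_act_def project_act_def, blast)
 
@@ -410,24 +410,24 @@
 (*** OK and "lift" ***)
 
 lemma act_in_UNION_preserves_fst:
-     "act <= {(x,x'). fst x = fst x'} ==> act : UNION (preserves fst) Acts"
+     "act \<subseteq> {(x,x'). fst x = fst x'} ==> act \<in> UNION (preserves fst) Acts"
 apply (rule_tac a = "mk_program (UNIV,{act},UNIV) " in UN_I)
 apply (auto simp add: preserves_def stable_def constrains_def)
 done
 
 lemma UNION_OK_lift_I:
-     "[| ALL i:I. F i : preserves snd;   
-         ALL i:I. UNION (preserves fst) Acts <= AllowedActs (F i) |]  
+     "[| \<forall>i \<in> I. F i \<in> preserves snd;   
+         \<forall>i \<in> I. UNION (preserves fst) Acts \<subseteq> AllowedActs (F i) |]  
       ==> OK I (%i. lift i (F i))"
 apply (auto simp add: OK_def lift_def rename_def Extend.Acts_extend)
 apply (simp add: Extend.AllowedActs_extend project_act_extend_act)
 apply (rename_tac "act")
 apply (subgoal_tac
       "{(x, x'). \<exists>s f u s' f' u'. 
-                    ((s, f, u), s', f', u') : act & 
+                    ((s, f, u), s', f', u') \<in> act & 
                     lift_map j x = lift_map i (s, f, u) & 
                     lift_map j x' = lift_map i (s', f', u') } 
-                <= { (x,x') . fst x = fst x'}")
+                \<subseteq> { (x,x') . fst x = fst x'}")
 apply (blast intro: act_in_UNION_preserves_fst, clarify)
 apply (drule_tac x = j in fun_cong)+
 apply (drule_tac x = i in bspec, assumption)
@@ -435,8 +435,8 @@
 done
 
 lemma OK_lift_I:
-     "[| ALL i:I. F i : preserves snd;   
-         ALL i:I. preserves fst <= Allowed (F i) |]  
+     "[| \<forall>i \<in> I. F i \<in> preserves snd;   
+         \<forall>i \<in> I. preserves fst \<subseteq> Allowed (F i) |]  
       ==> OK I (%i. lift i (F i))"
 by (simp add: safety_prop_AllowedActs_iff_Allowed UNION_OK_lift_I)
 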
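Review bot: The bounded-quantifier spacing in the last hunk (`\<forall>i \<in> I.` in `UNION_OK_lift_I` and `OK_lift_I`) differs from the `\<forall>i\<in>I.` form the same commit writes in Guar.thy (`guarantees_JN_INT`, `guarantees_JN_UN`); both parse, but one convention per commit keeps later greps and diffs of these theories predictable. Within Lift_prog.thy the conversion is uniform, which makes the leftovers elsewhere in the commit stand out: `F:(X guarantees Y)` in `wg_weakest`, `Z<= X` in `wx_weakest` and `F:(stable A)` in `stable_guarantees_Always` (Guar.thy), and `lift i (F i): X guarantees Y` in `guarantees_PLam_I` (PPROD.thy) still mix ASCII `:`/`<=` with `\<in>`/`\<subseteq>` in the same statement. Since `%` and `==>` are deliberately left in ASCII everywhere, the only change to make is `\<in>`/`\<subseteq>` on those four lines; the subgoal_tac term in `UNION_OK_lift_I` already shows the fully converted form to follow.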
     8.1 --- a/src/HOL/UNITY/PPROD.thy	Mon Feb 03 11:45:05 2003 +0100
     8.2 +++ b/src/HOL/UNITY/PPROD.thy	Tue Feb 04 18:12:40 2003 +0100
     8.3 @@ -15,19 +15,19 @@
     8.4  
     8.5    PLam  :: "[nat set, nat => ('b * ((nat=>'b) * 'c)) program]
     8.6              => ((nat=>'b) * 'c) program"
     8.7 -    "PLam I F == JN i:I. lift i (F i)"
     8.8 +    "PLam I F == \<Squnion>i \<in> I. lift i (F i)"
     8.9  
    8.10  syntax
    8.11    "@PLam" :: "[pttrn, nat set, 'b set] => (nat => 'b) set"
    8.12                ("(3plam _:_./ _)" 10)
    8.13  
    8.14  translations
    8.15 -  "plam x:A. B"   == "PLam A (%x. B)"
    8.16 +  "plam x : A. B"   == "PLam A (%x. B)"
    8.17  
    8.18  
    8.19  (*** Basic properties ***)
    8.20  
    8.21 -lemma Init_PLam: "Init (PLam I F) = (INT i:I. lift_set i (Init (F i)))"
    8.22 +lemma Init_PLam: "Init (PLam I F) = (\<Inter>i \<in> I. lift_set i (Init (F i)))"
    8.23  apply (simp (no_asm) add: PLam_def lift_def lift_set_def)
    8.24  done
    8.25  
    8.26 @@ -37,7 +37,7 @@
    8.27  apply (simp (no_asm) add: PLam_def)
    8.28  done
    8.29  
    8.30 -lemma PLam_SKIP: "(plam i: I. SKIP) = SKIP"
    8.31 +lemma PLam_SKIP: "(plam i : I. SKIP) = SKIP"
    8.32  apply (simp (no_asm) add: PLam_def lift_SKIP JN_constant)
    8.33  done
    8.34  
    8.35 @@ -46,11 +46,11 @@
    8.36  lemma PLam_insert: "PLam (insert i I) F = (lift i (F i)) Join (PLam I F)"
    8.37  by (unfold PLam_def, auto)
    8.38  
    8.39 -lemma PLam_component_iff: "((PLam I F) <= H) = (ALL i: I. lift i (F i) <= H)"
    8.40 +lemma PLam_component_iff: "((PLam I F) \<le> H) = (\<forall>i \<in> I. lift i (F i) \<le> H)"
    8.41  apply (simp (no_asm) add: PLam_def JN_component_iff)
    8.42  done
    8.43  
    8.44 -lemma component_PLam: "i : I ==> lift i (F i) <= (PLam I F)"
    8.45 +lemma component_PLam: "i \<in> I ==> lift i (F i) \<le> (PLam I F)"
    8.46  apply (unfold PLam_def)
    8.47  (*blast_tac doesn't use HO unification*)
    8.48  apply (fast intro: component_JN)
    8.49 @@ -60,10 +60,10 @@
    8.50  (** Safety & Progress: but are they used anywhere? **)
    8.51  
    8.52  lemma PLam_constrains: 
    8.53 -     "[| i : I;  ALL j. F j : preserves snd |] ==>   
    8.54 -      (PLam I F : (lift_set i (A <*> UNIV)) co  
    8.55 +     "[| i \<in> I;  \<forall>j. F j \<in> preserves snd |] ==>   
    8.56 +      (PLam I F \<in> (lift_set i (A <*> UNIV)) co  
    8.57                    (lift_set i (B <*> UNIV)))  =   
    8.58 -      (F i : (A <*> UNIV) co (B <*> UNIV))"
    8.59 +      (F i \<in> (A <*> UNIV) co (B <*> UNIV))"
    8.60  apply (simp (no_asm_simp) add: PLam_def JN_constrains)
    8.61  apply (subst insert_Diff [symmetric], assumption)
    8.62  apply (simp (no_asm_simp) add: lift_constrains)
    8.63 @@ -71,33 +71,33 @@
    8.64  done
    8.65  
    8.66  lemma PLam_stable: 
    8.67 -     "[| i : I;  ALL j. F j : preserves snd |]   
    8.68 -      ==> (PLam I F : stable (lift_set i (A <*> UNIV))) =  
    8.69 -          (F i : stable (A <*> UNIV))"
    8.70 +     "[| i \<in> I;  \<forall>j. F j \<in> preserves snd |]   
    8.71 +      ==> (PLam I F \<in> stable (lift_set i (A <*> UNIV))) =  
    8.72 +          (F i \<in> stable (A <*> UNIV))"
    8.73  apply (simp (no_asm_simp) add: stable_def PLam_constrains)
    8.74  done
    8.75  
    8.76  lemma PLam_transient: 
    8.77 -     "i : I ==>  
    8.78 -    PLam I F : transient A = (EX i:I. lift i (F i) : transient A)"
    8.79 +     "i \<in> I ==>  
    8.80 +    PLam I F \<in> transient A = (\<exists>i \<in> I. lift i (F i) \<in> transient A)"
    8.81  apply (simp (no_asm_simp) add: JN_transient PLam_def)
    8.82  done
    8.83  
    8.84  (*This holds because the F j cannot change (lift_set i)*)
    8.85  lemma PLam_ensures: 
    8.86 -     "[| i : I;  F i : (A <*> UNIV) ensures (B <*> UNIV);   
    8.87 -         ALL j. F j : preserves snd |] ==>   
    8.88 -      PLam I F : lift_set i (A <*> UNIV) ensures lift_set i (B <*> UNIV)"
    8.89 +     "[| i \<in> I;  F i \<in> (A <*> UNIV) ensures (B <*> UNIV);   
    8.90 +         \<forall>j. F j \<in> preserves snd |] ==>   
    8.91 +      PLam I F \<in> lift_set i (A <*> UNIV) ensures lift_set i (B <*> UNIV)"
    8.92  apply (auto simp add: ensures_def PLam_constrains PLam_transient lift_transient_eq_disj lift_set_Un_distrib [symmetric] lift_set_Diff_distrib [symmetric] Times_Un_distrib1 [symmetric] Times_Diff_distrib1 [symmetric])
    8.93  done
    8.94  
    8.95  lemma PLam_leadsTo_Basis: 
    8.96 -     "[| i : I;   
    8.97 -         F i : ((A <*> UNIV) - (B <*> UNIV)) co  
    8.98 -               ((A <*> UNIV) Un (B <*> UNIV));   
    8.99 -         F i : transient ((A <*> UNIV) - (B <*> UNIV));   
   8.100 -         ALL j. F j : preserves snd |] ==>   
   8.101 -      PLam I F : lift_set i (A <*> UNIV) leadsTo lift_set i (B <*> UNIV)"
   8.102 +     "[| i \<in> I;   
   8.103 +         F i \<in> ((A <*> UNIV) - (B <*> UNIV)) co  
   8.104 +               ((A <*> UNIV) \<union> (B <*> UNIV));   
   8.105 +         F i \<in> transient ((A <*> UNIV) - (B <*> UNIV));   
   8.106 +         \<forall>j. F j \<in> preserves snd |] ==>   
   8.107 +      PLam I F \<in> lift_set i (A <*> UNIV) leadsTo lift_set i (B <*> UNIV)"
   8.108  by (rule PLam_ensures [THEN leadsTo_Basis], rule_tac [2] ensuresI)
   8.109  
   8.110  
   8.111 @@ -105,20 +105,20 @@
   8.112  (** invariant **)
   8.113  
   8.114  lemma invariant_imp_PLam_invariant: 
   8.115 -     "[| F i : invariant (A <*> UNIV);  i : I;   
   8.116 -         ALL j. F j : preserves snd |]  
   8.117 -      ==> PLam I F : invariant (lift_set i (A <*> UNIV))"
   8.118 +     "[| F i \<in> invariant (A <*> UNIV);  i \<in> I;   
   8.119 +         \<forall>j. F j \<in> preserves snd |]  
   8.120 +      ==> PLam I F \<in> invariant (lift_set i (A <*> UNIV))"
   8.121  by (auto simp add: PLam_stable invariant_def)
   8.122  
   8.123  
   8.124  lemma PLam_preserves_fst [simp]:
   8.125 -     "ALL j. F j : preserves snd  
   8.126 -      ==> (PLam I F : preserves (v o sub j o fst)) =  
   8.127 -          (if j: I then F j : preserves (v o fst) else True)"
   8.128 +     "\<forall>j. F j \<in> preserves snd  
   8.129 +      ==> (PLam I F \<in> preserves (v o sub j o fst)) =  
   8.130 +          (if j \<in> I then F j \<in> preserves (v o fst) else True)"
   8.131  by (simp (no_asm_simp) add: PLam_def lift_preserves_sub)
   8.132  
   8.133  lemma PLam_preserves_snd [simp,intro]:
   8.134 -     "ALL j. F j : preserves snd ==> PLam I F : preserves snd"
   8.135 +     "\<forall>j. F j \<in> preserves snd ==> PLam I F \<in> preserves snd"
   8.136  by (simp (no_asm_simp) add: PLam_def lift_preserves_snd_I)
   8.137  
   8.138  
   8.139 @@ -130,44 +130,44 @@
   8.140    something like lift_preserves_sub to rewrite the third.  However there's
   8.141    no obvious way to alternative for the third premise.*)
   8.142  lemma guarantees_PLam_I: 
   8.143 -    "[| lift i (F i): X guarantees Y;  i : I;   
   8.144 +    "[| lift i (F i): X guarantees Y;  i \<in> I;   
   8.145          OK I (%i. lift i (F i)) |]   
   8.146 -     ==> (PLam I F) : X guarantees Y"
   8.147 +     ==> (PLam I F) \<in> X guarantees Y"
   8.148  apply (unfold PLam_def)
   8.149  apply (simp (no_asm_simp) add: guarantees_JN_I)
   8.150  done
   8.151  
   8.152  lemma Allowed_PLam [simp]:
   8.153 -     "Allowed (PLam I F) = (INT i:I. lift i ` Allowed(F i))"
   8.154 +     "Allowed (PLam I F) = (\<Inter>i \<in> I. lift i ` Allowed(F i))"
   8.155  by (simp (no_asm) add: PLam_def)
   8.156  
   8.157  
   8.158  lemma PLam_preserves [simp]:
   8.159 -     "(PLam I F) : preserves v = (ALL i:I. F i : preserves (v o lift_map i))"
   8.160 -by (simp (no_asm) add: PLam_def lift_def rename_preserves)
   8.161 +     "(PLam I F) \<in> preserves v = (\<forall>i \<in> I. F i \<in> preserves (v o lift_map i))"
   8.162 +by (simp add: PLam_def lift_def rename_preserves)
   8.163  
   8.164  
   8.165  (**UNUSED
   8.166      (*The f0 premise ensures that the product is well-defined.*)
   8.167      lemma PLam_invariant_imp_invariant: 
   8.168 -     "[| PLam I F : invariant (lift_set i A);  i : I;   
   8.169 -             f0: Init (PLam I F) |] ==> F i : invariant A"
   8.170 +     "[| PLam I F \<in> invariant (lift_set i A);  i \<in> I;   
   8.171 +             f0: Init (PLam I F) |] ==> F i \<in> invariant A"
   8.172      apply (auto simp add: invariant_def)
   8.173      apply (drule_tac c = "f0 (i:=x) " in subsetD)
   8.174      apply auto
   8.175      done
   8.176  
   8.177      lemma PLam_invariant: 
   8.178 -     "[| i : I;  f0: Init (PLam I F) |]  
   8.179 -          ==> (PLam I F : invariant (lift_set i A)) = (F i : invariant A)"
   8.180 +     "[| i \<in> I;  f0: Init (PLam I F) |]  
   8.181 +          ==> (PLam I F \<in> invariant (lift_set i A)) = (F i \<in> invariant A)"
   8.182      apply (blast intro: invariant_imp_PLam_invariant PLam_invariant_imp_invariant)
   8.183      done
   8.184  
   8.185      (*The f0 premise isn't needed if F is a constant program because then
   8.186        we get an initial state by replicating that of F*)
   8.187      lemma reachable_PLam: 
   8.188 -     "i : I  
   8.189 -          ==> ((plam x:I. F) : invariant (lift_set i A)) = (F : invariant A)"
   8.190 +     "i \<in> I  
   8.191 +          ==> ((plam x \<in> I. F) \<in> invariant (lift_set i A)) = (F \<in> invariant A)"
   8.192      apply (auto simp add: invariant_def)
   8.193      done
   8.194  **)
   8.195 @@ -176,25 +176,25 @@
   8.196  (**UNUSED
   8.197      (** Reachability **)
   8.198  
   8.199 -    Goal "[| f : reachable (PLam I F);  i : I |] ==> f i : reachable (F i)"
   8.200 +    Goal "[| f \<in> reachable (PLam I F);  i \<in> I |] ==> f i \<in> reachable (F i)"
   8.201      apply (erule reachable.induct)
   8.202      apply (auto intro: reachable.intrs)
   8.203      done
   8.204  
   8.205      (*Result to justify a re-organization of this file*)
   8.206 -    lemma "{f. ALL i:I. f i : R i} = (INT i:I. lift_set i (R i))"
   8.207 +    lemma "{f. \<forall>i \<in> I. f i \<in> R i} = (\<Inter>i \<in> I. lift_set i (R i))"
   8.208      by auto
   8.209  
   8.210      lemma reachable_PLam_subset1: 
   8.211 -     "reachable (PLam I F) <= (INT i:I. lift_set i (reachable (F i)))"
   8.212 +     "reachable (PLam I F) \<subseteq> (\<Inter>i \<in> I. lift_set i (reachable (F i)))"
   8.213      apply (force dest!: reachable_PLam)
   8.214      done
   8.215  
   8.216      (*simplify using reachable_lift??*)
   8.217      lemma reachable_lift_Join_PLam [rule_format]:
   8.218 -      "[| i ~: I;  A : reachable (F i) |]      
   8.219 -       ==> ALL f. f : reachable (PLam I F)       
   8.220 -                  --> f(i:=A) : reachable (lift i (F i) Join PLam I F)"
   8.221 +      "[| i \<notin> I;  A \<in> reachable (F i) |]      
   8.222 +       ==> \<forall>f. f \<in> reachable (PLam I F)       
   8.223 +                  --> f(i:=A) \<in> reachable (lift i (F i) Join PLam I F)"
   8.224      apply (erule reachable.induct)
   8.225      apply (ALLGOALS Clarify_tac)
   8.226      apply (erule reachable.induct)
   8.227 @@ -224,7 +224,7 @@
   8.228        perform actions, and PLam can never catch up in finite time.*)
   8.229      lemma reachable_PLam_subset2: 
   8.230       "finite I  
   8.231 -          ==> (INT i:I. lift_set i (reachable (F i))) <= reachable (PLam I F)"
   8.232 +          ==> (\<Inter>i \<in> I. lift_set i (reachable (F i))) \<subseteq> reachable (PLam I F)"
   8.233      apply (erule finite_induct)
   8.234      apply (simp (no_asm))
   8.235      apply (force dest: reachable_lift_Join_PLam simp add: PLam_insert)
   8.236 @@ -232,7 +232,7 @@
   8.237  
   8.238      lemma reachable_PLam_eq: 
   8.239       "finite I ==>  
   8.240 -          reachable (PLam I F) = (INT i:I. lift_set i (reachable (F i)))"
   8.241 +          reachable (PLam I F) = (\<Inter>i \<in> I. lift_set i (reachable (F i)))"
   8.242      apply (REPEAT_FIRST (ares_tac [equalityI, reachable_PLam_subset1, reachable_PLam_subset2]))
   8.243      done
   8.244  
   8.245 @@ -240,8 +240,8 @@
   8.246      (** Co **)
   8.247  
   8.248      lemma Constrains_imp_PLam_Constrains: 
   8.249 -     "[| F i : A Co B;  i: I;  finite I |]   
   8.250 -          ==> PLam I F : (lift_set i A) Co (lift_set i B)"
   8.251 +     "[| F i \<in> A Co B;  i \<in> I;  finite I |]   
   8.252 +          ==> PLam I F \<in> (lift_set i A) Co (lift_set i B)"
   8.253      apply (auto simp add: Constrains_def Collect_conj_eq [symmetric] reachable_PLam_eq)
   8.254      apply (auto simp add: constrains_def PLam_def)
   8.255      apply (REPEAT (blast intro: reachable.intrs))
   8.256 @@ -250,15 +250,15 @@
   8.257  
   8.258  
   8.259      lemma PLam_Constrains: 
   8.260 -     "[| i: I;  finite I;  f0: Init (PLam I F) |]   
   8.261 -          ==> (PLam I F : (lift_set i A) Co (lift_set i B)) =   
   8.262 -              (F i : A Co B)"
   8.263 +     "[| i \<in> I;  finite I;  f0: Init (PLam I F) |]   
   8.264 +          ==> (PLam I F \<in> (lift_set i A) Co (lift_set i B)) =   
   8.265 +              (F i \<in> A Co B)"
   8.266      apply (blast intro: Constrains_imp_PLam_Constrains PLam_Constrains_imp_Constrains)
   8.267      done
   8.268  
   8.269      lemma PLam_Stable: 
   8.270 -     "[| i: I;  finite I;  f0: Init (PLam I F) |]   
   8.271 -          ==> (PLam I F : Stable (lift_set i A)) = (F i : Stable A)"
   8.272 +     "[| i \<in> I;  finite I;  f0: Init (PLam I F) |]   
   8.273 +          ==> (PLam I F \<in> Stable (lift_set i A)) = (F i \<in> Stable A)"
   8.274      apply (simp (no_asm_simp) del: Init_PLam add: Stable_def PLam_Constrains)
   8.275      done
   8.276  
   8.277 @@ -266,23 +266,23 @@
   8.278      (** const_PLam (no dependence on i) doesn't require the f0 premise **)
   8.279  
   8.280      lemma const_PLam_Constrains: 
   8.281 -     "[| i: I;  finite I |]   
   8.282 -          ==> ((plam x:I. F) : (lift_set i A) Co (lift_set i B)) =   
   8.283 -              (F : A Co B)"
   8.284 +     "[| i \<in> I;  finite I |]   
   8.285 +          ==> ((plam x \<in> I. F) \<in> (lift_set i A) Co (lift_set i B)) =   
   8.286 +              (F \<in> A Co B)"
   8.287      apply (blast intro: Constrains_imp_PLam_Constrains const_PLam_Constrains_imp_Constrains)
   8.288      done
   8.289  
   8.290      lemma const_PLam_Stable: 
   8.291 -     "[| i: I;  finite I |]   
   8.292 -          ==> ((plam x:I. F) : Stable (lift_set i A)) = (F : Stable A)"
   8.293 +     "[| i \<in> I;  finite I |]   
   8.294 +          ==> ((plam x \<in> I. F) \<in> Stable (lift_set i A)) = (F \<in> Stable A)"
   8.295      apply (simp (no_asm_simp) add: Stable_def const_PLam_Constrains)
   8.296      done
   8.297  
   8.298      lemma const_PLam_Increasing: 
   8.299 -	 "[| i: I;  finite I |]   
   8.300 -          ==> ((plam x:I. F) : Increasing (f o sub i)) = (F : Increasing f)"
   8.301 +	 "[| i \<in> I;  finite I |]   
   8.302 +          ==> ((plam x \<in> I. F) \<in> Increasing (f o sub i)) = (F \<in> Increasing f)"
   8.303      apply (unfold Increasing_def)
   8.304 -    apply (subgoal_tac "ALL z. {s. z <= (f o sub i) s} = lift_set i {s. z <= f s}")
   8.305 +    apply (subgoal_tac "\<forall>z. {s. z \<subseteq> (f o sub i) s} = lift_set i {s. z \<subseteq> f s}")
   8.306      apply (asm_simp_tac (simpset () add: lift_set_sub) 2)
   8.307      apply (simp add: finite_lessThan const_PLam_Stable)
   8.308      done
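--- a/src/HOL/UNITY/Rename.thy	Mon Feb 03 11:45:05 2003 +0100
+++ b/src/HOL/UNITY/Rename.thy	Tue Feb 04 18:12:40 2003 +0100
@@ -31,7 +31,7 @@
 apply (erule surj_f_inv_f)
 done
 
-lemma mem_rename_set_iff: "bij h ==> z : h`A = (inv h z : A)"
+lemma mem_rename_set_iff: "bij h ==> z \<in> h`A = (inv h z \<in> A)"
 by (force simp add: bij_is_inj bij_is_surj [THEN surj_f_inv_f])
 
 
@@ -176,31 +176,31 @@
 by (simp add: rename_def Extend.extend_Join)
 
 lemma rename_JN [simp]:
-     "bij h ==> rename h (JOIN I F) = (JN i:I. rename h (F i))"
+     "bij h ==> rename h (JOIN I F) = (\<Squnion>i \<in> I. rename h (F i))"
 by (simp add: rename_def Extend.extend_JN)
 
 
 subsection{*Strong Safety: co, stable*}
 
 lemma rename_constrains: 
-     "bij h ==> (rename h F : (h`A) co (h`B)) = (F : A co B)"
+     "bij h ==> (rename h F \<in> (h`A) co (h`B)) = (F \<in> A co B)"
 apply (unfold rename_def)
 apply (subst extend_set_eq_image [symmetric])+
 apply (erule good_map_bij [THEN Extend.intro, THEN Extend.extend_constrains])
 done
 
 lemma rename_stable: 
-     "bij h ==> (rename h F : stable (h`A)) = (F : stable A)"
+     "bij h ==> (rename h F \<in> stable (h`A)) = (F \<in> stable A)"
 apply (simp add: stable_def rename_constrains)
 done
 
 lemma rename_invariant:
-     "bij h ==> (rename h F : invariant (h`A)) = (F : invariant A)"
+     "bij h ==> (rename h F \<in> invariant (h`A)) = (F \<in> invariant A)"
 apply (simp add: invariant_def rename_stable bij_is_inj [THEN inj_image_subset_iff])
 done
 
 lemma rename_increasing:
-     "bij h ==> (rename h F : increasing func) = (F : increasing (func o h))"
+     "bij h ==> (rename h F \<in> increasing func) = (F \<in> increasing (func o h))"
 apply (simp add: increasing_def rename_stable [symmetric] bij_image_Collect_eq bij_is_surj [THEN surj_f_inv_f])
 done
 
@@ -213,19 +213,19 @@
 done
 
 lemma rename_Constrains:
-     "bij h ==> (rename h F : (h`A) Co (h`B)) = (F : A Co B)"
+     "bij h ==> (rename h F \<in> (h`A) Co (h`B)) = (F \<in> A Co B)"
 by (simp add: Constrains_def reachable_rename_eq rename_constrains
               bij_is_inj image_Int [symmetric])
 
 lemma rename_Stable: 
-     "bij h ==> (rename h F : Stable (h`A)) = (F : Stable A)"
+     "bij h ==> (rename h F \<in> Stable (h`A)) = (F \<in> Stable A)"
 by (simp add: Stable_def rename_Constrains)
 
-lemma rename_Always: "bij h ==> (rename h F : Always (h`A)) = (F : Always A)"
+lemma rename_Always: "bij h ==> (rename h F \<in> Always (h`A)) = (F \<in> Always A)"
 by (simp add: Always_def rename_Stable bij_is_inj [THEN inj_image_subset_iff])
 
 lemma rename_Increasing:
-     "bij h ==> (rename h F : Increasing func) = (F : Increasing (func o h))"
+     "bij h ==> (rename h F \<in> Increasing func) = (F \<in> Increasing (func o h))"
 by (simp add: Increasing_def rename_Stable [symmetric] bij_image_Collect_eq 
               bij_is_surj [THEN surj_f_inv_f])
 
@@ -233,52 +233,52 @@
 subsection{*Progress: transient, ensures*}
 
 lemma rename_transient: 
-     "bij h ==> (rename h F : transient (h`A)) = (F : transient A)"
+     "bij h ==> (rename h F \<in> transient (h`A)) = (F \<in> transient A)"
 apply (unfold rename_def)
 apply (subst extend_set_eq_image [symmetric])
 apply (erule good_map_bij [THEN Extend.intro, THEN Extend.extend_transient])
 done
 
 lemma rename_ensures: 
-     "bij h ==> (rename h F : (h`A) ensures (h`B)) = (F : A ensures B)"
+     "bij h ==> (rename h F \<in> (h`A) ensures (h`B)) = (F \<in> A ensures B)"
 apply (unfold rename_def)
 apply (subst extend_set_eq_image [symmetric])+
 apply (erule good_map_bij [THEN Extend.intro, THEN Extend.extend_ensures])
 done
 
 lemma rename_leadsTo: 
-     "bij h ==> (rename h F : (h`A) leadsTo (h`B)) = (F : A leadsTo B)"
+     "bij h ==> (rename h F \<in> (h`A) leadsTo (h`B)) = (F \<in> A leadsTo B)"
 apply (unfold rename_def)
 apply (subst extend_set_eq_image [symmetric])+
 apply (erule good_map_bij [THEN Extend.intro, THEN Extend.extend_leadsTo])
 done
 
 lemma rename_LeadsTo: 
-     "bij h ==> (rename h F : (h`A) LeadsTo (h`B)) = (F : A LeadsTo B)"
+     "bij h ==> (rename h F \<in> (h`A) LeadsTo (h`B)) = (F \<in> A LeadsTo B)"
 apply (unfold rename_def)
 apply (subst extend_set_eq_image [symmetric])+
 apply (erule good_map_bij [THEN Extend.intro, THEN Extend.extend_LeadsTo])
 done
 
 lemma rename_rename_guarantees_eq: 
-     "bij h ==> (rename h F : (rename h ` X) guarantees  
+     "bij h ==> (rename h F \<in> (rename h ` X) guarantees  
                               (rename h ` Y)) =  
-                (F : X guarantees Y)"
+                (F \<in> X guarantees Y)"
 apply (unfold rename_def)
 apply (subst good_map_bij [THEN Extend.intro, THEN Extend.extend_guarantees_eq [symmetric]], assumption)
 apply (simp (no_asm_simp) add: fst_o_inv_eq_inv o_def)
 done
 
 lemma rename_guarantees_eq_rename_inv:
-     "bij h ==> (rename h F : X guarantees Y) =  
-                (F : (rename (inv h) ` X) guarantees  
+     "bij h ==> (rename h F \<in> X guarantees Y) =  
+                (F \<in> (rename (inv h) ` X) guarantees  
                      (rename (inv h) ` Y))"
 apply (subst rename_rename_guarantees_eq [symmetric], assumption)
 apply (simp add: image_eq_UN o_def bij_is_surj [THEN surj_f_inv_f])
 done
 
 lemma rename_preserves:
-     "bij h ==> (rename h G : preserves v) = (G : preserves (v o h))"
+     "bij h ==> (rename h G \<in> preserves v) = (G \<in> preserves (v o h))"
 apply (subst good_map_bij [THEN Extend.intro, THEN Extend.extend_preserves [symmetric]], assumption)
 apply (simp add: o_def fst_o_inv_eq_inv rename_def bij_is_surj [THEN surj_f_inv_f])
 done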
    10.1 --- a/src/HOL/UNITY/SubstAx.thy	Mon Feb 03 11:45:05 2003 +0100
    10.2 +++ b/src/HOL/UNITY/SubstAx.thy	Tue Feb 04 18:12:40 2003 +0100
    10.3 @@ -12,10 +12,10 @@
    10.4  
    10.5  constdefs
    10.6     Ensures :: "['a set, 'a set] => 'a program set"    (infixl "Ensures" 60)
    10.7 -    "A Ensures B == {F. F : (reachable F Int A) ensures B}"
    10.8 +    "A Ensures B == {F. F \<in> (reachable F \<inter> A) ensures B}"
    10.9  
   10.10     LeadsTo :: "['a set, 'a set] => 'a program set"    (infixl "LeadsTo" 60)
   10.11 -    "A LeadsTo B == {F. F : (reachable F Int A) leadsTo B}"
   10.12 +    "A LeadsTo B == {F. F \<in> (reachable F \<inter> A) leadsTo B}"
   10.13  
   10.14  syntax (xsymbols)
   10.15    "op LeadsTo" :: "['a set, 'a set] => 'a program set" (infixl " \<longmapsto>w " 60)
   10.16 @@ -23,7 +23,7 @@
   10.17  
   10.18  (*Resembles the previous definition of LeadsTo*)
   10.19  lemma LeadsTo_eq_leadsTo: 
   10.20 -     "A LeadsTo B = {F. F : (reachable F Int A) leadsTo (reachable F Int B)}"
   10.21 +     "A LeadsTo B = {F. F \<in> (reachable F \<inter> A) leadsTo (reachable F \<inter> B)}"
   10.22  apply (unfold LeadsTo_def)
   10.23  apply (blast dest: psp_stable2 intro: leadsTo_weaken)
   10.24  done
   10.25 @@ -34,35 +34,37 @@
   10.26  (** Conjoining an Always property **)
   10.27  
   10.28  lemma Always_LeadsTo_pre:
   10.29 -     "F : Always INV ==> (F : (INV Int A) LeadsTo A') = (F : A LeadsTo A')"
   10.30 -by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric])
   10.31 +     "F \<in> Always INV ==> (F \<in> (INV \<inter> A) LeadsTo A') = (F \<in> A LeadsTo A')"
   10.32 +by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2 
   10.33 +              Int_assoc [symmetric])
   10.34  
   10.35  lemma Always_LeadsTo_post:
   10.36 -     "F : Always INV ==> (F : A LeadsTo (INV Int A')) = (F : A LeadsTo A')"
   10.37 -by (simp add: LeadsTo_eq_leadsTo Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric])
   10.38 +     "F \<in> Always INV ==> (F \<in> A LeadsTo (INV \<inter> A')) = (F \<in> A LeadsTo A')"
   10.39 +by (simp add: LeadsTo_eq_leadsTo Always_eq_includes_reachable Int_absorb2 
   10.40 +              Int_assoc [symmetric])
   10.41  
   10.42 -(* [| F : Always C;  F : (C Int A) LeadsTo A' |] ==> F : A LeadsTo A' *)
   10.43 +(* [| F \<in> Always C;  F \<in> (C \<inter> A) LeadsTo A' |] ==> F \<in> A LeadsTo A' *)
   10.44  lemmas Always_LeadsToI = Always_LeadsTo_pre [THEN iffD1, standard]
   10.45  
   10.46 -(* [| F : Always INV;  F : A LeadsTo A' |] ==> F : A LeadsTo (INV Int A') *)
   10.47 +(* [| F \<in> Always INV;  F \<in> A LeadsTo A' |] ==> F \<in> A LeadsTo (INV \<inter> A') *)
   10.48  lemmas Always_LeadsToD = Always_LeadsTo_post [THEN iffD2, standard]
   10.49  
   10.50  
   10.51  subsection{*Introduction rules: Basis, Trans, Union*}
   10.52  
   10.53 -lemma leadsTo_imp_LeadsTo: "F : A leadsTo B ==> F : A LeadsTo B"
   10.54 +lemma leadsTo_imp_LeadsTo: "F \<in> A leadsTo B ==> F \<in> A LeadsTo B"
   10.55  apply (simp add: LeadsTo_def)
   10.56  apply (blast intro: leadsTo_weaken_L)
   10.57  done
   10.58  
   10.59  lemma LeadsTo_Trans:
   10.60 -     "[| F : A LeadsTo B;  F : B LeadsTo C |] ==> F : A LeadsTo C"
   10.61 +     "[| F \<in> A LeadsTo B;  F \<in> B LeadsTo C |] ==> F \<in> A LeadsTo C"
   10.62  apply (simp add: LeadsTo_eq_leadsTo)
   10.63  apply (blast intro: leadsTo_Trans)
   10.64  done
   10.65  
   10.66  lemma LeadsTo_Union: 
   10.67 -     "(!!A. A : S ==> F : A LeadsTo B) ==> F : (Union S) LeadsTo B"
   10.68 +     "(!!A. A \<in> S ==> F \<in> A LeadsTo B) ==> F \<in> (Union S) LeadsTo B"
   10.69  apply (simp add: LeadsTo_def)
   10.70  apply (subst Int_Union)
   10.71  apply (blast intro: leadsTo_UN)
   10.72 @@ -71,37 +73,37 @@
   10.73  
   10.74  subsection{*Derived rules*}
   10.75  
   10.76 -lemma LeadsTo_UNIV [simp]: "F : A LeadsTo UNIV"
   10.77 +lemma LeadsTo_UNIV [simp]: "F \<in> A LeadsTo UNIV"
   10.78  by (simp add: LeadsTo_def)
   10.79  
   10.80  (*Useful with cancellation, disjunction*)
   10.81  lemma LeadsTo_Un_duplicate:
   10.82 -     "F : A LeadsTo (A' Un A') ==> F : A LeadsTo A'"
   10.83 +     "F \<in> A LeadsTo (A' \<union> A') ==> F \<in> A LeadsTo A'"
   10.84  by (simp add: Un_ac)
   10.85  
   10.86  lemma LeadsTo_Un_duplicate2:
   10.87 -     "F : A LeadsTo (A' Un C Un C) ==> F : A LeadsTo (A' Un C)"
   10.88 +     "F \<in> A LeadsTo (A' \<union> C \<union> C) ==> F \<in> A LeadsTo (A' \<union> C)"
   10.89  by (simp add: Un_ac)
   10.90  
   10.91  lemma LeadsTo_UN: 
   10.92 -     "(!!i. i : I ==> F : (A i) LeadsTo B) ==> F : (UN i:I. A i) LeadsTo B"
   10.93 +     "(!!i. i \<in> I ==> F \<in> (A i) LeadsTo B) ==> F \<in> (\<Union>i \<in> I. A i) LeadsTo B"
   10.94  apply (simp only: Union_image_eq [symmetric])
   10.95  apply (blast intro: LeadsTo_Union)
   10.96  done
   10.97  
   10.98  (*Binary union introduction rule*)
   10.99  lemma LeadsTo_Un:
  10.100 -     "[| F : A LeadsTo C; F : B LeadsTo C |] ==> F : (A Un B) LeadsTo C"
  10.101 +     "[| F \<in> A LeadsTo C; F \<in> B LeadsTo C |] ==> F \<in> (A \<union> B) LeadsTo C"
  10.102  apply (subst Un_eq_Union)
  10.103  apply (blast intro: LeadsTo_Union)
  10.104  done
  10.105  
  10.106  (*Lets us look at the starting state*)
  10.107  lemma single_LeadsTo_I:
  10.108 -     "(!!s. s : A ==> F : {s} LeadsTo B) ==> F : A LeadsTo B"
  10.109 +     "(!!s. s \<in> A ==> F \<in> {s} LeadsTo B) ==> F \<in> A LeadsTo B"
  10.110  by (subst UN_singleton [symmetric], rule LeadsTo_UN, blast)
  10.111  
  10.112 -lemma subset_imp_LeadsTo: "A <= B ==> F : A LeadsTo B"
  10.113 +lemma subset_imp_LeadsTo: "A \<subseteq> B ==> F \<in> A LeadsTo B"
  10.114  apply (simp add: LeadsTo_def)
  10.115  apply (blast intro: subset_imp_leadsTo)
  10.116  done
  10.117 @@ -109,73 +111,73 @@
  10.118  lemmas empty_LeadsTo = empty_subsetI [THEN subset_imp_LeadsTo, standard, simp]
  10.119  
  10.120  lemma LeadsTo_weaken_R [rule_format]:
  10.121 -     "[| F : A LeadsTo A';  A' <= B' |] ==> F : A LeadsTo B'"
  10.122 -apply (simp (no_asm_use) add: LeadsTo_def)
  10.123 +     "[| F \<in> A LeadsTo A';  A' \<subseteq> B' |] ==> F \<in> A LeadsTo B'"
  10.124 +apply (simp add: LeadsTo_def)
  10.125  apply (blast intro: leadsTo_weaken_R)
  10.126  done
  10.127  
  10.128  lemma LeadsTo_weaken_L [rule_format]:
  10.129 -     "[| F : A LeadsTo A';  B <= A |]   
  10.130 -      ==> F : B LeadsTo A'"
  10.131 -apply (simp (no_asm_use) add: LeadsTo_def)
  10.132 +     "[| F \<in> A LeadsTo A';  B \<subseteq> A |]   
  10.133 +      ==> F \<in> B LeadsTo A'"
  10.134 +apply (simp add: LeadsTo_def)
  10.135  apply (blast intro: leadsTo_weaken_L)
  10.136  done
  10.137  
  10.138  lemma LeadsTo_weaken:
  10.139 -     "[| F : A LeadsTo A';    
  10.140 -         B  <= A;   A' <= B' |]  
  10.141 -      ==> F : B LeadsTo B'"
  10.142 +     "[| F \<in> A LeadsTo A';    
  10.143 +         B  \<subseteq> A;   A' \<subseteq> B' |]  
  10.144 +      ==> F \<in> B LeadsTo B'"
  10.145  by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans)
  10.146  
  10.147  lemma Always_LeadsTo_weaken:
  10.148 -     "[| F : Always C;  F : A LeadsTo A';    
  10.149 -         C Int B <= A;   C Int A' <= B' |]  
  10.150 -      ==> F : B LeadsTo B'"
  10.151 +     "[| F \<in> Always C;  F \<in> A LeadsTo A';    
  10.152 +         C \<inter> B \<subseteq> A;   C \<inter> A' \<subseteq> B' |]  
  10.153 +      ==> F \<in> B LeadsTo B'"
  10.154  by (blast dest: Always_LeadsToI intro: LeadsTo_weaken intro: Always_LeadsToD)
  10.155  
  10.156  (** Two theorems for "proof lattices" **)
  10.157  
  10.158 -lemma LeadsTo_Un_post: "F : A LeadsTo B ==> F : (A Un B) LeadsTo B"
  10.159 +lemma LeadsTo_Un_post: "F \<in> A LeadsTo B ==> F \<in> (A \<union> B) LeadsTo B"
  10.160  by (blast intro: LeadsTo_Un subset_imp_LeadsTo)
  10.161  
  10.162  lemma LeadsTo_Trans_Un:
  10.163 -     "[| F : A LeadsTo B;  F : B LeadsTo C |]  
  10.164 -      ==> F : (A Un B) LeadsTo C"
  10.165 +     "[| F \<in> A LeadsTo B;  F \<in> B LeadsTo C |]  
  10.166 +      ==> F \<in> (A \<union> B) LeadsTo C"
  10.167  by (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans)
  10.168  
  10.169  
  10.170  (** Distributive laws **)
  10.171  
  10.172  lemma LeadsTo_Un_distrib:
  10.173 -     "(F : (A Un B) LeadsTo C)  = (F : A LeadsTo C & F : B LeadsTo C)"
  10.174 +     "(F \<in> (A \<union> B) LeadsTo C)  = (F \<in> A LeadsTo C & F \<in> B LeadsTo C)"
  10.175  by (blast intro: LeadsTo_Un LeadsTo_weaken_L)
  10.176  
  10.177  lemma LeadsTo_UN_distrib:
  10.178 -     "(F : (UN i:I. A i) LeadsTo B)  =  (ALL i : I. F : (A i) LeadsTo B)"
  10.179 +     "(F \<in> (\<Union>i \<in> I. A i) LeadsTo B)  =  (\<forall>i \<in> I. F \<in> (A i) LeadsTo B)"
  10.180  by (blast intro: LeadsTo_UN LeadsTo_weaken_L)
  10.181  
  10.182  lemma LeadsTo_Union_distrib:
  10.183 -     "(F : (Union S) LeadsTo B)  =  (ALL A : S. F : A LeadsTo B)"
  10.184 +     "(F \<in> (Union S) LeadsTo B)  =  (\<forall>A \<in> S. F \<in> A LeadsTo B)"
  10.185  by (blast intro: LeadsTo_Union LeadsTo_weaken_L)
  10.186  
  10.187  
  10.188  (** More rules using the premise "Always INV" **)
  10.189  
  10.190 -lemma LeadsTo_Basis: "F : A Ensures B ==> F : A LeadsTo B"
  10.191 +lemma LeadsTo_Basis: "F \<in> A Ensures B ==> F \<in> A LeadsTo B"
  10.192  by (simp add: Ensures_def LeadsTo_def leadsTo_Basis)
  10.193  
  10.194  lemma EnsuresI:
  10.195 -     "[| F : (A-B) Co (A Un B);  F : transient (A-B) |]    
  10.196 -      ==> F : A Ensures B"
  10.197 +     "[| F \<in> (A-B) Co (A \<union> B);  F \<in> transient (A-B) |]    
  10.198 +      ==> F \<in> A Ensures B"
  10.199  apply (simp add: Ensures_def Constrains_eq_constrains)
  10.200  apply (blast intro: ensuresI constrains_weaken transient_strengthen)
  10.201  done
  10.202  
  10.203  lemma Always_LeadsTo_Basis:
  10.204 -     "[| F : Always INV;       
  10.205 -         F : (INV Int (A-A')) Co (A Un A');  
  10.206 -         F : transient (INV Int (A-A')) |]    
  10.207 -  ==> F : A LeadsTo A'"
  10.208 +     "[| F \<in> Always INV;       
  10.209 +         F \<in> (INV \<inter> (A-A')) Co (A \<union> A');  
  10.210 +         F \<in> transient (INV \<inter> (A-A')) |]    
  10.211 +  ==> F \<in> A LeadsTo A'"
  10.212  apply (rule Always_LeadsToI, assumption)
  10.213  apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen)
  10.214  done
  10.215 @@ -183,14 +185,14 @@
  10.216  (*Set difference: maybe combine with leadsTo_weaken_L??
  10.217    This is the most useful form of the "disjunction" rule*)
  10.218  lemma LeadsTo_Diff:
  10.219 -     "[| F : (A-B) LeadsTo C;  F : (A Int B) LeadsTo C |]  
  10.220 -      ==> F : A LeadsTo C"
  10.221 +     "[| F \<in> (A-B) LeadsTo C;  F \<in> (A \<inter> B) LeadsTo C |]  
  10.222 +      ==> F \<in> A LeadsTo C"
  10.223  by (blast intro: LeadsTo_Un LeadsTo_weaken)
  10.224  
  10.225  
  10.226  lemma LeadsTo_UN_UN: 
  10.227 -     "(!! i. i:I ==> F : (A i) LeadsTo (A' i))  
  10.228 -      ==> F : (UN i:I. A i) LeadsTo (UN i:I. A' i)"
  10.229 +     "(!! i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i))  
  10.230 +      ==> F \<in> (\<Union>i \<in> I. A i) LeadsTo (\<Union>i \<in> I. A' i)"
  10.231  apply (simp only: Union_image_eq [symmetric])
  10.232  apply (blast intro: LeadsTo_Union LeadsTo_weaken_R)
  10.233  done
  10.234 @@ -198,48 +200,47 @@
  10.235  
  10.236  (*Version with no index set*)
  10.237  lemma LeadsTo_UN_UN_noindex: 
  10.238 -     "(!! i. F : (A i) LeadsTo (A' i))  
  10.239 -      ==> F : (UN i. A i) LeadsTo (UN i. A' i)"
  10.240 +     "(!!i. F \<in> (A i) LeadsTo (A' i)) ==> F \<in> (\<Union>i. A i) LeadsTo (\<Union>i. A' i)"
  10.241  by (blast intro: LeadsTo_UN_UN)
  10.242  
  10.243  (*Version with no index set*)
  10.244  lemma all_LeadsTo_UN_UN:
  10.245 -     "ALL i. F : (A i) LeadsTo (A' i)  
  10.246 -      ==> F : (UN i. A i) LeadsTo (UN i. A' i)"
  10.247 +     "\<forall>i. F \<in> (A i) LeadsTo (A' i)  
  10.248 +      ==> F \<in> (\<Union>i. A i) LeadsTo (\<Union>i. A' i)"
  10.249  by (blast intro: LeadsTo_UN_UN)
  10.250  
  10.251  (*Binary union version*)
  10.252  lemma LeadsTo_Un_Un:
  10.253 -     "[| F : A LeadsTo A'; F : B LeadsTo B' |]  
  10.254 -            ==> F : (A Un B) LeadsTo (A' Un B')"
  10.255 +     "[| F \<in> A LeadsTo A'; F \<in> B LeadsTo B' |]  
  10.256 +            ==> F \<in> (A \<union> B) LeadsTo (A' \<union> B')"
  10.257  by (blast intro: LeadsTo_Un LeadsTo_weaken_R)
  10.258  
  10.259  
  10.260  (** The cancellation law **)
  10.261  
  10.262  lemma LeadsTo_cancel2:
  10.263 -     "[| F : A LeadsTo (A' Un B); F : B LeadsTo B' |]     
  10.264 -      ==> F : A LeadsTo (A' Un B')"
  10.265 +     "[| F \<in> A LeadsTo (A' \<union> B); F \<in> B LeadsTo B' |]     
  10.266 +      ==> F \<in> A LeadsTo (A' \<union> B')"
  10.267  by (blast intro: LeadsTo_Un_Un subset_imp_LeadsTo LeadsTo_Trans)
  10.268  
  10.269  lemma LeadsTo_cancel_Diff2:
  10.270 -     "[| F : A LeadsTo (A' Un B); F : (B-A') LeadsTo B' |]  
  10.271 -      ==> F : A LeadsTo (A' Un B')"
  10.272 +     "[| F \<in> A LeadsTo (A' \<union> B); F \<in> (B-A') LeadsTo B' |]  
  10.273 +      ==> F \<in> A LeadsTo (A' \<union> B')"
  10.274  apply (rule LeadsTo_cancel2)
  10.275  prefer 2 apply assumption
  10.276  apply (simp_all (no_asm_simp))
  10.277  done
  10.278  
  10.279  lemma LeadsTo_cancel1:
  10.280 -     "[| F : A LeadsTo (B Un A'); F : B LeadsTo B' |]  
  10.281 -      ==> F : A LeadsTo (B' Un A')"
  10.282 +     "[| F \<in> A LeadsTo (B \<union> A'); F \<in> B LeadsTo B' |]  
  10.283 +      ==> F \<in> A LeadsTo (B' \<union> A')"
  10.284  apply (simp add: Un_commute)
  10.285  apply (blast intro!: LeadsTo_cancel2)
  10.286  done
  10.287  
  10.288  lemma LeadsTo_cancel_Diff1:
  10.289 -     "[| F : A LeadsTo (B Un A'); F : (B-A') LeadsTo B' |]  
  10.290 -      ==> F : A LeadsTo (B' Un A')"
  10.291 +     "[| F \<in> A LeadsTo (B \<union> A'); F \<in> (B-A') LeadsTo B' |]  
  10.292 +      ==> F \<in> A LeadsTo (B' \<union> A')"
  10.293  apply (rule LeadsTo_cancel1)
  10.294  prefer 2 apply assumption
  10.295  apply (simp_all (no_asm_simp))
  10.296 @@ -249,8 +250,8 @@
  10.297  (** The impossibility law **)
  10.298  
  10.299  (*The set "A" may be non-empty, but it contains no reachable states*)
  10.300 -lemma LeadsTo_empty: "F : A LeadsTo {} ==> F : Always (-A)"
  10.301 -apply (simp (no_asm_use) add: LeadsTo_def Always_eq_includes_reachable)
  10.302 +lemma LeadsTo_empty: "F \<in> A LeadsTo {} ==> F \<in> Always (-A)"
  10.303 +apply (simp add: LeadsTo_def Always_eq_includes_reachable)
  10.304  apply (drule leadsTo_empty, auto)
  10.305  done
  10.306  
  10.307 @@ -259,33 +260,33 @@
  10.308  
  10.309  (*Special case of PSP: Misra's "stable conjunction"*)
  10.310  lemma PSP_Stable:
  10.311 -     "[| F : A LeadsTo A';  F : Stable B |]  
  10.312 -      ==> F : (A Int B) LeadsTo (A' Int B)"
  10.313 -apply (simp (no_asm_use) add: LeadsTo_eq_leadsTo Stable_eq_stable)
  10.314 +     "[| F \<in> A LeadsTo A';  F \<in> Stable B |]  
  10.315 +      ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B)"
  10.316 +apply (simp add: LeadsTo_eq_leadsTo Stable_eq_stable)
  10.317  apply (drule psp_stable, assumption)
  10.318  apply (simp add: Int_ac)
  10.319  done
  10.320  
  10.321  lemma PSP_Stable2:
  10.322 -     "[| F : A LeadsTo A'; F : Stable B |]  
  10.323 -      ==> F : (B Int A) LeadsTo (B Int A')"
  10.324 +     "[| F \<in> A LeadsTo A'; F \<in> Stable B |]  
  10.325 +      ==> F \<in> (B \<inter> A) LeadsTo (B \<inter> A')"
  10.326  by (simp add: PSP_Stable Int_ac)
  10.327  
  10.328  lemma PSP:
  10.329 -     "[| F : A LeadsTo A'; F : B Co B' |]  
  10.330 -      ==> F : (A Int B') LeadsTo ((A' Int B) Un (B' - B))"
  10.331 -apply (simp (no_asm_use) add: LeadsTo_def Constrains_eq_constrains)
  10.332 +     "[| F \<in> A LeadsTo A'; F \<in> B Co B' |]  
  10.333 +      ==> F \<in> (A \<inter> B') LeadsTo ((A' \<inter> B) \<union> (B' - B))"
  10.334 +apply (simp add: LeadsTo_def Constrains_eq_constrains)
  10.335  apply (blast dest: psp intro: leadsTo_weaken)
  10.336  done
  10.337  
  10.338  lemma PSP2:
  10.339 -     "[| F : A LeadsTo A'; F : B Co B' |]  
  10.340 -      ==> F : (B' Int A) LeadsTo ((B Int A') Un (B' - B))"
  10.341 +     "[| F \<in> A LeadsTo A'; F \<in> B Co B' |]  
  10.342 +      ==> F \<in> (B' \<inter> A) LeadsTo ((B \<inter> A') \<union> (B' - B))"
  10.343  by (simp add: PSP Int_ac)
  10.344  
  10.345  lemma PSP_Unless: 
  10.346 -     "[| F : A LeadsTo A'; F : B Unless B' |]  
  10.347 -      ==> F : (A Int B) LeadsTo ((A' Int B) Un B')"
  10.348 +     "[| F \<in> A LeadsTo A'; F \<in> B Unless B' |]  
  10.349 +      ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B) \<union> B')"
  10.350  apply (unfold Unless_def)
  10.351  apply (drule PSP, assumption)
  10.352  apply (blast intro: LeadsTo_Diff LeadsTo_weaken subset_imp_LeadsTo)
  10.353 @@ -293,8 +294,8 @@
  10.354  
  10.355  
  10.356  lemma Stable_transient_Always_LeadsTo:
  10.357 -     "[| F : Stable A;  F : transient C;   
  10.358 -         F : Always (-A Un B Un C) |] ==> F : A LeadsTo B"
  10.359 +     "[| F \<in> Stable A;  F \<in> transient C;   
  10.360 +         F \<in> Always (-A \<union> B \<union> C) |] ==> F \<in> A LeadsTo B"
  10.361  apply (erule Always_LeadsTo_weaken)
  10.362  apply (rule LeadsTo_Diff)
  10.363     prefer 2
  10.364 @@ -309,10 +310,10 @@
  10.365  (** Meta or object quantifier ????? **)
  10.366  lemma LeadsTo_wf_induct:
  10.367       "[| wf r;      
  10.368 -         ALL m. F : (A Int f-`{m}) LeadsTo                      
  10.369 -                            ((A Int f-`(r^-1 `` {m})) Un B) |]  
  10.370 -      ==> F : A LeadsTo B"
  10.371 -apply (simp (no_asm_use) add: LeadsTo_eq_leadsTo)
  10.372 +         \<forall>m. F \<in> (A \<inter> f-`{m}) LeadsTo                      
  10.373 +                    ((A \<inter> f-`(r^-1 `` {m})) \<union> B) |]  
  10.374 +      ==> F \<in> A LeadsTo B"
  10.375 +apply (simp add: LeadsTo_eq_leadsTo)
  10.376  apply (erule leadsTo_wf_induct)
  10.377  apply (blast intro: leadsTo_weaken)
  10.378  done
  10.379 @@ -320,28 +321,27 @@
  10.380  
  10.381  lemma Bounded_induct:
  10.382       "[| wf r;      
  10.383 -         ALL m:I. F : (A Int f-`{m}) LeadsTo                    
  10.384 -                              ((A Int f-`(r^-1 `` {m})) Un B) |]  
  10.385 -      ==> F : A LeadsTo ((A - (f-`I)) Un B)"
  10.386 +         \<forall>m \<in> I. F \<in> (A \<inter> f-`{m}) LeadsTo                    
  10.387 +                      ((A \<inter> f-`(r^-1 `` {m})) \<union> B) |]  
  10.388 +      ==> F \<in> A LeadsTo ((A - (f-`I)) \<union> B)"
  10.389  apply (erule LeadsTo_wf_induct, safe)
  10.390 -apply (case_tac "m:I")
  10.391 +apply (case_tac "m \<in> I")
  10.392  apply (blast intro: LeadsTo_weaken)
  10.393  apply (blast intro: subset_imp_LeadsTo)
  10.394  done
  10.395  
  10.396  
  10.397  lemma LessThan_induct:
  10.398 -     "(!!m::nat. F : (A Int f-`{m}) LeadsTo ((A Int f-`(lessThan m)) Un B))  
  10.399 -      ==> F : A LeadsTo B"
  10.400 -apply (rule wf_less_than [THEN LeadsTo_wf_induct], auto)
  10.401 -done
  10.402 +     "(!!m::nat. F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(lessThan m)) \<union> B))
  10.403 +      ==> F \<in> A LeadsTo B"
  10.404 +by (rule wf_less_than [THEN LeadsTo_wf_induct], auto)
  10.405  
  10.406  (*Integer version.  Could generalize from 0 to any lower bound*)
  10.407  lemma integ_0_le_induct:
  10.408 -     "[| F : Always {s. (0::int) <= f s};   
  10.409 -         !! z. F : (A Int {s. f s = z}) LeadsTo                      
  10.410 -                            ((A Int {s. f s < z}) Un B) |]  
  10.411 -      ==> F : A LeadsTo B"
  10.412 +     "[| F \<in> Always {s. (0::int) \<le> f s};   
  10.413 +         !! z. F \<in> (A \<inter> {s. f s = z}) LeadsTo                      
  10.414 +                   ((A \<inter> {s. f s < z}) \<union> B) |]  
  10.415 +      ==> F \<in> A LeadsTo B"
  10.416  apply (rule_tac f = "nat o f" in LessThan_induct)
  10.417  apply (simp add: vimage_def)
  10.418  apply (rule Always_LeadsTo_weaken, assumption+)
  10.419 @@ -349,42 +349,42 @@
  10.420  done
  10.421  
  10.422  lemma LessThan_bounded_induct:
  10.423 -     "!!l::nat. [| ALL m:(greaterThan l). F : (A Int f-`{m}) LeadsTo    
  10.424 -                                         ((A Int f-`(lessThan m)) Un B) |]  
  10.425 -            ==> F : A LeadsTo ((A Int (f-`(atMost l))) Un B)"
  10.426 -apply (simp only: Diff_eq [symmetric] vimage_Compl Compl_greaterThan [symmetric])
  10.427 -apply (rule wf_less_than [THEN Bounded_induct])
  10.428 -apply (simp (no_asm_simp))
  10.429 +     "!!l::nat. \<forall>m \<in> greaterThan l. 
  10.430 +                   F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(lessThan m)) \<union> B)
  10.431 +            ==> F \<in> A LeadsTo ((A \<inter> (f-`(atMost l))) \<union> B)"
  10.432 +apply (simp only: Diff_eq [symmetric] vimage_Compl 
  10.433 +                  Compl_greaterThan [symmetric])
  10.434 +apply (rule wf_less_than [THEN Bounded_induct], simp)
  10.435  done
  10.436  
  10.437  lemma GreaterThan_bounded_induct:
  10.438 -     "!!l::nat. [| ALL m:(lessThan l). F : (A Int f-`{m}) LeadsTo    
  10.439 -                               ((A Int f-`(greaterThan m)) Un B) |]  
  10.440 -      ==> F : A LeadsTo ((A Int (f-`(atLeast l))) Un B)"
  10.441 +     "!!l::nat. \<forall>m \<in> lessThan l. 
  10.442 +                 F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(greaterThan m)) \<union> B)
  10.443 +      ==> F \<in> A LeadsTo ((A \<inter> (f-`(atLeast l))) \<union> B)"
  10.444  apply (rule_tac f = f and f1 = "%k. l - k" 
  10.445         in wf_less_than [THEN wf_inv_image, THEN LeadsTo_wf_induct])
  10.446  apply (simp add: inv_image_def Image_singleton, clarify)
  10.447  apply (case_tac "m<l")
  10.448 - prefer 2 apply (blast intro: not_leE subset_imp_LeadsTo)
  10.449 -apply (blast intro: LeadsTo_weaken_R diff_less_mono2)
  10.450 + apply (blast intro: LeadsTo_weaken_R diff_less_mono2)
  10.451 +apply (blast intro: not_leE subset_imp_LeadsTo)
  10.452  done
  10.453  
  10.454  
  10.455  subsection{*Completion: Binary and General Finite versions*}
  10.456  
  10.457  lemma Completion:
  10.458 -     "[| F : A LeadsTo (A' Un C);  F : A' Co (A' Un C);  
  10.459 -         F : B LeadsTo (B' Un C);  F : B' Co (B' Un C) |]  
  10.460 -      ==> F : (A Int B) LeadsTo ((A' Int B') Un C)"
  10.461 -apply (simp (no_asm_use) add: LeadsTo_eq_leadsTo Constrains_eq_constrains Int_Un_distrib)
  10.462 +     "[| F \<in> A LeadsTo (A' \<union> C);  F \<in> A' Co (A' \<union> C);  
  10.463 +         F \<in> B LeadsTo (B' \<union> C);  F \<in> B' Co (B' \<union> C) |]  
  10.464 +      ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B') \<union> C)"
  10.465 +apply (simp add: LeadsTo_eq_leadsTo Constrains_eq_constrains Int_Un_distrib)
  10.466  apply (blast intro: completion leadsTo_weaken)
  10.467  done
  10.468  
  10.469  lemma Finite_completion_lemma:
  10.470       "finite I  
  10.471 -      ==> (ALL i:I. F : (A i) LeadsTo (A' i Un C)) -->   
  10.472 -          (ALL i:I. F : (A' i) Co (A' i Un C)) -->  
  10.473 -          F : (INT i:I. A i) LeadsTo ((INT i:I. A' i) Un C)"
  10.474 +      ==> (\<forall>i \<in> I. F \<in> (A i) LeadsTo (A' i \<union> C)) -->   
  10.475 +          (\<forall>i \<in> I. F \<in> (A' i) Co (A' i \<union> C)) -->  
  10.476 +          F \<in> (\<Inter>i \<in> I. A i) LeadsTo ((\<Inter>i \<in> I. A' i) \<union> C)"
  10.477  apply (erule finite_induct, auto)
  10.478  apply (rule Completion)
  10.479     prefer 4
  10.480 @@ -394,15 +394,15 @@
  10.481  
  10.482  lemma Finite_completion: 
  10.483       "[| finite I;   
  10.484 -         !!i. i:I ==> F : (A i) LeadsTo (A' i Un C);  
  10.485 -         !!i. i:I ==> F : (A' i) Co (A' i Un C) |]    
  10.486 -      ==> F : (INT i:I. A i) LeadsTo ((INT i:I. A' i) Un C)"
  10.487 +         !!i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i \<union> C);  
  10.488 +         !!i. i \<in> I ==> F \<in> (A' i) Co (A' i \<union> C) |]    
  10.489 +      ==> F \<in> (\<Inter>i \<in> I. A i) LeadsTo ((\<Inter>i \<in> I. A' i) \<union> C)"
  10.490  by (blast intro: Finite_completion_lemma [THEN mp, THEN mp])
  10.491  
  10.492  lemma Stable_completion: 
  10.493 -     "[| F : A LeadsTo A';  F : Stable A';    
  10.494 -         F : B LeadsTo B';  F : Stable B' |]  
  10.495 -      ==> F : (A Int B) LeadsTo (A' Int B')"
  10.496 +     "[| F \<in> A LeadsTo A';  F \<in> Stable A';    
  10.497 +         F \<in> B LeadsTo B';  F \<in> Stable B' |]  
  10.498 +      ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B')"
  10.499  apply (unfold Stable_def)
  10.500  apply (rule_tac C1 = "{}" in Completion [THEN LeadsTo_weaken_R])
  10.501  apply (force+)
  10.502 @@ -410,14 +410,12 @@
  10.503  
  10.504  lemma Finite_stable_completion: 
  10.505       "[| finite I;   
  10.506 -         !!i. i:I ==> F : (A i) LeadsTo (A' i);  
  10.507 -         !!i. i:I ==> F : Stable (A' i) |]    
  10.508 -      ==> F : (INT i:I. A i) LeadsTo (INT i:I. A' i)"
  10.509 +         !!i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i);  
  10.510 +         !!i. i \<in> I ==> F \<in> Stable (A' i) |]    
  10.511 +      ==> F \<in> (\<Inter>i \<in> I. A i) LeadsTo (\<Inter>i \<in> I. A' i)"
  10.512  apply (unfold Stable_def)
  10.513  apply (rule_tac C1 = "{}" in Finite_completion [THEN LeadsTo_weaken_R])
  10.514 -apply (simp_all (no_asm_simp))
  10.515 -apply blast+
  10.516 +apply (simp_all, blast+)
  10.517  done
  10.518  
  10.519 -
  10.520  end
    11.1 --- a/src/HOL/UNITY/UNITY.thy	Mon Feb 03 11:45:05 2003 +0100
    11.2 +++ b/src/HOL/UNITY/UNITY.thy	Tue Feb 04 18:12:40 2003 +0100
    11.3 @@ -14,15 +14,15 @@
    11.4  
    11.5  typedef (Program)
    11.6    'a program = "{(init:: 'a set, acts :: ('a * 'a)set set,
    11.7 -		   allowed :: ('a * 'a)set set). Id:acts & Id: allowed}" 
    11.8 +		   allowed :: ('a * 'a)set set). Id \<in> acts & Id: allowed}" 
    11.9    by blast
   11.10  
   11.11  constdefs
   11.12    constrains :: "['a set, 'a set] => 'a program set"  (infixl "co"     60)
   11.13 -    "A co B == {F. ALL act: Acts F. act``A <= B}"
   11.14 +    "A co B == {F. \<forall>act \<in> Acts F. act``A \<subseteq> B}"
   11.15  
   11.16    unless  :: "['a set, 'a set] => 'a program set"  (infixl "unless" 60)
   11.17 -    "A unless B == (A-B) co (A Un B)"
   11.18 +    "A unless B == (A-B) co (A \<union> B)"
   11.19  
   11.20    mk_program :: "('a set * ('a * 'a)set set * ('a * 'a)set set)
   11.21  		   => 'a program"
   11.22 @@ -39,20 +39,20 @@
   11.23      "AllowedActs F == (%(init, acts, allowed). allowed) (Rep_Program F)"
   11.24  
   11.25    Allowed :: "'a program => 'a program set"
   11.26 -    "Allowed F == {G. Acts G <= AllowedActs F}"
   11.27 +    "Allowed F == {G. Acts G \<subseteq> AllowedActs F}"
   11.28  
   11.29    stable     :: "'a set => 'a program set"
   11.30      "stable A == A co A"
   11.31  
   11.32    strongest_rhs :: "['a program, 'a set] => 'a set"
   11.33 -    "strongest_rhs F A == Inter {B. F : A co B}"
   11.34 +    "strongest_rhs F A == Inter {B. F \<in> A co B}"
   11.35  
   11.36    invariant :: "'a set => 'a program set"
   11.37 -    "invariant A == {F. Init F <= A} Int stable A"
   11.38 +    "invariant A == {F. Init F \<subseteq> A} \<inter> stable A"
   11.39  
   11.40 -  (*Polymorphic in both states and the meaning of <= *)
   11.41 +  (*Polymorphic in both states and the meaning of \<le> *)
   11.42    increasing :: "['a => 'b::{order}] => 'a program set"
   11.43 -    "increasing f == INT z. stable {s. z <= f s}"
   11.44 +    "increasing f == \<Inter>z. stable {s. z \<le> f s}"
   11.45  
   11.46  
   11.47  (*Perhaps equalities.ML shouldn't add this in the first place!*)
   11.48 @@ -64,7 +64,7 @@
   11.49       Rep_Program Rep_Program_inverse Abs_Program_inverse 
   11.50       Program_def Init_def Acts_def AllowedActs_def mk_program_def
   11.51  
   11.52 -lemma Id_in_Acts [iff]: "Id : Acts F"
   11.53 +lemma Id_in_Acts [iff]: "Id \<in> Acts F"
   11.54  apply (cut_tac x = F in Rep_Program)
   11.55  apply (auto simp add: program_typedef) 
   11.56  done
   11.57 @@ -72,7 +72,7 @@
   11.58  lemma insert_Id_Acts [iff]: "insert Id (Acts F) = Acts F"
   11.59  by (simp add: insert_absorb Id_in_Acts)
   11.60  
   11.61 -lemma Id_in_AllowedActs [iff]: "Id : AllowedActs F"
   11.62 +lemma Id_in_AllowedActs [iff]: "Id \<in> AllowedActs F"
   11.63  apply (cut_tac x = F in Rep_Program)
   11.64  apply (auto simp add: program_typedef) 
   11.65  done
   11.66 @@ -145,114 +145,114 @@
   11.67  
   11.68  (*An action is expanded only if a pair of states is being tested against it*)
   11.69  lemma def_act_simp:
   11.70 -     "[| act == {(s,s'). P s s'} |] ==> ((s,s') : act) = P s s'"
   11.71 +     "[| act == {(s,s'). P s s'} |] ==> ((s,s') \<in> act) = P s s'"
   11.72  by auto
   11.73  
   11.74  (*A set is expanded only if an element is being tested against it*)
   11.75 -lemma def_set_simp: "A == B ==> (x : A) = (x : B)"
   11.76 +lemma def_set_simp: "A == B ==> (x \<in> A) = (x \<in> B)"
   11.77  by auto
   11.78  
   11.79  
   11.80  (*** co ***)
   11.81  
   11.82  lemma constrainsI: 
   11.83 -    "(!!act s s'. [| act: Acts F;  (s,s') : act;  s: A |] ==> s': A')  
   11.84 -     ==> F : A co A'"
   11.85 +    "(!!act s s'. [| act: Acts F;  (s,s') \<in> act;  s \<in> A |] ==> s': A')  
   11.86 +     ==> F \<in> A co A'"
   11.87  by (simp add: constrains_def, blast)
   11.88  
   11.89  lemma constrainsD: 
   11.90 -    "[| F : A co A'; act: Acts F;  (s,s'): act;  s: A |] ==> s': A'"
   11.91 +    "[| F \<in> A co A'; act: Acts F;  (s,s'): act;  s \<in> A |] ==> s': A'"
   11.92  by (unfold constrains_def, blast)
   11.93  
   11.94 -lemma constrains_empty [iff]: "F : {} co B"
   11.95 +lemma constrains_empty [iff]: "F \<in> {} co B"
   11.96  by (unfold constrains_def, blast)
   11.97  
   11.98 -lemma constrains_empty2 [iff]: "(F : A co {}) = (A={})"
   11.99 +lemma constrains_empty2 [iff]: "(F \<in> A co {}) = (A={})"
  11.100  by (unfold constrains_def, blast)
  11.101  
  11.102 -lemma constrains_UNIV [iff]: "(F : UNIV co B) = (B = UNIV)"
  11.103 +lemma constrains_UNIV [iff]: "(F \<in> UNIV co B) = (B = UNIV)"
  11.104  by (unfold constrains_def, blast)
  11.105  
  11.106 -lemma constrains_UNIV2 [iff]: "F : A co UNIV"
  11.107 +lemma constrains_UNIV2 [iff]: "F \<in> A co UNIV"
  11.108  by (unfold constrains_def, blast)
  11.109  
  11.110  (*monotonic in 2nd argument*)
  11.111  lemma constrains_weaken_R: 
  11.112 -    "[| F : A co A'; A'<=B' |] ==> F : A co B'"
  11.113 +    "[| F \<in> A co A'; A'<=B' |] ==> F \<in> A co B'"
  11.114  by (unfold constrains_def, blast)
  11.115  
  11.116  (*anti-monotonic in 1st argument*)
  11.117  lemma constrains_weaken_L: 
  11.118 -    "[| F : A co A'; B<=A |] ==> F : B co A'"
  11.119 +    "[| F \<in> A co A'; B \<subseteq> A |] ==> F \<in> B co A'"
  11.120  by (unfold constrains_def, blast)
  11.121  
  11.122  lemma constrains_weaken: 
  11.123 -   "[| F : A co A'; B<=A; A'<=B' |] ==> F : B co B'"
  11.124 +   "[| F \<in> A co A'; B \<subseteq> A; A'<=B' |] ==> F \<in> B co B'"
  11.125  by (unfold constrains_def, blast)
  11.126  
  11.127  (** Union **)
  11.128  
  11.129  lemma constrains_Un: 
  11.130 -    "[| F : A co A'; F : B co B' |] ==> F : (A Un B) co (A' Un B')"
  11.131 +    "[| F \<in> A co A'; F \<in> B co B' |] ==> F \<in> (A \<union> B) co (A' \<union> B')"
  11.132  by (unfold constrains_def, blast)
  11.133  
  11.134  lemma constrains_UN: 
  11.135 -    "(!!i. i:I ==> F : (A i) co (A' i)) 
  11.136 -     ==> F : (UN i:I. A i) co (UN i:I. A' i)"
  11.137 +    "(!!i. i \<in> I ==> F \<in> (A i) co (A' i)) 
  11.138 +     ==> F \<in> (\<Union>i \<in> I. A i) co (\<Union>i \<in> I. A' i)"
  11.139  by (unfold constrains_def, blast)
  11.140  
  11.141 -lemma constrains_Un_distrib: "(A Un B) co C = (A co C) Int (B co C)"
  11.142 +lemma constrains_Un_distrib: "(A \<union> B) co C = (A co C) \<inter> (B co C)"
  11.143  by (unfold constrains_def, blast)
  11.144  
  11.145 -lemma constrains_UN_distrib: "(UN i:I. A i) co B = (INT i:I. A i co B)"
  11.146 +lemma constrains_UN_distrib: "(\<Union>i \<in> I. A i) co B = (\<Inter>i \<in> I. A i co B)"
  11.147  by (unfold constrains_def, blast)
  11.148  
  11.149 -lemma constrains_Int_distrib: "C co (A Int B) = (C co A) Int (C co B)"
  11.150 +lemma constrains_Int_distrib: "C co (A \<inter> B) = (C co A) \<inter> (C co B)"
  11.151  by (unfold constrains_def, blast)
  11.152  
  11.153 -lemma constrains_INT_distrib: "A co (INT i:I. B i) = (INT i:I. A co B i)"
  11.154 +lemma constrains_INT_distrib: "A co (\<Inter>i \<in> I. B i) = (\<Inter>i \<in> I. A co B i)"
  11.155  by (unfold constrains_def, blast)
  11.156  
  11.157  (** Intersection **)
  11.158  
  11.159  lemma constrains_Int: 
  11.160 -    "[| F : A co A'; F : B co B' |] ==> F : (A Int B) co (A' Int B')"
  11.161 +    "[| F \<in> A co A'; F \<in> B co B' |] ==> F \<in> (A \<inter> B) co (A' \<inter> B')"
  11.162  by (unfold constrains_def, blast)
  11.163  
  11.164  lemma constrains_INT: 
  11.165 -    "(!!i. i:I ==> F : (A i) co (A' i)) 
  11.166 -     ==> F : (INT i:I. A i) co (INT i:I. A' i)"
  11.167 +    "(!!i. i \<in> I ==> F \<in> (A i) co (A' i)) 
  11.168 +     ==> F \<in> (\<Inter>i \<in> I. A i) co (\<Inter>i \<in> I. A' i)"
  11.169  by (unfold constrains_def, blast)
  11.170  
  11.171 -lemma constrains_imp_subset: "F : A co A' ==> A <= A'"
  11.172 +lemma constrains_imp_subset: "F \<in> A co A' ==> A \<subseteq> A'"
  11.173  by (unfold constrains_def, auto)
  11.174  
  11.175  (*The reasoning is by subsets since "co" refers to single actions
  11.176    only.  So this rule isn't that useful.*)
  11.177  lemma constrains_trans: 
  11.178 -    "[| F : A co B; F : B co C |] ==> F : A co C"
  11.179 +    "[| F \<in> A co B; F \<in> B co C |] ==> F \<in> A co C"
  11.180  by (unfold constrains_def, blast)
  11.181  
  11.182  lemma constrains_cancel: 
  11.183 -   "[| F : A co (A' Un B); F : B co B' |] ==> F : A co (A' Un B')"
  11.184 +   "[| F \<in> A co (A' \<union> B); F \<in> B co B' |] ==> F \<in> A co (A' \<union> B')"
  11.185  by (unfold constrains_def, clarify, blast)
  11.186  
  11.187  
  11.188  (*** unless ***)
  11.189  
  11.190 -lemma unlessI: "F : (A-B) co (A Un B) ==> F : A unless B"
  11.191 +lemma unlessI: "F \<in> (A-B) co (A \<union> B) ==> F \<in> A unless B"
  11.192  by (unfold unless_def, assumption)
  11.193  
  11.194 -lemma unlessD: "F : A unless B ==> F : (A-B) co (A Un B)"
  11.195 +lemma unlessD: "F \<in> A unless B ==> F \<in> (A-B) co (A \<union> B)"
  11.196  by (unfold unless_def, assumption)
  11.197  
  11.198  
  11.199  (*** stable ***)
  11.200  
  11.201 -lemma stableI: "F : A co A ==> F : stable A"
  11.202 +lemma stableI: "F \<in> A co A ==> F \<in> stable A"
  11.203  by (unfold stable_def, assumption)
  11.204  
  11.205 -lemma stableD: "F : stable A ==> F : A co A"
  11.206 +lemma stableD: "F \<in> stable A ==> F \<in> A co A"
  11.207  by (unfold stable_def, assumption)
  11.208  
  11.209  lemma stable_UNIV [simp]: "stable UNIV = UNIV"
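Review bot: `constrains_weaken_R` and `constrains_weaken` end up with mixed notation inside a single statement: `B \<subseteq> A; A'<=B'` (the left-hand subset was converted, the right-hand one was not), and `constrainsI`/`constrainsD` likewise keep `act: Acts F` and `s': A'` beside `\<in>`. Nothing changes semantically, but a reader auditing these safety rules now has to remember that `<=` and `\<subseteq>` denote the same relation here. Suggested: `"[| F \<in> A co A'; A' \<subseteq> B' |] ==> F \<in> A co B'"` and `"[| F \<in> A co A'; B \<subseteq> A; A' \<subseteq> B' |] ==> F \<in> B co B'"`, and `act \<in> Acts F` / `s' \<in> A'` in the two introduction/elimination rules.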
  11.210 @@ -261,14 +261,14 @@
  11.211  (** Union **)
  11.212  
  11.213  lemma stable_Un: 
  11.214 -    "[| F : stable A; F : stable A' |] ==> F : stable (A Un A')"
  11.215 +    "[| F \<in> stable A; F \<in> stable A' |] ==> F \<in> stable (A \<union> A')"
  11.216  
  11.217  apply (unfold stable_def)
  11.218  apply (blast intro: constrains_Un)
  11.219  done
  11.220  
  11.221  lemma stable_UN: 
  11.222 -    "(!!i. i:I ==> F : stable (A i)) ==> F : stable (UN i:I. A i)"
  11.223 +    "(!!i. i \<in> I ==> F \<in> stable (A i)) ==> F \<in> stable (\<Union>i \<in> I. A i)"
  11.224  apply (unfold stable_def)
  11.225  apply (blast intro: constrains_UN)
  11.226  done
  11.227 @@ -276,75 +276,75 @@
  11.228  (** Intersection **)
  11.229  
  11.230  lemma stable_Int: 
  11.231 -    "[| F : stable A;  F : stable A' |] ==> F : stable (A Int A')"
  11.232 +    "[| F \<in> stable A;  F \<in> stable A' |] ==> F \<in> stable (A \<inter> A')"
  11.233  apply (unfold stable_def)
  11.234  apply (blast intro: constrains_Int)
  11.235  done
  11.236  
  11.237  lemma stable_INT: 
  11.238 -    "(!!i. i:I ==> F : stable (A i)) ==> F : stable (INT i:I. A i)"
  11.239 +    "(!!i. i \<in> I ==> F \<in> stable (A i)) ==> F \<in> stable (\<Inter>i \<in> I. A i)"
  11.240  apply (unfold stable_def)
  11.241  apply (blast intro: constrains_INT)
  11.242  done
  11.243  
  11.244  lemma stable_constrains_Un: 
  11.245 -    "[| F : stable C; F : A co (C Un A') |] ==> F : (C Un A) co (C Un A')"
  11.246 +    "[| F \<in> stable C; F \<in> A co (C \<union> A') |] ==> F \<in> (C \<union> A) co (C \<union> A')"
  11.247  by (unfold stable_def constrains_def, blast)
  11.248  
  11.249  lemma stable_constrains_Int: 
  11.250 -  "[| F : stable C; F :  (C Int A) co A' |] ==> F : (C Int A) co (C Int A')"
  11.251 +  "[| F \<in> stable C; F \<in>  (C \<inter> A) co A' |] ==> F \<in> (C \<inter> A) co (C \<inter> A')"
  11.252  by (unfold stable_def constrains_def, blast)
  11.253  
  11.254 -(*[| F : stable C; F :  (C Int A) co A |] ==> F : stable (C Int A) *)
  11.255 +(*[| F \<in> stable C; F \<in>  (C \<inter> A) co A |] ==> F \<in> stable (C \<inter> A) *)
  11.256  lemmas stable_constrains_stable = stable_constrains_Int [THEN stableI, standard]
  11.257  
  11.258  
  11.259  (*** invariant ***)
  11.260  
  11.261 -lemma invariantI: "[| Init F<=A;  F: stable A |] ==> F : invariant A"
  11.262 +lemma invariantI: "[| Init F \<subseteq> A;  F \<in> stable A |] ==> F \<in> invariant A"
  11.263  by (simp add: invariant_def)
  11.264  
  11.265 -(*Could also say "invariant A Int invariant B <= invariant (A Int B)"*)
  11.266 +(*Could also say "invariant A \<inter> invariant B \<subseteq> invariant (A \<inter> B)"*)
  11.267  lemma invariant_Int:
  11.268 -     "[| F : invariant A;  F : invariant B |] ==> F : invariant (A Int B)"
  11.269 +     "[| F \<in> invariant A;  F \<in> invariant B |] ==> F \<in> invariant (A \<inter> B)"
  11.270  by (auto simp add: invariant_def stable_Int)
  11.271  
  11.272  
  11.273  (*** increasing ***)
  11.274  
  11.275  lemma increasingD: 
  11.276 -     "F : increasing f ==> F : stable {s. z <= f s}"
  11.277 +     "F \<in> increasing f ==> F \<in> stable {s. z \<subseteq> f s}"
  11.278  
  11.279  by (unfold increasing_def, blast)
  11.280  
  11.281 -lemma increasing_constant [iff]: "F : increasing (%s. c)"
  11.282 +lemma increasing_constant [iff]: "F \<in> increasing (%s. c)"
  11.283  by (unfold increasing_def stable_def, auto)
  11.284  
  11.285  lemma mono_increasing_o: 
  11.286 -     "mono g ==> increasing f <= increasing (g o f)"
  11.287 +     "mono g ==> increasing f \<subseteq> increasing (g o f)"
  11.288  apply (unfold increasing_def stable_def constrains_def, auto)
  11.289  apply (blast intro: monoD order_trans)
  11.290  done
  11.291  
  11.292 -(*Holds by the theorem (Suc m <= n) = (m < n) *)
  11.293 +(*Holds by the theorem (Suc m \<subseteq> n) = (m < n) *)
  11.294  lemma strict_increasingD: 
  11.295 -     "!!z::nat. F : increasing f ==> F: stable {s. z < f s}"
  11.296 +     "!!z::nat. F \<in> increasing f ==> F \<in> stable {s. z < f s}"
  11.297  by (simp add: increasing_def Suc_le_eq [symmetric])
  11.298  
  11.299  
  11.300  (** The Elimination Theorem.  The "free" m has become universally quantified!
  11.301 -    Should the premise be !!m instead of ALL m ?  Would make it harder to use
  11.302 +    Should the premise be !!m instead of \<forall>m ?  Would make it harder to use
  11.303      in forward proof. **)
  11.304  
  11.305  lemma elimination: 
  11.306 -    "[| ALL m:M. F : {s. s x = m} co (B m) |]  
  11.307 -     ==> F : {s. s x : M} co (UN m:M. B m)"
  11.308 +    "[| \<forall>m \<in> M. F \<in> {s. s x = m} co (B m) |]  
  11.309 +     ==> F \<in> {s. s x \<in> M} co (\<Union>m \<in> M. B m)"
  11.310  by (unfold constrains_def, blast)
  11.311  
  11.312  (*As above, but for the trivial case of a one-variable state, in which the
  11.313    state is identified with its one variable.*)
  11.314  lemma elimination_sing: 
  11.315 -    "(ALL m:M. F : {m} co (B m)) ==> F : M co (UN m:M. B m)"
  11.316 +    "(\<forall>m \<in> M. F \<in> {m} co (B m)) ==> F \<in> M co (\<Union>m \<in> M. B m)"
  11.317  by (unfold constrains_def, blast)
  11.318  
  11.319  
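Review bot: `increasingD` on the new side states `stable {s. z \<subseteq> f s}`, but `increasing` is defined over `f :: 'a => 'b::{order}` with `z \<le> f s`, so the lemma's printed form no longer matches the definition it unfolds. In this version of HOL `\<subseteq>` appears to be alternative syntax for the same `op <=`, which presumably is why the proof still goes through, but it reads as a set-subset claim about an arbitrary ordered type. The line should be `"F \<in> increasing f ==> F \<in> stable {s. z \<le> f s}"`. The same blanket replacement hit the comment above `strict_increasingD`, which should read `(*Holds by the theorem (Suc m \<le> n) = (m < n) *)` since it is about naturals.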
  11.320 @@ -352,20 +352,20 @@
  11.321  (*** Theoretical Results from Section 6 ***)
  11.322  
  11.323  lemma constrains_strongest_rhs: 
  11.324 -    "F : A co (strongest_rhs F A )"
  11.325 +    "F \<in> A co (strongest_rhs F A )"
  11.326  by (unfold constrains_def strongest_rhs_def, blast)
  11.327  
  11.328  lemma strongest_rhs_is_strongest: 
  11.329 -    "F : A co B ==> strongest_rhs F A <= B"
  11.330 +    "F \<in> A co B ==> strongest_rhs F A \<subseteq> B"
  11.331  by (unfold constrains_def strongest_rhs_def, blast)
  11.332  
  11.333  
  11.334  (** Ad-hoc set-theory rules **)
  11.335  
  11.336 -lemma Un_Diff_Diff [simp]: "A Un B - (A - B) = B"
  11.337 +lemma Un_Diff_Diff [simp]: "A \<union> B - (A - B) = B"
  11.338  by blast
  11.339  
  11.340 -lemma Int_Union_Union: "Union(B) Int A = Union((%C. C Int A)`B)"
  11.341 +lemma Int_Union_Union: "Union(B) \<inter> A = Union((%C. C \<inter> A)`B)"
  11.342  by blast
  11.343  
  11.344  (** Needed for WF reasoning in WFair.ML **)
    12.1 --- a/src/HOL/UNITY/Union.thy	Mon Feb 03 11:45:05 2003 +0100
    12.2 +++ b/src/HOL/UNITY/Union.thy	Tue Feb 04 18:12:40 2003 +0100
    12.3 @@ -12,36 +12,36 @@
    12.4  
    12.5  constdefs
    12.6  
    12.7 -  (*FIXME: conjoin Init F Int Init G ~= {} *) 
    12.8 +  (*FIXME: conjoin Init F \<inter> Init G \<noteq> {} *) 
    12.9    ok :: "['a program, 'a program] => bool"      (infixl "ok" 65)
   12.10 -    "F ok G == Acts F <= AllowedActs G &
   12.11 -               Acts G <= AllowedActs F"
   12.12 +    "F ok G == Acts F \<subseteq> AllowedActs G &
   12.13 +               Acts G \<subseteq> AllowedActs F"
   12.14  
   12.15 -  (*FIXME: conjoin (INT i:I. Init (F i)) ~= {} *) 
   12.16 +  (*FIXME: conjoin (\<Inter>i \<in> I. Init (F i)) \<noteq> {} *) 
   12.17    OK  :: "['a set, 'a => 'b program] => bool"
   12.18 -    "OK I F == (ALL i:I. ALL j: I-{i}. Acts (F i) <= AllowedActs (F j))"
   12.19 +    "OK I F == (\<forall>i \<in> I. \<forall>j \<in> I-{i}. Acts (F i) \<subseteq> AllowedActs (F j))"
   12.20  
   12.21    JOIN  :: "['a set, 'a => 'b program] => 'b program"
   12.22 -    "JOIN I F == mk_program (INT i:I. Init (F i), UN i:I. Acts (F i),
   12.23 -			     INT i:I. AllowedActs (F i))"
   12.24 +    "JOIN I F == mk_program (\<Inter>i \<in> I. Init (F i), \<Union>i \<in> I. Acts (F i),
   12.25 +			     \<Inter>i \<in> I. AllowedActs (F i))"
   12.26  
   12.27    Join :: "['a program, 'a program] => 'a program"      (infixl "Join" 65)
   12.28 -    "F Join G == mk_program (Init F Int Init G, Acts F Un Acts G,
   12.29 -			     AllowedActs F Int AllowedActs G)"
   12.30 +    "F Join G == mk_program (Init F \<inter> Init G, Acts F \<union> Acts G,
   12.31 +			     AllowedActs F \<inter> AllowedActs G)"
   12.32  
   12.33    SKIP :: "'a program"
   12.34      "SKIP == mk_program (UNIV, {}, UNIV)"
   12.35  
   12.36    (*Characterizes safety properties.  Used with specifying AllowedActs*)
   12.37    safety_prop :: "'a program set => bool"
   12.38 -    "safety_prop X == SKIP: X & (ALL G. Acts G <= UNION X Acts --> G : X)"
   12.39 +    "safety_prop X == SKIP: X & (\<forall>G. Acts G \<subseteq> UNION X Acts --> G \<in> X)"
   12.40  
   12.41  syntax
   12.42    "@JOIN1"     :: "[pttrns, 'b set] => 'b set"         ("(3JN _./ _)" 10)
   12.43    "@JOIN"      :: "[pttrn, 'a set, 'b set] => 'b set"  ("(3JN _:_./ _)" 10)
   12.44  
   12.45  translations
   12.46 -  "JN x:A. B"   == "JOIN A (%x. B)"
   12.47 +  "JN x : A. B"   == "JOIN A (%x. B)"
   12.48    "JN x y. B"   == "JN x. JN y. B"
   12.49    "JN x. B"     == "JOIN UNIV (%x. B)"
   12.50  
   12.51 @@ -49,7 +49,7 @@
   12.52    SKIP      :: "'a program"                              ("\<bottom>")
   12.53    "op Join" :: "['a program, 'a program] => 'a program"  (infixl "\<squnion>" 65)
   12.54    "@JOIN1"  :: "[pttrns, 'b set] => 'b set"              ("(3\<Squnion> _./ _)" 10)
   12.55 -  "@JOIN"   :: "[pttrn, 'a set, 'b set] => 'b set"       ("(3\<Squnion> _:_./ _)" 10)
   12.56 +  "@JOIN"   :: "[pttrn, 'a set, 'b set] => 'b set"       ("(3\<Squnion> _\<in>_./ _)" 10)
   12.57  
   12.58  
   12.59  subsection{*SKIP*}
   12.60 @@ -68,13 +68,13 @@
   12.61  
   12.62  subsection{*SKIP and safety properties*}
   12.63  
   12.64 -lemma SKIP_in_constrains_iff [iff]: "(SKIP : A co B) = (A<=B)"
   12.65 +lemma SKIP_in_constrains_iff [iff]: "(SKIP \<in> A co B) = (A \<subseteq> B)"
   12.66  by (unfold constrains_def, auto)
   12.67  
   12.68 -lemma SKIP_in_Constrains_iff [iff]: "(SKIP : A Co B) = (A<=B)"
   12.69 +lemma SKIP_in_Constrains_iff [iff]: "(SKIP \<in> A Co B) = (A \<subseteq> B)"
   12.70  by (unfold Constrains_def, auto)
   12.71  
   12.72 -lemma SKIP_in_stable [iff]: "SKIP : stable A"
   12.73 +lemma SKIP_in_stable [iff]: "SKIP \<in> stable A"
   12.74  by (unfold stable_def, auto)
   12.75  
   12.76  declare SKIP_in_stable [THEN stable_imp_Stable, iff]
   12.77 @@ -82,40 +82,40 @@
   12.78  
   12.79  subsection{*Join*}
   12.80  
   12.81 -lemma Init_Join [simp]: "Init (F Join G) = Init F Int Init G"
   12.82 +lemma Init_Join [simp]: "Init (F Join G) = Init F \<inter> Init G"
   12.83  by (simp add: Join_def)
   12.84  
   12.85 -lemma Acts_Join [simp]: "Acts (F Join G) = Acts F Un Acts G"
   12.86 +lemma Acts_Join [simp]: "Acts (F Join G) = Acts F \<union> Acts G"
   12.87  by (auto simp add: Join_def)
   12.88  
   12.89  lemma AllowedActs_Join [simp]:
   12.90 -     "AllowedActs (F Join G) = AllowedActs F Int AllowedActs G"
   12.91 +     "AllowedActs (F Join G) = AllowedActs F \<inter> AllowedActs G"
   12.92  by (auto simp add: Join_def)
   12.93  
   12.94  
   12.95  subsection{*JN*}
   12.96  
   12.97 -lemma JN_empty [simp]: "(JN i:{}. F i) = SKIP"
   12.98 +lemma JN_empty [simp]: "(\<Squnion>i\<in>{}. F i) = SKIP"
   12.99  by (unfold JOIN_def SKIP_def, auto)
  12.100  
  12.101 -lemma JN_insert [simp]: "(JN i:insert a I. F i) = (F a) Join (JN i:I. F i)"
  12.102 +lemma JN_insert [simp]: "(\<Squnion>i \<in> insert a I. F i) = (F a) Join (\<Squnion>i \<in> I. F i)"
  12.103  apply (rule program_equalityI)
  12.104  apply (auto simp add: JOIN_def Join_def)
  12.105  done
  12.106  
  12.107 -lemma Init_JN [simp]: "Init (JN i:I. F i) = (INT i:I. Init (F i))"
  12.108 +lemma Init_JN [simp]: "Init (\<Squnion>i \<in> I. F i) = (\<Inter>i \<in> I. Init (F i))"
  12.109  by (simp add: JOIN_def)
  12.110  
  12.111 -lemma Acts_JN [simp]: "Acts (JN i:I. F i) = insert Id (UN i:I. Acts (F i))"
  12.112 +lemma Acts_JN [simp]: "Acts (\<Squnion>i \<in> I. F i) = insert Id (\<Union>i \<in> I. Acts (F i))"
  12.113  by (auto simp add: JOIN_def)
  12.114  
  12.115  lemma AllowedActs_JN [simp]:
  12.116 -     "AllowedActs (JN i:I. F i) = (INT i:I. AllowedActs (F i))"
  12.117 +     "AllowedActs (\<Squnion>i \<in> I. F i) = (\<Inter>i \<in> I. AllowedActs (F i))"
  12.118  by (auto simp add: JOIN_def)
  12.119  
  12.120  
  12.121  lemma JN_cong [cong]: 
  12.122 -    "[| I=J;  !!i. i:J ==> F i = G i |] ==> (JN i:I. F i) = (JN i:J. G i)"
  12.123 +    "[| I=J;  !!i. i \<in> J ==> F i = G i |] ==> (\<Squnion>i \<in> I. F i) = (\<Squnion>i \<in> J. G i)"
  12.124  by (simp add: JOIN_def)
  12.125  
  12.126  
  12.127 @@ -156,28 +156,28 @@
  12.128  lemmas Join_ac = Join_assoc Join_left_absorb Join_commute Join_left_commute
  12.129  
  12.130  
  12.131 -subsection{*JN laws*}
  12.132 +subsection{*\<Squnion>laws*}
  12.133  
  12.134  (*Also follows by JN_insert and insert_absorb, but the proof is longer*)
  12.135 -lemma JN_absorb: "k:I ==> F k Join (JN i:I. F i) = (JN i:I. F i)"
  12.136 +lemma JN_absorb: "k \<in> I ==> F k Join (\<Squnion>i \<in> I. F i) = (\<Squnion>i \<in> I. F i)"
  12.137  by (auto intro!: program_equalityI)
  12.138  
  12.139 -lemma JN_Un: "(JN i: I Un J. F i) = ((JN i: I. F i) Join (JN i:J. F i))"
  12.140 +lemma JN_Un: "(\<Squnion>i \<in> I \<union> J. F i) = ((\<Squnion>i \<in> I. F i) Join (\<Squnion>i \<in> J. F i))"
  12.141  by (auto intro!: program_equalityI)
  12.142  
  12.143 -lemma JN_constant: "(JN i:I. c) = (if I={} then SKIP else c)"
  12.144 +lemma JN_constant: "(\<Squnion>i \<in> I. c) = (if I={} then SKIP else c)"
  12.145  by (rule program_equalityI, auto)
  12.146  
  12.147  lemma JN_Join_distrib:
  12.148 -     "(JN i:I. F i Join G i) = (JN i:I. F i)  Join  (JN i:I. G i)"
  12.149 +     "(\<Squnion>i \<in> I. F i Join G i) = (\<Squnion>i \<in> I. F i)  Join  (\<Squnion>i \<in> I. G i)"
  12.150  by (auto intro!: program_equalityI)
  12.151  
  12.152  lemma JN_Join_miniscope:
  12.153 -     "i : I ==> (JN i:I. F i Join G) = ((JN i:I. F i) Join G)"
  12.154 +     "i \<in> I ==> (\<Squnion>i \<in> I. F i Join G) = ((\<Squnion>i \<in> I. F i) Join G)"
  12.155  by (auto simp add: JN_Join_distrib JN_constant)
  12.156  
  12.157  (*Used to prove guarantees_JN_I*)
  12.158 -lemma JN_Join_diff: "i: I ==> F i Join JOIN (I - {i}) F = JOIN I F"
  12.159 +lemma JN_Join_diff: "i \<in> I ==> F i Join JOIN (I - {i}) F = JOIN I F"
  12.160  apply (unfold JOIN_def Join_def)
  12.161  apply (rule program_equalityI, auto)
  12.162  done
  12.163 @@ -185,19 +185,19 @@
  12.164  
  12.165  subsection{*Safety: co, stable, FP*}
  12.166  
  12.167 -(*Fails if I={} because it collapses to SKIP : A co B, i.e. to A<=B.  So an
  12.168 -  alternative precondition is A<=B, but most proofs using this rule require
  12.169 +(*Fails if I={} because it collapses to SKIP \<in> A co B, i.e. to A \<subseteq> B.  So an
  12.170 +  alternative precondition is A \<subseteq> B, but most proofs using this rule require
  12.171    I to be nonempty for other reasons anyway.*)
  12.172  lemma JN_constrains: 
  12.173 -    "i : I ==> (JN i:I. F i) : A co B = (ALL i:I. F i : A co B)"
  12.174 +    "i \<in> I ==> (\<Squnion>i \<in> I. F i) \<in> A co B = (\<forall>i \<in> I. F i \<in> A co B)"
  12.175  by (simp add: constrains_def JOIN_def, blast)
  12.176  
  12.177  lemma Join_constrains [simp]:
  12.178 -     "(F Join G : A co B) = (F : A co B & G : A co B)"
  12.179 +     "(F Join G \<in> A co B) = (F \<in> A co B & G \<in> A co B)"
  12.180  by (auto simp add: constrains_def Join_def)
  12.181  
  12.182  lemma Join_unless [simp]:
  12.183 -     "(F Join G : A unless B) = (F : A unless B & G : A unless B)"
  12.184 +     "(F Join G \<in> A unless B) = (F \<in> A unless B & G \<in> A unless B)"
  12.185  by (simp add: Join_constrains unless_def)
  12.186  
  12.187  (*Analogous weak versions FAIL; see Misra [1994] 5.4.1, Substitution Axiom.
  12.188 @@ -206,100 +206,100 @@
  12.189  
  12.190  
  12.191  lemma Join_constrains_weaken:
  12.192 -     "[| F : A co A';  G : B co B' |]  
  12.193 -      ==> F Join G : (A Int B) co (A' Un B')"
  12.194 +     "[| F \<in> A co A';  G \<in> B co B' |]  
  12.195 +      ==> F Join G \<in> (A \<inter> B) co (A' \<union> B')"
  12.196  by (simp, blast intro: constrains_weaken)
  12.197  
  12.198 -(*If I={}, it degenerates to SKIP : UNIV co {}, which is false.*)
  12.199 +(*If I={}, it degenerates to SKIP \<in> UNIV co {}, which is false.*)
  12.200  lemma JN_constrains_weaken:
  12.201 -     "[| ALL i:I. F i : A i co A' i;  i: I |]  
  12.202 -      ==> (JN i:I. F i) : (INT i:I. A i) co (UN i:I. A' i)"
  12.203 +     "[| \<forall>i \<in> I. F i \<in> A i co A' i;  i \<in> I |]  
  12.204 +      ==> (\<Squnion>i \<in> I. F i) \<in> (\<Inter>i \<in> I. A i) co (\<Union>i \<in> I. A' i)"
  12.205  apply (simp (no_asm_simp) add: JN_constrains)
  12.206  apply (blast intro: constrains_weaken)
  12.207  done
  12.208  
  12.209 -lemma JN_stable: "(JN i:I. F i) : stable A = (ALL i:I. F i : stable A)"
  12.210 +lemma JN_stable: "(\<Squnion>i \<in> I. F i) \<in> stable A = (\<forall>i \<in> I. F i \<in> stable A)"
  12.211  by (simp add: stable_def constrains_def JOIN_def)
  12.212  
  12.213  lemma invariant_JN_I:
  12.214 -     "[| !!i. i:I ==> F i : invariant A;  i : I |]   
  12.215 -       ==> (JN i:I. F i) : invariant A"
  12.216 +     "[| !!i. i \<in> I ==> F i \<in> invariant A;  i \<in> I |]   
  12.217 +       ==> (\<Squnion>i \<in> I. F i) \<in> invariant A"
  12.218  by (simp add: invariant_def JN_stable, blast)
  12.219  
  12.220  lemma Join_stable [simp]:
  12.221 -     "(F Join G : stable A) =  
  12.222 -      (F : stable A & G : stable A)"
  12.223 +     "(F Join G \<in> stable A) =  
  12.224 +      (F \<in> stable A & G \<in> stable A)"
  12.225  by (simp add: stable_def)
  12.226  
  12.227  lemma Join_increasing [simp]:
  12.228 -     "(F Join G : increasing f) =  
  12.229 -      (F : increasing f & G : increasing f)"
  12.230 +     "(F Join G \<in> increasing f) =  
  12.231 +      (F \<in> increasing f & G \<in> increasing f)"
  12.232  by (simp add: increasing_def Join_stable, blast)
  12.233  
  12.234  lemma invariant_JoinI:
  12.235 -     "[| F : invariant A; G : invariant A |]   
  12.236 -      ==> F Join G : invariant A"
  12.237 +     "[| F \<in> invariant A; G \<in> invariant A |]   
  12.238 +      ==> F Join G \<in> invariant A"
  12.239  by (simp add: invariant_def, blast)
  12.240  
  12.241 -lemma FP_JN: "FP (JN i:I. F i) = (INT i:I. FP (F i))"
  12.242 +lemma FP_JN: "FP (\<Squnion>i \<in> I. F i) = (\<Inter>i \<in> I. FP (F i))"
  12.243  by (simp add: FP_def JN_stable INTER_def)
  12.244  
  12.245  
  12.246  subsection{*Progress: transient, ensures*}
  12.247  
  12.248  lemma JN_transient:
  12.249 -     "i : I ==>  
  12.250 -    (JN i:I. F i) : transient A = (EX i:I. F i : transient A)"
  12.251 +     "i \<in> I ==>  
  12.252 +    (\<Squnion>i \<in> I. F i) \<in> transient A = (\<exists>i \<in> I. F i \<in> transient A)"
  12.253  by (auto simp add: transient_def JOIN_def)
  12.254  
  12.255  lemma Join_transient [simp]:
  12.256 -     "F Join G : transient A =  
  12.257 -      (F : transient A | G : transient A)"
  12.258 +     "F Join G \<in> transient A =  
  12.259 +      (F \<in> transient A | G \<in> transient A)"
  12.260  by (auto simp add: bex_Un transient_def Join_def)
  12.261  
  12.262 -lemma Join_transient_I1: "F : transient A ==> F Join G : transient A"
  12.263 +lemma Join_transient_I1: "F \<in> transient A ==> F Join G \<in> transient A"
  12.264  by (simp add: Join_transient)
  12.265  
  12.266 -lemma Join_transient_I2: "G : transient A ==> F Join G : transient A"
  12.267 +lemma Join_transient_I2: "G \<in> transient A ==> F Join G \<in> transient A"
  12.268  by (simp add: Join_transient)
  12.269  
  12.270 -(*If I={} it degenerates to (SKIP : A ensures B) = False, i.e. to ~(A<=B) *)
  12.271 +(*If I={} it degenerates to (SKIP \<in> A ensures B) = False, i.e. to ~(A \<subseteq> B) *)
  12.272  lemma JN_ensures:
  12.273 -     "i : I ==>  
  12.274 -      (JN i:I. F i) : A ensures B =  
  12.275 -      ((ALL i:I. F i : (A-B) co (A Un B)) & (EX i:I. F i : A ensures B))"
  12.276 +     "i \<in> I ==>  
  12.277 +      (\<Squnion>i \<in> I. F i) \<in> A ensures B =  
  12.278 +      ((\<forall>i \<in> I. F i \<in> (A-B) co (A \<union> B)) & (\<exists>i \<in> I. F i \<in> A ensures B))"
  12.279  by (auto simp add: ensures_def JN_constrains JN_transient)
  12.280  
  12.281  lemma Join_ensures: 
  12.282 -     "F Join G : A ensures B =      
  12.283 -      (F : (A-B) co (A Un B) & G : (A-B) co (A Un B) &  
  12.284 -       (F : transient (A-B) | G : transient (A-B)))"
  12.285 +     "F Join G \<in> A ensures B =      
  12.286 +      (F \<in> (A-B) co (A \<union> B) & G \<in> (A-B) co (A \<union> B) &  
  12.287 +       (F \<in> transient (A-B) | G \<in> transient (A-B)))"
  12.288  by (auto simp add: ensures_def Join_transient)
  12.289  
  12.290  lemma stable_Join_constrains: 
  12.291 -    "[| F : stable A;  G : A co A' |]  
  12.292 -     ==> F Join G : A co A'"
  12.293 +    "[| F \<in> stable A;  G \<in> A co A' |]  
  12.294 +     ==> F Join G \<in> A co A'"
  12.295  apply (unfold stable_def constrains_def Join_def)
  12.296  apply (simp add: ball_Un, blast)
  12.297  done
  12.298  
  12.299 -(*Premise for G cannot use Always because  F: Stable A  is weaker than
  12.300 -  G : stable A *)
  12.301 +(*Premise for G cannot use Always because  F \<in> Stable A  is weaker than
  12.302 +  G \<in> stable A *)
  12.303  lemma stable_Join_Always1:
  12.304 -     "[| F : stable A;  G : invariant A |] ==> F Join G : Always A"
  12.305 +     "[| F \<in> stable A;  G \<in> invariant A |] ==> F Join G \<in> Always A"
  12.306  apply (simp (no_asm_use) add: Always_def invariant_def Stable_eq_stable)
  12.307  apply (force intro: stable_Int)
  12.308  done
  12.309  
  12.310  (*As above, but exchanging the roles of F and G*)
  12.311  lemma stable_Join_Always2:
  12.312 -     "[| F : invariant A;  G : stable A |] ==> F Join G : Always A"
  12.313 +     "[| F \<in> invariant A;  G \<in> stable A |] ==> F Join G \<in> Always A"
  12.314  apply (subst Join_commute)
  12.315  apply (blast intro: stable_Join_Always1)
  12.316  done
  12.317  
  12.318  lemma stable_Join_ensures1:
  12.319 -     "[| F : stable A;  G : A ensures B |] ==> F Join G : A ensures B"
  12.320 +     "[| F \<in> stable A;  G \<in> A ensures B |] ==> F Join G \<in> A ensures B"
  12.321  apply (simp (no_asm_simp) add: Join_ensures)
  12.322  apply (simp add: stable_def ensures_def)
  12.323  apply (erule constrains_weaken, auto)
  12.324 @@ -307,7 +307,7 @@
  12.325  
  12.326  (*As above, but exchanging the roles of F and G*)
  12.327  lemma stable_Join_ensures2:
  12.328 -     "[| F : A ensures B;  G : stable A |] ==> F Join G : A ensures B"
  12.329 +     "[| F \<in> A ensures B;  G \<in> stable A |] ==> F Join G \<in> A ensures B"
  12.330  apply (subst Join_commute)
  12.331  apply (blast intro: stable_Join_ensures1)
  12.332  done
  12.333 @@ -344,16 +344,16 @@
  12.334  lemma ok_Join_commute_I: "[| F ok G; (F Join G) ok H |] ==> F ok (G Join H)"
  12.335  by (auto simp add: ok_def)
  12.336  
  12.337 -lemma ok_JN_iff1 [iff]: "F ok (JOIN I G) = (ALL i:I. F ok G i)"
  12.338 +lemma ok_JN_iff1 [iff]: "F ok (JOIN I G) = (\<forall>i \<in> I. F ok G i)"
  12.339  by (auto simp add: ok_def)
  12.340  
  12.341 -lemma ok_JN_iff2 [iff]: "(JOIN I G) ok F =  (ALL i:I. G i ok F)"
  12.342 +lemma ok_JN_iff2 [iff]: "(JOIN I G) ok F =  (\<forall>i \<in> I. G i ok F)"
  12.343  by (auto simp add: ok_def)
  12.344  
  12.345 -lemma OK_iff_ok: "OK I F = (ALL i: I. ALL j: I-{i}. (F i) ok (F j))"
  12.346 +lemma OK_iff_ok: "OK I F = (\<forall>i \<in> I. \<forall>j \<in> I-{i}. (F i) ok (F j))"
  12.347  by (auto simp add: ok_def OK_def)
  12.348  
  12.349 -lemma OK_imp_ok: "[| OK I F; i: I; j: I; i ~= j|] ==> (F i) ok (F j)"
  12.350 +lemma OK_imp_ok: "[| OK I F; i \<in> I; j \<in> I; i \<noteq> j|] ==> (F i) ok (F j)"
  12.351  by (auto simp add: OK_iff_ok)
  12.352  
  12.353  
  12.354 @@ -362,27 +362,27 @@
  12.355  lemma Allowed_SKIP [simp]: "Allowed SKIP = UNIV"
  12.356  by (auto simp add: Allowed_def)
  12.357  
  12.358 -lemma Allowed_Join [simp]: "Allowed (F Join G) = Allowed F Int Allowed G"
  12.359 +lemma Allowed_Join [simp]: "Allowed (F Join G) = Allowed F \<inter> Allowed G"
  12.360  by (auto simp add: Allowed_def)
  12.361  
  12.362 -lemma Allowed_JN [simp]: "Allowed (JOIN I F) = (INT i:I. Allowed (F i))"
  12.363 +lemma Allowed_JN [simp]: "Allowed (JOIN I F) = (\<Inter>i \<in> I. Allowed (F i))"
  12.364  by (auto simp add: Allowed_def)
  12.365  
  12.366 -lemma ok_iff_Allowed: "F ok G = (F : Allowed G & G : Allowed F)"
  12.367 +lemma ok_iff_Allowed: "F ok G = (F \<in> Allowed G & G \<in> Allowed F)"
  12.368  by (simp add: ok_def Allowed_def)
  12.369  
  12.370 -lemma OK_iff_Allowed: "OK I F = (ALL i: I. ALL j: I-{i}. F i : Allowed(F j))"
  12.371 +lemma OK_iff_Allowed: "OK I F = (\<forall>i \<in> I. \<forall>j \<in> I-{i}. F i \<in> Allowed(F j))"
  12.372  by (auto simp add: OK_iff_ok ok_iff_Allowed)
  12.373  
  12.374  subsection{*@{text safety_prop}, for reasoning about
  12.375   given instances of "ok"*}
  12.376  
  12.377  lemma safety_prop_Acts_iff:
  12.378 -     "safety_prop X ==> (Acts G <= insert Id (UNION X Acts)) = (G : X)"
  12.379 +     "safety_prop X ==> (Acts G \<subseteq> insert Id (UNION X Acts)) = (G \<in> X)"
  12.380  by (auto simp add: safety_prop_def)
  12.381  
  12.382  lemma safety_prop_AllowedActs_iff_Allowed:
  12.383 -     "safety_prop X ==> (UNION X Acts <= AllowedActs F) = (X <= Allowed F)"
  12.384 +     "safety_prop X ==> (UNION X Acts \<subseteq> AllowedActs F) = (X \<subseteq> Allowed F)"
  12.385  by (auto simp add: Allowed_def safety_prop_Acts_iff [symmetric])
  12.386  
  12.387  lemma Allowed_eq:
  12.388 @@ -395,27 +395,27 @@
  12.389  by (simp add: Allowed_eq)
  12.390  
  12.391  (*For safety_prop to hold, the property must be satisfiable!*)
  12.392 -lemma safety_prop_constrains [iff]: "safety_prop (A co B) = (A <= B)"
  12.393 +lemma safety_prop_constrains [iff]: "safety_prop (A co B) = (A \<subseteq> B)"
  12.394  by (simp add: safety_prop_def constrains_def, blast)
  12.395  
  12.396  lemma safety_prop_stable [iff]: "safety_prop (stable A)"
  12.397  by (simp add: stable_def)
  12.398  
  12.399  lemma safety_prop_Int [simp]:
  12.400 -     "[| safety_prop X; safety_prop Y |] ==> safety_prop (X Int Y)"
  12.401 +     "[| safety_prop X; safety_prop Y |] ==> safety_prop (X \<inter> Y)"
  12.402  by (simp add: safety_prop_def, blast)
  12.403  
  12.404  lemma safety_prop_INTER1 [simp]:
  12.405 -     "(!!i. safety_prop (X i)) ==> safety_prop (INT i. X i)"
  12.406 +     "(!!i. safety_prop (X i)) ==> safety_prop (\<Inter>i. X i)"
  12.407  by (auto simp add: safety_prop_def, blast)
  12.408  							       
  12.409  lemma safety_prop_INTER [simp]:
  12.410 -     "(!!i. i:I ==> safety_prop (X i)) ==> safety_prop (INT i:I. X i)"
  12.411 +     "(!!i. i \<in> I ==> safety_prop (X i)) ==> safety_prop (\<Inter>i \<in> I. X i)"
  12.412  by (auto simp add: safety_prop_def, blast)
  12.413  
  12.414  lemma def_UNION_ok_iff:
  12.415       "[| F == mk_program(init,acts,UNION X Acts); safety_prop X |]  
  12.416 -      ==> F ok G = (G : X & acts <= AllowedActs G)"
  12.417 +      ==> F ok G = (G \<in> X & acts \<subseteq> AllowedActs G)"
  12.418  by (auto simp add: ok_def safety_prop_Acts_iff)
  12.419  
  12.420  end
    13.1 --- a/src/HOL/UNITY/WFair.thy	Mon Feb 03 11:45:05 2003 +0100
    13.2 +++ b/src/HOL/UNITY/WFair.thy	Tue Feb 04 18:12:40 2003 +0100
    13.3 @@ -17,10 +17,10 @@
    13.4    (*This definition specifies weak fairness.  The rest of the theory
    13.5      is generic to all forms of fairness.*)
    13.6    transient :: "'a set => 'a program set"
    13.7 -    "transient A == {F. EX act: Acts F. A <= Domain act & act``A <= -A}"
    13.8 +    "transient A == {F. \<exists>act\<in>Acts F. A \<subseteq> Domain act & act``A \<subseteq> -A}"
    13.9  
   13.10    ensures :: "['a set, 'a set] => 'a program set"       (infixl "ensures" 60)
   13.11 -    "A ensures B == (A-B co A Un B) Int transient (A-B)"
   13.12 +    "A ensures B == (A-B co A \<union> B) \<inter> transient (A-B)"
   13.13  
   13.14  
   13.15  consts
   13.16 @@ -32,22 +32,22 @@
   13.17  inductive "leads F"
   13.18    intros 
   13.19  
   13.20 -    Basis:  "F : A ensures B ==> (A,B) : leads F"
   13.21 +    Basis:  "F \<in> A ensures B ==> (A,B) \<in> leads F"
   13.22  
   13.23 -    Trans:  "[| (A,B) : leads F;  (B,C) : leads F |] ==> (A,C) : leads F"
   13.24 +    Trans:  "[| (A,B) \<in> leads F;  (B,C) \<in> leads F |] ==> (A,C) \<in> leads F"
   13.25  
   13.26 -    Union:  "ALL A: S. (A,B) : leads F ==> (Union S, B) : leads F"
   13.27 +    Union:  "\<forall>A \<in> S. (A,B) \<in> leads F ==> (Union S, B) \<in> leads F"
   13.28  
   13.29  
   13.30  constdefs
   13.31  
   13.32    (*visible version of the LEADS-TO relation*)
   13.33    leadsTo :: "['a set, 'a set] => 'a program set"    (infixl "leadsTo" 60)
   13.34 -    "A leadsTo B == {F. (A,B) : leads F}"
   13.35 +    "A leadsTo B == {F. (A,B) \<in> leads F}"
   13.36    
   13.37    (*wlt F B is the largest set that leads to B*)
   13.38    wlt :: "['a program, 'a set] => 'a set"
   13.39 -    "wlt F B == Union {A. F: A leadsTo B}"
   13.40 +    "wlt F B == Union {A. F \<in> A leadsTo B}"
   13.41  
   13.42  syntax (xsymbols)
   13.43    "op leadsTo" :: "['a set, 'a set] => 'a program set" (infixl "\<longmapsto>" 60)
   13.44 @@ -56,22 +56,22 @@
   13.45  subsection{*transient*}
   13.46  
   13.47  lemma stable_transient_empty: 
   13.48 -    "[| F : stable A; F : transient A |] ==> A = {}"
   13.49 +    "[| F \<in> stable A; F \<in> transient A |] ==> A = {}"
   13.50  by (unfold stable_def constrains_def transient_def, blast)
   13.51  
   13.52  lemma transient_strengthen: 
   13.53 -    "[| F : transient A; B<=A |] ==> F : transient B"
   13.54 +    "[| F \<in> transient A; B \<subseteq> A |] ==> F \<in> transient B"
   13.55  apply (unfold transient_def, clarify)
   13.56  apply (blast intro!: rev_bexI)
   13.57  done
   13.58  
   13.59  lemma transientI: 
   13.60 -    "[| act: Acts F;  A <= Domain act;  act``A <= -A |] ==> F : transient A"
   13.61 +    "[| act: Acts F;  A \<subseteq> Domain act;  act``A \<subseteq> -A |] ==> F \<in> transient A"
   13.62  by (unfold transient_def, blast)
   13.63  
   13.64  lemma transientE: 
   13.65 -    "[| F : transient A;   
   13.66 -        !!act. [| act: Acts F;  A <= Domain act;  act``A <= -A |] ==> P |]  
   13.67 +    "[| F \<in> transient A;   
   13.68 +        !!act. [| act: Acts F;  A \<subseteq> Domain act;  act``A \<subseteq> -A |] ==> P |]  
   13.69       ==> P"
   13.70  by (unfold transient_def, blast)
   13.71  
   13.72 @@ -85,23 +85,23 @@
   13.73  subsection{*ensures*}
   13.74  
   13.75  lemma ensuresI: 
   13.76 -    "[| F : (A-B) co (A Un B); F : transient (A-B) |] ==> F : A ensures B"
   13.77 +    "[| F \<in> (A-B) co (A \<union> B); F \<in> transient (A-B) |] ==> F \<in> A ensures B"
   13.78  by (unfold ensures_def, blast)
   13.79  
   13.80  lemma ensuresD: 
   13.81 -    "F : A ensures B ==> F : (A-B) co (A Un B) & F : transient (A-B)"
   13.82 +    "F \<in> A ensures B ==> F \<in> (A-B) co (A \<union> B) & F \<in> transient (A-B)"
   13.83  by (unfold ensures_def, blast)
   13.84  
   13.85  lemma ensures_weaken_R: 
   13.86 -    "[| F : A ensures A'; A'<=B' |] ==> F : A ensures B'"
   13.87 +    "[| F \<in> A ensures A'; A'<=B' |] ==> F \<in> A ensures B'"
   13.88  apply (unfold ensures_def)
   13.89  apply (blast intro: constrains_weaken transient_strengthen)
   13.90  done
   13.91  
   13.92  (*The L-version (precondition strengthening) fails, but we have this*)
   13.93  lemma stable_ensures_Int: 
   13.94 -    "[| F : stable C;  F : A ensures B |]    
   13.95 -    ==> F : (C Int A) ensures (C Int B)"
   13.96 +    "[| F \<in> stable C;  F \<in> A ensures B |]    
   13.97 +    ==> F \<in> (C \<inter> A) ensures (C \<inter> B)"
   13.98  apply (unfold ensures_def)
   13.99  apply (auto simp add: ensures_def Int_Un_distrib [symmetric] Diff_Int_distrib [symmetric])
  13.100  prefer 2 apply (blast intro: transient_strengthen)
  13.101 @@ -109,78 +109,78 @@
  13.102  done
  13.103  
  13.104  lemma stable_transient_ensures:
  13.105 -     "[| F : stable A;  F : transient C;  A <= B Un C |] ==> F : A ensures B"
  13.106 +     "[| F \<in> stable A;  F \<in> transient C;  A \<subseteq> B \<union> C |] ==> F \<in> A ensures B"
  13.107  apply (simp add: ensures_def stable_def)
  13.108  apply (blast intro: constrains_weaken transient_strengthen)
  13.109  done
  13.110  
  13.111 -lemma ensures_eq: "(A ensures B) = (A unless B) Int transient (A-B)"
  13.112 +lemma ensures_eq: "(A ensures B) = (A unless B) \<inter> transient (A-B)"
  13.113  by (simp (no_asm) add: ensures_def unless_def)
  13.114  
  13.115  
  13.116  subsection{*leadsTo*}
  13.117  
  13.118 -lemma leadsTo_Basis [intro]: "F : A ensures B ==> F : A leadsTo B"
  13.119 +lemma leadsTo_Basis [intro]: "F \<in> A ensures B ==> F \<in> A leadsTo B"
  13.120  apply (unfold leadsTo_def)
  13.121  apply (blast intro: leads.Basis)
  13.122  done
  13.123  
  13.124  lemma leadsTo_Trans: 
  13.125 -     "[| F : A leadsTo B;  F : B leadsTo C |] ==> F : A leadsTo C"
  13.126 +     "[| F \<in> A leadsTo B;  F \<in> B leadsTo C |] ==> F \<in> A leadsTo C"
  13.127  apply (unfold leadsTo_def)
  13.128  apply (blast intro: leads.Trans)
  13.129  done
  13.130  
  13.131 -lemma transient_imp_leadsTo: "F : transient A ==> F : A leadsTo (-A)"
  13.132 +lemma transient_imp_leadsTo: "F \<in> transient A ==> F \<in> A leadsTo (-A)"
  13.133  by (simp (no_asm_simp) add: leadsTo_Basis ensuresI Compl_partition)
  13.134  
  13.135  (*Useful with cancellation, disjunction*)
  13.136 -lemma leadsTo_Un_duplicate: "F : A leadsTo (A' Un A') ==> F : A leadsTo A'"
  13.137 +lemma leadsTo_Un_duplicate: "F \<in> A leadsTo (A' \<union> A') ==> F \<in> A leadsTo A'"
  13.138  by (simp add: Un_ac)
  13.139  
  13.140  lemma leadsTo_Un_duplicate2:
  13.141 -     "F : A leadsTo (A' Un C Un C) ==> F : A leadsTo (A' Un C)"
  13.142 +     "F \<in> A leadsTo (A' \<union> C \<union> C) ==> F \<in> A leadsTo (A' \<union> C)"
  13.143  by (simp add: Un_ac)
  13.144  
  13.145  (*The Union introduction rule as we should have liked to state it*)
  13.146  lemma leadsTo_Union: 
  13.147 -    "(!!A. A : S ==> F : A leadsTo B) ==> F : (Union S) leadsTo B"
  13.148 +    "(!!A. A \<in> S ==> F \<in> A leadsTo B) ==> F \<in> (Union S) leadsTo B"
  13.149  apply (unfold leadsTo_def)
  13.150  apply (blast intro: leads.Union)
  13.151  done
  13.152  
  13.153  lemma leadsTo_Union_Int: 
  13.154 - "(!!A. A : S ==> F : (A Int C) leadsTo B) ==> F : (Union S Int C) leadsTo B"
  13.155 + "(!!A. A \<in> S ==> F \<in> (A \<inter> C) leadsTo B) ==> F \<in> (Union S \<inter> C) leadsTo B"
  13.156  apply (unfold leadsTo_def)
  13.157  apply (simp only: Int_Union_Union)
  13.158  apply (blast intro: leads.Union)
  13.159  done
  13.160  
  13.161  lemma leadsTo_UN: 
  13.162 -    "(!!i. i : I ==> F : (A i) leadsTo B) ==> F : (UN i:I. A i) leadsTo B"
  13.163 +    "(!!i. i \<in> I ==> F \<in> (A i) leadsTo B) ==> F \<in> (\<Union>i \<in> I. A i) leadsTo B"
  13.164  apply (subst Union_image_eq [symmetric])
  13.165  apply (blast intro: leadsTo_Union)
  13.166  done
  13.167  
  13.168  (*Binary union introduction rule*)
  13.169  lemma leadsTo_Un:
  13.170 -     "[| F : A leadsTo C; F : B leadsTo C |] ==> F : (A Un B) leadsTo C"
  13.171 +     "[| F \<in> A leadsTo C; F \<in> B leadsTo C |] ==> F \<in> (A \<union> B) leadsTo C"
  13.172  apply (subst Un_eq_Union)
  13.173  apply (blast intro: leadsTo_Union)
  13.174  done
  13.175  
  13.176  lemma single_leadsTo_I: 
  13.177 -     "(!!x. x : A ==> F : {x} leadsTo B) ==> F : A leadsTo B"
  13.178 +     "(!!x. x \<in> A ==> F \<in> {x} leadsTo B) ==> F \<in> A leadsTo B"
  13.179  by (subst UN_singleton [symmetric], rule leadsTo_UN, blast)
  13.180  
  13.181  
  13.182  (*The INDUCTION rule as we should have liked to state it*)
  13.183  lemma leadsTo_induct: 
  13.184 -  "[| F : za leadsTo zb;   
  13.185 -      !!A B. F : A ensures B ==> P A B;  
  13.186 -      !!A B C. [| F : A leadsTo B; P A B; F : B leadsTo C; P B C |]  
  13.187 +  "[| F \<in> za leadsTo zb;   
  13.188 +      !!A B. F \<in> A ensures B ==> P A B;  
  13.189 +      !!A B C. [| F \<in> A leadsTo B; P A B; F \<in> B leadsTo C; P B C |]  
  13.190                 ==> P A C;  
  13.191 -      !!B S. ALL A:S. F : A leadsTo B & P A B ==> P (Union S) B  
  13.192 +      !!B S. \<forall>A \<in> S. F \<in> A leadsTo B & P A B ==> P (Union S) B  
  13.193     |] ==> P za zb"
  13.194  apply (unfold leadsTo_def)
  13.195  apply (drule CollectD, erule leads.induct)
  13.196 @@ -188,7 +188,7 @@
  13.197  done
  13.198  
  13.199  
  13.200 -lemma subset_imp_ensures: "A<=B ==> F : A ensures B"
  13.201 +lemma subset_imp_ensures: "A \<subseteq> B ==> F \<in> A ensures B"
  13.202  by (unfold ensures_def constrains_def transient_def, blast)
  13.203  
  13.204  lemmas subset_imp_leadsTo = subset_imp_ensures [THEN leadsTo_Basis, standard]
  13.205 @@ -205,10 +205,10 @@
  13.206  
  13.207  (*Lemma is the weak version: can't see how to do it in one step*)
  13.208  lemma leadsTo_induct_pre_lemma: 
  13.209 -  "[| F : za leadsTo zb;   
  13.210 +  "[| F \<in> za leadsTo zb;   
  13.211        P zb;  
  13.212 -      !!A B. [| F : A ensures B;  P B |] ==> P A;  
  13.213 -      !!S. ALL A:S. P A ==> P (Union S)  
  13.214 +      !!A B. [| F \<in> A ensures B;  P B |] ==> P A;  
  13.215 +      !!S. \<forall>A \<in> S. P A ==> P (Union S)  
  13.216     |] ==> P za"
  13.217  (*by induction on this formula*)
  13.218  apply (subgoal_tac "P zb --> P za")
  13.219 @@ -219,12 +219,12 @@
  13.220  done
  13.221  
  13.222  lemma leadsTo_induct_pre: 
  13.223 -  "[| F : za leadsTo zb;   
  13.224 +  "[| F \<in> za leadsTo zb;   
  13.225        P zb;  
  13.226 -      !!A B. [| F : A ensures B;  F : B leadsTo zb;  P B |] ==> P A;  
  13.227 -      !!S. ALL A:S. F : A leadsTo zb & P A ==> P (Union S)  
  13.228 +      !!A B. [| F \<in> A ensures B;  F \<in> B leadsTo zb;  P B |] ==> P A;  
  13.229 +      !!S. \<forall>A \<in> S. F \<in> A leadsTo zb & P A ==> P (Union S)  
  13.230     |] ==> P za"
  13.231 -apply (subgoal_tac "F : za leadsTo zb & P za")
  13.232 +apply (subgoal_tac "F \<in> za leadsTo zb & P za")
  13.233  apply (erule conjunct2)
  13.234  apply (erule leadsTo_induct_pre_lemma)
  13.235  prefer 3 apply (blast intro: leadsTo_Union)
  13.236 @@ -233,76 +233,76 @@
  13.237  done
  13.238  
  13.239  
  13.240 -lemma leadsTo_weaken_R: "[| F : A leadsTo A'; A'<=B' |] ==> F : A leadsTo B'"
  13.241 +lemma leadsTo_weaken_R: "[| F \<in> A leadsTo A'; A'<=B' |] ==> F \<in> A leadsTo B'"
  13.242  by (blast intro: subset_imp_leadsTo leadsTo_Trans)
  13.243  
  13.244  lemma leadsTo_weaken_L [rule_format]:
  13.245 -     "[| F : A leadsTo A'; B<=A |] ==> F : B leadsTo A'"
  13.246 +     "[| F \<in> A leadsTo A'; B \<subseteq> A |] ==> F \<in> B leadsTo A'"
  13.247  by (blast intro: leadsTo_Trans subset_imp_leadsTo)
  13.248  
  13.249  (*Distributes over binary unions*)
  13.250  lemma leadsTo_Un_distrib:
  13.251 -     "F : (A Un B) leadsTo C  =  (F : A leadsTo C & F : B leadsTo C)"
  13.252 +     "F \<in> (A \<union> B) leadsTo C  =  (F \<in> A leadsTo C & F \<in> B leadsTo C)"
  13.253  by (blast intro: leadsTo_Un leadsTo_weaken_L)
  13.254  
  13.255  lemma leadsTo_UN_distrib:
  13.256 -     "F : (UN i:I. A i) leadsTo B  =  (ALL i : I. F : (A i) leadsTo B)"
  13.257 +     "F \<in> (\<Union>i \<in> I. A i) leadsTo B  =  (\<forall>i \<in> I. F \<in> (A i) leadsTo B)"
  13.258  by (blast intro: leadsTo_UN leadsTo_weaken_L)
  13.259  
  13.260  lemma leadsTo_Union_distrib:
  13.261 -     "F : (Union S) leadsTo B  =  (ALL A : S. F : A leadsTo B)"
  13.262 +     "F \<in> (Union S) leadsTo B  =  (\<forall>A \<in> S. F \<in> A leadsTo B)"
  13.263  by (blast intro: leadsTo_Union leadsTo_weaken_L)
  13.264  
  13.265  
  13.266  lemma leadsTo_weaken:
  13.267 -     "[| F : A leadsTo A'; B<=A; A'<=B' |] ==> F : B leadsTo B'"
  13.268 +     "[| F \<in> A leadsTo A'; B \<subseteq> A; A'<=B' |] ==> F \<in> B leadsTo B'"
  13.269  by (blast intro: leadsTo_weaken_R leadsTo_weaken_L leadsTo_Trans)
  13.270  
  13.271  
  13.272  (*Set difference: maybe combine with leadsTo_weaken_L?*)
  13.273  lemma leadsTo_Diff:
  13.274 -     "[| F : (A-B) leadsTo C; F : B leadsTo C |]   ==> F : A leadsTo C"
  13.275 +     "[| F \<in> (A-B) leadsTo C; F \<in> B leadsTo C |]   ==> F \<in> A leadsTo C"
  13.276  by (blast intro: leadsTo_Un leadsTo_weaken)
  13.277  
  13.278  lemma leadsTo_UN_UN:
  13.279 -   "(!! i. i:I ==> F : (A i) leadsTo (A' i))  
  13.280 -    ==> F : (UN i:I. A i) leadsTo (UN i:I. A' i)"
  13.281 +   "(!! i. i \<in> I ==> F \<in> (A i) leadsTo (A' i))  
  13.282 +    ==> F \<in> (\<Union>i \<in> I. A i) leadsTo (\<Union>i \<in> I. A' i)"
  13.283  apply (simp only: Union_image_eq [symmetric])
  13.284  apply (blast intro: leadsTo_Union leadsTo_weaken_R)
  13.285  done
  13.286  
  13.287  (*Binary union version*)
  13.288  lemma leadsTo_Un_Un:
  13.289 -     "[| F : A leadsTo A'; F : B leadsTo B' |]  
  13.290 -      ==> F : (A Un B) leadsTo (A' Un B')"
  13.291 +     "[| F \<in> A leadsTo A'; F \<in> B leadsTo B' |]  
  13.292 +      ==> F \<in> (A \<union> B) leadsTo (A' \<union> B')"
  13.293  by (blast intro: leadsTo_Un leadsTo_weaken_R)
  13.294  
  13.295  
  13.296  (** The cancellation law **)
  13.297  
  13.298  lemma leadsTo_cancel2:
  13.299 -     "[| F : A leadsTo (A' Un B); F : B leadsTo B' |]  
  13.300 -      ==> F : A leadsTo (A' Un B')"
  13.301 +     "[| F \<in> A leadsTo (A' \<union> B); F \<in> B leadsTo B' |]  
  13.302 +      ==> F \<in> A leadsTo (A' \<union> B')"
  13.303  by (blast intro: leadsTo_Un_Un subset_imp_leadsTo leadsTo_Trans)
  13.304  
  13.305  lemma leadsTo_cancel_Diff2:
  13.306 -     "[| F : A leadsTo (A' Un B); F : (B-A') leadsTo B' |]  
  13.307 -      ==> F : A leadsTo (A' Un B')"
  13.308 +     "[| F \<in> A leadsTo (A' \<union> B); F \<in> (B-A') leadsTo B' |]  
  13.309 +      ==> F \<in> A leadsTo (A' \<union> B')"
  13.310  apply (rule leadsTo_cancel2)
  13.311  prefer 2 apply assumption
  13.312  apply (simp_all (no_asm_simp))
  13.313  done
  13.314  
  13.315  lemma leadsTo_cancel1:
  13.316 -     "[| F : A leadsTo (B Un A'); F : B leadsTo B' |]  
  13.317 -    ==> F : A leadsTo (B' Un A')"
  13.318 +     "[| F \<in> A leadsTo (B \<union> A'); F \<in> B leadsTo B' |]  
  13.319 +    ==> F \<in> A leadsTo (B' \<union> A')"
  13.320  apply (simp add: Un_commute)
  13.321  apply (blast intro!: leadsTo_cancel2)
  13.322  done
  13.323  
  13.324  lemma leadsTo_cancel_Diff1:
  13.325 -     "[| F : A leadsTo (B Un A'); F : (B-A') leadsTo B' |]  
  13.326 -    ==> F : A leadsTo (B' Un A')"
  13.327 +     "[| F \<in> A leadsTo (B \<union> A'); F \<in> (B-A') leadsTo B' |]  
  13.328 +    ==> F \<in> A leadsTo (B' \<union> A')"
  13.329  apply (rule leadsTo_cancel1)
  13.330  prefer 2 apply assumption
  13.331  apply (simp_all (no_asm_simp))
  13.332 @@ -312,7 +312,7 @@
  13.333  
  13.334  (** The impossibility law **)
  13.335  
  13.336 -lemma leadsTo_empty: "F : A leadsTo {} ==> A={}"
  13.337 +lemma leadsTo_empty: "F \<in> A leadsTo {} ==> A={}"
  13.338  apply (erule leadsTo_induct_pre)
  13.339  apply (simp_all add: ensures_def constrains_def transient_def, blast)
  13.340  done
  13.341 @@ -322,8 +322,8 @@
  13.342  
  13.343  (*Special case of PSP: Misra's "stable conjunction"*)
  13.344  lemma psp_stable: 
  13.345 -   "[| F : A leadsTo A'; F : stable B |]  
  13.346 -    ==> F : (A Int B) leadsTo (A' Int B)"
  13.347 +   "[| F \<in> A leadsTo A'; F \<in> stable B |]  
  13.348 +    ==> F \<in> (A \<inter> B) leadsTo (A' \<inter> B)"
  13.349  apply (unfold stable_def)
  13.350  apply (erule leadsTo_induct)
  13.351  prefer 3 apply (blast intro: leadsTo_Union_Int)
  13.352 @@ -334,19 +334,19 @@
  13.353  done
  13.354  
  13.355  lemma psp_stable2: 
  13.356 -   "[| F : A leadsTo A'; F : stable B |] ==> F : (B Int A) leadsTo (B Int A')"
  13.357 +   "[| F \<in> A leadsTo A'; F \<in> stable B |] ==> F \<in> (B \<inter> A) leadsTo (B \<inter> A')"
  13.358  by (simp add: psp_stable Int_ac)
  13.359  
  13.360  lemma psp_ensures: 
  13.361 -   "[| F : A ensures A'; F : B co B' |]  
  13.362 -    ==> F : (A Int B') ensures ((A' Int B) Un (B' - B))"
  13.363 +   "[| F \<in> A ensures A'; F \<in> B co B' |]  
  13.364 +    ==> F \<in> (A \<inter> B') ensures ((A' \<inter> B) \<union> (B' - B))"
  13.365  apply (unfold ensures_def constrains_def, clarify) (*speeds up the proof*)
  13.366  apply (blast intro: transient_strengthen)
  13.367  done
  13.368  
  13.369  lemma psp:
  13.370 -     "[| F : A leadsTo A'; F : B co B' |]  
  13.371 -      ==> F : (A Int B') leadsTo ((A' Int B) Un (B' - B))"
  13.372 +     "[| F \<in> A leadsTo A'; F \<in> B co B' |]  
  13.373 +      ==> F \<in> (A \<inter> B') leadsTo ((A' \<inter> B) \<union> (B' - B))"
  13.374  apply (erule leadsTo_induct)
  13.375    prefer 3 apply (blast intro: leadsTo_Union_Int)
  13.376   txt{*Basis case*}
  13.377 @@ -359,13 +359,13 @@
  13.378  done
  13.379  
  13.380  lemma psp2:
  13.381 -     "[| F : A leadsTo A'; F : B co B' |]  
  13.382 -    ==> F : (B' Int A) leadsTo ((B Int A') Un (B' - B))"
  13.383 +     "[| F \<in> A leadsTo A'; F \<in> B co B' |]  
  13.384 +    ==> F \<in> (B' \<inter> A) leadsTo ((B \<inter> A') \<union> (B' - B))"
  13.385  by (simp (no_asm_simp) add: psp Int_ac)
  13.386  
  13.387  lemma psp_unless: 
  13.388 -   "[| F : A leadsTo A';  F : B unless B' |]  
  13.389 -    ==> F : (A Int B) leadsTo ((A' Int B) Un B')"
  13.390 +   "[| F \<in> A leadsTo A';  F \<in> B unless B' |]  
  13.391 +    ==> F \<in> (A \<inter> B) leadsTo ((A' \<inter> B) \<union> B')"
  13.392  
  13.393  apply (unfold unless_def)
  13.394  apply (drule psp, assumption)
  13.395 @@ -379,11 +379,11 @@
  13.396  
  13.397  lemma leadsTo_wf_induct_lemma:
  13.398       "[| wf r;      
  13.399 -         ALL m. F : (A Int f-`{m}) leadsTo                      
  13.400 -                    ((A Int f-`(r^-1 `` {m})) Un B) |]  
  13.401 -      ==> F : (A Int f-`{m}) leadsTo B"
  13.402 +         \<forall>m. F \<in> (A \<inter> f-`{m}) leadsTo                      
  13.403 +                    ((A \<inter> f-`(r^-1 `` {m})) \<union> B) |]  
  13.404 +      ==> F \<in> (A \<inter> f-`{m}) leadsTo B"
  13.405  apply (erule_tac a = m in wf_induct)
  13.406 -apply (subgoal_tac "F : (A Int (f -` (r^-1 `` {x}))) leadsTo B")
  13.407 +apply (subgoal_tac "F \<in> (A \<inter> (f -` (r^-1 `` {x}))) leadsTo B")
  13.408   apply (blast intro: leadsTo_cancel1 leadsTo_Un_duplicate)
  13.409  apply (subst vimage_eq_UN)
  13.410  apply (simp only: UN_simps [symmetric])
  13.411 @@ -394,9 +394,9 @@
  13.412  (** Meta or object quantifier ? **)
  13.413  lemma leadsTo_wf_induct:
  13.414       "[| wf r;      
  13.415 -         ALL m. F : (A Int f-`{m}) leadsTo                      
  13.416 -                    ((A Int f-`(r^-1 `` {m})) Un B) |]  
  13.417 -      ==> F : A leadsTo B"
  13.418 +         \<forall>m. F \<in> (A \<inter> f-`{m}) leadsTo                      
  13.419 +                    ((A \<inter> f-`(r^-1 `` {m})) \<union> B) |]  
  13.420 +      ==> F \<in> A leadsTo B"
  13.421  apply (rule_tac t = A in subst)
  13.422   defer 1
  13.423   apply (rule leadsTo_UN)
  13.424 @@ -408,102 +408,102 @@
  13.425  
  13.426  lemma bounded_induct:
  13.427       "[| wf r;      
  13.428 -         ALL m:I. F : (A Int f-`{m}) leadsTo                    
  13.429 -                      ((A Int f-`(r^-1 `` {m})) Un B) |]  
  13.430 -      ==> F : A leadsTo ((A - (f-`I)) Un B)"
  13.431 +         \<forall>m \<in> I. F \<in> (A \<inter> f-`{m}) leadsTo                    
  13.432 +                      ((A \<inter> f-`(r^-1 `` {m})) \<union> B) |]  
  13.433 +      ==> F \<in> A leadsTo ((A - (f-`I)) \<union> B)"
  13.434  apply (erule leadsTo_wf_induct, safe)
  13.435 -apply (case_tac "m:I")
  13.436 +apply (case_tac "m \<in> I")
  13.437  apply (blast intro: leadsTo_weaken)
  13.438  apply (blast intro: subset_imp_leadsTo)
  13.439  done
  13.440  
  13.441  
  13.442 -(*Alternative proof is via the lemma F : (A Int f-`(lessThan m)) leadsTo B*)
  13.443 +(*Alternative proof is via the lemma F \<in> (A \<inter> f-`(lessThan m)) leadsTo B*)
  13.444  lemma lessThan_induct: 
  13.445 -     "[| !!m::nat. F : (A Int f-`{m}) leadsTo ((A Int f-`{..m(}) Un B) |]  
  13.446 -      ==> F : A leadsTo B"
  13.447 +     "[| !!m::nat. F \<in> (A \<inter> f-`{m}) leadsTo ((A \<inter> f-`{..m(}) \<union> B) |]  
  13.448 +      ==> F \<in> A leadsTo B"
  13.449  apply (rule wf_less_than [THEN leadsTo_wf_induct])
  13.450  apply (simp (no_asm_simp))
  13.451  apply blast
  13.452  done
  13.453  
  13.454  lemma lessThan_bounded_induct:
  13.455 -     "!!l::nat. [| ALL m:(greaterThan l).     
  13.456 -            F : (A Int f-`{m}) leadsTo ((A Int f-`(lessThan m)) Un B) |]  
  13.457 -      ==> F : A leadsTo ((A Int (f-`(atMost l))) Un B)"
  13.458 +     "!!l::nat. [| \<forall>m \<in> greaterThan l.     
  13.459 +            F \<in> (A \<inter> f-`{m}) leadsTo ((A \<inter> f-`(lessThan m)) \<union> B) |]  
  13.460 +      ==> F \<in> A leadsTo ((A \<inter> (f-`(atMost l))) \<union> B)"
  13.461  apply (simp only: Diff_eq [symmetric] vimage_Compl Compl_greaterThan [symmetric])
  13.462  apply (rule wf_less_than [THEN bounded_induct])
  13.463  apply (simp (no_asm_simp))
  13.464  done
  13.465  
  13.466  lemma greaterThan_bounded_induct:
  13.467 -     "!!l::nat. [| ALL m:(lessThan l).     
  13.468 -            F : (A Int f-`{m}) leadsTo ((A Int f-`(greaterThan m)) Un B) |]  
  13.469 -      ==> F : A leadsTo ((A Int (f-`(atLeast l))) Un B)"
  13.470 +     "(!!l::nat. \<forall>m \<in> lessThan l.     
  13.471 +                 F \<in> (A \<inter> f-`{m}) leadsTo ((A \<inter> f-`(greaterThan m)) \<union> B))
  13.472 +      ==> F \<in> A leadsTo ((A \<inter> (f-`(atLeast l))) \<union> B)"
  13.473  apply (rule_tac f = f and f1 = "%k. l - k" 
  13.474         in wf_less_than [THEN wf_inv_image, THEN leadsTo_wf_induct])
  13.475  apply (simp (no_asm) add: inv_image_def Image_singleton)
  13.476  apply clarify
  13.477  apply (case_tac "m<l")
  13.478 -prefer 2 apply (blast intro: not_leE subset_imp_leadsTo)
  13.479 -apply (blast intro: leadsTo_weaken_R diff_less_mono2)
  13.480 + apply (blast intro: leadsTo_weaken_R diff_less_mono2)
  13.481 +apply (blast intro: not_leE subset_imp_leadsTo)
  13.482  done
  13.483  
  13.484  
  13.485  subsection{*wlt*}
  13.486  
  13.487  (*Misra's property W3*)
  13.488 -lemma wlt_leadsTo: "F : (wlt F B) leadsTo B"
  13.489 +lemma wlt_leadsTo: "F \<in> (wlt F B) leadsTo B"
  13.490  apply (unfold wlt_def)
  13.491  apply (blast intro!: leadsTo_Union)
  13.492  done
  13.493  
  13.494 -lemma leadsTo_subset: "F : A leadsTo B ==> A <= wlt F B"
  13.495 +lemma leadsTo_subset: "F \<in> A leadsTo B ==> A \<subseteq> wlt F B"
  13.496  apply (unfold wlt_def)
  13.497  apply (blast intro!: leadsTo_Union)
  13.498  done
  13.499  
  13.500  (*Misra's property W2*)
  13.501 -lemma leadsTo_eq_subset_wlt: "F : A leadsTo B = (A <= wlt F B)"
  13.502 +lemma leadsTo_eq_subset_wlt: "F \<in> A leadsTo B = (A \<subseteq> wlt F B)"
  13.503  by (blast intro!: leadsTo_subset wlt_leadsTo [THEN leadsTo_weaken_L])
  13.504  
  13.505  (*Misra's property W4*)
  13.506 -lemma wlt_increasing: "B <= wlt F B"
  13.507 +lemma wlt_increasing: "B \<subseteq> wlt F B"
  13.508  apply (simp (no_asm_simp) add: leadsTo_eq_subset_wlt [symmetric] subset_imp_leadsTo)
  13.509  done
  13.510  
  13.511  
  13.512  (*Used in the Trans case below*)
  13.513  lemma lemma1: 
  13.514 -   "[| B <= A2;   
  13.515 -       F : (A1 - B) co (A1 Un B);  
  13.516 -       F : (A2 - C) co (A2 Un C) |]  
  13.517 -    ==> F : (A1 Un A2 - C) co (A1 Un A2 Un C)"
  13.518 +   "[| B \<subseteq> A2;   
  13.519 +       F \<in> (A1 - B) co (A1 \<union> B);  
  13.520 +       F \<in> (A2 - C) co (A2 \<union> C) |]  
  13.521 +    ==> F \<in> (A1 \<union> A2 - C) co (A1 \<union> A2 \<union> C)"
  13.522  by (unfold constrains_def, clarify,  blast)
  13.523  
  13.524  (*Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress"*)
  13.525  lemma leadsTo_123:
  13.526 -     "F : A leadsTo A'  
  13.527 -      ==> EX B. A<=B & F : B leadsTo A' & F : (B-A') co (B Un A')"
  13.528 +     "F \<in> A leadsTo A'  
  13.529 +      ==> \<exists>B. A \<subseteq> B & F \<in> B leadsTo A' & F \<in> (B-A') co (B \<union> A')"
  13.530  apply (erule leadsTo_induct)
  13.531  (*Basis*)
  13.532  apply (blast dest: ensuresD)
  13.533  (*Trans*)
  13.534  apply clarify
  13.535 -apply (rule_tac x = "Ba Un Bb" in exI)
  13.536 +apply (rule_tac x = "Ba \<union> Bb" in exI)
  13.537  apply (blast intro: lemma1 leadsTo_Un_Un leadsTo_cancel1 leadsTo_Un_duplicate)
  13.538  (*Union*)
  13.539  apply (clarify dest!: ball_conj_distrib [THEN iffD1] bchoice)
  13.540 -apply (rule_tac x = "UN A:S. f A" in exI)
  13.541 +apply (rule_tac x = "\<Union>A \<in> S. f A" in exI)
  13.542  apply (auto intro: leadsTo_UN)
  13.543  (*Blast_tac says PROOF FAILED*)
  13.544 -apply (rule_tac I1=S and A1="%i. f i - B" and A'1="%i. f i Un B" 
  13.545 +apply (rule_tac I1=S and A1="%i. f i - B" and A'1="%i. f i \<union> B" 
  13.546         in constrains_UN [THEN constrains_weaken], auto) 
  13.547  done
  13.548  
  13.549  
  13.550  (*Misra's property W5*)
  13.551 -lemma wlt_constrains_wlt: "F : (wlt F B - B) co (wlt F B)"
  13.552 +lemma wlt_constrains_wlt: "F \<in> (wlt F B - B) co (wlt F B)"
  13.553  proof -
  13.554    from wlt_leadsTo [of F B, THEN leadsTo_123]
  13.555    show ?thesis
  13.556 @@ -527,28 +527,28 @@
  13.557  subsection{*Completion: Binary and General Finite versions*}
  13.558  
  13.559  lemma completion_lemma :
  13.560 -     "[| W = wlt F (B' Un C);      
  13.561 -       F : A leadsTo (A' Un C);  F : A' co (A' Un C);    
  13.562 -       F : B leadsTo (B' Un C);  F : B' co (B' Un C) |]  
  13.563 -    ==> F : (A Int B) leadsTo ((A' Int B') Un C)"
  13.564 -apply (subgoal_tac "F : (W-C) co (W Un B' Un C) ")
  13.565 +     "[| W = wlt F (B' \<union> C);      
  13.566 +       F \<in> A leadsTo (A' \<union> C);  F \<in> A' co (A' \<union> C);    
  13.567 +       F \<in> B leadsTo (B' \<union> C);  F \<in> B' co (B' \<union> C) |]  
  13.568 +    ==> F \<in> (A \<inter> B) leadsTo ((A' \<inter> B') \<union> C)"
  13.569 +apply (subgoal_tac "F \<in> (W-C) co (W \<union> B' \<union> C) ")
  13.570   prefer 2
  13.571   apply (blast intro: wlt_constrains_wlt [THEN [2] constrains_Un, 
  13.572                                           THEN constrains_weaken])
  13.573 -apply (subgoal_tac "F : (W-C) co W")
  13.574 +apply (subgoal_tac "F \<in> (W-C) co W")
  13.575   prefer 2
  13.576   apply (simp add: wlt_increasing Un_assoc Un_absorb2)
  13.577 -apply (subgoal_tac "F : (A Int W - C) leadsTo (A' Int W Un C) ")
  13.578 +apply (subgoal_tac "F \<in> (A \<inter> W - C) leadsTo (A' \<inter> W \<union> C) ")
  13.579   prefer 2 apply (blast intro: wlt_leadsTo psp [THEN leadsTo_weaken])
  13.580  (** LEVEL 6 **)
  13.581 -apply (subgoal_tac "F : (A' Int W Un C) leadsTo (A' Int B' Un C) ")
  13.582 +apply (subgoal_tac "F \<in> (A' \<inter> W \<union> C) leadsTo (A' \<inter> B' \<union> C) ")
  13.583   prefer 2
  13.584   apply (rule leadsTo_Un_duplicate2)
  13.585   apply (blast intro: leadsTo_Un_Un wlt_leadsTo
  13.586                           [THEN psp2, THEN leadsTo_weaken] leadsTo_refl)
  13.587  apply (drule leadsTo_Diff)
  13.588  apply (blast intro: subset_imp_leadsTo)
  13.589 -apply (subgoal_tac "A Int B <= A Int W")
  13.590 +apply (subgoal_tac "A \<inter> B \<subseteq> A \<inter> W")
  13.591   prefer 2
  13.592   apply (blast dest!: leadsTo_subset intro!: subset_refl [THEN Int_mono])
  13.593  apply (blast intro: leadsTo_Trans subset_imp_leadsTo)
  13.594 @@ -557,9 +557,9 @@
  13.595  lemmas completion = completion_lemma [OF refl]
  13.596  
  13.597  lemma finite_completion_lemma:
  13.598 -     "finite I ==> (ALL i:I. F : (A i) leadsTo (A' i Un C)) -->   
  13.599 -                   (ALL i:I. F : (A' i) co (A' i Un C)) -->  
  13.600 -                   F : (INT i:I. A i) leadsTo ((INT i:I. A' i) Un C)"
  13.601 +     "finite I ==> (\<forall>i \<in> I. F \<in> (A i) leadsTo (A' i \<union> C)) -->   
  13.602 +                   (\<forall>i \<in> I. F \<in> (A' i) co (A' i \<union> C)) -->  
  13.603 +                   F \<in> (\<Inter>i \<in> I. A i) leadsTo ((\<Inter>i \<in> I. A' i) \<union> C)"
  13.604  apply (erule finite_induct, auto)
  13.605  apply (rule completion)
  13.606     prefer 4
  13.607 @@ -569,15 +569,15 @@
  13.608  
  13.609  lemma finite_completion: 
  13.610       "[| finite I;   
  13.611 -         !!i. i:I ==> F : (A i) leadsTo (A' i Un C);  
  13.612 -         !!i. i:I ==> F : (A' i) co (A' i Un C) |]    
  13.613 -      ==> F : (INT i:I. A i) leadsTo ((INT i:I. A' i) Un C)"
  13.614 +         !!i. i \<in> I ==> F \<in> (A i) leadsTo (A' i \<union> C);  
  13.615 +         !!i. i \<in> I ==> F \<in> (A' i) co (A' i \<union> C) |]    
  13.616 +      ==> F \<in> (\<Inter>i \<in> I. A i) leadsTo ((\<Inter>i \<in> I. A' i) \<union> C)"
  13.617  by (blast intro: finite_completion_lemma [THEN mp, THEN mp])
  13.618  
  13.619  lemma stable_completion: 
  13.620 -     "[| F : A leadsTo A';  F : stable A';    
  13.621 -         F : B leadsTo B';  F : stable B' |]  
  13.622 -    ==> F : (A Int B) leadsTo (A' Int B')"
  13.623 +     "[| F \<in> A leadsTo A';  F \<in> stable A';    
  13.624 +         F \<in> B leadsTo B';  F \<in> stable B' |]  
  13.625 +    ==> F \<in> (A \<inter> B) leadsTo (A' \<inter> B')"
  13.626  apply (unfold stable_def)
  13.627  apply (rule_tac C1 = "{}" in completion [THEN leadsTo_weaken_R])
  13.628  apply (force+)
  13.629 @@ -585,9 +585,9 @@
  13.630  
  13.631  lemma finite_stable_completion: 
  13.632       "[| finite I;   
  13.633 -         !!i. i:I ==> F : (A i) leadsTo (A' i);  
  13.634 -         !!i. i:I ==> F : stable (A' i) |]    
  13.635 -      ==> F : (INT i:I. A i) leadsTo (INT i:I. A' i)"
  13.636 +         !!i. i \<in> I ==> F \<in> (A i) leadsTo (A' i);  
  13.637 +         !!i. i \<in> I ==> F \<in> stable (A' i) |]    
  13.638 +      ==> F \<in> (\<Inter>i \<in> I. A i) leadsTo (\<Inter>i \<in> I. A' i)"
  13.639  apply (unfold stable_def)
  13.640  apply (rule_tac C1 = "{}" in finite_completion [THEN leadsTo_weaken_R])
  13.641  apply (simp_all (no_asm_simp))