merged
authorblanchet
Wed Oct 21 16:57:57 2009 +0200 (2009-10-21)
changeset 330555a733f325939
parent 33054 dd1192a96968
parent 33052 6f071d92960b
child 33056 791a4655cae3
merged
src/HOL/Isar_examples/Basic_Logic.thy
src/HOL/Isar_examples/Cantor.thy
src/HOL/Isar_examples/Drinker.thy
src/HOL/Isar_examples/Expr_Compiler.thy
src/HOL/Isar_examples/Fibonacci.thy
src/HOL/Isar_examples/Group.thy
src/HOL/Isar_examples/Hoare.thy
src/HOL/Isar_examples/Hoare_Ex.thy
src/HOL/Isar_examples/Knaster_Tarski.thy
src/HOL/Isar_examples/Mutilated_Checkerboard.thy
src/HOL/Isar_examples/Nested_Datatype.thy
src/HOL/Isar_examples/Peirce.thy
src/HOL/Isar_examples/Puzzle.thy
src/HOL/Isar_examples/README.html
src/HOL/Isar_examples/ROOT.ML
src/HOL/Isar_examples/Summation.thy
src/HOL/Isar_examples/document/proof.sty
src/HOL/Isar_examples/document/root.bib
src/HOL/Isar_examples/document/root.tex
src/HOL/Isar_examples/document/style.tex
src/HOL/MetisExamples/Abstraction.thy
src/HOL/MetisExamples/BT.thy
src/HOL/MetisExamples/BigO.thy
src/HOL/MetisExamples/Message.thy
src/HOL/MetisExamples/ROOT.ML
src/HOL/MetisExamples/Tarski.thy
src/HOL/MetisExamples/TransClosure.thy
src/HOL/MetisExamples/set.thy
src/HOL/SET-Protocol/Cardholder_Registration.thy
src/HOL/SET-Protocol/EventSET.thy
src/HOL/SET-Protocol/Merchant_Registration.thy
src/HOL/SET-Protocol/MessageSET.thy
src/HOL/SET-Protocol/PublicSET.thy
src/HOL/SET-Protocol/Purchase.thy
src/HOL/SET-Protocol/ROOT.ML
src/HOL/SET-Protocol/document/root.tex
src/HOL/SMT/SMT_Definitions.thy
src/HOL/Tools/record.ML
src/HOL/Tools/refute.ML
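--- a/Admin/Benchmarks/HOL-datatype/IsaMakefile	Wed Oct 21 16:54:04 2009 +0200
+++ b/Admin/Benchmarks/HOL-datatype/IsaMakefile	Wed Oct 21 16:57:57 2009 +0200
@@ -20,13 +20,13 @@
 ## HOL-datatype
 
 HOL:
-	@cd $(SRC)/HOL; $(ISATOOL) make HOL
+	@cd $(SRC)/HOL; $(ISABELLE_TOOL) make HOL
 
 HOL-datatype: HOL $(LOG)/HOL-datatype.gz
 
 $(LOG)/HOL-datatype.gz: $(OUT)/HOLBrackin.thy Instructions.thy SML.thy \
   Verilog.thy
-	@cd ..; $(ISATOOL) usedir -s HOL-datatype $(OUT)/HOL HOL-datatype
+	@cd ..; $(ISABELLE_TOOL) usedir -s HOL-datatype $(OUT)/HOL HOL-datatype
 
 
 ## clean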
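Review bot: Both rewritten recipes still join `cd` and the tool call with `;`, so if `$(SRC)/HOL` or `..` cannot be entered the `$(ISABELLE_TOOL)` command runs in the original directory anyway, and the `@` prefix hides which command it was. Use `&&` so a failed `cd` stops the recipe: `@cd $(SRC)/HOL && $(ISABELLE_TOOL) make HOL` and `@cd .. && $(ISABELLE_TOOL) usedir -s HOL-datatype $(OUT)/HOL HOL-datatype`. The `HOL` and `HOL-datatype` targets look like commands rather than files the recipes create, so they presumably belong in a `.PHONY:` declaration; whether one exists elsewhere in the file is not visible in this hunk.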
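--- a/Admin/isatest/isatest-makedist	Wed Oct 21 16:54:04 2009 +0200
+++ b/Admin/isatest/isatest-makedist	Wed Oct 21 16:57:57 2009 +0200
@@ -91,7 +91,7 @@
 
 ## spawn test runs
 
-$SSH sunbroy2 "$MAKEALL $HOME/settings/sun-poly"
+#$SSH sunbroy2 "$MAKEALL $HOME/settings/sun-poly"
 # give test some time to copy settings and start
 sleep 15
 $SSH macbroy22 "$MAKEALL $HOME/settings/at-poly"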
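Review bot: The `sunbroy2` spawn is commented out rather than removed, and the comment `# give test some time to copy settings and start` together with the following `sleep 15` now refer to a run that no longer starts, so the script idles for 15 seconds before the first remaining `macbroy22` spawn. If the host is gone for good, delete the line and move the sleep after the first spawn that still runs; if it is only disabled temporarily, record that on the comment, e.g. `# sunbroy2 disabled: <reason> -- re-enable when <condition>`. The enclosing script continues outside the hunk.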
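--- a/Admin/isatest/isatest-stats	Wed Oct 21 16:54:04 2009 +0200
+++ b/Admin/isatest/isatest-stats	Wed Oct 21 16:57:57 2009 +0200
@@ -21,13 +21,13 @@
   HOL-HoareParallel \
   HOL-Lambda \
   HOL-Library \
-  HOL-MetisExamples \
+  HOL-Metis_Examples \
   HOL-MicroJava \
   HOL-NSA \
   HOL-Nominal-Examples \
   HOL-Number_Theory \
   HOL-Old_Number_Theory \
-  HOL-SET-Protocol \
+  HOL-SET_Protocol \
   HOL-UNITY \
   HOL-Word \
   HOL-ex \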
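--- a/CONTRIBUTORS	Wed Oct 21 16:54:04 2009 +0200
+++ b/CONTRIBUTORS	Wed Oct 21 16:57:57 2009 +0200
@@ -7,6 +7,15 @@
 Contributions to this Isabelle version
 --------------------------------------
 
+* October 2009: Sascha Boehme, TUM
+  Extension of SMT method: proof-reconstruction for the SMT solver Z3
+
+* October 2009: Florian Haftmann, TUM
+  Refinement of parts of the HOL datatype package
+
+* October 2009: Florian Haftmann, TUM
+  Generic term styles for term antiquotations
+
 * September 2009: Thomas Sewell, NICTA
   More efficient HOL/record implementation
 
@@ -14,7 +23,7 @@
   SMT method using external SMT solvers
 
 * September 2009: Florian Haftmann, TUM
-  Refinement of Sets and Lattices
+  Refinement of sets and lattices
 
 * July 2009: Jeremy Avigad and Amine Chaieb
   New number theory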
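--- a/NEWS	Wed Oct 21 16:54:04 2009 +0200
+++ b/NEWS	Wed Oct 21 16:57:57 2009 +0200
@@ -23,6 +23,9 @@
 to print all interpretations of locale l in the theory.  Interpretations
 in proofs are not shown.
 
+* Thoroughly revised locales tutorial.  New section on conditional
+interpretation.
+
 
 *** document preparation ***
 
@@ -43,7 +46,9 @@
 arithmetic, and fixed-size bitvectors; there is also basic
 support for higher-order features (esp. lambda abstractions).
 It is an incomplete decision procedure based on external SMT
-solvers using the oracle mechanism.
+solvers using the oracle mechanism; for the SMT solver Z3,
+this method is proof-producing. Certificates are provided to
+avoid calling the external solvers solely for re-checking proofs.
 
 * Reorganization of number theory:
   * former session NumberTheory now named Old_Number_Theory
@@ -79,8 +84,10 @@
 works well in practice on quantifier-free real arithmetic with +, -,
 *, ^, =, <= and <, i.e. boolean combinations of equalities and
 inequalities between polynomials. It makes use of external
-semidefinite programming solvers.  For more information and examples
-see src/HOL/Library/Sum_Of_Squares.
+semidefinite programming solvers. Method "sos" generates a certificate
+that can be pasted into the proof thus avoiding the need to call an external
+tool every time the proof is checked.
+For more information and examples see src/HOL/Library/Sum_Of_Squares.
 
 * Code generator attributes follow the usual underscore convention:
     code_unfold     replaces    code unfold
@@ -146,6 +153,10 @@
 this.  Fix using O_assoc[symmetric].  The same applies to the curried
 version "R OO S".
 
+* Function "Inv" is renamed to "inv_onto" and function "inv" is now an
+abbreviation for "inv_onto UNIV". Lemmas are renamed accordingly.
+INCOMPATIBILITY.
+
 * ML antiquotation @{code_datatype} inserts definition of a datatype
 generated by the code generator; see Predicate.thy for an example.
 
@@ -202,6 +213,9 @@
 
 *** ML ***
 
+* Removed some old-style infix operations using polymorphic equality.
+INCOMPATIBILITY.
+
 * Structure Synchronized (cf. src/Pure/Concurrent/synchronized.ML)
 provides a high-level programming interface to synchronized state
 variables with atomic update.  This works via pure function
@@ -250,6 +264,9 @@
 Syntax.pretty_typ/term directly, preferably with proper context
 instead of global theory.
 
+* Operations of structure Skip_Proof (formerly SkipProof) no longer
+require quick_and_dirty mode, which avoids critical setmp.
+
 
 *** System ***
 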
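--- a/doc-src/Intro/bool.thy	Wed Oct 21 16:54:04 2009 +0200
+++ b/doc-src/Intro/bool.thy	Wed Oct 21 16:57:57 2009 +0200
@@ -1,5 +1,5 @@
 Bool = FOL +
-types 	bool 0
-arities bool 	:: term
-consts tt,ff	:: "bool"
+types   bool 0
+arities bool    :: term
+consts tt,ff    :: "bool"
 end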
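--- a/doc-src/Intro/list.thy	Wed Oct 21 16:54:04 2009 +0200
+++ b/doc-src/Intro/list.thy	Wed Oct 21 16:57:57 2009 +0200
@@ -1,6 +1,6 @@
 List = FOL +
-types 	list 1
-arities list	:: (term)term
-consts	Nil	:: "'a list"
-   	Cons	:: "['a, 'a list] => 'a list" 
+types   list 1
+arities list    :: (term)term
+consts  Nil     :: "'a list"
+        Cons    :: "['a, 'a list] => 'a list" 
 end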
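--- a/doc-src/IsarImplementation/Thy/ML.thy	Wed Oct 21 16:54:04 2009 +0200
+++ b/doc-src/IsarImplementation/Thy/ML.thy	Wed Oct 21 16:57:57 2009 +0200
@@ -229,7 +229,7 @@
   view being presented to the user.
 
   Occasionally, such global process flags are treated like implicit
-  arguments to certain operations, by using the @{ML setmp} combinator
+  arguments to certain operations, by using the @{ML setmp_CRITICAL} combinator
   for safe temporary assignment.  Its traditional purpose was to
   ensure proper recovery of the original value when exceptions are
   raised in the body, now the functionality is extended to enter the
@@ -237,7 +237,7 @@
   parallelism).
 
   Note that recovery of plain value passing semantics via @{ML
-  setmp}~@{text "ref value"} assumes that this @{text "ref"} is
+  setmp_CRITICAL}~@{text "ref value"} assumes that this @{text "ref"} is
   exclusively manipulated within the critical section.  In particular,
   any persistent global assignment of @{text "ref := value"} needs to
   be marked critical as well, to prevent intruding another threads
@@ -258,7 +258,7 @@
   \begin{mldecls}
   @{index_ML NAMED_CRITICAL: "string -> (unit -> 'a) -> 'a"} \\
   @{index_ML CRITICAL: "(unit -> 'a) -> 'a"} \\
-  @{index_ML setmp: "'a Unsynchronized.ref -> 'a -> ('b -> 'c) -> 'b -> 'c"} \\
+  @{index_ML setmp_CRITICAL: "'a Unsynchronized.ref -> 'a -> ('b -> 'c) -> 'b -> 'c"} \\
   \end{mldecls}
 
   \begin{description}
@@ -272,7 +272,7 @@
   \item @{ML CRITICAL} is the same as @{ML NAMED_CRITICAL} with empty
   name argument.
 
-  \item @{ML setmp}~@{text "ref value f x"} evaluates @{text "f x"}
+  \item @{ML setmp_CRITICAL}~@{text "ref value f x"} evaluates @{text "f x"}
   while staying within the critical section and having @{text "ref :=
   value"} assigned temporarily.  This recovers a value-passing
   semantics involving global references, regardless of exceptions or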
     9.1 --- a/doc-src/Locales/Locales/Examples.thy	Wed Oct 21 16:54:04 2009 +0200
     9.2 +++ b/doc-src/Locales/Locales/Examples.thy	Wed Oct 21 16:57:57 2009 +0200
     9.3 @@ -1,5 +1,5 @@
     9.4  theory Examples
     9.5 -imports Main GCD
     9.6 +imports Main
     9.7  begin
     9.8  
     9.9  hide %invisible const Lattices.lattice
    9.10 @@ -12,9 +12,9 @@
    9.11    primitives are universal quantification (@{text "\<And>"}), entailment
    9.12    (@{text "\<Longrightarrow>"}) and equality (@{text "\<equiv>"}).  Variables (not bound
    9.13    variables) are sometimes preceded by a question mark.  The logic is
    9.14 -  typed.  Type variables are denoted by @{text "'a"}, @{text "'b"}
    9.15 -  etc., and @{text "\<Rightarrow>"} is the function type.  Double brackets @{text
    9.16 -  "\<lbrakk>"} and @{text "\<rbrakk>"} are used to abbreviate nested entailment.
    9.17 +  typed.  Type variables are denoted by~@{text "'a"},~@{text "'b"}
    9.18 +  etc., and~@{text "\<Rightarrow>"} is the function type.  Double brackets~@{text
    9.19 +  "\<lbrakk>"} and~@{text "\<rbrakk>"} are used to abbreviate nested entailment.
    9.20  *}
    9.21  *)
    9.22  
    9.23 @@ -26,25 +26,27 @@
    9.24  \[
    9.25    @{text "\<And>x\<^sub>1\<dots>x\<^sub>n. \<lbrakk> A\<^sub>1; \<dots> ;A\<^sub>m \<rbrakk> \<Longrightarrow> \<dots>"}
    9.26  \]
    9.27 -  where variables @{text "x\<^sub>1"}, \ldots, @{text "x\<^sub>n"} are called
    9.28 -  \emph{parameters} and the premises $@{text "A\<^sub>1"}, \ldots,
    9.29 -  @{text "A\<^sub>m"}$ \emph{assumptions}.  A formula @{text "C"}
    9.30 +  where variables~@{text "x\<^sub>1"}, \ldots,~@{text "x\<^sub>n"} are called
    9.31 +  \emph{parameters} and the premises $@{text "A\<^sub>1"}, \ldots,~@{text
    9.32 +  "A\<^sub>m"}$ \emph{assumptions}.  A formula~@{text "C"}
    9.33    is a \emph{theorem} in the context if it is a conclusion
    9.34  \[
    9.35 -%\label{eq-fact-in-context}
    9.36    @{text "\<And>x\<^sub>1\<dots>x\<^sub>n. \<lbrakk> A\<^sub>1; \<dots> ;A\<^sub>m \<rbrakk> \<Longrightarrow> C"}.
    9.37  \]
    9.38    Isabelle/Isar's notion of context goes beyond this logical view.
    9.39    Its contexts record, in a consecutive order, proved
    9.40 -  conclusions along with attributes, which
    9.41 -  may control proof procedures.  Contexts also contain syntax information
    9.42 -  for parameters and for terms depending on them.
    9.43 +  conclusions along with \emph{attributes}, which can provide context
    9.44 +  specific configuration information for proof procedures and concrete
    9.45 +  syntax.  From a logical perspective, locales are just contexts that
    9.46 +  have been made persistent.  To the user, though, they provide
    9.47 +  powerful means for declaring and combining contexts, and for the
    9.48 +  reuse of theorems proved in these contexts.
    9.49    *}
    9.50  
    9.51  section {* Simple Locales *}
    9.52  
    9.53  text {*
    9.54 -  Locales can be seen as persistent contexts.  In its simplest form, a
    9.55 +  In its simplest form, a
    9.56    \emph{locale declaration} consists of a sequence of context elements
    9.57    declaring parameters (keyword \isakeyword{fixes}) and assumptions
    9.58    (keyword \isakeyword{assumes}).  The following is the specification of
    9.59 @@ -57,22 +59,67 @@
    9.60        and anti_sym [intro]: "\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> x \<rbrakk> \<Longrightarrow> x = y"
    9.61        and trans [trans]: "\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z"
    9.62  
    9.63 -text {* The parameter of this locale is @{term le}, with infix syntax
    9.64 -  @{text \<sqsubseteq>}.  There is an implicit type parameter @{typ "'a"}.  It
    9.65 -  is not necessary to declare parameter types: most general types will
    9.66 -  be inferred from the context elements for all parameters.
    9.67 +text (in partial_order) {* The parameter of this locale is~@{text le},
    9.68 +  which is a binary predicate with infix syntax~@{text \<sqsubseteq>}.  The
    9.69 +  parameter syntax is available in the subsequent
    9.70 +  assumptions, which are the familiar partial order axioms.
    9.71 +
    9.72 +  Isabelle recognises unbound names as free variables.  In locale
    9.73 +  assumptions, these are implicitly universally quantified.  That is,
    9.74 +  @{term "\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z"} in fact means
    9.75 +  @{term "\<And>x y z. \<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z"}.
    9.76  
    9.77 -  The above declaration not only introduces the locale, it also
    9.78 -  defines the \emph{locale predicate} @{term partial_order} with
    9.79 -  definition @{thm [source] partial_order_def}:
    9.80 +  Two commands are provided to inspect locales:
    9.81 +  \isakeyword{print\_locales} lists the names of all locales of the
    9.82 +  current theory; \isakeyword{print\_locale}~$n$ prints the parameters
    9.83 +  and assumptions of locale $n$; the variation \isakeyword{print\_locale!}~$n$
    9.84 +  additionally outputs the conclusions that are stored in the locale.
    9.85 +  We may inspect the new locale
    9.86 +  by issuing \isakeyword{print\_locale!} @{term partial_order}.  The output
    9.87 +  is the following list of context elements.
    9.88 +\begin{small}
    9.89 +\begin{alltt}
    9.90 +  \isakeyword{fixes} le :: "'a \(\Rightarrow\) 'a \(\Rightarrow\)  bool" (\isakeyword{infixl} "\(\sqsubseteq\)" 50)
    9.91 +  \isakeyword{assumes} "partial_order op \(\sqsubseteq\)"
    9.92 +  \isakeyword{notes} assumption
    9.93 +    refl [intro, simp] = `?x \(\sqsubseteq\) ?x`
    9.94 +    \isakeyword{and}
    9.95 +    anti_sym [intro] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?x\(\isasymrbrakk\) \(\Longrightarrow\) ?x = ?y`
    9.96 +    \isakeyword{and}
    9.97 +    trans [trans] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?z\(\isasymrbrakk\) \(\Longrightarrow\) ?x \(\sqsubseteq\) ?z`
    9.98 +\end{alltt}
    9.99 +\end{small}
   9.100 +  The keyword \isakeyword{notes} denotes a conclusion element.  There
   9.101 +  is one conclusion, which was added automatically.  Instead, there is
   9.102 +  only one assumption, namely @{term "partial_order le"}.  The locale
   9.103 +  declaration has introduced the predicate @{term
   9.104 +  partial_order} to the theory.  This predicate is the
   9.105 +  \emph{locale predicate}.  Its definition may be inspected by
   9.106 +  issuing \isakeyword{thm} @{thm [source] partial_order_def}.
   9.107    @{thm [display, indent=2] partial_order_def}
   9.108 +  In our example, this is a unary predicate over the parameter of the
   9.109 +  locale.  It is equivalent to the original assumptions, which have
   9.110 +  been turned into conclusions and are
   9.111 +  available as theorems in the context of the locale.  The names and
   9.112 +  attributes from the locale declaration are associated to these
   9.113 +  theorems and are effective in the context of the locale.
   9.114  
   9.115 +  Each conclusion has a \emph{foundational theorem} as counterpart
   9.116 +  in the theory.  Technically, this is simply the theorem composed
   9.117 +  of context and conclusion.  For the transitivity theorem, this is
   9.118 +  @{thm [source] partial_order.trans}:
   9.119 +  @{thm [display, indent=2] partial_order_def}
   9.120 +*}
   9.121 +
   9.122 +subsection {* Targets: Extending Locales *}
   9.123 +
   9.124 +text {*
   9.125    The specification of a locale is fixed, but its list of conclusions
   9.126    may be extended through Isar commands that take a \emph{target} argument.
   9.127    In the following, \isakeyword{definition} and 
   9.128    \isakeyword{theorem} are illustrated.
   9.129    Table~\ref{tab:commands-with-target} lists Isar commands that accept
   9.130 -  a target.  There are various ways of specifying the target.  A
   9.131 +  a target.  Isar provides various ways of specifying the target.  A
   9.132    target for a single command may be indicated with keyword
   9.133    \isakeyword{in} in the following way:
   9.134  
   9.135 @@ -101,33 +148,39 @@
   9.136      less :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infixl "\<sqsubset>" 50)
   9.137      where "(x \<sqsubset> y) = (x \<sqsubseteq> y \<and> x \<noteq> y)"
   9.138  
   9.139 -text {* A definition in a locale depends on the locale parameters.
   9.140 -  Here, a global constant @{term partial_order.less} is declared, which is lifted over the
   9.141 -  locale parameter @{term le}.  Its definition is the global theorem
   9.142 -  @{thm [source] partial_order.less_def}:
   9.143 +text (in partial_order) {* The strict order @{text less} with infix
   9.144 +  syntax~@{text \<sqsubset>} is
   9.145 +  defined in terms of the locale parameter~@{text le} and the general
   9.146 +  equality of the object logic we work in.  The definition generates a
   9.147 +  \emph{foundational constant}
   9.148 +  @{term partial_order.less} with definition @{thm [source]
   9.149 +  partial_order.less_def}:
   9.150    @{thm [display, indent=2] partial_order.less_def}
   9.151    At the same time, the locale is extended by syntax transformations
   9.152 -  hiding this construction in the context of the locale.  That is,
   9.153 -  @{term "partial_order.less le"} is printed and parsed as infix
   9.154 -  @{text \<sqsubset>}. *}
   9.155 +  hiding this construction in the context of the locale.  Here, the
   9.156 +  abbreviation @{text less} is available for
   9.157 +  @{text "partial_order.less le"}, and it is printed
   9.158 +  and parsed as infix~@{text \<sqsubset>}.  Finally, the conclusion @{thm [source]
   9.159 +  less_def} is added to the locale:
   9.160 +  @{thm [display, indent=2] less_def}
   9.161 +*}
   9.162  
   9.163 -text (in partial_order) {* Finally, the conclusion of the definition
   9.164 -  is added to the locale, @{thm [source] less_def}:
   9.165 -  @{thm [display, indent=2] less_def}
   9.166 -  *}
   9.167 -
   9.168 -text {* As an example of a theorem statement in the locale, here is the
   9.169 -  derivation of a transitivity law. *}
   9.170 +text {* The treatment of theorem statements is more straightforward.
   9.171 +  As an example, here is the derivation of a transitivity law for the
   9.172 +  strict order relation. *}
   9.173  
   9.174    lemma (in partial_order) less_le_trans [trans]:
   9.175      "\<lbrakk> x \<sqsubset> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubset> z"
   9.176      unfolding %visible less_def by %visible (blast intro: trans)
   9.177  
   9.178 -text {* In the context of the proof, assumptions and theorems of the
   9.179 -  locale may be used.  Attributes are effective: @{text anti_sym} was
   9.180 +text {* In the context of the proof, conclusions of the
   9.181 +  locale may be used like theorems.  Attributes are effective: @{text
   9.182 +  anti_sym} was
   9.183    declared as introduction rule, hence it is in the context's set of
   9.184    rules used by the classical reasoner by default.  *}
   9.185  
   9.186 +subsection {* Context Blocks *}
   9.187 +
   9.188  text {* When working with locales, sequences of commands with the same
   9.189    target are frequent.  A block of commands, delimited by
   9.190    \isakeyword{begin} and \isakeyword{end}, makes a theory-like style
   9.191 @@ -139,7 +192,7 @@
   9.192  
   9.193    This style of working is illustrated in the block below, where
   9.194    notions of infimum and supremum for partial orders are introduced,
   9.195 -  together with theorems.  *}
   9.196 +  together with theorems about their uniqueness.  *}
   9.197  
   9.198    context partial_order begin
   9.199  
   9.200 @@ -164,20 +217,20 @@
   9.201      by (unfold is_inf_def) blast
   9.202  
   9.203    theorem is_inf_uniq: "\<lbrakk>is_inf x y i; is_inf x y i'\<rbrakk> \<Longrightarrow> i = i'"
   9.204 -  proof -
   9.205 +    proof -
   9.206      assume inf: "is_inf x y i"
   9.207      assume inf': "is_inf x y i'"
   9.208      show ?thesis
   9.209      proof (rule anti_sym)
   9.210        from inf' show "i \<sqsubseteq> i'"
   9.211        proof (rule is_inf_greatest)
   9.212 -	from inf show "i \<sqsubseteq> x" ..
   9.213 -	from inf show "i \<sqsubseteq> y" ..
   9.214 +        from inf show "i \<sqsubseteq> x" ..
   9.215 +        from inf show "i \<sqsubseteq> y" ..
   9.216        qed
   9.217        from inf show "i' \<sqsubseteq> i"
   9.218        proof (rule is_inf_greatest)
   9.219 -	from inf' show "i' \<sqsubseteq> x" ..
   9.220 -	from inf' show "i' \<sqsubseteq> y" ..
   9.221 +        from inf' show "i' \<sqsubseteq> x" ..
   9.222 +        from inf' show "i' \<sqsubseteq> y" ..
   9.223        qed
   9.224      qed
   9.225    qed
   9.226 @@ -206,20 +259,20 @@
   9.227      by (unfold is_sup_def) blast
   9.228  
   9.229    theorem is_sup_uniq: "\<lbrakk>is_sup x y s; is_sup x y s'\<rbrakk> \<Longrightarrow> s = s'"
   9.230 -  proof -
   9.231 +    proof -
   9.232      assume sup: "is_sup x y s"
   9.233      assume sup': "is_sup x y s'"
   9.234      show ?thesis
   9.235      proof (rule anti_sym)
   9.236        from sup show "s \<sqsubseteq> s'"
   9.237        proof (rule is_sup_least)
   9.238 -	from sup' show "x \<sqsubseteq> s'" ..
   9.239 -	from sup' show "y \<sqsubseteq> s'" ..
   9.240 +        from sup' show "x \<sqsubseteq> s'" ..
   9.241 +        from sup' show "y \<sqsubseteq> s'" ..
   9.242        qed
   9.243        from sup' show "s' \<sqsubseteq> s"
   9.244        proof (rule is_sup_least)
   9.245 -	from sup show "x \<sqsubseteq> s" ..
   9.246 -	from sup show "y \<sqsubseteq> s" ..
   9.247 +        from sup show "x \<sqsubseteq> s" ..
   9.248 +        from sup show "y \<sqsubseteq> s" ..
   9.249        qed
   9.250      qed
   9.251    qed
   9.252 @@ -238,17 +291,12 @@
   9.253  
   9.254    end
   9.255  
   9.256 -text {* Two commands are provided to inspect locales:
   9.257 -  \isakeyword{print\_locales} lists the names of all locales of the
   9.258 -  current theory; \isakeyword{print\_locale}~$n$ prints the parameters
   9.259 -  and assumptions of locale $n$; \isakeyword{print\_locale!}~$n$
   9.260 -  additionally outputs the conclusions.
   9.261 -
   9.262 -  The syntax of the locale commands discussed in this tutorial is
   9.263 -  shown in Table~\ref{tab:commands}.  The grammer is complete with the
   9.264 -  exception of additional context elements not discussed here.  See the
   9.265 -  Isabelle/Isar Reference Manual~\cite{IsarRef}
   9.266 -  for full documentation.  *}
   9.267 +text {* The syntax of the locale commands discussed in this tutorial is
   9.268 +  shown in Table~\ref{tab:commands}.  The grammar is complete with the
   9.269 +  exception of the context elements \isakeyword{constrains} and
   9.270 +  \isakeyword{defines}, which are provided for backward
   9.271 +  compatibility.  See the Isabelle/Isar Reference
   9.272 +  Manual~\cite{IsarRef} for full documentation.  *}
   9.273  
   9.274  
   9.275  section {* Import \label{sec:import} *}
   9.276 @@ -257,11 +305,13 @@
   9.277    Algebraic structures are commonly defined by adding operations and
   9.278    properties to existing structures.  For example, partial orders
   9.279    are extended to lattices and total orders.  Lattices are extended to
   9.280 -  distributive lattices.
   9.281 +  distributive lattices. *}
   9.282  
   9.283 -  With locales, this inheritance is achieved through \emph{import} of a
   9.284 -  locale.  Import is a separate entity in the locale declaration.  If
   9.285 -  present, it precedes the context elements.
   9.286 +text {*
   9.287 +  With locales, this kind of inheritance is achieved through
   9.288 +  \emph{import} of locales.  The import part of a locale declaration,
   9.289 +  if present, precedes the context elements.  Here is an example,
   9.290 +  where partial orders are extended to lattices.
   9.291    *}
   9.292  
   9.293    locale lattice = partial_order +
   9.294 @@ -270,12 +320,11 @@
   9.295    begin
   9.296  
   9.297  text {* These assumptions refer to the predicates for infimum
   9.298 -  and supremum defined in @{text partial_order}.  We may now introduce
   9.299 -  the notions of meet and join.  *}
   9.300 +  and supremum defined for @{text partial_order} in the previous
   9.301 +  section.  We now introduce the notions of meet and join.  *}
   9.302  
   9.303    definition
   9.304      meet (infixl "\<sqinter>" 70) where "x \<sqinter> y = (THE inf. is_inf x y inf)"
   9.305 -
   9.306    definition
   9.307      join (infixl "\<squnion>" 65) where "x \<squnion> y = (THE sup. is_sup x y sup)"
   9.308  
   9.309 @@ -346,9 +395,9 @@
   9.310        show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> x" ..
   9.311        show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> y"
   9.312        proof -
   9.313 -	have "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> y \<sqinter> z" ..
   9.314 -	also have "\<dots> \<sqsubseteq> y" ..
   9.315 -	finally show ?thesis .
   9.316 +        have "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> y \<sqinter> z" ..
   9.317 +        also have "\<dots> \<sqsubseteq> y" ..
   9.318 +        finally show ?thesis .
   9.319        qed
   9.320      qed
   9.321      show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> z"
   9.322 @@ -362,19 +411,19 @@
   9.323      proof
   9.324        show "w \<sqsubseteq> x"
   9.325        proof -
   9.326 -	have "w \<sqsubseteq> x \<sqinter> y" by fact
   9.327 -	also have "\<dots> \<sqsubseteq> x" ..
   9.328 -	finally show ?thesis .
   9.329 +        have "w \<sqsubseteq> x \<sqinter> y" by fact
   9.330 +        also have "\<dots> \<sqsubseteq> x" ..
   9.331 +        finally show ?thesis .
   9.332        qed
   9.333        show "w \<sqsubseteq> y \<sqinter> z"
   9.334        proof
   9.335 -	show "w \<sqsubseteq> y"
   9.336 -	proof -
   9.337 -	  have "w \<sqsubseteq> x \<sqinter> y" by fact
   9.338 -	  also have "\<dots> \<sqsubseteq> y" ..
   9.339 -	  finally show ?thesis .
   9.340 -	qed
   9.341 -	show "w \<sqsubseteq> z" by fact
   9.342 +        show "w \<sqsubseteq> y"
   9.343 +        proof -
   9.344 +          have "w \<sqsubseteq> x \<sqinter> y" by fact
   9.345 +          also have "\<dots> \<sqsubseteq> y" ..
   9.346 +          finally show ?thesis .
   9.347 +        qed
   9.348 +        show "w \<sqsubseteq> z" by fact
   9.349        qed
   9.350      qed
   9.351    qed
   9.352 @@ -402,9 +451,9 @@
   9.353        show "x \<sqsubseteq> x \<squnion> (y \<squnion> z)" ..
   9.354        show "y \<sqsubseteq> x \<squnion> (y \<squnion> z)"
   9.355        proof -
   9.356 -	have "y \<sqsubseteq> y \<squnion> z" ..
   9.357 -	also have "... \<sqsubseteq> x \<squnion> (y \<squnion> z)" ..
   9.358 -	finally show ?thesis .
   9.359 +        have "y \<sqsubseteq> y \<squnion> z" ..
   9.360 +        also have "... \<sqsubseteq> x \<squnion> (y \<squnion> z)" ..
   9.361 +        finally show ?thesis .
   9.362        qed
   9.363      qed
   9.364      show "z \<sqsubseteq> x \<squnion> (y \<squnion> z)"
   9.365 @@ -418,19 +467,19 @@
   9.366      proof
   9.367        show "x \<sqsubseteq> w"
   9.368        proof -
   9.369 -	have "x \<sqsubseteq> x \<squnion> y" ..
   9.370 -	also have "\<dots> \<sqsubseteq> w" by fact
   9.371 -	finally show ?thesis .
   9.372 +        have "x \<sqsubseteq> x \<squnion> y" ..
   9.373 +        also have "\<dots> \<sqsubseteq> w" by fact
   9.374 +        finally show ?thesis .
   9.375        qed
   9.376        show "y \<squnion> z \<sqsubseteq> w"
   9.377        proof
   9.378 -	show "y \<sqsubseteq> w"
   9.379 -	proof -
   9.380 -	  have "y \<sqsubseteq> x \<squnion> y" ..
   9.381 -	  also have "... \<sqsubseteq> w" by fact
   9.382 -	  finally show ?thesis .
   9.383 -	qed
   9.384 -	show "z \<sqsubseteq> w" by fact
   9.385 +        show "y \<sqsubseteq> w"
   9.386 +        proof -
   9.387 +          have "y \<sqsubseteq> x \<squnion> y" ..
   9.388 +          also have "... \<sqsubseteq> w" by fact
   9.389 +          finally show ?thesis .
   9.390 +        qed
   9.391 +        show "z \<sqsubseteq> w" by fact
   9.392        qed
   9.393      qed
   9.394    qed
   9.395 @@ -518,8 +567,10 @@
   9.396  
   9.397    end
   9.398  
   9.399 -text {* Locales for total orders and distributive lattices follow.
   9.400 -  Each comes with an example theorem. *}
   9.401 +text {* Locales for total orders and distributive lattices follow to
   9.402 +  establish a sufficiently rich landscape of locales for
   9.403 +  further examples in this tutorial.  Each comes with an example
   9.404 +  theorem. *}
   9.405  
   9.406    locale total_order = partial_order +
   9.407      assumes total: "x \<sqsubseteq> y \<or> y \<sqsubseteq> x"
   9.408 @@ -543,12 +594,13 @@
   9.409    qed
   9.410  
   9.411  text {*
   9.412 -  The locale hierachy obtained through these declarations is shown in Figure~\ref{fig:lattices}(a).
   9.413 +  The locale hierarchy obtained through these declarations is shown in
   9.414 +  Figure~\ref{fig:lattices}(a).
   9.415  
   9.416  \begin{figure}
   9.417  \hrule \vspace{2ex}
   9.418  \begin{center}
   9.419 -\subfigure[Declared hierachy]{
   9.420 +\subfigure[Declared hierarchy]{
   9.421  \begin{tikzpicture}
   9.422    \node (po) at (0,0) {@{text partial_order}};
   9.423    \node (lat) at (-1.5,-1) {@{text lattice}};
   9.424 @@ -594,21 +646,50 @@
   9.425    \label{sec:changing-the-hierarchy} *}
   9.426  
   9.427  text {*
   9.428 -  Total orders are lattices.  Hence, by deriving the lattice
   9.429 -  axioms for total orders, the hierarchy may be changed
   9.430 -  and @{text lattice} be placed between @{text partial_order}
   9.431 -  and @{text total_order}, as shown in Figure~\ref{fig:lattices}(b).
   9.432 -  Changes to the locale hierarchy may be declared
   9.433 -  with the \isakeyword{sublocale} command. *}
   9.434 +  Locales enable to prove theorems abstractly, relative to
   9.435 +  sets of assumptions.  These theorems can then be used in other
   9.436 +  contexts where the assumptions themselves, or
   9.437 +  instances of the assumptions, are theorems.  This form of theorem
   9.438 +  reuse is called \emph{interpretation}.  Locales generalise
   9.439 +  interpretation from theorems to conclusions, enabling the reuse of
   9.440 +  definitions and other constructs that are not part of the
   9.441 +  specifications of the locales.
   9.442 +
   9.443 +  The first from of interpretation we will consider in this tutorial
   9.444 +  is provided by the \isakeyword{sublocale} command.  It enables to
   9.445 +  modify the import hierarchy to reflect the \emph{logical} relation
   9.446 +  between locales.
   9.447 +
   9.448 +  Consider the locale hierarchy from Figure~\ref{fig:lattices}(a).
   9.449 +  Total orders are lattices, although this is not reflected here, and
   9.450 +  definitions, theorems and other conclusions
   9.451 +  from @{term lattice} are not available in @{term total_order}.  To
   9.452 +  obtain the situation in Figure~\ref{fig:lattices}(b), it is
   9.453 +  sufficient to add the conclusions of the latter locale to the former.
   9.454 +  The \isakeyword{sublocale} command does exactly this.
   9.455 +  The declaration \isakeyword{sublocale} $l_1
   9.456 +  \subseteq l_2$ causes locale $l_2$ to be \emph{interpreted} in the
   9.457 +  context of $l_1$.  This means that all conclusions of $l_2$ are made
   9.458 +  available in $l_1$.
   9.459 +
   9.460 +  Of course, the change of hierarchy must be supported by a theorem
   9.461 +  that reflects, in our example, that total orders are indeed
   9.462 +  lattices.  Therefore the \isakeyword{sublocale} command generates a
   9.463 +  goal, which must be discharged by the user.  This is illustrated in
   9.464 +  the following paragraphs.  First the sublocale relation is stated.
   9.465 +*}
   9.466  
   9.467    sublocale %visible total_order \<subseteq> lattice
   9.468  
   9.469 -txt {* This enters the context of locale @{text total_order}, in
   9.470 -  which the goal @{subgoals [display]} must be shown.  First, the
   9.471 -  locale predicate needs to be unfolded --- for example using its
   9.472 +txt {* \normalsize
   9.473 +  This enters the context of locale @{text total_order}, in
   9.474 +  which the goal @{subgoals [display]} must be shown.
   9.475 +  Now the
   9.476 +  locale predicate needs to be unfolded --- for example, using its
   9.477    definition or by introduction rules
   9.478 -  provided by the locale package.  The methods @{text intro_locales}
   9.479 -  and @{text unfold_locales} automate this.  They are aware of the
   9.480 +  provided by the locale package.  For automation, the locale package
   9.481 +  provides the methods @{text intro_locales} and @{text
   9.482 +  unfold_locales}.  They are aware of the
   9.483    current context and dependencies between locales and automatically
   9.484    discharge goals implied by these.  While @{text unfold_locales}
   9.485    always unfolds locale predicates to assumptions, @{text
   9.486 @@ -618,22 +699,26 @@
   9.487    is smaller.
   9.488  
   9.489    For the current goal, we would like to get hold of
   9.490 -  the assumptions of @{text lattice}, hence @{text unfold_locales}
   9.491 -  is appropriate. *}
   9.492 +  the assumptions of @{text lattice}, which need to be shown, hence
   9.493 +  @{text unfold_locales} is appropriate. *}
   9.494  
   9.495    proof unfold_locales
   9.496  
   9.497 -txt {* Since both @{text lattice} and @{text total_order}
   9.498 -  inherit @{text partial_order}, the assumptions of the latter are
   9.499 -  discharged, and the only subgoals that remain are the assumptions
   9.500 -  introduced in @{text lattice} @{subgoals [display]}
   9.501 -  The proof for the first subgoal is *}
   9.502 +txt {* \normalsize
   9.503 +  Since the fact that both lattices and total orders are partial
   9.504 +  orders is already reflected in the locale hierarchy, the assumptions
   9.505 +  of @{text partial_order} are discharged automatically, and only the
   9.506 +  assumptions introduced in @{text lattice} remain as subgoals
   9.507 +  @{subgoals [display]}
   9.508 +  The proof for the first subgoal is obtained by constructing an
   9.509 +  infimum, whose existence is implied by totality. *}
   9.510  
   9.511      fix x y
   9.512      from total have "is_inf x y (if x \<sqsubseteq> y then x else y)"
   9.513        by (auto simp: is_inf_def)
   9.514      then show "\<exists>inf. is_inf x y inf" ..
   9.515 -txt {* The proof for the second subgoal is analogous and not
   9.516 +txt {* \normalsize
   9.517 +   The proof for the second subgoal is analogous and not
   9.518    reproduced here. *}
   9.519    next %invisible
   9.520      fix x y
   9.521 @@ -641,31 +726,45 @@
   9.522        by (auto simp: is_sup_def)
   9.523      then show "\<exists>sup. is_sup x y sup" .. qed %visible
   9.524  
   9.525 -text {* Similarly, total orders are distributive lattices. *}
   9.526 +text {* Similarly, we may establish that total orders are distributive
   9.527 +  lattices with a second \isakeyword{sublocale} statement. *}
   9.528  
   9.529    sublocale total_order \<subseteq> distrib_lattice
   9.530 -  proof unfold_locales
   9.531 +    proof unfold_locales
   9.532      fix %"proof" x y z
   9.533      show "x \<sqinter> (y \<squnion> z) = x \<sqinter> y \<squnion> x \<sqinter> z" (is "?l = ?r")
   9.534        txt {* Jacobson I, p.\ 462 *}
   9.535      proof -
   9.536        { assume c: "y \<sqsubseteq> x" "z \<sqsubseteq> x"
   9.537 -	from c have "?l = y \<squnion> z"
   9.538 -	  by (metis c join_connection2 join_related2 meet_related2 total)
   9.539 -	also from c have "... = ?r" by (metis meet_related2)
   9.540 -	finally have "?l = ?r" . }
   9.541 +        from c have "?l = y \<squnion> z"
   9.542 +          by (metis c join_connection2 join_related2 meet_related2 total)
   9.543 +        also from c have "... = ?r" by (metis meet_related2)
   9.544 +        finally have "?l = ?r" . }
   9.545        moreover
   9.546        { assume c: "x \<sqsubseteq> y \<or> x \<sqsubseteq> z"
   9.547 -	from c have "?l = x"
   9.548 -	  by (metis join_connection2 join_related2 meet_connection total trans)
   9.549 -	also from c have "... = ?r"
   9.550 -	  by (metis join_commute join_related2 meet_connection meet_related2 total)
   9.551 -	finally have "?l = ?r" . }
   9.552 +        from c have "?l = x"
   9.553 +          by (metis join_connection2 join_related2 meet_connection total trans)
   9.554 +        also from c have "... = ?r"
   9.555 +          by (metis join_commute join_related2 meet_connection meet_related2 total)
   9.556 +        finally have "?l = ?r" . }
   9.557        moreover note total
   9.558        ultimately show ?thesis by blast
   9.559      qed
   9.560    qed
   9.561  
   9.562 -text {* The locale hierarchy is now as shown in Figure~\ref{fig:lattices}(c). *}
   9.563 +text {* The locale hierarchy is now as shown in
   9.564 +  Figure~\ref{fig:lattices}(c). *}
   9.565 +
   9.566 +text {*
   9.567 +  Locale interpretation is \emph{dynamic}.  The statement
   9.568 +  \isakeyword{sublocale} $l_1 \subseteq l_2$ will not just add the
   9.569 +  current conclusions of $l_2$ to $l_1$.  Rather the dependency is
   9.570 +  stored, and conclusions that will be
   9.571 +  added to $l_2$ in future are automatically propagated to $l_1$.
   9.572 +  The sublocale relation is transitive --- that is, propagation takes
   9.573 +  effect along chains of sublocales.  Even cycles in the sublocale relation are
   9.574 +  supported, as long as these cycles do not lead to infinite chains.
   9.575 +  Details are discussed in the technical report \cite{Ballarin2006a}.
   9.576 +  See also Section~\ref{sec:infinite-chains} of this tutorial.  *}
   9.577  
   9.578  end
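--- a/doc-src/Locales/Locales/Examples1.thy
+++ b/doc-src/Locales/Locales/Examples1.thy
@@ -1,36 +1,28 @@
 theory Examples1
 imports Examples
 begin
-
-section {* Use of Locales in Theories and Proofs *}
-
-text {* Locales enable to prove theorems abstractly, relative to
-  sets of assumptions.  These theorems can then be used in other
-  contexts where the assumptions themselves, or
-  instances of the assumptions, are theorems.  This form of theorem
-  reuse is called \emph{interpretation}.
+text {* \vspace{-5ex} *}
+section {* Use of Locales in Theories and Proofs
+  \label{sec:interpretation} *}
 
-  The changes of the locale
-  hierarchy from the previous sections are examples of
-  interpretations.  The command \isakeyword{sublocale} $l_1
-  \subseteq l_2$ is said to \emph{interpret} locale $l_2$ in the
-  context of $l_1$.  It causes all theorems of $l_2$ to be made
-  available in $l_1$.  The interpretation is \emph{dynamic}: not only
-  theorems already present in $l_2$ are available in $l_1$.  Theorems
-  that will be added to $l_2$ in future will automatically be
-  propagated to $l_1$.
+text {*
+  Locales can be interpreted in the contexts of theories and
+  structured proofs.  These interpretations are dynamic, too.
+  Conclusions of locales will be propagated to the current theory or
+  the current proof context.%
+\footnote{Strictly speaking, only interpretation in theories is
+  dynamic since it is not possible to change locales or the locale
+  hierarchy from within a proof.}
+  The focus of this section is on
+  interpretation in theories, but we will also encounter
+  interpretations in proofs, in
+  Section~\ref{sec:local-interpretation}.
 
-  Locales can also be interpreted in the contexts of theories and
-  structured proofs.  These interpretations are dynamic, too.
-  Theorems added to locales will be propagated to theories.
-  In this section the interpretation in
-  theories is illustrated; interpretation in proofs is analogous.
-
-  As an example, consider the type of natural numbers @{typ nat}.  The
-  relation @{text \<le>} is a total order over @{typ nat},
-  divisibility @{text dvd} is a distributive lattice.  We start with the
-  interpretation that @{text \<le>} is a partial order.  The facilities of
-  the interpretation command are explored in three versions.
+  As an example, consider the type of integers @{typ int}.  The
+  relation @{term "op \<le>"} is a total order over @{typ int}.  We start
+  with the interpretation that @{term "op \<le>"} is a partial order.  The
+  facilities of the interpretation command are explored gradually in
+  three versions.
   *}
 
 
@@ -38,45 +30,60 @@
   \label{sec:po-first} *}
 
 text {*
-  In the most basic form, interpretation just replaces the locale
-  parameters by terms.  The following command interprets the locale
-  @{text partial_order} in the global context of the theory.  The
-  parameter @{term le} is replaced by @{term "op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool"}. *} 
+  The command \isakeyword{interpretation} is for the interpretation of
+  locale in theories.  In the following example, the parameter of locale
+  @{text partial_order} is replaced by @{term "op \<le> :: int \<Rightarrow> int \<Rightarrow>
+  bool"} and the locale instance is interpreted in the current
+  theory. *}
 
-  interpretation %visible nat: partial_order "op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool"
-txt {* The locale name is succeeded by a \emph{parameter
-  instantiation}.  This is a list of terms, which refer to
-  the parameters in the order of declaration in the locale.  The
-  locale name is preceded by an optional \emph{interpretation
-  qualifier}, here @{text nat}.
+  interpretation %visible int: partial_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
+txt {* \normalsize
+  The argument of the command is a simple \emph{locale expression}
+  consisting of the name of the interpreted locale, which is
+  preceded by the qualifier @{text "int:"} and succeeded by a
+  white-space-separated list of terms, which provide a full
+  instantiation of the locale parameters.  The parameters are referred
+  to by order of declaration, which is also the order in which
+  \isakeyword{print\_locale} outputs them.  The locale has only a
+  single parameter, hence the list of instantiation terms is a
+  singleton.
 
-  The command creates the goal%
-\footnote{Note that @{text op} binds tighter than functions
-  application: parentheses around @{text "op \<le>"} are not necessary.}
+  The command creates the goal
   @{subgoals [display]} which can be shown easily:
  *}
     by unfold_locales auto
 
-text {*  Now theorems from the locale are available in the theory,
-  interpreted for natural numbers, for example @{thm [source]
-  nat.trans}: @{thm [display, indent=2] nat.trans}
-
-  The interpretation qualifier, @{text nat} in the example, is applied
-  to all names processed by the interpretation.  If a qualifer is
-  given in the \isakeyword{interpretation} command, its use is
-  mandatory when referencing the name.  For example, the above theorem
-  cannot be referred to simply by @{text trans}.  This prevents
-  unwanted hiding of theorems. *}
+text {*  The effect of the command is that instances of all
+  conclusions of the locale are available in the theory, where names
+  are prefixed by the qualifier.  For example, transitivity for @{typ
+  int} is named @{thm [source] int.trans} and is the following
+  theorem:
+  @{thm [display, indent=2] int.trans}
+  It is not possible to reference this theorem simply as @{text
+  trans}.  This prevents unwanted hiding of existing theorems of the
+  theory by an interpretation. *}
 
 
 subsection {* Second Version: Replacement of Definitions *}
 
-text {* The above interpretation also creates the theorem
-  @{thm [source] nat.less_le_trans}: @{thm [display, indent=2]
-  nat.less_le_trans}
-  Here, @{term "partial_order.less (op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool)"}
-  represents the strict order, although @{text "<"} is the natural
-  strict order for @{typ nat}.  Interpretation allows to map concepts
-  introduced by definitions in locales to the corresponding
-  concepts of the theory.  *}
+text {* Not only does the above interpretation qualify theorem names.
+  The prefix @{text int} is applied to all names introduced in locale
+  conclusions including names introduced in definitions.  The
+  qualified name @{text int.less} is short for
+  the interpretation of the definition, which is @{term int.less}.
+  Qualified name and expanded form may be used almost
+  interchangeably.%
+\footnote{Since @{term "op \<le>"} is polymorphic, for @{term int.less} a
+  more general type will be inferred than for @{text int.less} which
+  is over type @{typ int}.}
+  The latter is preferred on output, as for example in the theorem
+  @{thm [source] int.less_le_trans}: @{thm [display, indent=2]
+  int.less_le_trans}
+  Both notations for the strict order are not satisfactory.  The
+  constant @{term "op <"} is the strict order for @{typ int}.
+  In order to allow for the desired replacement, interpretation
+  accepts \emph{equations} in addition to the parameter instantiation.
+  These follow the locale expression and are indicated with the
+  keyword \isakeyword{where}.  This is the revised interpretation:
+  *}
 end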
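Review bot: The new sentence opening the first-version text, `The command \isakeyword{interpretation} is for the interpretation of locale in theories.`, reads as a slip; the plural `locales` matches the rest of the paragraph, which goes on to talk about a single locale instance. The same paragraph twice writes the type as `int \<Rightarrow> int \<Rightarrow> bool` while the sibling file Examples2.thy in this commit spells the same instance `[int, int] \<Rightarrow> bool` on the interpretation line; since this tutorial presents the interpretation three times, keeping one spelling across the three versions would make the repetition easier to compare.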
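--- a/doc-src/Locales/Locales/Examples2.thy
+++ b/doc-src/Locales/Locales/Examples2.thy
@@ -1,27 +1,24 @@
 theory Examples2
 imports Examples
 begin
-text {* This is achieved by unfolding suitable equations during
-  interpretation.  These equations are given after the keyword
-  \isakeyword{where} and require proofs.  The revised command
-  that replaces @{text "\<sqsubset>"} by @{text "<"} is: *}
+text {* \vspace{-5ex} *}
+  interpretation %visible int: partial_order "op \<le> :: [int, int] \<Rightarrow> bool"
+    where "partial_order.less op \<le> (x::int) y = (x < y)"
+  proof -
+    txt {* \normalsize The goals are now:
+      @{subgoals [display]}
+      The proof that~@{text \<le>} is a partial order is as above. *}
+    show "partial_order (op \<le> :: int \<Rightarrow> int \<Rightarrow> bool)"
+      by unfold_locales auto
+    txt {* \normalsize The second goal is shown by unfolding the
+      definition of @{term "partial_order.less"}. *}
+    show "partial_order.less op \<le> (x::int) y = (x < y)"
+      unfolding partial_order.less_def [OF `partial_order op \<le>`]
+      by auto
+  qed
 
-interpretation %visible nat: partial_order "op \<le> :: [nat, nat] \<Rightarrow> bool"
-  where "partial_order.less op \<le> (x::nat) y = (x < y)"
-proof -
-  txt {* The goals are @{subgoals [display]}
-    The proof that @{text \<le>} is a partial order is as above. *}
-  show "partial_order (op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool)"
-    by unfold_locales auto
-  txt {* The second goal is shown by unfolding the
-    definition of @{term "partial_order.less"}. *}
-  show "partial_order.less op \<le> (x::nat) y = (x < y)"
-    unfolding partial_order.less_def [OF `partial_order op \<le>`]
-    by auto
-qed
-
-text {* Note that the above proof is not in the context of a locale.
-  Hence, the correct interpretation of @{text
-  "partial_order.less_def"} is obtained manually with @{text OF}.
+text {* Note that the above proof is not in the context of the
+  interpreted locale.  Hence, the premise of @{text
+  "partial_order.less_def"} is discharged manually with @{text OF}.
   *}
 end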
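Review bot: Within the one interpretation command the instantiated type is spelled two ways: `[int, int] \<Rightarrow> bool` on the interpretation line and `int \<Rightarrow> int \<Rightarrow> bool` in the first `show`. Both denote the same type, so this is only presentation, but in a tutorial whose point is that the `show` goal is exactly the one the command generated, a reader may take the differing spelling as significant; writing the header as `interpretation %visible int: partial_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"` removes the question. The `txt` blocks also no longer say that the second goal's premise is the fact just shown, which is why the `OF` step in the following text needs the bare backquoted reference; a half-sentence there such as "the first goal, just shown, discharges the premise of `partial_order.less_def`" would tie the two steps together.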
    12.1 --- a/doc-src/Locales/Locales/Examples3.thy	Wed Oct 21 16:54:04 2009 +0200
    12.2 +++ b/doc-src/Locales/Locales/Examples3.thy	Wed Oct 21 16:57:57 2009 +0200
    12.3 @@ -1,309 +1,234 @@
    12.4  theory Examples3
    12.5  imports Examples
    12.6  begin
    12.7 -subsection {* Third Version: Local Interpretation *}
    12.8 +text {* \vspace{-5ex} *}
    12.9 +subsection {* Third Version: Local Interpretation
   12.10 +  \label{sec:local-interpretation} *}
   12.11  
   12.12 -text {* In the above example, the fact that @{text \<le>} is a partial
   12.13 -  order for the natural numbers was used in the proof of the
   12.14 -  second goal.  In general, proofs of the equations may involve
   12.15 -  theorems implied by the fact the assumptions of the instantiated
   12.16 -  locale hold for the instantiating structure.  If these theorems have
   12.17 -  been shown abstractly in the locale they can be made available
   12.18 -  conveniently in the context through an auxiliary local interpretation (keyword
   12.19 -  \isakeyword{interpret}).  This interpretation is inside the proof of the global
   12.20 -  interpretation.  The third revision of the example illustrates this.  *}
   12.21 +text {* In the above example, the fact that @{term "op \<le>"} is a partial
   12.22 +  order for the integers was used in the second goal to
   12.23 +  discharge the premise in the definition of @{text "op \<sqsubset>"}.  In
   12.24 +  general, proofs of the equations not only may involve definitions
   12.25 +  from the interpreted locale but arbitrarily complex arguments in the
   12.26 +  context of the locale.  Therefore is would be convenient to have the
   12.27 +  interpreted locale conclusions temporary available in the proof.
   12.28 +  This can be achieved by a locale interpretation in the proof body.
   12.29 +  The command for local interpretations is \isakeyword{interpret}.  We
   12.30 +  repeat the example from the previous section to illustrate this. *}
   12.31  
   12.32 -interpretation %visible nat: partial_order "op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool"
   12.33 -  where "partial_order.less op \<le> (x::nat) y = (x < y)"
   12.34 -proof -
   12.35 -  show "partial_order (op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool)"
   12.36 -    by unfold_locales auto
   12.37 -  then interpret nat: partial_order "op \<le> :: [nat, nat] \<Rightarrow> bool" .
   12.38 -  show "partial_order.less op \<le> (x::nat) y = (x < y)"
   12.39 -    unfolding nat.less_def by auto
   12.40 -qed
   12.41 +  interpretation %visible int: partial_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
   12.42 +    where "partial_order.less op \<le> (x::int) y = (x < y)"
   12.43 +  proof -
   12.44 +    show "partial_order (op \<le> :: int \<Rightarrow> int \<Rightarrow> bool)"
   12.45 +      by unfold_locales auto
   12.46 +    then interpret int: partial_order "op \<le> :: [int, int] \<Rightarrow> bool" .
   12.47 +    show "partial_order.less op \<le> (x::int) y = (x < y)"
   12.48 +      unfolding int.less_def by auto
   12.49 +  qed
   12.50  
   12.51 -text {* The inner interpretation does not require an elaborate new
   12.52 -  proof, it is immediate from the preceding fact and proved with
   12.53 -  ``.''.  It enriches the local proof context by the very theorems
   12.54 +text {* The inner interpretation is immediate from the preceding fact
   12.55 +  and proved by assumption (Isar short hand ``.'').  It enriches the
   12.56 +  local proof context by the theorems
   12.57    also obtained in the interpretation from Section~\ref{sec:po-first},
   12.58 -  and @{text nat.less_def} may directly be used to unfold the
   12.59 +  and @{text int.less_def} may directly be used to unfold the
   12.60    definition.  Theorems from the local interpretation disappear after
   12.61 -  leaving the proof context --- that is, after the closing
   12.62 -  \isakeyword{qed} --- and are then replaced by those with the desired
   12.63 -  substitutions of the strict order.  *}
   12.64 +  leaving the proof context --- that is, after the succeeding
   12.65 +  \isakeyword{next} or \isakeyword{qed} statement. *}
   12.66  
   12.67  
   12.68  subsection {* Further Interpretations *}
   12.69  
   12.70 -text {* Further interpretations are necessary to reuse theorems from
   12.71 -  the other locales.  In @{text lattice} the operations @{text \<sqinter>} and
   12.72 -  @{text \<squnion>} are substituted by @{term "min :: nat \<Rightarrow> nat \<Rightarrow> nat"} and
   12.73 -  @{term "max :: nat \<Rightarrow> nat \<Rightarrow> nat"}.  The entire proof for the
   12.74 -  interpretation is reproduced in order to give an example of a more
   12.75 -  elaborate interpretation proof.  *}
   12.76 +text {* Further interpretations are necessary for
   12.77 +  the other locales.  In @{text lattice} the operations~@{text \<sqinter>}
   12.78 +  and~@{text \<squnion>} are substituted by @{term "min :: int \<Rightarrow> int \<Rightarrow> int"}
   12.79 +  and @{term "max :: int \<Rightarrow> int \<Rightarrow> int"}.  The entire proof for the
   12.80 +  interpretation is reproduced to give an example of a more
   12.81 +  elaborate interpretation proof.  Note that the equations are named
   12.82 +  so they can be used in a later example.  *}
   12.83  
   12.84 -interpretation %visible nat: lattice "op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool"
   12.85 -  where "lattice.meet op \<le> (x::nat) y = min x y"
   12.86 -    and "lattice.join op \<le> (x::nat) y = max x y"
   12.87 -proof -
   12.88 -  show "lattice (op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool)"
   12.89 -    txt {* We have already shown that this is a partial order, *}
   12.90 -    apply unfold_locales
   12.91 -    txt {* hence only the lattice axioms remain to be shown: @{subgoals
   12.92 -      [display]}  After unfolding @{text is_inf} and @{text is_sup}, *}
   12.93 -    apply (unfold nat.is_inf_def nat.is_sup_def)
   12.94 -    txt {* the goals become @{subgoals [display]} which can be solved
   12.95 -      by Presburger arithmetic. *}
   12.96 -    by arith+
   12.97 -  txt {* In order to show the equations, we put ourselves in a
   12.98 -    situation where the lattice theorems can be used in a convenient way. *}
   12.99 -  then interpret nat: lattice "op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool" .
  12.100 -  show "lattice.meet op \<le> (x::nat) y = min x y"
  12.101 -    by (bestsimp simp: nat.meet_def nat.is_inf_def)
  12.102 -  show "lattice.join op \<le> (x::nat) y = max x y"
  12.103 -    by (bestsimp simp: nat.join_def nat.is_sup_def)
  12.104 -qed
  12.105 +  interpretation %visible int: lattice "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
  12.106 +    where int_min_eq: "lattice.meet op \<le> (x::int) y = min x y"
  12.107 +      and int_max_eq: "lattice.join op \<le> (x::int) y = max x y"
  12.108 +  proof -
  12.109 +    show "lattice (op \<le> :: int \<Rightarrow> int \<Rightarrow> bool)"
  12.110 +      txt {* \normalsize We have already shown that this is a partial
  12.111 +	order, *}
  12.112 +      apply unfold_locales
  12.113 +      txt {* \normalsize hence only the lattice axioms remain to be
  12.114 +	shown.
  12.115 +        @{subgoals [display]}
  12.116 +	By @{text is_inf} and @{text is_sup}, *}
  12.117 +      apply (unfold int.is_inf_def int.is_sup_def)
  12.118 +      txt {* \normalsize the goals are transformed to these
  12.119 +	statements:
  12.120 +	@{subgoals [display]}
  12.121 +	This is Presburger arithmetic, which can be solved by the
  12.122 +	method @{text arith}. *}
  12.123 +      by arith+
  12.124 +    txt {* \normalsize In order to show the equations, we put ourselves
  12.125 +      in a situation where the lattice theorems can be used in a
  12.126 +      convenient way. *}
  12.127 +    then interpret int: lattice "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool" .
  12.128 +    show "lattice.meet op \<le> (x::int) y = min x y"
  12.129 +      by (bestsimp simp: int.meet_def int.is_inf_def)
  12.130 +    show "lattice.join op \<le> (x::int) y = max x y"
  12.131 +      by (bestsimp simp: int.join_def int.is_sup_def)
  12.132 +  qed
  12.133  
  12.134 -text {* Next follows that @{text \<le>} is a total order. *}
  12.135 +text {* Next follows that @{text "op \<le>"} is a total order, again for
  12.136 +  the integers. *}
  12.137  
  12.138 -interpretation %visible nat: total_order "op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool"
  12.139 -  by unfold_locales arith
  12.140 +  interpretation %visible int: total_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
  12.141 +    by unfold_locales arith
  12.142  
  12.143  text {* Theorems that are available in the theory at this point are shown in
  12.144 -  Table~\ref{tab:nat-lattice}.
  12.145 +  Table~\ref{tab:int-lattice}.  Two points are worth noting:
  12.146  
  12.147  \begin{table}
  12.148  \hrule
  12.149  \vspace{2ex}
  12.150  \begin{center}
  12.151  \begin{tabular}{l}
  12.152 -  @{thm [source] nat.less_def} from locale @{text partial_order}: \\
  12.153 -  \quad @{thm nat.less_def} \\
  12.154 -  @{thm [source] nat.meet_left} from locale @{text lattice}: \\
  12.155 -  \quad @{thm nat.meet_left} \\
  12.156 -  @{thm [source] nat.join_distr} from locale @{text distrib_lattice}: \\
  12.157 -  \quad @{thm nat.join_distr} \\
  12.158 -  @{thm [source] nat.less_total} from locale @{text total_order}: \\
  12.159 -  \quad @{thm nat.less_total}
  12.160 +  @{thm [source] int.less_def} from locale @{text partial_order}: \\
  12.161 +  \quad @{thm int.less_def} \\
  12.162 +  @{thm [source] int.meet_left} from locale @{text lattice}: \\
  12.163 +  \quad @{thm int.meet_left} \\
  12.164 +  @{thm [source] int.join_distr} from locale @{text distrib_lattice}: \\
  12.165 +  \quad @{thm int.join_distr} \\
  12.166 +  @{thm [source] int.less_total} from locale @{text total_order}: \\
  12.167 +  \quad @{thm int.less_total}
  12.168  \end{tabular}
  12.169  \end{center}
  12.170  \hrule
  12.171 -\caption{Interpreted theorems for @{text \<le>} on the natural numbers.}
  12.172 -\label{tab:nat-lattice}
  12.173 +\caption{Interpreted theorems for~@{text \<le>} on the integers.}
  12.174 +\label{tab:int-lattice}
  12.175  \end{table}
  12.176  
  12.177 -  Note that since the locale hierarchy reflects that total orders are
  12.178 -  distributive lattices, an explicit interpretation of distributive
  12.179 -  lattices for the order relation on natural numbers is not neccessary.
  12.180 -
  12.181 -  Why not push this idea further and just give the last interpretation
  12.182 -  as a single interpretation instead of the sequence of three?  The
  12.183 -  reasons for this are twofold:
  12.184  \begin{itemize}
  12.185  \item
  12.186 -  Often it is easier to work in an incremental fashion, because later
  12.187 -  interpretations require theorems provided by earlier
  12.188 -  interpretations.
  12.189 +  Locale @{text distrib_lattice} was also interpreted.  Since the
  12.190 +  locale hierarchy reflects that total orders are distributive
  12.191 +  lattices, the interpretation of the latter was inserted
  12.192 +  automatically with the interpretation of the former.  In general,
  12.193 +  interpretation traverses the locale hierarchy upwards and interprets
  12.194 +  all encountered locales, regardless whether imported or proved via
  12.195 +  the \isakeyword{sublocale} command.  Existing interpretations are
  12.196 +  skipped avoiding duplicate work.
  12.197  \item
  12.198 -  Assume that a definition is made in some locale $l_1$, and that $l_2$
  12.199 -  imports $l_1$.  Let an equation for the definition be
  12.200 -  proved in an interpretation of $l_2$.  The equation will be unfolded
  12.201 -  in interpretations of theorems added to $l_2$ or below in the import
  12.202 -  hierarchy, but not for theorems added above $l_2$.
  12.203 -  Hence, an equation interpreting a definition should always be given in
  12.204 -  an interpretation of the locale where the definition is made, not in
  12.205 -  an interpretation of a locale further down the hierarchy.
  12.206 +  The predicate @{term "op <"} appears in theorem @{thm [source]
  12.207 +  int.less_total}
  12.208 +  although an equation for the replacement of @{text "op \<sqsubset>"} was only
  12.209 +  given in the interpretation of @{text partial_order}.  The
  12.210 +  interpretation equations are pushed downwards the hierarchy for
  12.211 +  related interpretations --- that is, for interpretations that share
  12.212 +  the instances of parameters they have in common.
  12.213  \end{itemize}
  12.214    *}
  12.215  
  12.216 -
  12.217 -subsection {* Lattice @{text "dvd"} on @{typ nat} *}
  12.218 -
  12.219 -text {* Divisibility on the natural numbers is a distributive lattice
  12.220 -  but not a total order.  Interpretation again proceeds
  12.221 -  incrementally. *}
  12.222 -
  12.223 -interpretation nat_dvd: partial_order "op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool"
  12.224 -  where "partial_order.less op dvd (x::nat) y = (x dvd y \<and> x \<noteq> y)"
  12.225 -proof -
  12.226 -  show "partial_order (op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool)"
  12.227 -    by unfold_locales (auto simp: dvd_def)
  12.228 -  then interpret nat_dvd: partial_order "op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool" .
  12.229 -  show "partial_order.less op dvd (x::nat) y = (x dvd y \<and> x \<noteq> y)"
  12.230 -    apply (unfold nat_dvd.less_def)
  12.231 -    apply auto
  12.232 -    done
  12.233 -qed
  12.234 -
  12.235 -text {* Note that in Isabelle/HOL there is no symbol for strict
  12.236 -  divisibility.  Instead, interpretation substitutes @{term "x dvd y \<and>
  12.237 -  x \<noteq> y"}.  *}
  12.238 -
  12.239 -interpretation nat_dvd: lattice "op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool"
  12.240 -  where nat_dvd_meet_eq: "lattice.meet (op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool) = gcd"
  12.241 -    and nat_dvd_join_eq: "lattice.join (op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool) = lcm"
  12.242 -proof -
  12.243 -  show "lattice (op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool)"
  12.244 -    apply unfold_locales
  12.245 -    apply (unfold nat_dvd.is_inf_def nat_dvd.is_sup_def)
  12.246 -    apply (rule_tac x = "gcd x y" in exI)
  12.247 -    apply auto [1]
  12.248 -    apply (rule_tac x = "lcm x y" in exI)
  12.249 -    apply (auto intro: lcm_least_nat)
  12.250 -    done
  12.251 -  then interpret nat_dvd: lattice "op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool" .
  12.252 -  show "lattice.meet (op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool) = gcd"
  12.253 -    apply (auto simp add: expand_fun_eq)
  12.254 -    apply (unfold nat_dvd.meet_def)
  12.255 -    apply (rule the_equality)
  12.256 -    apply (unfold nat_dvd.is_inf_def)
  12.257 -    by auto
  12.258 -  show "lattice.join (op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool) = lcm"
  12.259 -    apply (auto simp add: expand_fun_eq)
  12.260 -    apply (unfold nat_dvd.join_def)
  12.261 -    apply (rule the_equality)
  12.262 -    apply (unfold nat_dvd.is_sup_def)
  12.263 -    apply (auto intro: lcm_least_nat iff: lcm_unique_nat)
  12.264 -    done
  12.265 -qed
  12.266 -
  12.267 -text {* Equations @{thm [source] nat_dvd_meet_eq} and @{thm [source]
  12.268 -  nat_dvd_join_eq} are used in the main part the subsequent
  12.269 -  interpretation. *}
  12.270 -
  12.271 -(*
  12.272 -definition
  12.273 -  is_lcm :: "nat \<Rightarrow> nat \<Rightarrow> nat \<Rightarrow> bool" where
  12.274 -  "is_lcm p m n \<longleftrightarrow> m dvd p \<and> n dvd p \<and>
  12.275 -    (\<forall>d. m dvd d \<longrightarrow> n dvd d \<longrightarrow> p dvd d)"
  12.276 -
  12.277 -lemma is_gcd: "is_lcm (lcm (m, n)) m n"
  12.278 -  by (simp add: is_lcm_def lcm_least)
  12.279 -
  12.280 -lemma gcd_lcm_distr_lemma:
  12.281 -  "[| is_gcd g1 x l1; is_lcm l1 y z; is_gcd g2 x y; is_gcd g3 x z |] ==> is_lcm g1 g2 g3"
  12.282 -apply (unfold is_gcd_def is_lcm_def dvd_def)
  12.283 -apply (clarsimp simp: mult_ac)
  12.284 -apply (blast intro: mult_is_0)
  12.285 -thm mult_is_0 [THEN iffD1]
  12.286 -*)
  12.287 -
  12.288 -lemma %invisible gcd_lcm_distr:
  12.289 -  "gcd x (lcm y z) = lcm (gcd x y) (gcd x z)" sorry
  12.290 -
  12.291 -interpretation %visible nat_dvd:
  12.292 -  distrib_lattice "op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool"
  12.293 -  apply unfold_locales
  12.294 -  txt {* @{subgoals [display]} *}
  12.295 -  apply (unfold nat_dvd_meet_eq nat_dvd_join_eq)
  12.296 -  txt {* @{subgoals [display]} *}
  12.297 -  apply (rule gcd_lcm_distr) done
  12.298 -
  12.299 -
  12.300 -text {* Theorems that are available in the theory after these
  12.301 -  interpretations are shown in Table~\ref{tab:nat-dvd-lattice}.
  12.302 -
  12.303 -\begin{table}
  12.304 -\hrule
  12.305 -\vspace{2ex}
  12.306 -\begin{center}
  12.307 -\begin{tabular}{l}
  12.308 -  @{thm [source] nat_dvd.less_def} from locale @{text partial_order}: \\
  12.309 -  \quad @{thm nat_dvd.less_def} \\
  12.310 -  @{thm [source] nat_dvd.meet_left} from locale @{text lattice}: \\
  12.311 -  \quad @{thm nat_dvd.meet_left} \\
  12.312 -  @{thm [source] nat_dvd.join_distr} from locale @{text distrib_lattice}: \\
  12.313 -  \quad @{thm nat_dvd.join_distr} \\
  12.314 -\end{tabular}
  12.315 -\end{center}
  12.316 -\hrule
  12.317 -\caption{Interpreted theorems for @{text dvd} on the natural numbers.}
  12.318 -\label{tab:nat-dvd-lattice}
  12.319 -\end{table}
  12.320 -  *}
  12.321 -
  12.322 -text {*
  12.323 -  The syntax of the interpretation commands is shown in
  12.324 -  Table~\ref{tab:commands}.  The grammar refers to
  12.325 -  \textit{expression}, which stands for a \emph{locale} expression.
  12.326 -  Locale expressions are discussed in the following section.
  12.327 -  *}
  12.328 +text {* The interpretations for a locale $n$ within the current
  12.329 +  theory may be inspected with \isakeyword{print\_interps}~$n$.  This
  12.330 +  prints the list of instances of $n$, for which interpretations exist.
  12.331 +  For example, \isakeyword{print\_interps} @{term partial_order}
  12.332 +  outputs the following:
  12.333 +\begin{small}
  12.334 +\begin{alltt}
  12.335 +  int! : partial_order "op \(\le\)"
  12.336 +\end{alltt}
  12.337 +\end{small}
  12.338 +  Of course, there is only one interpretation.
  12.339 +  The interpretation qualifier on the left is decorated with an
  12.340 +  exclamation point.  This means that it is mandatory.  Qualifiers
  12.341 +  can either be \emph{mandatory} or \emph{optional}, designated by
  12.342 +  ``!'' or ``?'' respectively.  Mandatory qualifiers must occur in a
  12.343 +  name reference while optional ones need not.  Mandatory qualifiers
  12.344 +  prevent accidental hiding of names, while optional qualifiers can be
  12.345 +  more convenient to use.  For \isakeyword{interpretation}, the
  12.346 +  default is ``!''.
  12.347 +*}
  12.348  
  12.349  
  12.350  section {* Locale Expressions \label{sec:expressions} *}
  12.351  
  12.352  text {*
  12.353 -  A map @{term \<phi>} between partial orders @{text \<sqsubseteq>} and @{text \<preceq>}
  12.354 +  A map~@{term \<phi>} between partial orders~@{text \<sqsubseteq>} and~@{text \<preceq>}
  12.355    is called order preserving if @{text "x \<sqsubseteq> y"} implies @{text "\<phi> x \<preceq>
  12.356    \<phi> y"}.  This situation is more complex than those encountered so
  12.357    far: it involves two partial orders, and it is desirable to use the
  12.358    existing locale for both.
  12.359  
  12.360 -  Inspecting the grammar of locale commands in
  12.361 -  Table~\ref{tab:commands} reveals that the import of a locale can be
  12.362 -  more than just a single locale.  In general, the import is a
  12.363 -  \emph{locale expression}, which enables to combine locales
  12.364 -  and instantiate parameters.  A locale expression is a sequence of
  12.365 -  locale \emph{instances} followed by an optional \isakeyword{for}
  12.366 -  clause.  Each instance consists of a locale reference, which may be
  12.367 -  preceded by a qualifer and succeeded by instantiations of the
  12.368 -  parameters of that locale.  Instantiations may be either positional
  12.369 -  or through explicit mappings of parameters to arguments.
  12.370 +  A locale for order preserving maps requires three parameters: @{text
  12.371 +  le}~(\isakeyword{infixl}~@{text \<sqsubseteq>}) and @{text
  12.372 +  le'}~(\isakeyword{infixl}~@{text \<preceq>}) for the orders and~@{text \<phi>}
  12.373 +  for the map.
  12.374 +
  12.375 +  In order to reuse the existing locale for partial orders, which has
  12.376 +  the single parameter~@{text le}, it must be imported twice, once
  12.377 +  mapping its parameter to~@{text le} from the new locale and once
  12.378 +  to~@{text le'}.  This can be achieved with a compound locale
  12.379 +  expression.
  12.380  
  12.381 -  Using a locale expression, a locale for order
  12.382 -  preserving maps can be declared in the following way.  *}
  12.383 +  In general, a locale expression is a sequence of \emph{locale instances}
  12.384 +  separated by~``$\textbf{+}$'' and followed by a \isakeyword{for}
  12.385 +  clause.
  12.386 +  An instance has the following format:
  12.387 +\begin{quote}
  12.388 +  \textit{qualifier} \textbf{:} \textit{locale-name}
  12.389 +  \textit{parameter-instantiation}
  12.390 +\end{quote}
  12.391 +  We have already seen locale instances as arguments to
  12.392 +  \isakeyword{interpretation} in Section~\ref{sec:interpretation}.
  12.393 +  As before, the qualifier serves to disambiguate names from
  12.394 +  different instances of the same locale.  While in
  12.395 +  \isakeyword{interpretation} qualifiers default to mandatory, in
  12.396 +  import and in the \isakeyword{sublocale} command, they default to
  12.397 +  optional.
  12.398 +
  12.399 +  Since the parameters~@{text le} and~@{text le'} are to be partial
  12.400 +  orders, our locale for order preserving maps will import the these
  12.401 +  instances:
  12.402 +\begin{small}
  12.403 +\begin{alltt}
  12.404 +  le: partial_order le
  12.405 +  le': partial_order le'
  12.406 +\end{alltt}
  12.407 +\end{small}
  12.408 +  For matter of convenience we choose to name parameter names and
  12.409 +  qualifiers alike.  This is an arbitrary decision.  Technically, qualifiers
  12.410 +  and parameters are unrelated.
  12.411 +
  12.412 +  Having determined the instances, let us turn to the \isakeyword{for}
  12.413 +  clause.  It serves to declare locale parameters in the same way as
  12.414 +  the context element \isakeyword{fixes} does.  Context elements can
  12.415 +  only occur after the import section, and therefore the parameters
  12.416 +  referred to in the instances must be declared in the \isakeyword{for}
  12.417 +  clause.  The \isakeyword{for} clause is also where the syntax of these
  12.418 +  parameters is declared.
  12.419 +
  12.420 +  Two context elements for the map parameter~@{text \<phi>} and the
  12.421 +  assumptions that it is order preserving complete the locale
  12.422 +  declaration. *}
  12.423  
  12.424    locale order_preserving =
  12.425      le: partial_order le + le': partial_order le'
  12.426        for le (infixl "\<sqsubseteq>" 50) and le' (infixl "\<preceq>" 50) +
  12.427 -    fixes \<phi> :: "'a \<Rightarrow> 'b"
  12.428 +    fixes \<phi>
  12.429      assumes hom_le: "x \<sqsubseteq> y \<Longrightarrow> \<phi> x \<preceq> \<phi> y"
  12.430  
  12.431 -text {* The second and third line contain the expression --- two
  12.432 -  instances of the partial order locale where the parameter is
  12.433 -  instantiated to @{text le}
  12.434 -  and @{text le'}, respectively.  The \isakeyword{for} clause consists
  12.435 -  of parameter declarations and is similar to the context element
  12.436 -  \isakeyword{fixes}.  The notable difference is that the
  12.437 -  \isakeyword{for} clause is part of the expression, and only
  12.438 -  parameters defined in the expression may occur in its instances.
  12.439 +text (in order_preserving) {* Here are examples of theorems that are
  12.440 +  available in the locale:
  12.441  
  12.442 -  Instances define \emph{morphisms} on locales.  Their effect on the
  12.443 -  parameters is lifted to terms, propositions and theorems in the
  12.444 -  canonical way,
  12.445 -  and thus to the assumptions and conclusions of a locale.  The
  12.446 -  assumption of a locale expression is the conjunction of the
  12.447 -  assumptions of the instances.  The conclusions of a sequence of
  12.448 -  instances are obtained by appending the conclusions of the
  12.449 -  instances in the order of the sequence.
  12.450 +  \hspace*{1em}@{thm [source] hom_le}: @{thm hom_le}
  12.451 +
  12.452 +  \hspace*{1em}@{thm [source] le.less_le_trans}: @{thm le.less_le_trans}
  12.453  
  12.454 -  The qualifiers in the expression are already a familiar concept from
  12.455 -  the \isakeyword{interpretation} command
  12.456 -  (Section~\ref{sec:po-first}).  Here, they serve to distinguish names
  12.457 -  (in particular theorem names) for the two partial orders within the
  12.458 -  locale.  Qualifiers in the \isakeyword{locale} command (and in
  12.459 -  \isakeyword{sublocale}) default to optional --- that is, they need
  12.460 -  not occur in references to the qualified names.  Here are examples
  12.461 -  of theorems in locale @{text order_preserving}: *}
  12.462 -
  12.463 -context %invisible order_preserving begin
  12.464 -
  12.465 -text {*
  12.466 -  @{thm [source] le.less_le_trans}: @{thm le.less_le_trans}
  12.467 -
  12.468 -  @{thm [source] hom_le}: @{thm hom_le}
  12.469 -  *}
  12.470 -
  12.471 -text {* The theorems for the partial order @{text \<preceq>}
  12.472 -  are qualified by @{text le'}.  For example, @{thm [source]
  12.473 -  le'.less_le_trans}: @{thm [display, indent=2] le'.less_le_trans} *}
  12.474 -
  12.475 -end %invisible
  12.476 -
  12.477 -text {* This example reveals that there is no infix syntax for the
  12.478 -  strict operation associated with @{text \<preceq>}.  This can be declared
  12.479 -  through an abbreviation.  *}
  12.480 +  \hspace*{1em}@{thm [source] le'.less_le_trans}:
  12.481 +  @{thm [display, indent=4] le'.less_le_trans}
  12.482 +  While there is infix syntax for the strict operation associated to
  12.483 +  @{term "op \<sqsubseteq>"}, there is none for the strict version of @{term
  12.484 +  "op \<preceq>"}.  The abbreviation @{text less} with its infix syntax is only
  12.485 +  available for the original instance it was declared for.  We may
  12.486 +  introduce the abbreviation @{text less'} with infix syntax~@{text \<prec>}
  12.487 +  with the following declaration: *}
  12.488  
  12.489    abbreviation (in order_preserving)
  12.490      less' (infixl "\<prec>" 50) where "less' \<equiv> partial_order.less le'"
  12.491 @@ -312,33 +237,56 @@
  12.492    @{thm [source]  le'.less_le_trans}:
  12.493    @{thm [display, indent=2] le'.less_le_trans} *}
  12.494  
  12.495 -text (in order_preserving)  {* Qualifiers not only apply to theorem names, but also to names
  12.496 -  introduced by definitions and abbreviations.  For example, in @{text
  12.497 -  partial_order} the name @{text less} abbreviates @{term
  12.498 -  "partial_order.less le"}.  Therefore, in @{text order_preserving}
  12.499 -  the qualified name @{text le.less} abbreviates @{term
  12.500 -  "partial_order.less le"} and @{text le'.less} abbreviates @{term
  12.501 -  "partial_order.less le'"}.  Hence, the equation in the abbreviation
  12.502 -  above could have been written more concisely as @{text "less' \<equiv>
  12.503 -  le'.less"}. *}
  12.504 +text {* There are short notations for locale expressions.  These are
  12.505 +  discussed in the following. *}
  12.506 +
  12.507 +
  12.508 +subsection {* Default Instantiations *}
  12.509 +
  12.510 +text {* 
  12.511 +  It is possible to omit parameter instantiations.  The
  12.512 +  instantiation then defaults to the name of
  12.513 +  the parameter itself.  For example, the locale expression @{text
  12.514 +  partial_order} is short for @{text "partial_order le"}, since the
  12.515 +  locale's single parameter is~@{text le}.  We took advantage of this
  12.516 +  in the \isakeyword{sublocale} declarations of
  12.517 +  Section~\ref{sec:changing-the-hierarchy}. *}
  12.518 +
  12.519 +
  12.520 +subsection {* Implicit Parameters \label{sec:implicit-parameters} *}
  12.521 +
  12.522 +text {* In a locale expression that occurs within a locale
  12.523 +  declaration, omitted parameters additionally extend the (possibly
  12.524 +  empty) \isakeyword{for} clause.
  12.525  
  12.526 -text {* Readers may find the declaration of locale @{text
  12.527 -  order_preserving} a little awkward, because the declaration and
  12.528 -  concrete syntax for @{text le} from @{text partial_order} are
  12.529 -  repeated in the declaration of @{text order_preserving}.  Locale
  12.530 -  expressions provide a convenient short hand for this.  A parameter
  12.531 -  in an instance is \emph{untouched} if no instantiation term is
  12.532 -  provided for it.  In positional instantiations, a parameter position
  12.533 -  may be skipped with an underscore, and it is allowed to give fewer
  12.534 -  instantiation terms than the instantiated locale's number of
  12.535 -  parameters.  In named instantiations, instantiation pairs for
  12.536 -  certain parameters may simply be omitted.  Untouched parameters are
  12.537 -  implicitly declared by the locale expression and with their concrete
  12.538 -  syntax.  In the sequence of parameters, they appear before the
  12.539 -  parameters from the \isakeyword{for} clause.
  12.540 +  The \isakeyword{for} clause is a general construct of Isabelle/Isar
  12.541 +  to mark names occurring in the preceding declaration as ``arbitrary
  12.542 +  but fixed''.  This is necessary for example, if the name is already
  12.543 +  bound in a surrounding context.  In a locale expression, names
  12.544 +  occurring in parameter instantiations should be bound by a
  12.545 +  \isakeyword{for} clause whenever these names are not introduced
  12.546 +  elsewhere in the context --- for example, on the left hand side of a
  12.547 +  \isakeyword{sublocale} declaration.
  12.548  
  12.549 -  The following locales illustrate this.  A map @{text \<phi>} is a
  12.550 -  lattice homomorphism if it preserves meet and join. *}
  12.551 +  There is an exception to this rule in locale declarations, where the
  12.552 +  \isakeyword{for} clause serves to declare locale parameters.  Here,
  12.553 +  locale parameters for which no parameter instantiation is given are
  12.554 +  implicitly added, with their mixfix syntax, at the beginning of the
  12.555 +  \isakeyword{for} clause.  For example, in a locale declaration, the
  12.556 +  expression @{text partial_order} is short for
  12.557 +\begin{small}
  12.558 +\begin{alltt}
  12.559 +  partial_order le \isakeyword{for} le (\isakeyword{infixl} "\(\sqsubseteq\)" 50)\textrm{.}
  12.560 +\end{alltt}
  12.561 +\end{small}
  12.562 +  This short hand was used in the locale declarations throughout
  12.563 +  Section~\ref{sec:import}.
  12.564 + *}
  12.565 +
  12.566 +text{*
  12.567 +  The following locale declarations provide more examples.  A
  12.568 +  map~@{text \<phi>} is a lattice homomorphism if it preserves meet and
  12.569 +  join. *}
  12.570  
  12.571    locale lattice_hom =
  12.572      le: lattice + le': lattice le' for le' (infixl "\<preceq>" 50) +
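Review bot: The opening `text{*` at 12.566 drops the space that every other text block in this file uses (`text {*`, e.g. 12.510 and 12.522), and the closing ` *}` at 12.564 is indented by one space where the others sit at column 0; for consistency I would write `text {*` and `*}`. Separately, the sentence at 12.544–12.547 states that instantiation names "should be bound by a for clause whenever these names are not introduced elsewhere in the context", but the only example given is the sublocale left-hand side; a short clause naming the other case readers hit most often (names already fixed in an enclosing context, as 12.542 hints) would make the rule easier to apply. The locale declaration starting at 12.571 continues past this hunk.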
  12.573 @@ -346,29 +294,43 @@
  12.574      assumes hom_meet: "\<phi> (x \<sqinter> y) = le'.meet (\<phi> x) (\<phi> y)"
  12.575        and hom_join: "\<phi> (x \<squnion> y) = le'.join (\<phi> x) (\<phi> y)"
  12.576  
  12.577 -  abbreviation (in lattice_hom)
  12.578 -    meet' (infixl "\<sqinter>''" 50) where "meet' \<equiv> le'.meet"
  12.579 -  abbreviation (in lattice_hom)
  12.580 -    join' (infixl "\<squnion>''" 50) where "join' \<equiv> le'.join"
  12.581 +text {* The parameter instantiation in the first instance of @{term
  12.582 +  lattice} is omitted.  This causes the parameter~@{text le} to be
  12.583 +  added to the \isakeyword{for} clause, and the locale has
  12.584 +  parameters~@{text le},~@{text le'} and, of course,~@{text \<phi>}.
  12.585  
  12.586 -text {* A homomorphism is an endomorphism if both orders coincide. *}
  12.587 +  Before turning to the second example, we complete the locale by
  12.588 +  providing infix syntax for the meet and join operations of the
  12.589 +  second lattice.
  12.590 +*}
  12.591 +
  12.592 +  context lattice_hom begin
  12.593 +  abbreviation meet' (infixl "\<sqinter>''" 50) where "meet' \<equiv> le'.meet"
  12.594 +  abbreviation join' (infixl "\<squnion>''" 50) where "join' \<equiv> le'.join"
  12.595 +  end
  12.596 +
  12.597 +text {* The next example makes radical use of the short hand
  12.598 +  facilities.  A homomorphism is an endomorphism if both orders
  12.599 +  coincide. *}
  12.600  
  12.601    locale lattice_end = lattice_hom _ le
  12.602  
  12.603 -text {* In this declaration, the first parameter of @{text
  12.604 -  lattice_hom}, @{text le}, is untouched and is then used to instantiate
  12.605 -  the second parameter.  Its concrete syntax is preserved. *}
  12.606 -
  12.607 +text {* The notation~@{text _} enables to omit a parameter in a
  12.608 +  positional instantiation.  The omitted parameter,~@{text le} becomes
  12.609 +  the parameter of the declared locale and is, in the following
  12.610 +  position, used to instantiate the second parameter of @{text
  12.611 +  lattice_hom}.  The effect is that of identifying the first in second
  12.612 +  parameter of the homomorphism locale. *}
  12.613  
  12.614  text {* The inheritance diagram of the situation we have now is shown
  12.615    in Figure~\ref{fig:hom}, where the dashed line depicts an
  12.616 -  interpretation which is introduced below.  Renamings are
  12.617 -  indicated by $\sqsubseteq \mapsto \preceq$ etc.  The expression
  12.618 -  imported by @{text lattice_end} identifies the first and second
  12.619 -  parameter of @{text lattice_hom}.  By looking at the inheritance diagram it would seem
  12.620 +  interpretation which is introduced below.  Parameter instantiations
  12.621 +  are indicated by $\sqsubseteq \mapsto \preceq$ etc.  By looking at
  12.622 +  the inheritance diagram it would seem
  12.623    that two identical copies of each of the locales @{text
  12.624 -  partial_order} and @{text lattice} are imported.  This is not the
  12.625 -  case!  Inheritance paths with identical morphisms are detected and
  12.626 +  partial_order} and @{text lattice} are imported by @{text
  12.627 +  lattice_end}.  This is not the case!  Inheritance paths with
  12.628 +  identical morphisms are automatically detected and
  12.629    the conclusions of the respective locales appear only once.
  12.630  
  12.631  \begin{figure}
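Review bot: The explanation added at 12.611–12.612 reads `identifying the first in second parameter of the homomorphism locale`, which should be `identifying the first and second parameter of the homomorphism locale`. The preceding sentence at 12.608, `The omitted parameter,~@{text le} becomes`, has a stray comma before the tie; `The omitted parameter~@{text le} becomes` reads cleanly. The text block beginning at 12.614 continues past the end of this hunk.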
  12.632 @@ -421,21 +383,130 @@
  12.633    lattice_hom}, for example
  12.634    @{thm [source] hom_le}:
  12.635    @{thm [display, indent=2] hom_le}
  12.636 +  This theorem will be useful in the following section.
  12.637    *}
  12.638  
  12.639  
  12.640 +section {* Conditional Interpretation *}
  12.641 +
  12.642 +text {* There are situations where an interpretation is not possible
  12.643 +  in the general case since the desired property is only valid if
  12.644 +  certain conditions are fulfilled.  Take, for example, the function
  12.645 +  @{text "\<lambda>i. n * i"} that scales its argument by a constant factor.
  12.646 +  This function is order preserving (and even a lattice endomorphism)
  12.647 +  with respect to @{term "op \<le>"} provided @{text "n \<ge> 0"}.
  12.648 +
  12.649 +  It is not possible to express this using a global interpretation,
  12.650 +  because it is in general unspecified whether~@{term n} is
  12.651 +  non-negative, but one may make an interpretation in an inner context
  12.652 +  of a proof where full information is available.
  12.653 +  This is not fully satisfactory either, since potentially
  12.654 +  interpretations may be required to make interpretations in many
  12.655 +  contexts.  What is
  12.656 +  required is an interpretation that depends on the condition --- and
  12.657 +  this can be done with the \isakeyword{sublocale} command.  For this
  12.658 +  purpose, we introduce a locale for the condition. *}
  12.659 +
  12.660 +  locale non_negative =
  12.661 +    fixes n :: int
  12.662 +    assumes non_neg: "0 \<le> n"
  12.663 +
  12.664 +text {* It is again convenient to make the interpretation in an
  12.665 +  incremental fashion, first for order preserving maps, the for
  12.666 +  lattice endomorphisms. *}
  12.667 +
  12.668 +  sublocale non_negative \<subseteq>
  12.669 +      order_preserving "op \<le>" "op \<le>" "\<lambda>i. n * i"
  12.670 +    using non_neg by unfold_locales (rule mult_left_mono)
  12.671 +
  12.672 +text {* While the proof of the previous interpretation
  12.673 +  is straightforward from monotonicity lemmas for~@{term "op *"}, the
  12.674 +  second proof follows a useful pattern. *}
  12.675 +
  12.676 +  sublocale %visible non_negative \<subseteq> lattice_end "op \<le>" "\<lambda>i. n * i"
  12.677 +  proof (unfold_locales, unfold int_min_eq int_max_eq)
  12.678 +    txt {* \normalsize Unfolding the locale predicates \emph{and} the
  12.679 +      interpretation equations immediately yields two subgoals that
  12.680 +      reflect the core conjecture.
  12.681 +      @{subgoals [display]}
  12.682 +      It is now necessary to show, in the context of @{term
  12.683 +      non_negative}, that multiplication by~@{term n} commutes with
  12.684 +      @{term min} and @{term max}. *}
  12.685 +  qed (auto simp: hom_le)
  12.686 +
  12.687 +text (in order_preserving) {* The lemma @{thm [source] hom_le}
  12.688 +  simplifies a proof that would have otherwise been lengthy and we may
  12.689 +  consider making it a default rule for the simplifier: *}
  12.690 +
  12.691 +  lemmas (in order_preserving) hom_le [simp]
  12.692 +
  12.693 +
  12.694 +subsection {* Avoiding Infinite Chains of Interpretations
  12.695 +  \label{sec:infinite-chains} *}
  12.696 +
  12.697 +text {* Similar situations arise frequently in formalisations of
  12.698 +  abstract algebra where it is desirable to express that certain
  12.699 +  constructions preserve certain properties.  For example, polynomials
  12.700 +  over rings are rings, or --- an example from the domain where the
  12.701 +  illustrations of this tutorial are taken from --- a partial order
  12.702 +  may be obtained for a function space by point-wise lifting of the
  12.703 +  partial order of the co-domain.  This corresponds to the following
  12.704 +  interpretation: *}
  12.705 +
  12.706 +  sublocale %visible partial_order \<subseteq> f: partial_order "\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x"
  12.707 +    oops
  12.708 +
  12.709 +text {* Unfortunately this is a cyclic interpretation that leads to an
  12.710 +  infinite chain, namely
  12.711 +  @{text [display, indent=2] "partial_order \<subseteq> partial_order (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) \<subseteq>
  12.712 +  partial_order (\<lambda>f g. \<forall>x y. f x y \<sqsubseteq> g x y) \<subseteq>  \<dots>"}
  12.713 +  and the interpretation is rejected.
  12.714 +
  12.715 +  Instead it is necessary to declare a locale that is logically
  12.716 +  equivalent to @{term partial_order} but serves to collect facts
  12.717 +  about functions spaces where the co-domain is a partial order, and
  12.718 +  to make the interpretation in its context: *}
  12.719 +
  12.720 +  locale fun_partial_order = partial_order
  12.721 +
  12.722 +  sublocale fun_partial_order \<subseteq>
  12.723 +      f: partial_order "\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x"
  12.724 +    by unfold_locales (fast,rule,fast,blast intro: trans)
  12.725 +
  12.726 +text {* It is quite common in abstract algebra that such a construction
  12.727 +  maps a hierarchy of algebraic structures (or specifications) to a
  12.728 +  related hierarchy.  By means of the same lifting, a function space
  12.729 +  is a lattice if its co-domain is a lattice: *}
  12.730 +
  12.731 +  locale fun_lattice = fun_partial_order + lattice
  12.732 +
  12.733 +  sublocale fun_lattice \<subseteq> f: lattice "\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x"
  12.734 +    proof unfold_locales
  12.735 +    fix f g
  12.736 +    have "partial_order.is_inf (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g (\<lambda>x. f x \<sqinter> g x)"
  12.737 +      apply (rule is_infI) apply rule+ apply (drule spec, assumption)+ done
  12.738 +    then show "\<exists>inf. partial_order.is_inf (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g inf"
  12.739 +      by fast
  12.740 +  next
  12.741 +    fix f g
  12.742 +    have "partial_order.is_sup (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g (\<lambda>x. f x \<squnion> g x)"
  12.743 +      apply (rule is_supI) apply rule+ apply (drule spec, assumption)+ done
  12.744 +    then show "\<exists>sup. partial_order.is_sup (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g sup"
  12.745 +      by fast
  12.746 +  qed
  12.747 +
  12.748  
  12.749  section {* Further Reading *}
  12.750  
  12.751  text {* More information on locales and their interpretation is
  12.752    available.  For the locale hierarchy of import and interpretation
  12.753 -  dependencies see \cite{Ballarin2006a}; interpretations in theories
  12.754 -  and proofs are covered in \cite{Ballarin2006b}.  In the latter, we
  12.755 +  dependencies see~\cite{Ballarin2006a}; interpretations in theories
  12.756 +  and proofs are covered in~\cite{Ballarin2006b}.  In the latter, I
  12.757    show how interpretation in proofs enables to reason about families
  12.758    of algebraic structures, which cannot be expressed with locales
  12.759    directly.
  12.760  
  12.761 -  Haftmann and Wenzel \cite{HaftmannWenzel2007} overcome a restriction
  12.762 +  Haftmann and Wenzel~\cite{HaftmannWenzel2007} overcome a restriction
  12.763    of axiomatic type classes through a combination with locale
  12.764    interpretation.  The result is a Haskell-style class system with a
  12.765    facility to generate ML and Haskell code.  Classes are sufficient for
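Review bot: The proof at 12.724, `by unfold_locales (fast,rule,fast,blast intro: trans)`, depends on the exact number and order of subgoals that unfold_locales produces for partial_order, so any change to that locale's assumptions silently breaks it; the structured `proof unfold_locales ... next ... qed` form used for fun_lattice at 12.734–12.746 names what is being shown and would be the more maintainable pattern here too. The new prose also has two slips: 12.665 `first for order preserving maps, the for lattice endomorphisms` should read `then for`, and 12.653–12.655 `since potentially interpretations may be required to make interpretations in many contexts` is garbled — `since interpretations may potentially be required in many contexts` says what is meant. Finally, 12.706–12.707 shows the cyclic sublocale ended by `oops` while 12.713 says the interpretation "is rejected"; a one-line comment stating at which point the system raises the rejection (or that `oops` is only there to abandon the attempt in the generated document) would keep readers from wondering why the command appears to be accepted.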
  12.766 @@ -444,10 +515,21 @@
  12.767    category.  Order preserving maps, homomorphisms and vector spaces,
  12.768    on the other hand, do not.
  12.769  
  12.770 -  The original work of Kamm\"uller on locales \cite{KammullerEtAl1999}
  12.771 -  may be of interest from a historical perspective.  The mathematical
  12.772 -  background on orders and lattices is taken from Jacobson's textbook
  12.773 -  on algebra \cite[Chapter~8]{Jacobson1985}.
  12.774 +  The locales reimplementation for Isabelle 2009 provides, among other
  12.775 +  improvements, a clean integration with Isabelle/Isar's local theory
  12.776 +  mechanisms, which are described in another paper by Haftmann and
  12.777 +  Wenzel~\cite{HaftmannWenzel2009}.
  12.778 +
  12.779 +  The original work of Kamm\"uller on locales~\cite{KammullerEtAl1999}
  12.780 +  may be of interest from a historical perspective.  My previous
  12.781 +  report on locales and locale expressions~\cite{Ballarin2004a}
  12.782 +  describes a simpler form of expressions than available now and is
  12.783 +  outdated. The mathematical background on orders and lattices is
  12.784 +  taken from Jacobson's textbook on algebra~\cite[Chapter~8]{Jacobson1985}.
  12.785 +
  12.786 +  The sources of this tutorial, which include all proofs, are
  12.787 +  available with the Isabelle distribution at
  12.788 +  \url{http://isabelle.in.tum.de}.
  12.789    *}
  12.790  
  12.791  text {*
  12.792 @@ -542,8 +624,9 @@
  12.793    \multicolumn{3}{l}{Diagnostics} \\
  12.794  
  12.795    \textit{toplevel} & ::=
  12.796 -  & \textbf{print\_locale} [ ``\textbf{!}'' ] \textit{locale} \\
  12.797 -  & | & \textbf{print\_locales} 
  12.798 +  & \textbf{print\_locales} \\
  12.799 +  & | & \textbf{print\_locale} [ ``\textbf{!}'' ] \textit{locale} \\
  12.800 +  & | & \textbf{print\_interps} \textit{locale}
  12.801  \end{tabular}
  12.802  \end{center}
  12.803  \hrule
  12.804 @@ -552,8 +635,22 @@
  12.805  \end{table}
  12.806    *}
  12.807  
  12.808 +text {* \textbf{Revision History.}  For the present third revision of
  12.809 +  the tutorial, much of the explanatory text
  12.810 +  was rewritten.  Inheritance of interpretation equations is
  12.811 +  available with the forthcoming release of Isabelle, which at the
  12.812 +  time of editing these notes is expected for the end of 2009.
  12.813 +  The second revision accommodates changes introduced by the locales
  12.814 +  reimplementation for Isabelle 2009.  Most notably locale expressions
  12.815 +  have been generalised from renaming to instantiation.  *}
  12.816 +
  12.817  text {* \textbf{Acknowledgements.}  Alexander Krauss, Tobias Nipkow,
  12.818 -  Christian Sternagel and Makarius Wenzel have made useful comments on
  12.819 -  a draft of this document. *}
  12.820 +  Randy Pollack, Christian Sternagel and Makarius Wenzel have made
  12.821 +  useful comments on earlier versions of this document.  The section
  12.822 +  on conditional interpretation was inspired by a number of e-mail
  12.823 +  enquiries the author received from locale users, and which suggested
  12.824 +  that this use case is important enough to deserve explicit
  12.825 +  explanation.  The term \emph{conditional interpretation} is due to
  12.826 +  Larry Paulson. *}
  12.827  
  12.828  end
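--- a/doc-src/Locales/Locales/ROOT.ML
+++ b/doc-src/Locales/Locales/ROOT.ML
@@ -1,4 +1,3 @@
-no_document use_thy "GCD";
 use_thy "Examples1";
 use_thy "Examples2";
-setmp_noncritical quick_and_dirty true use_thy "Examples3";
+use_thy "Examples3";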
    14.1 --- a/doc-src/Locales/Locales/document/Examples.tex	Wed Oct 21 16:54:04 2009 +0200
    14.2 +++ b/doc-src/Locales/Locales/document/Examples.tex	Wed Oct 21 16:57:57 2009 +0200
    14.3 @@ -9,7 +9,7 @@
    14.4  \isatagtheory
    14.5  \isacommand{theory}\isamarkupfalse%
    14.6  \ Examples\isanewline
    14.7 -\isakeyword{imports}\ Main\ GCD\isanewline
    14.8 +\isakeyword{imports}\ Main\isanewline
    14.9  \isakeyword{begin}%
   14.10  \endisatagtheory
   14.11  {\isafoldtheory}%
   14.12 @@ -46,19 +46,20 @@
   14.13  \[
   14.14    \isa{{\isasymAnd}x\isactrlsub {\isadigit{1}}{\isasymdots}x\isactrlsub n{\isachardot}\ {\isasymlbrakk}\ A\isactrlsub {\isadigit{1}}{\isacharsemicolon}\ {\isasymdots}\ {\isacharsemicolon}A\isactrlsub m\ {\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isasymdots}}
   14.15  \]
   14.16 -  where variables \isa{x\isactrlsub {\isadigit{1}}}, \ldots, \isa{x\isactrlsub n} are called
   14.17 -  \emph{parameters} and the premises $\isa{A\isactrlsub {\isadigit{1}}}, \ldots,
   14.18 -  \isa{A\isactrlsub m}$ \emph{assumptions}.  A formula \isa{C}
   14.19 +  where variables~\isa{x\isactrlsub {\isadigit{1}}}, \ldots,~\isa{x\isactrlsub n} are called
   14.20 +  \emph{parameters} and the premises $\isa{A\isactrlsub {\isadigit{1}}}, \ldots,~\isa{A\isactrlsub m}$ \emph{assumptions}.  A formula~\isa{C}
   14.21    is a \emph{theorem} in the context if it is a conclusion
   14.22  \[
   14.23 -%\label{eq-fact-in-context}
   14.24    \isa{{\isasymAnd}x\isactrlsub {\isadigit{1}}{\isasymdots}x\isactrlsub n{\isachardot}\ {\isasymlbrakk}\ A\isactrlsub {\isadigit{1}}{\isacharsemicolon}\ {\isasymdots}\ {\isacharsemicolon}A\isactrlsub m\ {\isasymrbrakk}\ {\isasymLongrightarrow}\ C}.
   14.25  \]
   14.26    Isabelle/Isar's notion of context goes beyond this logical view.
   14.27    Its contexts record, in a consecutive order, proved
   14.28 -  conclusions along with attributes, which
   14.29 -  may control proof procedures.  Contexts also contain syntax information
   14.30 -  for parameters and for terms depending on them.%
   14.31 +  conclusions along with \emph{attributes}, which can provide context
   14.32 +  specific configuration information for proof procedures and concrete
   14.33 +  syntax.  From a logical perspective, locales are just contexts that
   14.34 +  have been made persistent.  To the user, though, they provide
   14.35 +  powerful means for declaring and combining contexts, and for the
   14.36 +  reuse of theorems proved in these contexts.%
   14.37  \end{isamarkuptext}%
   14.38  \isamarkuptrue%
   14.39  %
   14.40 @@ -67,7 +68,7 @@
   14.41  \isamarkuptrue%
   14.42  %
   14.43  \begin{isamarkuptext}%
   14.44 -Locales can be seen as persistent contexts.  In its simplest form, a
   14.45 +In its simplest form, a
   14.46    \emph{locale declaration} consists of a sequence of context elements
   14.47    declaring parameters (keyword \isakeyword{fixes}) and assumptions
   14.48    (keyword \isakeyword{assumes}).  The following is the specification of
   14.49 @@ -81,27 +82,79 @@
   14.50  \ \ \ \ \ \ \isakeyword{and}\ anti{\isacharunderscore}sym\ {\isacharbrackleft}intro{\isacharbrackright}{\isacharcolon}\ {\isachardoublequoteopen}{\isasymlbrakk}\ x\ {\isasymsqsubseteq}\ y{\isacharsemicolon}\ y\ {\isasymsqsubseteq}\ x\ {\isasymrbrakk}\ {\isasymLongrightarrow}\ x\ {\isacharequal}\ y{\isachardoublequoteclose}\isanewline
   14.51  \ \ \ \ \ \ \isakeyword{and}\ trans\ {\isacharbrackleft}trans{\isacharbrackright}{\isacharcolon}\ {\isachardoublequoteopen}{\isasymlbrakk}\ x\ {\isasymsqsubseteq}\ y{\isacharsemicolon}\ y\ {\isasymsqsubseteq}\ z\ {\isasymrbrakk}\ {\isasymLongrightarrow}\ x\ {\isasymsqsubseteq}\ z{\isachardoublequoteclose}%
   14.52  \begin{isamarkuptext}%
   14.53 -The parameter of this locale is \isa{le}, with infix syntax
   14.54 -  \isa{{\isasymsqsubseteq}}.  There is an implicit type parameter \isa{{\isacharprime}a}.  It
   14.55 -  is not necessary to declare parameter types: most general types will
   14.56 -  be inferred from the context elements for all parameters.
   14.57 +The parameter of this locale is~\isa{le},
   14.58 +  which is a binary predicate with infix syntax~\isa{{\isasymsqsubseteq}}.  The
   14.59 +  parameter syntax is available in the subsequent
   14.60 +  assumptions, which are the familiar partial order axioms.
   14.61 +
   14.62 +  Isabelle recognises unbound names as free variables.  In locale
   14.63 +  assumptions, these are implicitly universally quantified.  That is,
   14.64 +  \isa{{\isasymlbrakk}x\ {\isasymsqsubseteq}\ y{\isacharsemicolon}\ y\ {\isasymsqsubseteq}\ z{\isasymrbrakk}\ {\isasymLongrightarrow}\ x\ {\isasymsqsubseteq}\ z} in fact means
   14.65 +  \isa{{\isasymAnd}x\ y\ z{\isachardot}\ {\isasymlbrakk}x\ {\isasymsqsubseteq}\ y{\isacharsemicolon}\ y\ {\isasymsqsubseteq}\ z{\isasymrbrakk}\ {\isasymLongrightarrow}\ x\ {\isasymsqsubseteq}\ z}.
   14.66  
   14.67 -  The above declaration not only introduces the locale, it also
   14.68 -  defines the \emph{locale predicate} \isa{partial{\isacharunderscore}order} with
   14.69 -  definition \isa{partial{\isacharunderscore}order{\isacharunderscore}def}:
   14.70 +  Two commands are provided to inspect locales:
   14.71 +  \isakeyword{print\_locales} lists the names of all locales of the
   14.72 +  current theory; \isakeyword{print\_locale}~$n$ prints the parameters
   14.73 +  and assumptions of locale $n$; the variation \isakeyword{print\_locale!}~$n$
   14.74 +  additionally outputs the conclusions that are stored in the locale.
   14.75 +  We may inspect the new locale
   14.76 +  by issuing \isakeyword{print\_locale!} \isa{partial{\isacharunderscore}order}.  The output
   14.77 +  is the following list of context elements.
   14.78 +\begin{small}
   14.79 +\begin{alltt}
   14.80 +  \isakeyword{fixes} le :: "'a \(\Rightarrow\) 'a \(\Rightarrow\)  bool" (\isakeyword{infixl} "\(\sqsubseteq\)" 50)
   14.81 +  \isakeyword{assumes} "partial_order op \(\sqsubseteq\)"
   14.82 +  \isakeyword{notes} assumption
   14.83 +    refl [intro, simp] = `?x \(\sqsubseteq\) ?x`
   14.84 +    \isakeyword{and}
   14.85 +    anti_sym [intro] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?x\(\isasymrbrakk\) \(\Longrightarrow\) ?x = ?y`
   14.86 +    \isakeyword{and}
   14.87 +    trans [trans] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?z\(\isasymrbrakk\) \(\Longrightarrow\) ?x \(\sqsubseteq\) ?z`
   14.88 +\end{alltt}
   14.89 +\end{small}
   14.90 +  The keyword \isakeyword{notes} denotes a conclusion element.  There
   14.91 +  is one conclusion, which was added automatically.  Instead, there is
   14.92 +  only one assumption, namely \isa{partial{\isacharunderscore}order\ op\ {\isasymsqsubseteq}}.  The locale
   14.93 +  declaration has introduced the predicate \isa{partial{\isacharunderscore}order} to the theory.  This predicate is the
   14.94 +  \emph{locale predicate}.  Its definition may be inspected by
   14.95 +  issuing \isakeyword{thm} \isa{partial{\isacharunderscore}order{\isacharunderscore}def}.
   14.96    \begin{isabelle}%
   14.97  \ \ partial{\isacharunderscore}order\ {\isacharquery}le\ {\isasymequiv}\isanewline
   14.98  \isaindent{\ \ }{\isacharparenleft}{\isasymforall}x{\isachardot}\ {\isacharquery}le\ x\ x{\isacharparenright}\ {\isasymand}\isanewline
   14.99  \isaindent{\ \ }{\isacharparenleft}{\isasymforall}x\ y{\isachardot}\ {\isacharquery}le\ x\ y\ {\isasymlongrightarrow}\ {\isacharquery}le\ y\ x\ {\isasymlongrightarrow}\ x\ {\isacharequal}\ y{\isacharparenright}\ {\isasymand}\isanewline
  14.100  \isaindent{\ \ }{\isacharparenleft}{\isasymforall}x\ y\ z{\isachardot}\ {\isacharquery}le\ x\ y\ {\isasymlongrightarrow}\ {\isacharquery}le\ y\ z\ {\isasymlongrightarrow}\ {\isacharquery}le\ x\ z{\isacharparenright}%
  14.101  \end{isabelle}
  14.102 +  In our example, this is a unary predicate over the parameter of the
  14.103 +  locale.  It is equivalent to the original assumptions, which have
  14.104 +  been turned into conclusions and are
  14.105 +  available as theorems in the context of the locale.  The names and
  14.106 +  attributes from the locale declaration are associated to these
  14.107 +  theorems and are effective in the context of the locale.
  14.108  
  14.109 -  The specification of a locale is fixed, but its list of conclusions
  14.110 +  Each conclusion has a \emph{foundational theorem} as counterpart
  14.111 +  in the theory.  Technically, this is simply the theorem composed
  14.112 +  of context and conclusion.  For the transitivity theorem, this is
  14.113 +  \isa{partial{\isacharunderscore}order{\isachardot}trans}:
  14.114 +  \begin{isabelle}%
  14.115 +\ \ partial{\isacharunderscore}order\ {\isacharquery}le\ {\isasymequiv}\isanewline
  14.116 +\isaindent{\ \ }{\isacharparenleft}{\isasymforall}x{\isachardot}\ {\isacharquery}le\ x\ x{\isacharparenright}\ {\isasymand}\isanewline
  14.117 +\isaindent{\ \ }{\isacharparenleft}{\isasymforall}x\ y{\isachardot}\ {\isacharquery}le\ x\ y\ {\isasymlongrightarrow}\ {\isacharquery}le\ y\ x\ {\isasymlongrightarrow}\ x\ {\isacharequal}\ y{\isacharparenright}\ {\isasymand}\isanewline
  14.118 +\isaindent{\ \ }{\isacharparenleft}{\isasymforall}x\ y\ z{\isachardot}\ {\isacharquery}le\ x\ y\ {\isasymlongrightarrow}\ {\isacharquery}le\ y\ z\ {\isasymlongrightarrow}\ {\isacharquery}le\ x\ z{\isacharparenright}%
  14.119 +\end{isabelle}%
  14.120 +\end{isamarkuptext}%
  14.121 +\isamarkuptrue%
  14.122 +%
  14.123 +\isamarkupsubsection{Targets: Extending Locales%
  14.124 +}
  14.125 +\isamarkuptrue%
  14.126 +%
  14.127 +\begin{isamarkuptext}%
  14.128 +The specification of a locale is fixed, but its list of conclusions
  14.129    may be extended through Isar commands that take a \emph{target} argument.
  14.130    In the following, \isakeyword{definition} and 
  14.131    \isakeyword{theorem} are illustrated.
  14.132    Table~\ref{tab:commands-with-target} lists Isar commands that accept
  14.133 -  a target.  There are various ways of specifying the target.  A
  14.134 +  a target.  Isar provides various ways of specifying the target.  A
  14.135    target for a single command may be indicated with keyword
  14.136    \isakeyword{in} in the following way:
  14.137  
  14.138 @@ -131,24 +184,21 @@
  14.139  \ \ \ \ less\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasymsqsubset}{\isachardoublequoteclose}\ {\isadigit{5}}{\isadigit{0}}{\isacharparenright}\isanewline
  14.140  \ \ \ \ \isakeyword{where}\ {\isachardoublequoteopen}{\isacharparenleft}x\ {\isasymsqsubset}\ y{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}x\ {\isasymsqsubseteq}\ y\ {\isasymand}\ x\ {\isasymnoteq}\ y{\isacharparenright}{\isachardoublequoteclose}%
  14.141  \begin{isamarkuptext}%
  14.142 -A definition in a locale depends on the locale parameters.
  14.143 -  Here, a global constant \isa{partial{\isacharunderscore}order{\isachardot}less} is declared, which is lifted over the
  14.144 -  locale parameter \isa{le}.  Its definition is the global theorem
  14.145 -  \isa{partial{\isacharunderscore}order{\isachardot}less{\isacharunderscore}def}:
  14.146 +The strict order \isa{less} with infix
  14.147 +  syntax~\isa{{\isasymsqsubset}} is
  14.148 +  defined in terms of the locale parameter~\isa{le} and the general
  14.149 +  equality of the object logic we work in.  The definition generates a
  14.150 +  \emph{foundational constant}
  14.151 +  \isa{partial{\isacharunderscore}order{\isachardot}less} with definition \isa{partial{\isacharunderscore}order{\isachardot}less{\isacharunderscore}def}:
  14.152    \begin{isabelle}%
  14.153  \ \ partial{\isacharunderscore}order\ {\isacharquery}le\ {\isasymLongrightarrow}\isanewline
  14.154  \isaindent{\ \ }partial{\isacharunderscore}order{\isachardot}less\ {\isacharquery}le\ {\isacharquery}x\ {\isacharquery}y\ {\isacharequal}\ {\isacharparenleft}{\isacharquery}le\ {\isacharquery}x\ {\isacharquery}y\ {\isasymand}\ {\isacharquery}x\ {\isasymnoteq}\ {\isacharquery}y{\isacharparenright}%
  14.155  \end{isabelle}
  14.156    At the same time, the locale is extended by syntax transformations
  14.157 -  hiding this construction in the context of the locale.  That is,
  14.158 -  \isa{partial{\isacharunderscore}order{\isachardot}less\ le} is printed and parsed as infix
  14.159 -  \isa{{\isasymsqsubset}}.%
  14.160 -\end{isamarkuptext}%
  14.161 -\isamarkuptrue%
  14.162 -%
  14.163 -\begin{isamarkuptext}%
  14.164 -Finally, the conclusion of the definition
  14.165 -  is added to the locale, \isa{less{\isacharunderscore}def}:
  14.166 +  hiding this construction in the context of the locale.  Here, the
  14.167 +  abbreviation \isa{less} is available for
  14.168 +  \isa{partial{\isacharunderscore}order{\isachardot}less\ le}, and it is printed
  14.169 +  and parsed as infix~\isa{{\isasymsqsubset}}.  Finally, the conclusion \isa{less{\isacharunderscore}def} is added to the locale:
  14.170    \begin{isabelle}%
  14.171  \ \ {\isacharparenleft}{\isacharquery}x\ {\isasymsqsubset}\ {\isacharquery}y{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}{\isacharquery}x\ {\isasymsqsubseteq}\ {\isacharquery}y\ {\isasymand}\ {\isacharquery}x\ {\isasymnoteq}\ {\isacharquery}y{\isacharparenright}%
  14.172  \end{isabelle}%
  14.173 @@ -156,8 +206,9 @@
  14.174  \isamarkuptrue%
  14.175  %
  14.176  \begin{isamarkuptext}%
  14.177 -As an example of a theorem statement in the locale, here is the
  14.178 -  derivation of a transitivity law.%
  14.179 +The treatment of theorem statements is more straightforward.
  14.180 +  As an example, here is the derivation of a transitivity law for the
  14.181 +  strict order relation.%
  14.182  \end{isamarkuptext}%
  14.183  \isamarkuptrue%
  14.184  \ \ \isacommand{lemma}\isamarkupfalse%
  14.185 @@ -180,13 +231,17 @@
  14.186  \endisadelimvisible
  14.187  %
  14.188  \begin{isamarkuptext}%
  14.189 -In the context of the proof, assumptions and theorems of the
  14.190 -  locale may be used.  Attributes are effective: \isa{anti{\isacharunderscore}sym} was
  14.191 +In the context of the proof, conclusions of the
  14.192 +  locale may be used like theorems.  Attributes are effective: \isa{anti{\isacharunderscore}sym} was
  14.193    declared as introduction rule, hence it is in the context's set of
  14.194    rules used by the classical reasoner by default.%
  14.195  \end{isamarkuptext}%
  14.196  \isamarkuptrue%
  14.197  %
  14.198 +\isamarkupsubsection{Context Blocks%
  14.199 +}
  14.200 +\isamarkuptrue%
  14.201 +%
  14.202  \begin{isamarkuptext}%
  14.203  When working with locales, sequences of commands with the same
  14.204    target are frequent.  A block of commands, delimited by
  14.205 @@ -199,7 +254,7 @@
  14.206  
  14.207    This style of working is illustrated in the block below, where
  14.208    notions of infimum and supremum for partial orders are introduced,
  14.209 -  together with theorems.%
  14.210 +  together with theorems about their uniqueness.%
  14.211  \end{isamarkuptext}%
  14.212  \isamarkuptrue%
  14.213  \ \ \isacommand{context}\isamarkupfalse%
  14.214 @@ -250,7 +305,7 @@
  14.215  \ is{\isacharunderscore}inf{\isacharunderscore}uniq{\isacharcolon}\ {\isachardoublequoteopen}{\isasymlbrakk}is{\isacharunderscore}inf\ x\ y\ i{\isacharsemicolon}\ is{\isacharunderscore}inf\ x\ y\ i{\isacharprime}{\isasymrbrakk}\ {\isasymLongrightarrow}\ i\ {\isacharequal}\ i{\isacharprime}{\isachardoublequoteclose}\isanewline
  14.216  %
  14.217  \isadelimproof
  14.218 -\ \ %
  14.219 +\ \ \ \ %
  14.220  \endisadelimproof
  14.221  %
  14.222  \isatagproof
  14.223 @@ -367,7 +422,7 @@
  14.224  \ is{\isacharunderscore}sup{\isacharunderscore}uniq{\isacharcolon}\ {\isachardoublequoteopen}{\isasymlbrakk}is{\isacharunderscore}sup\ x\ y\ s{\isacharsemicolon}\ is{\isacharunderscore}sup\ x\ y\ s{\isacharprime}{\isasymrbrakk}\ {\isasymLongrightarrow}\ s\ {\isacharequal}\ s{\isacharprime}{\isachardoublequoteclose}\isanewline
  14.225  %
  14.226  \isadelimproof
  14.227 -\ \ %
  14.228 +\ \ \ \ %
  14.229  \endisadelimproof
  14.230  %
  14.231  \isatagproof
  14.232 @@ -466,17 +521,12 @@
  14.233  \ \ \isacommand{end}\isamarkupfalse%
  14.234  %
  14.235  \begin{isamarkuptext}%
  14.236 -Two commands are provided to inspect locales:
  14.237 -  \isakeyword{print\_locales} lists the names of all locales of the
  14.238 -  current theory; \isakeyword{print\_locale}~$n$ prints the parameters
  14.239 -  and assumptions of locale $n$; \isakeyword{print\_locale!}~$n$
  14.240 -  additionally outputs the conclusions.
  14.241 -
  14.242 -  The syntax of the locale commands discussed in this tutorial is
  14.243 -  shown in Table~\ref{tab:commands}.  The grammer is complete with the
  14.244 -  exception of additional context elements not discussed here.  See the
  14.245 -  Isabelle/Isar Reference Manual~\cite{IsarRef}
  14.246 -  for full documentation.%
  14.247 +The syntax of the locale commands discussed in this tutorial is
  14.248 +  shown in Table~\ref{tab:commands}.  The grammar is complete with the
  14.249 +  exception of the context elements \isakeyword{constrains} and
  14.250 +  \isakeyword{defines}, which are provided for backward
  14.251 +  compatibility.  See the Isabelle/Isar Reference
  14.252 +  Manual~\cite{IsarRef} for full documentation.%
  14.253  \end{isamarkuptext}%
  14.254  \isamarkuptrue%
  14.255  %
  14.256 @@ -488,11 +538,15 @@
  14.257  Algebraic structures are commonly defined by adding operations and
  14.258    properties to existing structures.  For example, partial orders
  14.259    are extended to lattices and total orders.  Lattices are extended to
  14.260 -  distributive lattices.
  14.261 -
  14.262 -  With locales, this inheritance is achieved through \emph{import} of a
  14.263 -  locale.  Import is a separate entity in the locale declaration.  If
  14.264 -  present, it precedes the context elements.%
  14.265 +  distributive lattices.%
  14.266 +\end{isamarkuptext}%
  14.267 +\isamarkuptrue%
  14.268 +%
  14.269 +\begin{isamarkuptext}%
  14.270 +With locales, this kind of inheritance is achieved through
  14.271 +  \emph{import} of locales.  The import part of a locale declaration,
  14.272 +  if present, precedes the context elements.  Here is an example,
  14.273 +  where partial orders are extended to lattices.%
  14.274  \end{isamarkuptext}%
  14.275  \isamarkuptrue%
  14.276  \ \ \isacommand{locale}\isamarkupfalse%
  14.277 @@ -502,14 +556,13 @@
  14.278  \ \ \isakeyword{begin}%
  14.279  \begin{isamarkuptext}%
  14.280  These assumptions refer to the predicates for infimum
  14.281 -  and supremum defined in \isa{partial{\isacharunderscore}order}.  We may now introduce
  14.282 -  the notions of meet and join.%
  14.283 +  and supremum defined for \isa{partial{\isacharunderscore}order} in the previous
  14.284 +  section.  We now introduce the notions of meet and join.%
  14.285  \end{isamarkuptext}%
  14.286  \isamarkuptrue%
  14.287  \ \ \isacommand{definition}\isamarkupfalse%
  14.288  \isanewline
  14.289  \ \ \ \ meet\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasymsqinter}{\isachardoublequoteclose}\ {\isadigit{7}}{\isadigit{0}}{\isacharparenright}\ \isakeyword{where}\ {\isachardoublequoteopen}x\ {\isasymsqinter}\ y\ {\isacharequal}\ {\isacharparenleft}THE\ inf{\isachardot}\ is{\isacharunderscore}inf\ x\ y\ inf{\isacharparenright}{\isachardoublequoteclose}\isanewline
  14.290 -\isanewline
  14.291  \ \ \isacommand{definition}\isamarkupfalse%
  14.292  \isanewline
  14.293  \ \ \ \ join\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasymsqunion}{\isachardoublequoteclose}\ {\isadigit{6}}{\isadigit{5}}{\isacharparenright}\ \isakeyword{where}\ {\isachardoublequoteopen}x\ {\isasymsqunion}\ y\ {\isacharequal}\ {\isacharparenleft}THE\ sup{\isachardot}\ is{\isacharunderscore}sup\ x\ y\ sup{\isacharparenright}{\isachardoublequoteclose}\isanewline
  14.294 @@ -1071,8 +1124,10 @@
  14.295  \ \ \isacommand{end}\isamarkupfalse%
  14.296  %
  14.297  \begin{isamarkuptext}%
  14.298 -Locales for total orders and distributive lattices follow.
  14.299 -  Each comes with an example theorem.%
  14.300 +Locales for total orders and distributive lattices follow to
  14.301 +  establish a sufficiently rich landscape of locales for
  14.302 +  further examples in this tutorial.  Each comes with an example
  14.303 +  theorem.%
  14.304  \end{isamarkuptext}%
  14.305  \isamarkuptrue%
  14.306  \ \ \isacommand{locale}\isamarkupfalse%
  14.307 @@ -1147,12 +1202,13 @@
  14.308  \endisadelimproof
  14.309  %
  14.310  \begin{isamarkuptext}%
  14.311 -The locale hierachy obtained through these declarations is shown in Figure~\ref{fig:lattices}(a).
  14.312 +The locale hierarchy obtained through these declarations is shown in
  14.313 +  Figure~\ref{fig:lattices}(a).
  14.314  
  14.315  \begin{figure}
  14.316  \hrule \vspace{2ex}
  14.317  \begin{center}
  14.318 -\subfigure[Declared hierachy]{
  14.319 +\subfigure[Declared hierarchy]{
  14.320  \begin{tikzpicture}
  14.321    \node (po) at (0,0) {\isa{partial{\isacharunderscore}order}};
  14.322    \node (lat) at (-1.5,-1) {\isa{lattice}};
  14.323 @@ -1201,12 +1257,37 @@
  14.324  \isamarkuptrue%
  14.325  %
  14.326  \begin{isamarkuptext}%
  14.327 -Total orders are lattices.  Hence, by deriving the lattice
  14.328 -  axioms for total orders, the hierarchy may be changed
  14.329 -  and \isa{lattice} be placed between \isa{partial{\isacharunderscore}order}
  14.330 -  and \isa{total{\isacharunderscore}order}, as shown in Figure~\ref{fig:lattices}(b).
  14.331 -  Changes to the locale hierarchy may be declared
  14.332 -  with the \isakeyword{sublocale} command.%
  14.333 +Locales enable to prove theorems abstractly, relative to
  14.334 +  sets of assumptions.  These theorems can then be used in other
  14.335 +  contexts where the assumptions themselves, or
  14.336 +  instances of the assumptions, are theorems.  This form of theorem
  14.337 +  reuse is called \emph{interpretation}.  Locales generalise
  14.338 +  interpretation from theorems to conclusions, enabling the reuse of
  14.339 +  definitions and other constructs that are not part of the
  14.340 +  specifications of the locales.
  14.341 +
  14.342 +  The first from of interpretation we will consider in this tutorial
  14.343 +  is provided by the \isakeyword{sublocale} command.  It enables to
  14.344 +  modify the import hierarchy to reflect the \emph{logical} relation
  14.345 +  between locales.
  14.346 +
  14.347 +  Consider the locale hierarchy from Figure~\ref{fig:lattices}(a).
  14.348 +  Total orders are lattices, although this is not reflected here, and
  14.349 +  definitions, theorems and other conclusions
  14.350 +  from \isa{lattice} are not available in \isa{total{\isacharunderscore}order}.  To
  14.351 +  obtain the situation in Figure~\ref{fig:lattices}(b), it is
  14.352 +  sufficient to add the conclusions of the latter locale to the former.
  14.353 +  The \isakeyword{sublocale} command does exactly this.
  14.354 +  The declaration \isakeyword{sublocale} $l_1
  14.355 +  \subseteq l_2$ causes locale $l_2$ to be \emph{interpreted} in the
  14.356 +  context of $l_1$.  This means that all conclusions of $l_2$ are made
  14.357 +  available in $l_1$.
  14.358 +
  14.359 +  Of course, the change of hierarchy must be supported by a theorem
  14.360 +  that reflects, in our example, that total orders are indeed
  14.361 +  lattices.  Therefore the \isakeyword{sublocale} command generates a
  14.362 +  goal, which must be discharged by the user.  This is illustrated in
  14.363 +  the following paragraphs.  First the sublocale relation is stated.%
  14.364  \end{isamarkuptext}%
  14.365  \isamarkuptrue%
  14.366  %
  14.367 @@ -1218,14 +1299,16 @@
  14.368  \isacommand{sublocale}\isamarkupfalse%
  14.369  \ total{\isacharunderscore}order\ {\isasymsubseteq}\ lattice%
  14.370  \begin{isamarkuptxt}%
  14.371 -This enters the context of locale \isa{total{\isacharunderscore}order}, in
  14.372 +\normalsize
  14.373 +  This enters the context of locale \isa{total{\isacharunderscore}order}, in
  14.374    which the goal \begin{isabelle}%
  14.375  \ {\isadigit{1}}{\isachardot}\ lattice\ op\ {\isasymsqsubseteq}%
  14.376 -\end{isabelle} must be shown.  First, the
  14.377 -  locale predicate needs to be unfolded --- for example using its
  14.378 +\end{isabelle} must be shown.
  14.379 +  Now the
  14.380 +  locale predicate needs to be unfolded --- for example, using its
  14.381    definition or by introduction rules
  14.382 -  provided by the locale package.  The methods \isa{intro{\isacharunderscore}locales}
  14.383 -  and \isa{unfold{\isacharunderscore}locales} automate this.  They are aware of the
  14.384 +  provided by the locale package.  For automation, the locale package
  14.385 +  provides the methods \isa{intro{\isacharunderscore}locales} and \isa{unfold{\isacharunderscore}locales}.  They are aware of the
  14.386    current context and dependencies between locales and automatically
  14.387    discharge goals implied by these.  While \isa{unfold{\isacharunderscore}locales}
  14.388    always unfolds locale predicates to assumptions, \isa{intro{\isacharunderscore}locales} only unfolds definitions along the locale
  14.389 @@ -1234,21 +1317,24 @@
  14.390    is smaller.
  14.391  
  14.392    For the current goal, we would like to get hold of
  14.393 -  the assumptions of \isa{lattice}, hence \isa{unfold{\isacharunderscore}locales}
  14.394 -  is appropriate.%
  14.395 +  the assumptions of \isa{lattice}, which need to be shown, hence
  14.396 +  \isa{unfold{\isacharunderscore}locales} is appropriate.%
  14.397  \end{isamarkuptxt}%
  14.398  \isamarkuptrue%
  14.399  \ \ \isacommand{proof}\isamarkupfalse%
  14.400  \ unfold{\isacharunderscore}locales%
  14.401  \begin{isamarkuptxt}%
  14.402 -Since both \isa{lattice} and \isa{total{\isacharunderscore}order}
  14.403 -  inherit \isa{partial{\isacharunderscore}order}, the assumptions of the latter are
  14.404 -  discharged, and the only subgoals that remain are the assumptions
  14.405 -  introduced in \isa{lattice} \begin{isabelle}%
  14.406 +\normalsize
  14.407 +  Since the fact that both lattices and total orders are partial
  14.408 +  orders is already reflected in the locale hierarchy, the assumptions
  14.409 +  of \isa{partial{\isacharunderscore}order} are discharged automatically, and only the
  14.410 +  assumptions introduced in \isa{lattice} remain as subgoals
  14.411 +  \begin{isabelle}%
  14.412  \ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ y{\isachardot}\ {\isasymexists}inf{\isachardot}\ is{\isacharunderscore}inf\ x\ y\ inf\isanewline
  14.413  \ {\isadigit{2}}{\isachardot}\ {\isasymAnd}x\ y{\isachardot}\ {\isasymexists}sup{\isachardot}\ is{\isacharunderscore}sup\ x\ y\ sup%
  14.414  \end{isabelle}
  14.415 -  The proof for the first subgoal is%
  14.416 +  The proof for the first subgoal is obtained by constructing an
  14.417 +  infimum, whose existence is implied by totality.%
  14.418  \end{isamarkuptxt}%
  14.419  \isamarkuptrue%
  14.420  \ \ \ \ \isacommand{fix}\isamarkupfalse%
  14.421 @@ -1263,7 +1349,8 @@
  14.422  \ {\isachardoublequoteopen}{\isasymexists}inf{\isachardot}\ is{\isacharunderscore}inf\ x\ y\ inf{\isachardoublequoteclose}\ \isacommand{{\isachardot}{\isachardot}}\isamarkupfalse%
  14.423  %
  14.424  \begin{isamarkuptxt}%
  14.425 -The proof for the second subgoal is analogous and not
  14.426 +\normalsize
  14.427 +   The proof for the second subgoal is analogous and not
  14.428    reproduced here.%
  14.429  \end{isamarkuptxt}%
  14.430  \isamarkuptrue%
  14.431 @@ -1315,14 +1402,15 @@
  14.432  \endisadelimvisible
  14.433  %
  14.434  \begin{isamarkuptext}%
  14.435 -Similarly, total orders are distributive lattices.%
  14.436 +Similarly, we may establish that total orders are distributive
  14.437 +  lattices with a second \isakeyword{sublocale} statement.%
  14.438  \end{isamarkuptext}%
  14.439  \isamarkuptrue%
  14.440  \ \ \isacommand{sublocale}\isamarkupfalse%
  14.441  \ total{\isacharunderscore}order\ {\isasymsubseteq}\ distrib{\isacharunderscore}lattice\isanewline
  14.442  %
  14.443  \isadelimproof
  14.444 -\ \ %
  14.445 +\ \ \ \ %
  14.446  \endisadelimproof
  14.447  %
  14.448  \isatagproof
  14.449 @@ -1396,7 +1484,22 @@
  14.450  \endisadelimproof
  14.451  %
  14.452  \begin{isamarkuptext}%
  14.453 -The locale hierarchy is now as shown in Figure~\ref{fig:lattices}(c).%
  14.454 +The locale hierarchy is now as shown in
  14.455 +  Figure~\ref{fig:lattices}(c).%
  14.456 +\end{isamarkuptext}%
  14.457 +\isamarkuptrue%
  14.458 +%
  14.459 +\begin{isamarkuptext}%
  14.460 +Locale interpretation is \emph{dynamic}.  The statement
  14.461 +  \isakeyword{sublocale} $l_1 \subseteq l_2$ will not just add the
  14.462 +  current conclusions of $l_2$ to $l_1$.  Rather the dependency is
  14.463 +  stored, and conclusions that will be
  14.464 +  added to $l_2$ in future are automatically propagated to $l_1$.
  14.465 +  The sublocale relation is transitive --- that is, propagation takes
  14.466 +  effect along chains of sublocales.  Even cycles in the sublocale relation are
  14.467 +  supported, as long as these cycles do not lead to infinite chains.
  14.468 +  Details are discussed in the technical report \cite{Ballarin2006a}.
  14.469 +  See also Section~\ref{sec:infinite-chains} of this tutorial.%
  14.470  \end{isamarkuptext}%
  14.471  \isamarkuptrue%
  14.472  %
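--- a/doc-src/Locales/Locales/document/Examples1.tex
+++ b/doc-src/Locales/Locales/document/Examples1.tex
@@ -18,38 +18,34 @@
 %
 \endisadelimtheory
 %
-\isamarkupsection{Use of Locales in Theories and Proofs%
+\begin{isamarkuptext}%
+\vspace{-5ex}%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isamarkupsection{Use of Locales in Theories and Proofs
+  \label{sec:interpretation}%
 }
 \isamarkuptrue%
 %
 \begin{isamarkuptext}%
-Locales enable to prove theorems abstractly, relative to
-  sets of assumptions.  These theorems can then be used in other
-  contexts where the assumptions themselves, or
-  instances of the assumptions, are theorems.  This form of theorem
-  reuse is called \emph{interpretation}.
+Locales can be interpreted in the contexts of theories and
+  structured proofs.  These interpretations are dynamic, too.
+  Conclusions of locales will be propagated to the current theory or
+  the current proof context.%
+\footnote{Strictly speaking, only interpretation in theories is
+  dynamic since it is not possible to change locales or the locale
+  hierarchy from within a proof.}
+  The focus of this section is on
+  interpretation in theories, but we will also encounter
+  interpretations in proofs, in
+  Section~\ref{sec:local-interpretation}.
 
-  The changes of the locale
-  hierarchy from the previous sections are examples of
-  interpretations.  The command \isakeyword{sublocale} $l_1
-  \subseteq l_2$ is said to \emph{interpret} locale $l_2$ in the
-  context of $l_1$.  It causes all theorems of $l_2$ to be made
-  available in $l_1$.  The interpretation is \emph{dynamic}: not only
-  theorems already present in $l_2$ are available in $l_1$.  Theorems
-  that will be added to $l_2$ in future will automatically be
-  propagated to $l_1$.
-
-  Locales can also be interpreted in the contexts of theories and
-  structured proofs.  These interpretations are dynamic, too.
-  Theorems added to locales will be propagated to theories.
-  In this section the interpretation in
-  theories is illustrated; interpretation in proofs is analogous.
-
-  As an example, consider the type of natural numbers \isa{nat}.  The
-  relation \isa{{\isasymle}} is a total order over \isa{nat},
-  divisibility \isa{dvd} is a distributive lattice.  We start with the
-  interpretation that \isa{{\isasymle}} is a partial order.  The facilities of
-  the interpretation command are explored in three versions.%
+  As an example, consider the type of integers \isa{int}.  The
+  relation \isa{op\ {\isasymle}} is a total order over \isa{int}.  We start
+  with the interpretation that \isa{op\ {\isasymle}} is a partial order.  The
+  facilities of the interpretation command are explored gradually in
+  three versions.%
 \end{isamarkuptext}%
 \isamarkuptrue%
 %
@@ -59,10 +55,10 @@
 \isamarkuptrue%
 %
 \begin{isamarkuptext}%
-In the most basic form, interpretation just replaces the locale
-  parameters by terms.  The following command interprets the locale
-  \isa{partial{\isacharunderscore}order} in the global context of the theory.  The
-  parameter \isa{le} is replaced by \isa{op\ {\isasymle}}.%
+The command \isakeyword{interpretation} is for the interpretation of
+  locale in theories.  In the following example, the parameter of locale
+  \isa{partial{\isacharunderscore}order} is replaced by \isa{op\ {\isasymle}} and the locale instance is interpreted in the current
+  theory.%
 \end{isamarkuptext}%
 \isamarkuptrue%
 %
@@ -72,17 +68,20 @@
 %
 \isatagvisible
 \isacommand{interpretation}\isamarkupfalse%
-\ nat{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}%
+\ int{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ int\ {\isasymRightarrow}\ int\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}%
 \begin{isamarkuptxt}%
-The locale name is succeeded by a \emph{parameter
-  instantiation}.  This is a list of terms, which refer to
-  the parameters in the order of declaration in the locale.  The
-  locale name is preceded by an optional \emph{interpretation
-  qualifier}, here \isa{nat}.
+\normalsize
+  The argument of the command is a simple \emph{locale expression}
+  consisting of the name of the interpreted locale, which is
+  preceded by the qualifier \isa{int{\isacharcolon}} and succeeded by a
+  white-space-separated list of terms, which provide a full
+  instantiation of the locale parameters.  The parameters are referred
+  to by order of declaration, which is also the order in which
+  \isakeyword{print\_locale} outputs them.  The locale has only a
+  single parameter, hence the list of instantiation terms is a
+  singleton.
 
-  The command creates the goal%
-\footnote{Note that \isa{op} binds tighter than functions
-  application: parentheses around \isa{op\ {\isasymle}} are not necessary.}
+  The command creates the goal
   \begin{isabelle}%
 \ {\isadigit{1}}{\isachardot}\ partial{\isacharunderscore}order\ op\ {\isasymle}%
 \end{isabelle} which can be shown easily:%
@@ -98,17 +97,15 @@
 \endisadelimvisible
 %
 \begin{isamarkuptext}%
-Now theorems from the locale are available in the theory,
-  interpreted for natural numbers, for example \isa{nat{\isachardot}trans}: \begin{isabelle}%
+The effect of the command is that instances of all
+  conclusions of the locale are available in the theory, where names
+  are prefixed by the qualifier.  For example, transitivity for \isa{int} is named \isa{int{\isachardot}trans} and is the following
+  theorem:
+  \begin{isabelle}%
 \ \ {\isasymlbrakk}{\isacharquery}x\ {\isasymle}\ {\isacharquery}y{\isacharsemicolon}\ {\isacharquery}y\ {\isasymle}\ {\isacharquery}z{\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isacharquery}x\ {\isasymle}\ {\isacharquery}z%
 \end{isabelle}
-
-  The interpretation qualifier, \isa{nat} in the example, is applied
-  to all names processed by the interpretation.  If a qualifer is
-  given in the \isakeyword{interpretation} command, its use is
-  mandatory when referencing the name.  For example, the above theorem
-  cannot be referred to simply by \isa{trans}.  This prevents
-  unwanted hiding of theorems.%
+  It is not possible to reference this theorem simply as \isa{trans}.  This prevents unwanted hiding of existing theorems of the
+  theory by an interpretation.%
 \end{isamarkuptext}%
 \isamarkuptrue%
 %
@@ -117,16 +114,27 @@
 \isamarkuptrue%
 %
 \begin{isamarkuptext}%
-The above interpretation also creates the theorem
-  \isa{nat{\isachardot}less{\isacharunderscore}le{\isacharunderscore}trans}: \begin{isabelle}%
+Not only does the above interpretation qualify theorem names.
+  The prefix \isa{int} is applied to all names introduced in locale
+  conclusions including names introduced in definitions.  The
+  qualified name \isa{int{\isachardot}less} is short for
+  the interpretation of the definition, which is \isa{partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}}.
+  Qualified name and expanded form may be used almost
+  interchangeably.%
+\footnote{Since \isa{op\ {\isasymle}} is polymorphic, for \isa{partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}} a
+  more general type will be inferred than for \isa{int{\isachardot}less} which
+  is over type \isa{int}.}
+  The latter is preferred on output, as for example in the theorem
+  \isa{int{\isachardot}less{\isacharunderscore}le{\isacharunderscore}trans}: \begin{isabelle}%
 \ \ {\isasymlbrakk}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharquery}x\ {\isacharquery}y{\isacharsemicolon}\ {\isacharquery}y\ {\isasymle}\ {\isacharquery}z{\isasymrbrakk}\isanewline
 \isaindent{\ \ }{\isasymLongrightarrow}\ partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharquery}x\ {\isacharquery}z%
 \end{isabelle}
-  Here, \isa{partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}}
-  represents the strict order, although \isa{{\isacharless}} is the natural
-  strict order for \isa{nat}.  Interpretation allows to map concepts
-  introduced by definitions in locales to the corresponding
-  concepts of the theory.%
+  Both notations for the strict order are not satisfactory.  The
+  constant \isa{op\ {\isacharless}} is the strict order for \isa{int}.
+  In order to allow for the desired replacement, interpretation
+  accepts \emph{equations} in addition to the parameter instantiation.
+  These follow the locale expression and are indicated with the
+  keyword \isakeyword{where}.  This is the revised interpretation:%
 \end{isamarkuptext}%
 \isamarkuptrue%
 %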
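--- a/doc-src/Locales/Locales/document/Examples2.tex
+++ b/doc-src/Locales/Locales/document/Examples2.tex
@@ -19,47 +19,45 @@
 \endisadelimtheory
 %
 \begin{isamarkuptext}%
-This is achieved by unfolding suitable equations during
-  interpretation.  These equations are given after the keyword
-  \isakeyword{where} and require proofs.  The revised command
-  that replaces \isa{{\isasymsqsubset}} by \isa{{\isacharless}} is:%
+\vspace{-5ex}%
 \end{isamarkuptext}%
 \isamarkuptrue%
 %
 \isadelimvisible
-%
+\ \ %
 \endisadelimvisible
 %
 \isatagvisible
 \isacommand{interpretation}\isamarkupfalse%
-\ nat{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ {\isacharbrackleft}nat{\isacharcomma}\ nat{\isacharbrackright}\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
-\ \ \isakeyword{where}\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ {\isacharless}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\isacommand{proof}\isamarkupfalse%
+\ int{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ {\isacharbrackleft}int{\isacharcomma}\ int{\isacharbrackright}\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
+\ \ \ \ \isakeyword{where}\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}int{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ {\isacharless}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
+\ \ \isacommand{proof}\isamarkupfalse%
 \ {\isacharminus}%
 \begin{isamarkuptxt}%
-The goals are \begin{isabelle}%
+\normalsize The goals are now:
+      \begin{isabelle}%
 \ {\isadigit{1}}{\isachardot}\ partial{\isacharunderscore}order\ op\ {\isasymle}\isanewline
 \ {\isadigit{2}}{\isachardot}\ partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ x\ y\ {\isacharequal}\ {\isacharparenleft}x\ {\isacharless}\ y{\isacharparenright}%
 \end{isabelle}
-    The proof that \isa{{\isasymle}} is a partial order is as above.%
+      The proof that~\isa{{\isasymle}} is a partial order is as above.%
 \end{isamarkuptxt}%
 \isamarkuptrue%
-\ \ \isacommand{show}\isamarkupfalse%
-\ {\isachardoublequoteopen}partial{\isacharunderscore}order\ {\isacharparenleft}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ \ \ \isacommand{by}\isamarkupfalse%
+\ \ \ \ \isacommand{show}\isamarkupfalse%
+\ {\isachardoublequoteopen}partial{\isacharunderscore}order\ {\isacharparenleft}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ int\ {\isasymRightarrow}\ int\ {\isasymRightarrow}\ bool{\isacharparenright}{\isachardoublequoteclose}\isanewline
+\ \ \ \ \ \ \isacommand{by}\isamarkupfalse%
 \ unfold{\isacharunderscore}locales\ auto%
 \begin{isamarkuptxt}%
-The second goal is shown by unfolding the
-    definition of \isa{partial{\isacharunderscore}order{\isachardot}less}.%
+\normalsize The second goal is shown by unfolding the
+      definition of \isa{partial{\isacharunderscore}order{\isachardot}less}.%
 \end{isamarkuptxt}%
 \isamarkuptrue%
-\ \ \isacommand{show}\isamarkupfalse%
-\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ {\isacharless}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ \ \ \isacommand{unfolding}\isamarkupfalse%
+\ \ \ \ \isacommand{show}\isamarkupfalse%
+\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}int{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ {\isacharless}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
+\ \ \ \ \ \ \isacommand{unfolding}\isamarkupfalse%
 \ partial{\isacharunderscore}order{\isachardot}less{\isacharunderscore}def\ {\isacharbrackleft}OF\ {\isacharbackquoteopen}partial{\isacharunderscore}order\ op\ {\isasymle}{\isacharbackquoteclose}{\isacharbrackright}\isanewline
-\ \ \ \ \isacommand{by}\isamarkupfalse%
+\ \ \ \ \ \ \isacommand{by}\isamarkupfalse%
 \ auto\isanewline
-\isacommand{qed}\isamarkupfalse%
+\ \ \isacommand{qed}\isamarkupfalse%
 %
 \endisatagvisible
 {\isafoldvisible}%
@@ -69,8 +67,8 @@
 \endisadelimvisible
 %
 \begin{isamarkuptext}%
-Note that the above proof is not in the context of a locale.
-  Hence, the correct interpretation of \isa{partial{\isacharunderscore}order{\isachardot}less{\isacharunderscore}def} is obtained manually with \isa{OF}.%
+Note that the above proof is not in the context of the
+  interpreted locale.  Hence, the premise of \isa{partial{\isacharunderscore}order{\isachardot}less{\isacharunderscore}def} is discharged manually with \isa{OF}.%
 \end{isamarkuptext}%
 \isamarkuptrue%
 %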
    17.1 --- a/doc-src/Locales/Locales/document/Examples3.tex	Wed Oct 21 16:54:04 2009 +0200
    17.2 +++ b/doc-src/Locales/Locales/document/Examples3.tex	Wed Oct 21 16:57:57 2009 +0200
    17.3 @@ -18,47 +18,54 @@
    17.4  %
    17.5  \endisadelimtheory
    17.6  %
    17.7 -\isamarkupsubsection{Third Version: Local Interpretation%
    17.8 +\begin{isamarkuptext}%
    17.9 +\vspace{-5ex}%
   17.10 +\end{isamarkuptext}%
   17.11 +\isamarkuptrue%
   17.12 +%
   17.13 +\isamarkupsubsection{Third Version: Local Interpretation
   17.14 +  \label{sec:local-interpretation}%
   17.15  }
   17.16  \isamarkuptrue%
   17.17  %
   17.18  \begin{isamarkuptext}%
   17.19 -In the above example, the fact that \isa{{\isasymle}} is a partial
   17.20 -  order for the natural numbers was used in the proof of the
   17.21 -  second goal.  In general, proofs of the equations may involve
   17.22 -  theorems implied by the fact the assumptions of the instantiated
   17.23 -  locale hold for the instantiating structure.  If these theorems have
   17.24 -  been shown abstractly in the locale they can be made available
   17.25 -  conveniently in the context through an auxiliary local interpretation (keyword
   17.26 -  \isakeyword{interpret}).  This interpretation is inside the proof of the global
   17.27 -  interpretation.  The third revision of the example illustrates this.%
   17.28 +In the above example, the fact that \isa{op\ {\isasymle}} is a partial
   17.29 +  order for the integers was used in the second goal to
   17.30 +  discharge the premise in the definition of \isa{op\ {\isasymsqsubset}}.  In
   17.31 +  general, proofs of the equations not only may involve definitions
   17.32 +  from the interpreted locale but arbitrarily complex arguments in the
   17.33 +  context of the locale.  Therefore is would be convenient to have the
   17.34 +  interpreted locale conclusions temporary available in the proof.
   17.35 +  This can be achieved by a locale interpretation in the proof body.
   17.36 +  The command for local interpretations is \isakeyword{interpret}.  We
   17.37 +  repeat the example from the previous section to illustrate this.%
   17.38  \end{isamarkuptext}%
   17.39  \isamarkuptrue%
   17.40  %
   17.41  \isadelimvisible
   17.42 -%
   17.43 +\ \ %
   17.44  \endisadelimvisible
   17.45  %
   17.46  \isatagvisible
   17.47  \isacommand{interpretation}\isamarkupfalse%
   17.48 -\ nat{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
   17.49 -\ \ \isakeyword{where}\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ {\isacharless}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
   17.50 -\isacommand{proof}\isamarkupfalse%
   17.51 +\ int{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ int\ {\isasymRightarrow}\ int\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
   17.52 +\ \ \ \ \isakeyword{where}\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}int{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ {\isacharless}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
   17.53 +\ \ \isacommand{proof}\isamarkupfalse%
   17.54  \ {\isacharminus}\isanewline
   17.55 -\ \ \isacommand{show}\isamarkupfalse%
   17.56 -\ {\isachardoublequoteopen}partial{\isacharunderscore}order\ {\isacharparenleft}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isacharparenright}{\isachardoublequoteclose}\isanewline
   17.57 -\ \ \ \ \isacommand{by}\isamarkupfalse%
   17.58 +\ \ \ \ \isacommand{show}\isamarkupfalse%
   17.59 +\ {\isachardoublequoteopen}partial{\isacharunderscore}order\ {\isacharparenleft}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ int\ {\isasymRightarrow}\ int\ {\isasymRightarrow}\ bool{\isacharparenright}{\isachardoublequoteclose}\isanewline
   17.60 +\ \ \ \ \ \ \isacommand{by}\isamarkupfalse%
   17.61  \ unfold{\isacharunderscore}locales\ auto\isanewline
   17.62 -\ \ \isacommand{then}\isamarkupfalse%
   17.63 +\ \ \ \ \isacommand{then}\isamarkupfalse%
   17.64  \ \isacommand{interpret}\isamarkupfalse%
   17.65 -\ nat{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ {\isacharbrackleft}nat{\isacharcomma}\ nat{\isacharbrackright}\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\ \isacommand{{\isachardot}}\isamarkupfalse%
   17.66 +\ int{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ {\isacharbrackleft}int{\isacharcomma}\ int{\isacharbrackright}\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\ \isacommand{{\isachardot}}\isamarkupfalse%
   17.67  \isanewline
   17.68 -\ \ \isacommand{show}\isamarkupfalse%
   17.69 -\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ {\isacharless}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
   17.70 -\ \ \ \ \isacommand{unfolding}\isamarkupfalse%
   17.71 -\ nat{\isachardot}less{\isacharunderscore}def\ \isacommand{by}\isamarkupfalse%
   17.72 +\ \ \ \ \isacommand{show}\isamarkupfalse%
   17.73 +\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}int{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ {\isacharless}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
   17.74 +\ \ \ \ \ \ \isacommand{unfolding}\isamarkupfalse%
   17.75 +\ int{\isachardot}less{\isacharunderscore}def\ \isacommand{by}\isamarkupfalse%
   17.76  \ auto\isanewline
   17.77 -\isacommand{qed}\isamarkupfalse%
   17.78 +\ \ \isacommand{qed}\isamarkupfalse%
   17.79  %
   17.80  \endisatagvisible
   17.81  {\isafoldvisible}%
   17.82 @@ -68,15 +75,14 @@
   17.83  \endisadelimvisible
   17.84  %
   17.85  \begin{isamarkuptext}%
   17.86 -The inner interpretation does not require an elaborate new
   17.87 -  proof, it is immediate from the preceding fact and proved with
   17.88 -  ``.''.  It enriches the local proof context by the very theorems
   17.89 +The inner interpretation is immediate from the preceding fact
   17.90 +  and proved by assumption (Isar short hand ``.'').  It enriches the
   17.91 +  local proof context by the theorems
   17.92    also obtained in the interpretation from Section~\ref{sec:po-first},
   17.93 -  and \isa{nat{\isachardot}less{\isacharunderscore}def} may directly be used to unfold the
   17.94 +  and \isa{int{\isachardot}less{\isacharunderscore}def} may directly be used to unfold the
   17.95    definition.  Theorems from the local interpretation disappear after
   17.96 -  leaving the proof context --- that is, after the closing
   17.97 -  \isakeyword{qed} --- and are then replaced by those with the desired
   17.98 -  substitutions of the strict order.%
   17.99 +  leaving the proof context --- that is, after the succeeding
  17.100 +  \isakeyword{next} or \isakeyword{qed} statement.%
  17.101  \end{isamarkuptext}%
  17.102  \isamarkuptrue%
  17.103  %
  17.104 @@ -85,71 +91,80 @@
  17.105  \isamarkuptrue%
  17.106  %
  17.107  \begin{isamarkuptext}%
  17.108 -Further interpretations are necessary to reuse theorems from
  17.109 -  the other locales.  In \isa{lattice} the operations \isa{{\isasymsqinter}} and
  17.110 -  \isa{{\isasymsqunion}} are substituted by \isa{min} and
  17.111 -  \isa{max}.  The entire proof for the
  17.112 -  interpretation is reproduced in order to give an example of a more
  17.113 -  elaborate interpretation proof.%
  17.114 +Further interpretations are necessary for
  17.115 +  the other locales.  In \isa{lattice} the operations~\isa{{\isasymsqinter}}
  17.116 +  and~\isa{{\isasymsqunion}} are substituted by \isa{min}
  17.117 +  and \isa{max}.  The entire proof for the
  17.118 +  interpretation is reproduced to give an example of a more
  17.119 +  elaborate interpretation proof.  Note that the equations are named
  17.120 +  so they can be used in a later example.%
  17.121  \end{isamarkuptext}%
  17.122  \isamarkuptrue%
  17.123  %
  17.124  \isadelimvisible
  17.125 -%
  17.126 +\ \ %
  17.127  \endisadelimvisible
  17.128  %
  17.129  \isatagvisible
  17.130  \isacommand{interpretation}\isamarkupfalse%
  17.131 -\ nat{\isacharcolon}\ lattice\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
  17.132 -\ \ \isakeyword{where}\ {\isachardoublequoteopen}lattice{\isachardot}meet\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ min\ x\ y{\isachardoublequoteclose}\isanewline
  17.133 -\ \ \ \ \isakeyword{and}\ {\isachardoublequoteopen}lattice{\isachardot}join\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ max\ x\ y{\isachardoublequoteclose}\isanewline
  17.134 -\isacommand{proof}\isamarkupfalse%
  17.135 +\ int{\isacharcolon}\ lattice\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ int\ {\isasymRightarrow}\ int\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
  17.136 +\ \ \ \ \isakeyword{where}\ int{\isacharunderscore}min{\isacharunderscore}eq{\isacharcolon}\ {\isachardoublequoteopen}lattice{\isachardot}meet\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}int{\isacharparenright}\ y\ {\isacharequal}\ min\ x\ y{\isachardoublequoteclose}\isanewline
  17.137 +\ \ \ \ \ \ \isakeyword{and}\ int{\isacharunderscore}max{\isacharunderscore}eq{\isacharcolon}\ {\isachardoublequoteopen}lattice{\isachardot}join\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}int{\isacharparenright}\ y\ {\isacharequal}\ max\ x\ y{\isachardoublequoteclose}\isanewline
  17.138 +\ \ \isacommand{proof}\isamarkupfalse%
  17.139  \ {\isacharminus}\isanewline
  17.140 -\ \ \isacommand{show}\isamarkupfalse%
  17.141 -\ {\isachardoublequoteopen}lattice\ {\isacharparenleft}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isacharparenright}{\isachardoublequoteclose}%
  17.142 +\ \ \ \ \isacommand{show}\isamarkupfalse%
  17.143 +\ {\isachardoublequoteopen}lattice\ {\isacharparenleft}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ int\ {\isasymRightarrow}\ int\ {\isasymRightarrow}\ bool{\isacharparenright}{\isachardoublequoteclose}%
  17.144  \begin{isamarkuptxt}%
  17.145 -We have already shown that this is a partial order,%
  17.146 +\normalsize We have already shown that this is a partial
  17.147 +	order,%
  17.148  \end{isamarkuptxt}%
  17.149  \isamarkuptrue%
  17.150 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.151 +\ \ \ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.152  \ unfold{\isacharunderscore}locales%
  17.153  \begin{isamarkuptxt}%
  17.154 -hence only the lattice axioms remain to be shown: \begin{isabelle}%
  17.155 +\normalsize hence only the lattice axioms remain to be
  17.156 +	shown.
  17.157 +        \begin{isabelle}%
  17.158  \ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ y{\isachardot}\ {\isasymexists}inf{\isachardot}\ partial{\isacharunderscore}order{\isachardot}is{\isacharunderscore}inf\ op\ {\isasymle}\ x\ y\ inf\isanewline
  17.159  \ {\isadigit{2}}{\isachardot}\ {\isasymAnd}x\ y{\isachardot}\ {\isasymexists}sup{\isachardot}\ partial{\isacharunderscore}order{\isachardot}is{\isacharunderscore}sup\ op\ {\isasymle}\ x\ y\ sup%
  17.160 -\end{isabelle}  After unfolding \isa{is{\isacharunderscore}inf} and \isa{is{\isacharunderscore}sup},%
  17.161 +\end{isabelle}
  17.162 +	By \isa{is{\isacharunderscore}inf} and \isa{is{\isacharunderscore}sup},%
  17.163  \end{isamarkuptxt}%
  17.164  \isamarkuptrue%
  17.165 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.166 -\ {\isacharparenleft}unfold\ nat{\isachardot}is{\isacharunderscore}inf{\isacharunderscore}def\ nat{\isachardot}is{\isacharunderscore}sup{\isacharunderscore}def{\isacharparenright}%
  17.167 +\ \ \ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.168 +\ {\isacharparenleft}unfold\ int{\isachardot}is{\isacharunderscore}inf{\isacharunderscore}def\ int{\isachardot}is{\isacharunderscore}sup{\isacharunderscore}def{\isacharparenright}%
  17.169  \begin{isamarkuptxt}%
  17.170 -the goals become \begin{isabelle}%
  17.171 +\normalsize the goals are transformed to these
  17.172 +	statements:
  17.173 +	\begin{isabelle}%
  17.174  \ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ y{\isachardot}\ {\isasymexists}inf{\isasymle}x{\isachardot}\ inf\ {\isasymle}\ y\ {\isasymand}\ {\isacharparenleft}{\isasymforall}z{\isachardot}\ z\ {\isasymle}\ x\ {\isasymand}\ z\ {\isasymle}\ y\ {\isasymlongrightarrow}\ z\ {\isasymle}\ inf{\isacharparenright}\isanewline
  17.175  \ {\isadigit{2}}{\isachardot}\ {\isasymAnd}x\ y{\isachardot}\ {\isasymexists}sup{\isasymge}x{\isachardot}\ y\ {\isasymle}\ sup\ {\isasymand}\ {\isacharparenleft}{\isasymforall}z{\isachardot}\ x\ {\isasymle}\ z\ {\isasymand}\ y\ {\isasymle}\ z\ {\isasymlongrightarrow}\ sup\ {\isasymle}\ z{\isacharparenright}%
  17.176 -\end{isabelle} which can be solved
  17.177 -      by Presburger arithmetic.%
  17.178 +\end{isabelle}
  17.179 +	This is Presburger arithmetic, which can be solved by the
  17.180 +	method \isa{arith}.%
  17.181  \end{isamarkuptxt}%
  17.182  \isamarkuptrue%
  17.183 -\ \ \ \ \isacommand{by}\isamarkupfalse%
  17.184 +\ \ \ \ \ \ \isacommand{by}\isamarkupfalse%
  17.185  \ arith{\isacharplus}%
  17.186  \begin{isamarkuptxt}%
  17.187 -In order to show the equations, we put ourselves in a
  17.188 -    situation where the lattice theorems can be used in a convenient way.%
  17.189 +\normalsize In order to show the equations, we put ourselves
  17.190 +      in a situation where the lattice theorems can be used in a
  17.191 +      convenient way.%
  17.192  \end{isamarkuptxt}%
  17.193  \isamarkuptrue%
  17.194 -\ \ \isacommand{then}\isamarkupfalse%
  17.195 +\ \ \ \ \isacommand{then}\isamarkupfalse%
  17.196  \ \isacommand{interpret}\isamarkupfalse%
  17.197 -\ nat{\isacharcolon}\ lattice\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\ \isacommand{{\isachardot}}\isamarkupfalse%
  17.198 +\ int{\isacharcolon}\ lattice\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ int\ {\isasymRightarrow}\ int\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\ \isacommand{{\isachardot}}\isamarkupfalse%
  17.199  \isanewline
  17.200 -\ \ \isacommand{show}\isamarkupfalse%
  17.201 -\ {\isachardoublequoteopen}lattice{\isachardot}meet\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ min\ x\ y{\isachardoublequoteclose}\isanewline
  17.202 -\ \ \ \ \isacommand{by}\isamarkupfalse%
  17.203 -\ {\isacharparenleft}bestsimp\ simp{\isacharcolon}\ nat{\isachardot}meet{\isacharunderscore}def\ nat{\isachardot}is{\isacharunderscore}inf{\isacharunderscore}def{\isacharparenright}\isanewline
  17.204 -\ \ \isacommand{show}\isamarkupfalse%
  17.205 -\ {\isachardoublequoteopen}lattice{\isachardot}join\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ max\ x\ y{\isachardoublequoteclose}\isanewline
  17.206 -\ \ \ \ \isacommand{by}\isamarkupfalse%
  17.207 -\ {\isacharparenleft}bestsimp\ simp{\isacharcolon}\ nat{\isachardot}join{\isacharunderscore}def\ nat{\isachardot}is{\isacharunderscore}sup{\isacharunderscore}def{\isacharparenright}\isanewline
  17.208 -\isacommand{qed}\isamarkupfalse%
  17.209 +\ \ \ \ \isacommand{show}\isamarkupfalse%
  17.210 +\ {\isachardoublequoteopen}lattice{\isachardot}meet\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}int{\isacharparenright}\ y\ {\isacharequal}\ min\ x\ y{\isachardoublequoteclose}\isanewline
  17.211 +\ \ \ \ \ \ \isacommand{by}\isamarkupfalse%
  17.212 +\ {\isacharparenleft}bestsimp\ simp{\isacharcolon}\ int{\isachardot}meet{\isacharunderscore}def\ int{\isachardot}is{\isacharunderscore}inf{\isacharunderscore}def{\isacharparenright}\isanewline
  17.213 +\ \ \ \ \isacommand{show}\isamarkupfalse%
  17.214 +\ {\isachardoublequoteopen}lattice{\isachardot}join\ op\ {\isasymle}\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}int{\isacharparenright}\ y\ {\isacharequal}\ max\ x\ y{\isachardoublequoteclose}\isanewline
  17.215 +\ \ \ \ \ \ \isacommand{by}\isamarkupfalse%
  17.216 +\ {\isacharparenleft}bestsimp\ simp{\isacharcolon}\ int{\isachardot}join{\isacharunderscore}def\ int{\isachardot}is{\isacharunderscore}sup{\isacharunderscore}def{\isacharparenright}\isanewline
  17.217 +\ \ \isacommand{qed}\isamarkupfalse%
  17.218  %
  17.219  \endisatagvisible
  17.220  {\isafoldvisible}%
  17.221 @@ -159,18 +174,19 @@
  17.222  \endisadelimvisible
  17.223  %
  17.224  \begin{isamarkuptext}%
  17.225 -Next follows that \isa{{\isasymle}} is a total order.%
  17.226 +Next follows that \isa{op\ {\isasymle}} is a total order, again for
  17.227 +  the integers.%
  17.228  \end{isamarkuptext}%
  17.229  \isamarkuptrue%
  17.230  %
  17.231  \isadelimvisible
  17.232 -%
  17.233 +\ \ %
  17.234  \endisadelimvisible
  17.235  %
  17.236  \isatagvisible
  17.237  \isacommand{interpretation}\isamarkupfalse%
  17.238 -\ nat{\isacharcolon}\ total{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
  17.239 -\ \ \isacommand{by}\isamarkupfalse%
  17.240 +\ int{\isacharcolon}\ total{\isacharunderscore}order\ {\isachardoublequoteopen}op\ {\isasymle}\ {\isacharcolon}{\isacharcolon}\ int\ {\isasymRightarrow}\ int\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
  17.241 +\ \ \ \ \isacommand{by}\isamarkupfalse%
  17.242  \ unfold{\isacharunderscore}locales\ arith%
  17.243  \endisatagvisible
  17.244  {\isafoldvisible}%
  17.245 @@ -181,261 +197,69 @@
  17.246  %
  17.247  \begin{isamarkuptext}%
  17.248  Theorems that are available in the theory at this point are shown in
  17.249 -  Table~\ref{tab:nat-lattice}.
  17.250 +  Table~\ref{tab:int-lattice}.  Two points are worth noting:
  17.251  
  17.252  \begin{table}
  17.253  \hrule
  17.254  \vspace{2ex}
  17.255  \begin{center}
  17.256  \begin{tabular}{l}
  17.257 -  \isa{nat{\isachardot}less{\isacharunderscore}def} from locale \isa{partial{\isacharunderscore}order}: \\
  17.258 +  \isa{int{\isachardot}less{\isacharunderscore}def} from locale \isa{partial{\isacharunderscore}order}: \\
  17.259    \quad \isa{{\isacharparenleft}{\isacharquery}x\ {\isacharless}\ {\isacharquery}y{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}{\isacharquery}x\ {\isasymle}\ {\isacharquery}y\ {\isasymand}\ {\isacharquery}x\ {\isasymnoteq}\ {\isacharquery}y{\isacharparenright}} \\
  17.260 -  \isa{nat{\isachardot}meet{\isacharunderscore}left} from locale \isa{lattice}: \\
  17.261 +  \isa{int{\isachardot}meet{\isacharunderscore}left} from locale \isa{lattice}: \\
  17.262    \quad \isa{min\ {\isacharquery}x\ {\isacharquery}y\ {\isasymle}\ {\isacharquery}x} \\
  17.263 -  \isa{nat{\isachardot}join{\isacharunderscore}distr} from locale \isa{distrib{\isacharunderscore}lattice}: \\
  17.264 +  \isa{int{\isachardot}join{\isacharunderscore}distr} from locale \isa{distrib{\isacharunderscore}lattice}: \\
  17.265    \quad \isa{max\ {\isacharquery}x\ {\isacharparenleft}min\ {\isacharquery}y\ {\isacharquery}z{\isacharparenright}\ {\isacharequal}\ min\ {\isacharparenleft}max\ {\isacharquery}x\ {\isacharquery}y{\isacharparenright}\ {\isacharparenleft}max\ {\isacharquery}x\ {\isacharquery}z{\isacharparenright}} \\
  17.266 -  \isa{nat{\isachardot}less{\isacharunderscore}total} from locale \isa{total{\isacharunderscore}order}: \\
  17.267 +  \isa{int{\isachardot}less{\isacharunderscore}total} from locale \isa{total{\isacharunderscore}order}: \\
  17.268    \quad \isa{{\isacharquery}x\ {\isacharless}\ {\isacharquery}y\ {\isasymor}\ {\isacharquery}x\ {\isacharequal}\ {\isacharquery}y\ {\isasymor}\ {\isacharquery}y\ {\isacharless}\ {\isacharquery}x}
  17.269  \end{tabular}
  17.270  \end{center}
  17.271  \hrule
  17.272 -\caption{Interpreted theorems for \isa{{\isasymle}} on the natural numbers.}
  17.273 -\label{tab:nat-lattice}
  17.274 +\caption{Interpreted theorems for~\isa{{\isasymle}} on the integers.}
  17.275 +\label{tab:int-lattice}
  17.276  \end{table}
  17.277  
  17.278 -  Note that since the locale hierarchy reflects that total orders are
  17.279 -  distributive lattices, an explicit interpretation of distributive
  17.280 -  lattices for the order relation on natural numbers is not neccessary.
  17.281 -
  17.282 -  Why not push this idea further and just give the last interpretation
  17.283 -  as a single interpretation instead of the sequence of three?  The
  17.284 -  reasons for this are twofold:
  17.285  \begin{itemize}
  17.286  \item
  17.287 -  Often it is easier to work in an incremental fashion, because later
  17.288 -  interpretations require theorems provided by earlier
  17.289 -  interpretations.
  17.290 +  Locale \isa{distrib{\isacharunderscore}lattice} was also interpreted.  Since the
  17.291 +  locale hierarchy reflects that total orders are distributive
  17.292 +  lattices, the interpretation of the latter was inserted
  17.293 +  automatically with the interpretation of the former.  In general,
  17.294 +  interpretation traverses the locale hierarchy upwards and interprets
  17.295 +  all encountered locales, regardless whether imported or proved via
  17.296 +  the \isakeyword{sublocale} command.  Existing interpretations are
  17.297 +  skipped avoiding duplicate work.
  17.298  \item
  17.299 -  Assume that a definition is made in some locale $l_1$, and that $l_2$
  17.300 -  imports $l_1$.  Let an equation for the definition be
  17.301 -  proved in an interpretation of $l_2$.  The equation will be unfolded
  17.302 -  in interpretations of theorems added to $l_2$ or below in the import
  17.303 -  hierarchy, but not for theorems added above $l_2$.
  17.304 -  Hence, an equation interpreting a definition should always be given in
  17.305 -  an interpretation of the locale where the definition is made, not in
  17.306 -  an interpretation of a locale further down the hierarchy.
  17.307 +  The predicate \isa{op\ {\isacharless}} appears in theorem \isa{int{\isachardot}less{\isacharunderscore}total}
  17.308 +  although an equation for the replacement of \isa{op\ {\isasymsqsubset}} was only
  17.309 +  given in the interpretation of \isa{partial{\isacharunderscore}order}.  The
  17.310 +  interpretation equations are pushed downwards the hierarchy for
  17.311 +  related interpretations --- that is, for interpretations that share
  17.312 +  the instances of parameters they have in common.
  17.313  \end{itemize}%
  17.314  \end{isamarkuptext}%
  17.315  \isamarkuptrue%
  17.316  %
  17.317 -\isamarkupsubsection{Lattice \isa{dvd} on \isa{nat}%
  17.318 -}
  17.319 -\isamarkuptrue%
  17.320 -%
  17.321  \begin{isamarkuptext}%
  17.322 -Divisibility on the natural numbers is a distributive lattice
  17.323 -  but not a total order.  Interpretation again proceeds
  17.324 -  incrementally.%
  17.325 -\end{isamarkuptext}%
  17.326 -\isamarkuptrue%
  17.327 -\isacommand{interpretation}\isamarkupfalse%
  17.328 -\ nat{\isacharunderscore}dvd{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
  17.329 -\ \ \isakeyword{where}\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ dvd\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ dvd\ y\ {\isasymand}\ x\ {\isasymnoteq}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
  17.330 -%
  17.331 -\isadelimproof
  17.332 -%
  17.333 -\endisadelimproof
  17.334 -%
  17.335 -\isatagproof
  17.336 -\isacommand{proof}\isamarkupfalse%
  17.337 -\ {\isacharminus}\isanewline
  17.338 -\ \ \isacommand{show}\isamarkupfalse%
  17.339 -\ {\isachardoublequoteopen}partial{\isacharunderscore}order\ {\isacharparenleft}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isacharparenright}{\isachardoublequoteclose}\isanewline
  17.340 -\ \ \ \ \isacommand{by}\isamarkupfalse%
  17.341 -\ unfold{\isacharunderscore}locales\ {\isacharparenleft}auto\ simp{\isacharcolon}\ dvd{\isacharunderscore}def{\isacharparenright}\isanewline
  17.342 -\ \ \isacommand{then}\isamarkupfalse%
  17.343 -\ \isacommand{interpret}\isamarkupfalse%
  17.344 -\ nat{\isacharunderscore}dvd{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\ \isacommand{{\isachardot}}\isamarkupfalse%
  17.345 -\isanewline
  17.346 -\ \ \isacommand{show}\isamarkupfalse%
  17.347 -\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}less\ op\ dvd\ {\isacharparenleft}x{\isacharcolon}{\isacharcolon}nat{\isacharparenright}\ y\ {\isacharequal}\ {\isacharparenleft}x\ dvd\ y\ {\isasymand}\ x\ {\isasymnoteq}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
  17.348 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.349 -\ {\isacharparenleft}unfold\ nat{\isacharunderscore}dvd{\isachardot}less{\isacharunderscore}def{\isacharparenright}\isanewline
  17.350 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.351 -\ auto\isanewline
  17.352 -\ \ \ \ \isacommand{done}\isamarkupfalse%
  17.353 -\isanewline
  17.354 -\isacommand{qed}\isamarkupfalse%
  17.355 -%
  17.356 -\endisatagproof
  17.357 -{\isafoldproof}%
  17.358 -%
  17.359 -\isadelimproof
  17.360 -%
  17.361 -\endisadelimproof
  17.362 -%
  17.363 -\begin{isamarkuptext}%
  17.364 -Note that in Isabelle/HOL there is no symbol for strict
  17.365 -  divisibility.  Instead, interpretation substitutes \isa{x\ dvd\ y\ {\isasymand}\ x\ {\isasymnoteq}\ y}.%
  17.366 -\end{isamarkuptext}%
  17.367 -\isamarkuptrue%
  17.368 -\isacommand{interpretation}\isamarkupfalse%
  17.369 -\ nat{\isacharunderscore}dvd{\isacharcolon}\ lattice\ {\isachardoublequoteopen}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
  17.370 -\ \ \isakeyword{where}\ nat{\isacharunderscore}dvd{\isacharunderscore}meet{\isacharunderscore}eq{\isacharcolon}\ {\isachardoublequoteopen}lattice{\isachardot}meet\ {\isacharparenleft}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isacharequal}\ gcd{\isachardoublequoteclose}\isanewline
  17.371 -\ \ \ \ \isakeyword{and}\ nat{\isacharunderscore}dvd{\isacharunderscore}join{\isacharunderscore}eq{\isacharcolon}\ {\isachardoublequoteopen}lattice{\isachardot}join\ {\isacharparenleft}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isacharequal}\ lcm{\isachardoublequoteclose}\isanewline
  17.372 -%
  17.373 -\isadelimproof
  17.374 -%
  17.375 -\endisadelimproof
  17.376 -%
  17.377 -\isatagproof
  17.378 -\isacommand{proof}\isamarkupfalse%
  17.379 -\ {\isacharminus}\isanewline
  17.380 -\ \ \isacommand{show}\isamarkupfalse%
  17.381 -\ {\isachardoublequoteopen}lattice\ {\isacharparenleft}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isacharparenright}{\isachardoublequoteclose}\isanewline
  17.382 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.383 -\ unfold{\isacharunderscore}locales\isanewline
  17.384 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.385 -\ {\isacharparenleft}unfold\ nat{\isacharunderscore}dvd{\isachardot}is{\isacharunderscore}inf{\isacharunderscore}def\ nat{\isacharunderscore}dvd{\isachardot}is{\isacharunderscore}sup{\isacharunderscore}def{\isacharparenright}\isanewline
  17.386 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.387 -\ {\isacharparenleft}rule{\isacharunderscore}tac\ x\ {\isacharequal}\ {\isachardoublequoteopen}gcd\ x\ y{\isachardoublequoteclose}\ \isakeyword{in}\ exI{\isacharparenright}\isanewline
  17.388 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.389 -\ auto\ {\isacharbrackleft}{\isadigit{1}}{\isacharbrackright}\isanewline
  17.390 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.391 -\ {\isacharparenleft}rule{\isacharunderscore}tac\ x\ {\isacharequal}\ {\isachardoublequoteopen}lcm\ x\ y{\isachardoublequoteclose}\ \isakeyword{in}\ exI{\isacharparenright}\isanewline
  17.392 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.393 -\ {\isacharparenleft}auto\ intro{\isacharcolon}\ lcm{\isacharunderscore}least{\isacharunderscore}nat{\isacharparenright}\isanewline
  17.394 -\ \ \ \ \isacommand{done}\isamarkupfalse%
  17.395 -\isanewline
  17.396 -\ \ \isacommand{then}\isamarkupfalse%
  17.397 -\ \isacommand{interpret}\isamarkupfalse%
  17.398 -\ nat{\isacharunderscore}dvd{\isacharcolon}\ lattice\ {\isachardoublequoteopen}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\ \isacommand{{\isachardot}}\isamarkupfalse%
  17.399 -\isanewline
  17.400 -\ \ \isacommand{show}\isamarkupfalse%
  17.401 -\ {\isachardoublequoteopen}lattice{\isachardot}meet\ {\isacharparenleft}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isacharequal}\ gcd{\isachardoublequoteclose}\isanewline
  17.402 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.403 -\ {\isacharparenleft}auto\ simp\ add{\isacharcolon}\ expand{\isacharunderscore}fun{\isacharunderscore}eq{\isacharparenright}\isanewline
  17.404 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.405 -\ {\isacharparenleft}unfold\ nat{\isacharunderscore}dvd{\isachardot}meet{\isacharunderscore}def{\isacharparenright}\isanewline
  17.406 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.407 -\ {\isacharparenleft}rule\ the{\isacharunderscore}equality{\isacharparenright}\isanewline
  17.408 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.409 -\ {\isacharparenleft}unfold\ nat{\isacharunderscore}dvd{\isachardot}is{\isacharunderscore}inf{\isacharunderscore}def{\isacharparenright}\isanewline
  17.410 -\ \ \ \ \isacommand{by}\isamarkupfalse%
  17.411 -\ auto\isanewline
  17.412 -\ \ \isacommand{show}\isamarkupfalse%
  17.413 -\ {\isachardoublequoteopen}lattice{\isachardot}join\ {\isacharparenleft}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isacharequal}\ lcm{\isachardoublequoteclose}\isanewline
  17.414 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.415 -\ {\isacharparenleft}auto\ simp\ add{\isacharcolon}\ expand{\isacharunderscore}fun{\isacharunderscore}eq{\isacharparenright}\isanewline
  17.416 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.417 -\ {\isacharparenleft}unfold\ nat{\isacharunderscore}dvd{\isachardot}join{\isacharunderscore}def{\isacharparenright}\isanewline
  17.418 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.419 -\ {\isacharparenleft}rule\ the{\isacharunderscore}equality{\isacharparenright}\isanewline
  17.420 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.421 -\ {\isacharparenleft}unfold\ nat{\isacharunderscore}dvd{\isachardot}is{\isacharunderscore}sup{\isacharunderscore}def{\isacharparenright}\isanewline
  17.422 -\ \ \ \ \isacommand{apply}\isamarkupfalse%
  17.423 -\ {\isacharparenleft}auto\ intro{\isacharcolon}\ lcm{\isacharunderscore}least{\isacharunderscore}nat\ iff{\isacharcolon}\ lcm{\isacharunderscore}unique{\isacharunderscore}nat{\isacharparenright}\isanewline
  17.424 -\ \ \ \ \isacommand{done}\isamarkupfalse%
  17.425 -\isanewline
  17.426 -\isacommand{qed}\isamarkupfalse%
  17.427 -%
  17.428 -\endisatagproof
  17.429 -{\isafoldproof}%
  17.430 -%
  17.431 -\isadelimproof
  17.432 -%
  17.433 -\endisadelimproof
  17.434 -%
  17.435 -\begin{isamarkuptext}%
  17.436 -Equations \isa{nat{\isacharunderscore}dvd{\isacharunderscore}meet{\isacharunderscore}eq} and \isa{nat{\isacharunderscore}dvd{\isacharunderscore}join{\isacharunderscore}eq} are used in the main part the subsequent
  17.437 -  interpretation.%
  17.438 -\end{isamarkuptext}%
  17.439 -\isamarkuptrue%
  17.440 -%
  17.441 -\isadeliminvisible
  17.442 -%
  17.443 -\endisadeliminvisible
  17.444 -%
  17.445 -\isataginvisible
  17.446 -\isacommand{lemma}\isamarkupfalse%
  17.447 -\ gcd{\isacharunderscore}lcm{\isacharunderscore}distr{\isacharcolon}\isanewline
  17.448 -\ \ {\isachardoublequoteopen}gcd\ x\ {\isacharparenleft}lcm\ y\ z{\isacharparenright}\ {\isacharequal}\ lcm\ {\isacharparenleft}gcd\ x\ y{\isacharparenright}\ {\isacharparenleft}gcd\ x\ z{\isacharparenright}{\isachardoublequoteclose}\ \isacommand{sorry}\isamarkupfalse%
  17.449 -%
  17.450 -\endisataginvisible
  17.451 -{\isafoldinvisible}%
  17.452 -%
  17.453 -\isadeliminvisible
  17.454 -%
  17.455 -\endisadeliminvisible
  17.456 -\isanewline
  17.457 -%
  17.458 -\isadelimvisible
  17.459 -\isanewline
  17.460 -%
  17.461 -\endisadelimvisible
  17.462 -%
  17.463 -\isatagvisible
  17.464 -\isacommand{interpretation}\isamarkupfalse%
  17.465 -\ nat{\isacharunderscore}dvd{\isacharcolon}\isanewline
  17.466 -\ \ distrib{\isacharunderscore}lattice\ {\isachardoublequoteopen}op\ dvd\ {\isacharcolon}{\isacharcolon}\ nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\isanewline
  17.467 -\ \ \isacommand{apply}\isamarkupfalse%
  17.468 -\ unfold{\isacharunderscore}locales%
  17.469 -\begin{isamarkuptxt}%
  17.470 -\begin{isabelle}%
  17.471 -\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ y\ z{\isachardot}\isanewline
  17.472 -\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ }lattice{\isachardot}meet\ op\ dvd\ x\ {\isacharparenleft}lattice{\isachardot}join\ op\ dvd\ y\ z{\isacharparenright}\ {\isacharequal}\isanewline
  17.473 -\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ }lattice{\isachardot}join\ op\ dvd\ {\isacharparenleft}lattice{\isachardot}meet\ op\ dvd\ x\ y{\isacharparenright}\isanewline
  17.474 -\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ \ }{\isacharparenleft}lattice{\isachardot}meet\ op\ dvd\ x\ z{\isacharparenright}%
  17.475 -\end{isabelle}%
  17.476 -\end{isamarkuptxt}%
  17.477 -\isamarkuptrue%
  17.478 -\ \ \isacommand{apply}\isamarkupfalse%
  17.479 -\ {\isacharparenleft}unfold\ nat{\isacharunderscore}dvd{\isacharunderscore}meet{\isacharunderscore}eq\ nat{\isacharunderscore}dvd{\isacharunderscore}join{\isacharunderscore}eq{\isacharparenright}%
  17.480 -\begin{isamarkuptxt}%
  17.481 -\begin{isabelle}%
  17.482 -\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ y\ z{\isachardot}\ gcd\ x\ {\isacharparenleft}lcm\ y\ z{\isacharparenright}\ {\isacharequal}\ lcm\ {\isacharparenleft}gcd\ x\ y{\isacharparenright}\ {\isacharparenleft}gcd\ x\ z{\isacharparenright}%
  17.483 -\end{isabelle}%
  17.484 -\end{isamarkuptxt}%
  17.485 -\isamarkuptrue%
  17.486 -\ \ \isacommand{apply}\isamarkupfalse%
  17.487 -\ {\isacharparenleft}rule\ gcd{\isacharunderscore}lcm{\isacharunderscore}distr{\isacharparenright}\ \isacommand{done}\isamarkupfalse%
  17.488 -%
  17.489 -\endisatagvisible
  17.490 -{\isafoldvisible}%
  17.491 -%
  17.492 -\isadelimvisible
  17.493 -%
  17.494 -\endisadelimvisible
  17.495 -%
  17.496 -\begin{isamarkuptext}%
  17.497 -Theorems that are available in the theory after these
  17.498 -  interpretations are shown in Table~\ref{tab:nat-dvd-lattice}.
  17.499 -
  17.500 -\begin{table}
  17.501 -\hrule
  17.502 -\vspace{2ex}
  17.503 -\begin{center}
  17.504 -\begin{tabular}{l}
  17.505 -  \isa{nat{\isacharunderscore}dvd{\isachardot}less{\isacharunderscore}def} from locale \isa{partial{\isacharunderscore}order}: \\
  17.506 -  \quad \isa{{\isacharparenleft}{\isacharquery}x\ dvd\ {\isacharquery}y\ {\isasymand}\ {\isacharquery}x\ {\isasymnoteq}\ {\isacharquery}y{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}{\isacharquery}x\ dvd\ {\isacharquery}y\ {\isasymand}\ {\isacharquery}x\ {\isasymnoteq}\ {\isacharquery}y{\isacharparenright}} \\
  17.507 -  \isa{nat{\isacharunderscore}dvd{\isachardot}meet{\isacharunderscore}left} from locale \isa{lattice}: \\
  17.508 -  \quad \isa{gcd\ {\isacharquery}x\ {\isacharquery}y\ dvd\ {\isacharquery}x} \\
  17.509 -  \isa{nat{\isacharunderscore}dvd{\isachardot}join{\isacharunderscore}distr} from locale \isa{distrib{\isacharunderscore}lattice}: \\
  17.510 -  \quad \isa{lcm\ {\isacharquery}x\ {\isacharparenleft}gcd\ {\isacharquery}y\ {\isacharquery}z{\isacharparenright}\ {\isacharequal}\ gcd\ {\isacharparenleft}lcm\ {\isacharquery}x\ {\isacharquery}y{\isacharparenright}\ {\isacharparenleft}lcm\ {\isacharquery}x\ {\isacharquery}z{\isacharparenright}} \\
  17.511 -\end{tabular}
  17.512 -\end{center}
  17.513 -\hrule
  17.514 -\caption{Interpreted theorems for \isa{dvd} on the natural numbers.}
  17.515 -\label{tab:nat-dvd-lattice}
  17.516 -\end{table}%
  17.517 -\end{isamarkuptext}%
  17.518 -\isamarkuptrue%
  17.519 -%
  17.520 -\begin{isamarkuptext}%
  17.521 -The syntax of the interpretation commands is shown in
  17.522 -  Table~\ref{tab:commands}.  The grammar refers to
  17.523 -  \textit{expression}, which stands for a \emph{locale} expression.
  17.524 -  Locale expressions are discussed in the following section.%
  17.525 +The interpretations for a locale $n$ within the current
  17.526 +  theory may be inspected with \isakeyword{print\_interps}~$n$.  This
  17.527 +  prints the list of instances of $n$, for which interpretations exist.
  17.528 +  For example, \isakeyword{print\_interps} \isa{partial{\isacharunderscore}order}
  17.529 +  outputs the following:
  17.530 +\begin{small}
  17.531 +\begin{alltt}
  17.532 +  int! : partial_order "op \(\le\)"
  17.533 +\end{alltt}
  17.534 +\end{small}
  17.535 +  Of course, there is only one interpretation.
  17.536 +  The interpretation qualifier on the left is decorated with an
  17.537 +  exclamation point.  This means that it is mandatory.  Qualifiers
  17.538 +  can either be \emph{mandatory} or \emph{optional}, designated by
  17.539 +  ``!'' or ``?'' respectively.  Mandatory qualifiers must occur in a
  17.540 +  name reference while optional ones need not.  Mandatory qualifiers
  17.541 +  prevent accidental hiding of names, while optional qualifiers can be
  17.542 +  more convenient to use.  For \isakeyword{interpretation}, the
  17.543 +  default is ``!''.%
  17.544  \end{isamarkuptext}%
  17.545  \isamarkuptrue%
  17.546  %
  17.547 @@ -444,110 +268,86 @@
  17.548  \isamarkuptrue%
  17.549  %
  17.550  \begin{isamarkuptext}%
  17.551 -A map \isa{{\isasymphi}} between partial orders \isa{{\isasymsqsubseteq}} and \isa{{\isasympreceq}}
  17.552 +A map~\isa{{\isasymphi}} between partial orders~\isa{{\isasymsqsubseteq}} and~\isa{{\isasympreceq}}
  17.553    is called order preserving if \isa{x\ {\isasymsqsubseteq}\ y} implies \isa{{\isasymphi}\ x\ {\isasympreceq}\ {\isasymphi}\ y}.  This situation is more complex than those encountered so
  17.554    far: it involves two partial orders, and it is desirable to use the
  17.555    existing locale for both.
  17.556  
  17.557 -  Inspecting the grammar of locale commands in
  17.558 -  Table~\ref{tab:commands} reveals that the import of a locale can be
  17.559 -  more than just a single locale.  In general, the import is a
  17.560 -  \emph{locale expression}, which enables to combine locales
  17.561 -  and instantiate parameters.  A locale expression is a sequence of
  17.562 -  locale \emph{instances} followed by an optional \isakeyword{for}
  17.563 -  clause.  Each instance consists of a locale reference, which may be
  17.564 -  preceded by a qualifer and succeeded by instantiations of the
  17.565 -  parameters of that locale.  Instantiations may be either positional
  17.566 -  or through explicit mappings of parameters to arguments.
  17.567 +  A locale for order preserving maps requires three parameters: \isa{le}~(\isakeyword{infixl}~\isa{{\isasymsqsubseteq}}) and \isa{le{\isacharprime}}~(\isakeyword{infixl}~\isa{{\isasympreceq}}) for the orders and~\isa{{\isasymphi}}
  17.568 +  for the map.
  17.569 +
  17.570 +  In order to reuse the existing locale for partial orders, which has
  17.571 +  the single parameter~\isa{le}, it must be imported twice, once
  17.572 +  mapping its parameter to~\isa{le} from the new locale and once
  17.573 +  to~\isa{le{\isacharprime}}.  This can be achieved with a compound locale
  17.574 +  expression.
  17.575 +
  17.576 +  In general, a locale expression is a sequence of \emph{locale instances}
  17.577 +  separated by~``$\textbf{+}$'' and followed by a \isakeyword{for}
  17.578 +  clause.
  17.579 +  An instance has the following format:
  17.580 +\begin{quote}
  17.581 +  \textit{qualifier} \textbf{:} \textit{locale-name}
  17.582 +  \textit{parameter-instantiation}
  17.583 +\end{quote}
  17.584 +  We have already seen locale instances as arguments to
  17.585 +  \isakeyword{interpretation} in Section~\ref{sec:interpretation}.
  17.586 +  As before, the qualifier serves to disambiguate names from
  17.587 +  different instances of the same locale.  While in
  17.588 +  \isakeyword{interpretation} qualifiers default to mandatory, in
  17.589 +  import and in the \isakeyword{sublocale} command, they default to
  17.590 +  optional.
  17.591  
  17.592 -  Using a locale expression, a locale for order
  17.593 -  preserving maps can be declared in the following way.%
  17.594 +  Since the parameters~\isa{le} and~\isa{le{\isacharprime}} are to be partial
  17.595 +  orders, our locale for order preserving maps will import the these
  17.596 +  instances:
  17.597 +\begin{small}
  17.598 +\begin{alltt}
  17.599 +  le: partial_order le
  17.600 +  le': partial_order le'
  17.601 +\end{alltt}
  17.602 +\end{small}
  17.603 +  For matter of convenience we choose to name parameter names and
  17.604 +  qualifiers alike.  This is an arbitrary decision.  Technically, qualifiers
  17.605 +  and parameters are unrelated.
  17.606 +
  17.607 +  Having determined the instances, let us turn to the \isakeyword{for}
  17.608 +  clause.  It serves to declare locale parameters in the same way as
  17.609 +  the context element \isakeyword{fixes} does.  Context elements can
  17.610 +  only occur after the import section, and therefore the parameters
  17.611 +  referred to in the instances must be declared in the \isakeyword{for}
  17.612 +  clause.  The \isakeyword{for} clause is also where the syntax of these
  17.613 +  parameters is declared.
  17.614 +
  17.615 +  Two context elements for the map parameter~\isa{{\isasymphi}} and the
  17.616 +  assumptions that it is order preserving complete the locale
  17.617 +  declaration.%
  17.618  \end{isamarkuptext}%
  17.619  \isamarkuptrue%
  17.620  \ \ \isacommand{locale}\isamarkupfalse%
  17.621  \ order{\isacharunderscore}preserving\ {\isacharequal}\isanewline
  17.622  \ \ \ \ le{\isacharcolon}\ partial{\isacharunderscore}order\ le\ {\isacharplus}\ le{\isacharprime}{\isacharcolon}\ partial{\isacharunderscore}order\ le{\isacharprime}\isanewline
  17.623  \ \ \ \ \ \ \isakeyword{for}\ le\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasymsqsubseteq}{\isachardoublequoteclose}\ {\isadigit{5}}{\isadigit{0}}{\isacharparenright}\ \isakeyword{and}\ le{\isacharprime}\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasympreceq}{\isachardoublequoteclose}\ {\isadigit{5}}{\isadigit{0}}{\isacharparenright}\ {\isacharplus}\isanewline
  17.624 -\ \ \ \ \isakeyword{fixes}\ {\isasymphi}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}b{\isachardoublequoteclose}\isanewline
  17.625 +\ \ \ \ \isakeyword{fixes}\ {\isasymphi}\isanewline
  17.626  \ \ \ \ \isakeyword{assumes}\ hom{\isacharunderscore}le{\isacharcolon}\ {\isachardoublequoteopen}x\ {\isasymsqsubseteq}\ y\ {\isasymLongrightarrow}\ {\isasymphi}\ x\ {\isasympreceq}\ {\isasymphi}\ y{\isachardoublequoteclose}%
  17.627  \begin{isamarkuptext}%
  17.628 -The second and third line contain the expression --- two
  17.629 -  instances of the partial order locale where the parameter is
  17.630 -  instantiated to \isa{le}
  17.631 -  and \isa{le{\isacharprime}}, respectively.  The \isakeyword{for} clause consists
  17.632 -  of parameter declarations and is similar to the context element
  17.633 -  \isakeyword{fixes}.  The notable difference is that the
  17.634 -  \isakeyword{for} clause is part of the expression, and only
  17.635 -  parameters defined in the expression may occur in its instances.
  17.636 +Here are examples of theorems that are
  17.637 +  available in the locale:
  17.638  
  17.639 -  Instances define \emph{morphisms} on locales.  Their effect on the
  17.640 -  parameters is lifted to terms, propositions and theorems in the
  17.641 -  canonical way,
  17.642 -  and thus to the assumptions and conclusions of a locale.  The
  17.643 -  assumption of a locale expression is the conjunction of the
  17.644 -  assumptions of the instances.  The conclusions of a sequence of
  17.645 -  instances are obtained by appending the conclusions of the
  17.646 -  instances in the order of the sequence.
  17.647 +  \hspace*{1em}\isa{hom{\isacharunderscore}le}: \isa{{\isacharquery}x\ {\isasymsqsubseteq}\ {\isacharquery}y\ {\isasymLongrightarrow}\ {\isasymphi}\ {\isacharquery}x\ {\isasympreceq}\ {\isasymphi}\ {\isacharquery}y}
  17.648 +
  17.649 +  \hspace*{1em}\isa{le{\isachardot}less{\isacharunderscore}le{\isacharunderscore}trans}: \isa{{\isasymlbrakk}{\isacharquery}x\ {\isasymsqsubset}\ {\isacharquery}y{\isacharsemicolon}\ {\isacharquery}y\ {\isasymsqsubseteq}\ {\isacharquery}z{\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isacharquery}x\ {\isasymsqsubset}\ {\isacharquery}z}
  17.650  
  17.651 -  The qualifiers in the expression are already a familiar concept from
  17.652 -  the \isakeyword{interpretation} command
  17.653 -  (Section~\ref{sec:po-first}).  Here, they serve to distinguish names
  17.654 -  (in particular theorem names) for the two partial orders within the
  17.655 -  locale.  Qualifiers in the \isakeyword{locale} command (and in
  17.656 -  \isakeyword{sublocale}) default to optional --- that is, they need
  17.657 -  not occur in references to the qualified names.  Here are examples
  17.658 -  of theorems in locale \isa{order{\isacharunderscore}preserving}:%
  17.659 -\end{isamarkuptext}%
  17.660 -\isamarkuptrue%
  17.661 -%
  17.662 -\isadeliminvisible
  17.663 -%
  17.664 -\endisadeliminvisible
  17.665 -%
  17.666 -\isataginvisible
  17.667 -\isacommand{context}\isamarkupfalse%
  17.668 -\ order{\isacharunderscore}preserving\ \isakeyword{begin}%
  17.669 -\endisataginvisible
  17.670 -{\isafoldinvisible}%
  17.671 -%
  17.672 -\isadeliminvisible
  17.673 -%
  17.674 -\endisadeliminvisible
  17.675 -%
  17.676 -\begin{isamarkuptext}%
  17.677 -\isa{le{\isachardot}less{\isacharunderscore}le{\isacharunderscore}trans}: \isa{{\isasymlbrakk}{\isacharquery}x\ {\isasymsqsubset}\ {\isacharquery}y{\isacharsemicolon}\ {\isacharquery}y\ {\isasymsqsubseteq}\ {\isacharquery}z{\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isacharquery}x\ {\isasymsqsubset}\ {\isacharquery}z}
  17.678 -
  17.679 -  \isa{hom{\isacharunderscore}le}: \isa{{\isacharquery}x\ {\isasymsqsubseteq}\ {\isacharquery}y\ {\isasymLongrightarrow}\ {\isasymphi}\ {\isacharquery}x\ {\isasympreceq}\ {\isasymphi}\ {\isacharquery}y}%
  17.680 -\end{isamarkuptext}%
  17.681 -\isamarkuptrue%
  17.682 -%
  17.683 -\begin{isamarkuptext}%
  17.684 -The theorems for the partial order \isa{{\isasympreceq}}
  17.685 -  are qualified by \isa{le{\isacharprime}}.  For example, \isa{le{\isacharprime}{\isachardot}less{\isacharunderscore}le{\isacharunderscore}trans}: \begin{isabelle}%
  17.686 -\ \ {\isasymlbrakk}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasympreceq}\ {\isacharquery}x\ {\isacharquery}y{\isacharsemicolon}\ {\isacharquery}y\ {\isasympreceq}\ {\isacharquery}z{\isasymrbrakk}\isanewline
  17.687 -\isaindent{\ \ }{\isasymLongrightarrow}\ partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasympreceq}\ {\isacharquery}x\ {\isacharquery}z%
  17.688 -\end{isabelle}%
  17.689 -\end{isamarkuptext}%
  17.690 -\isamarkuptrue%
  17.691 -%
  17.692 -\isadeliminvisible
  17.693 -%
  17.694 -\endisadeliminvisible
  17.695 -%
  17.696 -\isataginvisible
  17.697 -\isacommand{end}\isamarkupfalse%
  17.698 -%
  17.699 -\endisataginvisible
  17.700 -{\isafoldinvisible}%
  17.701 -%
  17.702 -\isadeliminvisible
  17.703 -%
  17.704 -\endisadeliminvisible
  17.705 -%
  17.706 -\begin{isamarkuptext}%
  17.707 -This example reveals that there is no infix syntax for the
  17.708 -  strict operation associated with \isa{{\isasympreceq}}.  This can be declared
  17.709 -  through an abbreviation.%
  17.710 +  \hspace*{1em}\isa{le{\isacharprime}{\isachardot}less{\isacharunderscore}le{\isacharunderscore}trans}:
  17.711 +  \begin{isabelle}%
  17.712 +\ \ \ \ {\isasymlbrakk}partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasympreceq}\ {\isacharquery}x\ {\isacharquery}y{\isacharsemicolon}\ {\isacharquery}y\ {\isasympreceq}\ {\isacharquery}z{\isasymrbrakk}\isanewline
  17.713 +\isaindent{\ \ \ \ }{\isasymLongrightarrow}\ partial{\isacharunderscore}order{\isachardot}less\ op\ {\isasympreceq}\ {\isacharquery}x\ {\isacharquery}z%
  17.714 +\end{isabelle}
  17.715 +  While there is infix syntax for the strict operation associated to
  17.716 +  \isa{op\ {\isasymsqsubseteq}}, there is none for the strict version of \isa{op\ {\isasympreceq}}.  The abbreviation \isa{less} with its infix syntax is only
  17.717 +  available for the original instance it was declared for.  We may
  17.718 +  introduce the abbreviation \isa{less{\isacharprime}} with infix syntax~\isa{{\isasymprec}}
  17.719 +  with the following declaration:%
  17.720  \end{isamarkuptext}%
  17.721  \isamarkuptrue%
  17.722  \ \ \isacommand{abbreviation}\isamarkupfalse%
  17.723 @@ -563,30 +363,63 @@
  17.724  \isamarkuptrue%
  17.725  %
  17.726  \begin{isamarkuptext}%
  17.727 -Qualifiers not only apply to theorem names, but also to names
  17.728 -  introduced by definitions and abbreviations.  For example, in \isa{partial{\isacharunderscore}order} the name \isa{less} abbreviates \isa{op\ {\isasymsqsubset}}.  Therefore, in \isa{order{\isacharunderscore}preserving}
  17.729 -  the qualified name \isa{le{\isachardot}less} abbreviates \isa{op\ {\isasymsqsubset}} and \isa{le{\isacharprime}{\isachardot}less} abbreviates \isa{op\ {\isasymprec}}.  Hence, the equation in the abbreviation
  17.730 -  above could have been written more concisely as \isa{less{\isacharprime}\ {\isasymequiv}\ le{\isacharprime}{\isachardot}less}.%
  17.731 +There are short notations for locale expressions.  These are
  17.732 +  discussed in the following.%
  17.733 +\end{isamarkuptext}%
  17.734 +\isamarkuptrue%
  17.735 +%
  17.736 +\isamarkupsubsection{Default Instantiations%
  17.737 +}
  17.738 +\isamarkuptrue%
  17.739 +%
  17.740 +\begin{isamarkuptext}%
  17.741 +It is possible to omit parameter instantiations.  The
  17.742 +  instantiation then defaults to the name of
  17.743 +  the parameter itself.  For example, the locale expression \isa{partial{\isacharunderscore}order} is short for \isa{partial{\isacharunderscore}order\ le}, since the
  17.744 +  locale's single parameter is~\isa{le}.  We took advantage of this
  17.745 +  in the \isakeyword{sublocale} declarations of
  17.746 +  Section~\ref{sec:changing-the-hierarchy}.%
  17.747 +\end{isamarkuptext}%
  17.748 +\isamarkuptrue%
  17.749 +%
  17.750 +\isamarkupsubsection{Implicit Parameters \label{sec:implicit-parameters}%
  17.751 +}
  17.752 +\isamarkuptrue%
  17.753 +%
  17.754 +\begin{isamarkuptext}%
  17.755 +In a locale expression that occurs within a locale
  17.756 +  declaration, omitted parameters additionally extend the (possibly
  17.757 +  empty) \isakeyword{for} clause.
  17.758 +
  17.759 +  The \isakeyword{for} clause is a general construct of Isabelle/Isar
  17.760 +  to mark names occurring in the preceding declaration as ``arbitrary
  17.761 +  but fixed''.  This is necessary for example, if the name is already
  17.762 +  bound in a surrounding context.  In a locale expression, names
  17.763 +  occurring in parameter instantiations should be bound by a
  17.764 +  \isakeyword{for} clause whenever these names are not introduced
  17.765 +  elsewhere in the context --- for example, on the left hand side of a
  17.766 +  \isakeyword{sublocale} declaration.
  17.767 +
  17.768 +  There is an exception to this rule in locale declarations, where the
  17.769 +  \isakeyword{for} clause serves to declare locale parameters.  Here,
  17.770 +  locale parameters for which no parameter instantiation is given are
  17.771 +  implicitly added, with their mixfix syntax, at the beginning of the
  17.772 +  \isakeyword{for} clause.  For example, in a locale declaration, the
  17.773 +  expression \isa{partial{\isacharunderscore}order} is short for
  17.774 +\begin{small}
  17.775 +\begin{alltt}
  17.776 +  partial_order le \isakeyword{for} le (\isakeyword{infixl} "\(\sqsubseteq\)" 50)\textrm{.}
  17.777 +\end{alltt}
  17.778 +\end{small}
  17.779 +  This short hand was used in the locale declarations throughout
  17.780 +  Section~\ref{sec:import}.%
  17.781  \end{isamarkuptext}%
  17.782  \isamarkuptrue%
  17.783  %
  17.784  \begin{isamarkuptext}%
  17.785 -Readers may find the declaration of locale \isa{order{\isacharunderscore}preserving} a little awkward, because the declaration and
  17.786 -  concrete syntax for \isa{le} from \isa{partial{\isacharunderscore}order} are
  17.787 -  repeated in the declaration of \isa{order{\isacharunderscore}preserving}.  Locale
  17.788 -  expressions provide a convenient short hand for this.  A parameter
  17.789 -  in an instance is \emph{untouched} if no instantiation term is
  17.790 -  provided for it.  In positional instantiations, a parameter position
  17.791 -  may be skipped with an underscore, and it is allowed to give fewer
  17.792 -  instantiation terms than the instantiated locale's number of
  17.793 -  parameters.  In named instantiations, instantiation pairs for
  17.794 -  certain parameters may simply be omitted.  Untouched parameters are
  17.795 -  implicitly declared by the locale expression and with their concrete
  17.796 -  syntax.  In the sequence of parameters, they appear before the
  17.797 -  parameters from the \isakeyword{for} clause.
  17.798 -
  17.799 -  The following locales illustrate this.  A map \isa{{\isasymphi}} is a
  17.800 -  lattice homomorphism if it preserves meet and join.%
  17.801 +The following locale declarations provide more examples.  A
  17.802 +  map~\isa{{\isasymphi}} is a lattice homomorphism if it preserves meet and
  17.803 +  join.%
  17.804  \end{isamarkuptext}%
  17.805  \isamarkuptrue%
  17.806  \ \ \isacommand{locale}\isamarkupfalse%
  17.807 @@ -594,35 +427,50 @@
  17.808  \ \ \ \ le{\isacharcolon}\ lattice\ {\isacharplus}\ le{\isacharprime}{\isacharcolon}\ lattice\ le{\isacharprime}\ \isakeyword{for}\ le{\isacharprime}\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasympreceq}{\isachardoublequoteclose}\ {\isadigit{5}}{\isadigit{0}}{\isacharparenright}\ {\isacharplus}\isanewline
  17.809  \ \ \ \ \isakeyword{fixes}\ {\isasymphi}\isanewline
  17.810  \ \ \ \ \isakeyword{assumes}\ hom{\isacharunderscore}meet{\isacharcolon}\ {\isachardoublequoteopen}{\isasymphi}\ {\isacharparenleft}x\ {\isasymsqinter}\ y{\isacharparenright}\ {\isacharequal}\ le{\isacharprime}{\isachardot}meet\ {\isacharparenleft}{\isasymphi}\ x{\isacharparenright}\ {\isacharparenleft}{\isasymphi}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
  17.811 -\ \ \ \ \ \ \isakeyword{and}\ hom{\isacharunderscore}join{\isacharcolon}\ {\isachardoublequoteopen}{\isasymphi}\ {\isacharparenleft}x\ {\isasymsqunion}\ y{\isacharparenright}\ {\isacharequal}\ le{\isacharprime}{\isachardot}join\ {\isacharparenleft}{\isasymphi}\ x{\isacharparenright}\ {\isacharparenleft}{\isasymphi}\ y{\isacharparenright}{\isachardoublequoteclose}\isanewline
  17.812 -\isanewline
  17.813 +\ \ \ \ \ \ \isakeyword{and}\ hom{\isacharunderscore}join{\isacharcolon}\ {\isachardoublequoteopen}{\isasymphi}\ {\isacharparenleft}x\ {\isasymsqunion}\ y{\isacharparenright}\ {\isacharequal}\ le{\isacharprime}{\isachardot}join\ {\isacharparenleft}{\isasymphi}\ x{\isacharparenright}\ {\isacharparenleft}{\isasymphi}\ y{\isacharparenright}{\isachardoublequoteclose}%
  17.814 +\begin{isamarkuptext}%
  17.815 +The parameter instantiation in the first instance of \isa{lattice} is omitted.  This causes the parameter~\isa{le} to be
  17.816 +  added to the \isakeyword{for} clause, and the locale has
  17.817 +  parameters~\isa{le},~\isa{le{\isacharprime}} and, of course,~\isa{{\isasymphi}}.
  17.818 +
  17.819 +  Before turning to the second example, we complete the locale by
  17.820 +  providing infix syntax for the meet and join operations of the
  17.821 +  second lattice.%
  17.822 +\end{isamarkuptext}%
  17.823 +\isamarkuptrue%
  17.824 +\ \ \isacommand{context}\isamarkupfalse%
  17.825 +\ lattice{\isacharunderscore}hom\ \isakeyword{begin}\isanewline
  17.826  \ \ \isacommand{abbreviation}\isamarkupfalse%
  17.827 -\ {\isacharparenleft}\isakeyword{in}\ lattice{\isacharunderscore}hom{\isacharparenright}\isanewline
  17.828 -\ \ \ \ meet{\isacharprime}\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasymsqinter}{\isacharprime}{\isacharprime}{\isachardoublequoteclose}\ {\isadigit{5}}{\isadigit{0}}{\isacharparenright}\ \isakeyword{where}\ {\isachardoublequoteopen}meet{\isacharprime}\ {\isasymequiv}\ le{\isacharprime}{\isachardot}meet{\isachardoublequoteclose}\isanewline
  17.829 +\ meet{\isacharprime}\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasymsqinter}{\isacharprime}{\isacharprime}{\isachardoublequoteclose}\ {\isadigit{5}}{\isadigit{0}}{\isacharparenright}\ \isakeyword{where}\ {\isachardoublequoteopen}meet{\isacharprime}\ {\isasymequiv}\ le{\isacharprime}{\isachardot}meet{\isachardoublequoteclose}\isanewline
  17.830  \ \ \isacommand{abbreviation}\isamarkupfalse%
  17.831 -\ {\isacharparenleft}\isakeyword{in}\ lattice{\isacharunderscore}hom{\isacharparenright}\isanewline
  17.832 -\ \ \ \ join{\isacharprime}\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasymsqunion}{\isacharprime}{\isacharprime}{\isachardoublequoteclose}\ {\isadigit{5}}{\isadigit{0}}{\isacharparenright}\ \isakeyword{where}\ {\isachardoublequoteopen}join{\isacharprime}\ {\isasymequiv}\ le{\isacharprime}{\isachardot}join{\isachardoublequoteclose}%
  17.833 +\ join{\isacharprime}\ {\isacharparenleft}\isakeyword{infixl}\ {\isachardoublequoteopen}{\isasymsqunion}{\isacharprime}{\isacharprime}{\isachardoublequoteclose}\ {\isadigit{5}}{\isadigit{0}}{\isacharparenright}\ \isakeyword{where}\ {\isachardoublequoteopen}join{\isacharprime}\ {\isasymequiv}\ le{\isacharprime}{\isachardot}join{\isachardoublequoteclose}\isanewline
  17.834 +\ \ \isacommand{end}\isamarkupfalse%
  17.835 +%
  17.836  \begin{isamarkuptext}%
  17.837 -A homomorphism is an endomorphism if both orders coincide.%
  17.838 +The next example makes radical use of the short hand
  17.839 +  facilities.  A homomorphism is an endomorphism if both orders
  17.840 +  coincide.%
  17.841  \end{isamarkuptext}%
  17.842  \isamarkuptrue%
  17.843  \ \ \isacommand{locale}\isamarkupfalse%
  17.844  \ lattice{\isacharunderscore}end\ {\isacharequal}\ lattice{\isacharunderscore}hom\ {\isacharunderscore}\ le%
  17.845  \begin{isamarkuptext}%
  17.846 -In this declaration, the first parameter of \isa{lattice{\isacharunderscore}hom}, \isa{le}, is untouched and is then used to instantiate
  17.847 -  the second parameter.  Its concrete syntax is preserved.%
  17.848 +The notation~\isa{{\isacharunderscore}} enables to omit a parameter in a
  17.849 +  positional instantiation.  The omitted parameter,~\isa{le} becomes
  17.850 +  the parameter of the declared locale and is, in the following
  17.851 +  position, used to instantiate the second parameter of \isa{lattice{\isacharunderscore}hom}.  The effect is that of identifying the first in second
  17.852 +  parameter of the homomorphism locale.%
  17.853  \end{isamarkuptext}%
  17.854  \isamarkuptrue%
  17.855  %
  17.856  \begin{isamarkuptext}%
  17.857  The inheritance diagram of the situation we have now is shown
  17.858    in Figure~\ref{fig:hom}, where the dashed line depicts an
  17.859 -  interpretation which is introduced below.  Renamings are
  17.860 -  indicated by $\sqsubseteq \mapsto \preceq$ etc.  The expression
  17.861 -  imported by \isa{lattice{\isacharunderscore}end} identifies the first and second
  17.862 -  parameter of \isa{lattice{\isacharunderscore}hom}.  By looking at the inheritance diagram it would seem
  17.863 -  that two identical copies of each of the locales \isa{partial{\isacharunderscore}order} and \isa{lattice} are imported.  This is not the
  17.864 -  case!  Inheritance paths with identical morphisms are detected and
  17.865 +  interpretation which is introduced below.  Parameter instantiations
  17.866 +  are indicated by $\sqsubseteq \mapsto \preceq$ etc.  By looking at
  17.867 +  the inheritance diagram it would seem
  17.868 +  that two identical copies of each of the locales \isa{partial{\isacharunderscore}order} and \isa{lattice} are imported by \isa{lattice{\isacharunderscore}end}.  This is not the case!  Inheritance paths with
  17.869 +  identical morphisms are automatically detected and
  17.870    the conclusions of the respective locales appear only once.
  17.871  
  17.872  \begin{figure}
  17.873 @@ -704,9 +552,236 @@
  17.874    \isa{hom{\isacharunderscore}le}:
  17.875    \begin{isabelle}%
  17.876  \ \ {\isacharquery}x\ {\isasymsqsubseteq}\ {\isacharquery}y\ {\isasymLongrightarrow}\ {\isasymphi}\ {\isacharquery}x\ {\isasympreceq}\ {\isasymphi}\ {\isacharquery}y%
  17.877 -\end{isabelle}%
  17.878 +\end{isabelle}
  17.879 +  This theorem will be useful in the following section.%
  17.880 +\end{isamarkuptext}%
  17.881 +\isamarkuptrue%
  17.882 +%
  17.883 +\isamarkupsection{Conditional Interpretation%
  17.884 +}
  17.885 +\isamarkuptrue%
  17.886 +%
  17.887 +\begin{isamarkuptext}%
  17.888 +There are situations where an interpretation is not possible
  17.889 +  in the general case since the desired property is only valid if
  17.890 +  certain conditions are fulfilled.  Take, for example, the function
  17.891 +  \isa{{\isasymlambda}i{\isachardot}\ n\ {\isacharasterisk}\ i} that scales its argument by a constant factor.
  17.892 +  This function is order preserving (and even a lattice endomorphism)
  17.893 +  with respect to \isa{op\ {\isasymle}} provided \isa{n\ {\isasymge}\ {\isadigit{0}}}.
  17.894 +
  17.895 +  It is not possible to express this using a global interpretation,
  17.896 +  because it is in general unspecified whether~\isa{n} is
  17.897 +  non-negative, but one may make an interpretation in an inner context
  17.898 +  of a proof where full information is available.
  17.899 +  This is not fully satisfactory either, since potentially
  17.900 +  interpretations may be required to make interpretations in many
  17.901 +  contexts.  What is
  17.902 +  required is an interpretation that depends on the condition --- and
  17.903 +  this can be done with the \isakeyword{sublocale} command.  For this
  17.904 +  purpose, we introduce a locale for the condition.%
  17.905 +\end{isamarkuptext}%
  17.906 +\isamarkuptrue%
  17.907 +\ \ \isacommand{locale}\isamarkupfalse%
  17.908 +\ non{\isacharunderscore}negative\ {\isacharequal}\isanewline
  17.909 +\ \ \ \ \isakeyword{fixes}\ n\ {\isacharcolon}{\isacharcolon}\ int\isanewline
  17.910 +\ \ \ \ \isakeyword{assumes}\ non{\isacharunderscore}neg{\isacharcolon}\ {\isachardoublequoteopen}{\isadigit{0}}\ {\isasymle}\ n{\isachardoublequoteclose}%
  17.911 +\begin{isamarkuptext}%
  17.912 +It is again convenient to make the interpretation in an
  17.913 +  incremental fashion, first for order preserving maps, the for
  17.914 +  lattice endomorphisms.%
  17.915 +\end{isamarkuptext}%
  17.916 +\isamarkuptrue%
  17.917 +\ \ \isacommand{sublocale}\isamarkupfalse%
  17.918 +\ non{\isacharunderscore}negative\ {\isasymsubseteq}\isanewline
  17.919 +\ \ \ \ \ \ order{\isacharunderscore}preserving\ {\isachardoublequoteopen}op\ {\isasymle}{\isachardoublequoteclose}\ {\isachardoublequoteopen}op\ {\isasymle}{\isachardoublequoteclose}\ {\isachardoublequoteopen}{\isasymlambda}i{\isachardot}\ n\ {\isacharasterisk}\ i{\isachardoublequoteclose}\isanewline
  17.920 +%
  17.921 +\isadelimproof
  17.922 +\ \ \ \ %
  17.923 +\endisadelimproof
  17.924 +%
  17.925 +\isatagproof
  17.926 +\isacommand{using}\isamarkupfalse%
  17.927 +\ non{\isacharunderscore}neg\ \isacommand{by}\isamarkupfalse%
  17.928 +\ unfold{\isacharunderscore}locales\ {\isacharparenleft}rule\ mult{\isacharunderscore}left{\isacharunderscore}mono{\isacharparenright}%
  17.929 +\endisatagproof
  17.930 +{\isafoldproof}%
  17.931 +%
  17.932 +\isadelimproof
  17.933 +%
  17.934 +\endisadelimproof
  17.935 +%
  17.936 +\begin{isamarkuptext}%
  17.937 +While the proof of the previous interpretation
  17.938 +  is straightforward from monotonicity lemmas for~\isa{op\ {\isacharasterisk}}, the
  17.939 +  second proof follows a useful pattern.%
  17.940 +\end{isamarkuptext}%
  17.941 +\isamarkuptrue%
  17.942 +%
  17.943 +\isadelimvisible
  17.944 +\ \ %
  17.945 +\endisadelimvisible
  17.946 +%
  17.947 +\isatagvisible
  17.948 +\isacommand{sublocale}\isamarkupfalse%
  17.949 +\ non{\isacharunderscore}negative\ {\isasymsubseteq}\ lattice{\isacharunderscore}end\ {\isachardoublequoteopen}op\ {\isasymle}{\isachardoublequoteclose}\ {\isachardoublequoteopen}{\isasymlambda}i{\isachardot}\ n\ {\isacharasterisk}\ i{\isachardoublequoteclose}\isanewline
  17.950 +\ \ \isacommand{proof}\isamarkupfalse%
  17.951 +\ {\isacharparenleft}unfold{\isacharunderscore}locales{\isacharcomma}\ unfold\ int{\isacharunderscore}min{\isacharunderscore}eq\ int{\isacharunderscore}max{\isacharunderscore}eq{\isacharparenright}%
  17.952 +\begin{isamarkuptxt}%
  17.953 +\normalsize Unfolding the locale predicates \emph{and} the
  17.954 +      interpretation equations immediately yields two subgoals that
  17.955 +      reflect the core conjecture.
  17.956 +      \begin{isabelle}%
  17.957 +\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ y{\isachardot}\ n\ {\isacharasterisk}\ min\ x\ y\ {\isacharequal}\ min\ {\isacharparenleft}n\ {\isacharasterisk}\ x{\isacharparenright}\ {\isacharparenleft}n\ {\isacharasterisk}\ y{\isacharparenright}\isanewline
  17.958 +\ {\isadigit{2}}{\isachardot}\ {\isasymAnd}x\ y{\isachardot}\ n\ {\isacharasterisk}\ max\ x\ y\ {\isacharequal}\ max\ {\isacharparenleft}n\ {\isacharasterisk}\ x{\isacharparenright}\ {\isacharparenleft}n\ {\isacharasterisk}\ y{\isacharparenright}%
  17.959 +\end{isabelle}
  17.960 +      It is now necessary to show, in the context of \isa{non{\isacharunderscore}negative}, that multiplication by~\isa{n} commutes with
  17.961 +      \isa{min} and \isa{max}.%
  17.962 +\end{isamarkuptxt}%
  17.963 +\isamarkuptrue%
  17.964 +\ \ \isacommand{qed}\isamarkupfalse%
  17.965 +\ {\isacharparenleft}auto\ simp{\isacharcolon}\ hom{\isacharunderscore}le{\isacharparenright}%
  17.966 +\endisatagvisible
  17.967 +{\isafoldvisible}%
  17.968 +%
  17.969 +\isadelimvisible
  17.970 +%
  17.971 +\endisadelimvisible
  17.972 +%
  17.973 +\begin{isamarkuptext}%
  17.974 +The lemma \isa{hom{\isacharunderscore}le}
  17.975 +  simplifies a proof that would have otherwise been lengthy and we may
  17.976 +  consider making it a default rule for the simplifier:%
  17.977  \end{isamarkuptext}%
  17.978  \isamarkuptrue%
  17.979 +\ \ \isacommand{lemmas}\isamarkupfalse%
  17.980 +\ {\isacharparenleft}\isakeyword{in}\ order{\isacharunderscore}preserving{\isacharparenright}\ hom{\isacharunderscore}le\ {\isacharbrackleft}simp{\isacharbrackright}%
  17.981 +\isamarkupsubsection{Avoiding Infinite Chains of Interpretations
  17.982 +  \label{sec:infinite-chains}%
  17.983 +}
  17.984 +\isamarkuptrue%
  17.985 +%
  17.986 +\begin{isamarkuptext}%
  17.987 +Similar situations arise frequently in formalisations of
  17.988 +  abstract algebra where it is desirable to express that certain
  17.989 +  constructions preserve certain properties.  For example, polynomials
  17.990 +  over rings are rings, or --- an example from the domain where the
  17.991 +  illustrations of this tutorial are taken from --- a partial order
  17.992 +  may be obtained for a function space by point-wise lifting of the
  17.993 +  partial order of the co-domain.  This corresponds to the following
  17.994 +  interpretation:%
  17.995 +\end{isamarkuptext}%
  17.996 +\isamarkuptrue%
  17.997 +%
  17.998 +\isadelimvisible
  17.999 +\ \ %
 17.1000 +\endisadelimvisible
 17.1001 +%
 17.1002 +\isatagvisible
 17.1003 +\isacommand{sublocale}\isamarkupfalse%
 17.1004 +\ partial{\isacharunderscore}order\ {\isasymsubseteq}\ f{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}{\isasymlambda}f\ g{\isachardot}\ {\isasymforall}x{\isachardot}\ f\ x\ {\isasymsqsubseteq}\ g\ x{\isachardoublequoteclose}\isanewline
 17.1005 +\ \ \ \ \isacommand{oops}\isamarkupfalse%
 17.1006 +%
 17.1007 +\endisatagvisible
 17.1008 +{\isafoldvisible}%
 17.1009 +%
 17.1010 +\isadelimvisible
 17.1011 +%
 17.1012 +\endisadelimvisible
 17.1013 +%
 17.1014 +\begin{isamarkuptext}%
 17.1015 +Unfortunately this is a cyclic interpretation that leads to an
 17.1016 +  infinite chain, namely
 17.1017 +  \begin{isabelle}%
 17.1018 +\ \ partial{\isacharunderscore}order\ {\isasymsubseteq}\ partial{\isacharunderscore}order\ {\isacharparenleft}{\isasymlambda}f\ g{\isachardot}\ {\isasymforall}x{\isachardot}\ f\ x\ {\isasymsqsubseteq}\ g\ x{\isacharparenright}\ {\isasymsubseteq}\isanewline
 17.1019 +\isaindent{\ \ }\ \ partial{\isacharunderscore}order\ {\isacharparenleft}{\isasymlambda}f\ g{\isachardot}\ {\isasymforall}x\ y{\isachardot}\ f\ x\ y\ {\isasymsqsubseteq}\ g\ x\ y{\isacharparenright}\ {\isasymsubseteq}\ \ {\isasymdots}%
 17.1020 +\end{isabelle}
 17.1021 +  and the interpretation is rejected.
 17.1022 +
 17.1023 +  Instead it is necessary to declare a locale that is logically
 17.1024 +  equivalent to \isa{partial{\isacharunderscore}order} but serves to collect facts
 17.1025 +  about functions spaces where the co-domain is a partial order, and
 17.1026 +  to make the interpretation in its context:%
 17.1027 +\end{isamarkuptext}%
 17.1028 +\isamarkuptrue%
 17.1029 +\ \ \isacommand{locale}\isamarkupfalse%
 17.1030 +\ fun{\isacharunderscore}partial{\isacharunderscore}order\ {\isacharequal}\ partial{\isacharunderscore}order\isanewline
 17.1031 +\isanewline
 17.1032 +\ \ \isacommand{sublocale}\isamarkupfalse%
 17.1033 +\ fun{\isacharunderscore}partial{\isacharunderscore}order\ {\isasymsubseteq}\isanewline
 17.1034 +\ \ \ \ \ \ f{\isacharcolon}\ partial{\isacharunderscore}order\ {\isachardoublequoteopen}{\isasymlambda}f\ g{\isachardot}\ {\isasymforall}x{\isachardot}\ f\ x\ {\isasymsqsubseteq}\ g\ x{\isachardoublequoteclose}\isanewline
 17.1035 +%
 17.1036 +\isadelimproof
 17.1037 +\ \ \ \ %
 17.1038 +\endisadelimproof
 17.1039 +%
 17.1040 +\isatagproof
 17.1041 +\isacommand{by}\isamarkupfalse%
 17.1042 +\ unfold{\isacharunderscore}locales\ {\isacharparenleft}fast{\isacharcomma}rule{\isacharcomma}fast{\isacharcomma}blast\ intro{\isacharcolon}\ trans{\isacharparenright}%
 17.1043 +\endisatagproof
 17.1044 +{\isafoldproof}%
 17.1045 +%
 17.1046 +\isadelimproof
 17.1047 +%
 17.1048 +\endisadelimproof
 17.1049 +%
 17.1050 +\begin{isamarkuptext}%
 17.1051 +It is quite common in abstract algebra that such a construction
 17.1052 +  maps a hierarchy of algebraic structures (or specifications) to a
 17.1053 +  related hierarchy.  By means of the same lifting, a function space
 17.1054 +  is a lattice if its co-domain is a lattice:%
 17.1055 +\end{isamarkuptext}%
 17.1056 +\isamarkuptrue%
 17.1057 +\ \ \isacommand{locale}\isamarkupfalse%
 17.1058 +\ fun{\isacharunderscore}lattice\ {\isacharequal}\ fun{\isacharunderscore}partial{\isacharunderscore}order\ {\isacharplus}\ lattice\isanewline
 17.1059 +\isanewline
 17.1060 +\ \ \isacommand{sublocale}\isamarkupfalse%
 17.1061 +\ fun{\isacharunderscore}lattice\ {\isasymsubseteq}\ f{\isacharcolon}\ lattice\ {\isachardoublequoteopen}{\isasymlambda}f\ g{\isachardot}\ {\isasymforall}x{\isachardot}\ f\ x\ {\isasymsqsubseteq}\ g\ x{\isachardoublequoteclose}\isanewline
 17.1062 +%
 17.1063 +\isadelimproof
 17.1064 +\ \ \ \ %
 17.1065 +\endisadelimproof
 17.1066 +%
 17.1067 +\isatagproof
 17.1068 +\isacommand{proof}\isamarkupfalse%
 17.1069 +\ unfold{\isacharunderscore}locales\isanewline
 17.1070 +\ \ \ \ \isacommand{fix}\isamarkupfalse%
 17.1071 +\ f\ g\isanewline
 17.1072 +\ \ \ \ \isacommand{have}\isamarkupfalse%
 17.1073 +\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}is{\isacharunderscore}inf\ {\isacharparenleft}{\isasymlambda}f\ g{\isachardot}\ {\isasymforall}x{\isachardot}\ f\ x\ {\isasymsqsubseteq}\ g\ x{\isacharparenright}\ f\ g\ {\isacharparenleft}{\isasymlambda}x{\isachardot}\ f\ x\ {\isasymsqinter}\ g\ x{\isacharparenright}{\isachardoublequoteclose}\isanewline
 17.1074 +\ \ \ \ \ \ \isacommand{apply}\isamarkupfalse%
 17.1075 +\ {\isacharparenleft}rule\ is{\isacharunderscore}infI{\isacharparenright}\ \isacommand{apply}\isamarkupfalse%
 17.1076 +\ rule{\isacharplus}\ \isacommand{apply}\isamarkupfalse%
 17.1077 +\ {\isacharparenleft}drule\ spec{\isacharcomma}\ assumption{\isacharparenright}{\isacharplus}\ \isacommand{done}\isamarkupfalse%
 17.1078 +\isanewline
 17.1079 +\ \ \ \ \isacommand{then}\isamarkupfalse%
 17.1080 +\ \isacommand{show}\isamarkupfalse%
 17.1081 +\ {\isachardoublequoteopen}{\isasymexists}inf{\isachardot}\ partial{\isacharunderscore}order{\isachardot}is{\isacharunderscore}inf\ {\isacharparenleft}{\isasymlambda}f\ g{\isachardot}\ {\isasymforall}x{\isachardot}\ f\ x\ {\isasymsqsubseteq}\ g\ x{\isacharparenright}\ f\ g\ inf{\isachardoublequoteclose}\isanewline
 17.1082 +\ \ \ \ \ \ \isacommand{by}\isamarkupfalse%
 17.1083 +\ fast\isanewline
 17.1084 +\ \ \isacommand{next}\isamarkupfalse%
 17.1085 +\isanewline
 17.1086 +\ \ \ \ \isacommand{fix}\isamarkupfalse%
 17.1087 +\ f\ g\isanewline
 17.1088 +\ \ \ \ \isacommand{have}\isamarkupfalse%
 17.1089 +\ {\isachardoublequoteopen}partial{\isacharunderscore}order{\isachardot}is{\isacharunderscore}sup\ {\isacharparenleft}{\isasymlambda}f\ g{\isachardot}\ {\isasymforall}x{\isachardot}\ f\ x\ {\isasymsqsubseteq}\ g\ x{\isacharparenright}\ f\ g\ {\isacharparenleft}{\isasymlambda}x{\isachardot}\ f\ x\ {\isasymsqunion}\ g\ x{\isacharparenright}{\isachardoublequoteclose}\isanewline
 17.1090 +\ \ \ \ \ \ \isacommand{apply}\isamarkupfalse%
 17.1091 +\ {\isacharparenleft}rule\ is{\isacharunderscore}supI{\isacharparenright}\ \isacommand{apply}\isamarkupfalse%
 17.1092 +\ rule{\isacharplus}\ \isacommand{apply}\isamarkupfalse%
 17.1093 +\ {\isacharparenleft}drule\ spec{\isacharcomma}\ assumption{\isacharparenright}{\isacharplus}\ \isacommand{done}\isamarkupfalse%
 17.1094 +\isanewline
 17.1095 +\ \ \ \ \isacommand{then}\isamarkupfalse%
 17.1096 +\ \isacommand{show}\isamarkupfalse%
 17.1097 +\ {\isachardoublequoteopen}{\isasymexists}sup{\isachardot}\ partial{\isacharunderscore}order{\isachardot}is{\isacharunderscore}sup\ {\isacharparenleft}{\isasymlambda}f\ g{\isachardot}\ {\isasymforall}x{\isachardot}\ f\ x\ {\isasymsqsubseteq}\ g\ x{\isacharparenright}\ f\ g\ sup{\isachardoublequoteclose}\isanewline
 17.1098 +\ \ \ \ \ \ \isacommand{by}\isamarkupfalse%
 17.1099 +\ fast\isanewline
 17.1100 +\ \ \isacommand{qed}\isamarkupfalse%
 17.1101 +%
 17.1102 +\endisatagproof
 17.1103 +{\isafoldproof}%
 17.1104 +%
 17.1105 +\isadelimproof
 17.1106 +%
 17.1107 +\endisadelimproof
 17.1108  %
 17.1109  \isamarkupsection{Further Reading%
 17.1110  }
 17.1111 @@ -715,13 +790,13 @@
 17.1112  \begin{isamarkuptext}%
 17.1113  More information on locales and their interpretation is
 17.1114    available.  For the locale hierarchy of import and interpretation
 17.1115 -  dependencies see \cite{Ballarin2006a}; interpretations in theories
 17.1116 -  and proofs are covered in \cite{Ballarin2006b}.  In the latter, we
 17.1117 +  dependencies see~\cite{Ballarin2006a}; interpretations in theories
 17.1118 +  and proofs are covered in~\cite{Ballarin2006b}.  In the latter, I
 17.1119    show how interpretation in proofs enables to reason about families
 17.1120    of algebraic structures, which cannot be expressed with locales
 17.1121    directly.
 17.1122  
 17.1123 -  Haftmann and Wenzel \cite{HaftmannWenzel2007} overcome a restriction
 17.1124 +  Haftmann and Wenzel~\cite{HaftmannWenzel2007} overcome a restriction
 17.1125    of axiomatic type classes through a combination with locale
 17.1126    interpretation.  The result is a Haskell-style class system with a
 17.1127    facility to generate ML and Haskell code.  Classes are sufficient for
 17.1128 @@ -730,10 +805,21 @@
 17.1129    category.  Order preserving maps, homomorphisms and vector spaces,
 17.1130    on the other hand, do not.
 17.1131  
 17.1132 -  The original work of Kamm\"uller on locales \cite{KammullerEtAl1999}
 17.1133 -  may be of interest from a historical perspective.  The mathematical
 17.1134 -  background on orders and lattices is taken from Jacobson's textbook
 17.1135 -  on algebra \cite[Chapter~8]{Jacobson1985}.%
 17.1136 +  The locales reimplementation for Isabelle 2009 provides, among other
 17.1137 +  improvements, a clean integration with Isabelle/Isar's local theory
 17.1138 +  mechanisms, which are described in another paper by Haftmann and
 17.1139 +  Wenzel~\cite{HaftmannWenzel2009}.
 17.1140 +
 17.1141 +  The original work of Kamm\"uller on locales~\cite{KammullerEtAl1999}
 17.1142 +  may be of interest from a historical perspective.  My previous
 17.1143 +  report on locales and locale expressions~\cite{Ballarin2004a}
 17.1144 +  describes a simpler form of expressions than available now and is
 17.1145 +  outdated. The mathematical background on orders and lattices is
 17.1146 +  taken from Jacobson's textbook on algebra~\cite[Chapter~8]{Jacobson1985}.
 17.1147 +
 17.1148 +  The sources of this tutorial, which include all proofs, are
 17.1149 +  available with the Isabelle distribution at
 17.1150 +  \url{http://isabelle.in.tum.de}.%
 17.1151  \end{isamarkuptext}%
 17.1152  \isamarkuptrue%
 17.1153  %
 17.1154 @@ -829,8 +915,9 @@
 17.1155    \multicolumn{3}{l}{Diagnostics} \\
 17.1156  
 17.1157    \textit{toplevel} & ::=
 17.1158 -  & \textbf{print\_locale} [ ``\textbf{!}'' ] \textit{locale} \\
 17.1159 -  & | & \textbf{print\_locales} 
 17.1160 +  & \textbf{print\_locales} \\
 17.1161 +  & | & \textbf{print\_locale} [ ``\textbf{!}'' ] \textit{locale} \\
 17.1162 +  & | & \textbf{print\_interps} \textit{locale}
 17.1163  \end{tabular}
 17.1164  \end{center}
 17.1165  \hrule
 17.1166 @@ -841,9 +928,26 @@
 17.1167  \isamarkuptrue%
 17.1168  %
 17.1169  \begin{isamarkuptext}%
 17.1170 +\textbf{Revision History.}  For the present third revision of
 17.1171 +  the tutorial, much of the explanatory text
 17.1172 +  was rewritten.  Inheritance of interpretation equations is
 17.1173 +  available with the forthcoming release of Isabelle, which at the
 17.1174 +  time of editing these notes is expected for the end of 2009.
 17.1175 +  The second revision accommodates changes introduced by the locales
 17.1176 +  reimplementation for Isabelle 2009.  Most notably locale expressions
 17.1177 +  have been generalised from renaming to instantiation.%
 17.1178 +\end{isamarkuptext}%
 17.1179 +\isamarkuptrue%
 17.1180 +%
 17.1181 +\begin{isamarkuptext}%
 17.1182  \textbf{Acknowledgements.}  Alexander Krauss, Tobias Nipkow,
 17.1183 -  Christian Sternagel and Makarius Wenzel have made useful comments on
 17.1184 -  a draft of this document.%
 17.1185 +  Randy Pollack, Christian Sternagel and Makarius Wenzel have made
 17.1186 +  useful comments on earlier versions of this document.  The section
 17.1187 +  on conditional interpretation was inspired by a number of e-mail
 17.1188 +  enquiries the author received from locale users, and which suggested
 17.1189 +  that this use case is important enough to deserve explicit
 17.1190 +  explanation.  The term \emph{conditional interpretation} is due to
 17.1191 +  Larry Paulson.%
 17.1192  \end{isamarkuptext}%
 17.1193  \isamarkuptrue%
 17.1194  %
    18.1 --- a/doc-src/Locales/Locales/document/root.bib	Wed Oct 21 16:54:04 2009 +0200
    18.2 +++ b/doc-src/Locales/Locales/document/root.bib	Wed Oct 21 16:57:57 2009 +0200
    18.3 @@ -42,6 +42,42 @@
    18.4    year = 2006
    18.5  }
    18.6  
    18.7 +% TYPES 2003
    18.8 +
    18.9 +@inproceedings{Ballarin2004a,
   18.10 +  author = "Clemens Ballarin",
   18.11 +  title = "Locales and Locale Expressions in {Isabelle/Isar}",
   18.12 +  pages = "34--50",
   18.13 +  crossref = "BerardiEtAl2004"
   18.14 +}
   18.15 +
   18.16 +@proceedings{BerardiEtAl2004,
   18.17 +  editor = "Stefano Berardi and Mario Coppo and Ferruccio Damiani",
   18.18 +  title = "Types for Proofs and Programs, TYPES 2003, Torino, Italy",
   18.19 +  booktitle = "Types for Proofs and Programs, TYPES 2003, Torino, Italy",
   18.20 +  publisher = "Springer",
   18.21 +  series = "LNCS 3085",
   18.22 +  year = 2004
   18.23 +}
   18.24 +
   18.25 +% TYPES 2008
   18.26 +
   18.27 +@inproceedings{HaftmannWenzel2009,
   18.28 +  author = "Florian Haftmann and Makarius Wenzel",
   18.29 +  title = "Local theory specifications in {Isabelle}/{Isar}",
   18.30 +  pages = "153--168",
   18.31 +  crossref = "BerardiEtAl2009"
   18.32 +}
   18.33 +
   18.34 +@proceedings{BerardiEtAl2009,
   18.35 +  editor = "Stefano Berardi and Ferruccio Damiani and Ugo de Liguoro",
   18.36 +  title = "Types for Proofs and Programs, TYPES 2008, Torino, Italy",
   18.37 +  booktitle = "Types for Proofs and Programs, TYPES 2008, Torino, Italy",
   18.38 +  series = "LNCS 5497",
   18.39 +  publisher = "Springer",
   18.40 +  year = 2009
   18.41 +}
   18.42 +
   18.43  % MKM 2006
   18.44  
   18.45  @inproceedings{Ballarin2006b,
    19.1 --- a/doc-src/Locales/Locales/document/root.tex	Wed Oct 21 16:54:04 2009 +0200
    19.2 +++ b/doc-src/Locales/Locales/document/root.tex	Wed Oct 21 16:57:57 2009 +0200
    19.3 @@ -6,6 +6,7 @@
    19.4  \usepackage{subfigure}
    19.5  \usepackage{../../../isabelle,../../../isabellesym}
    19.6  \usepackage{verbatim}
    19.7 +\usepackage{alltt}
    19.8  \usepackage{array}
    19.9  
   19.10  \usepackage{amssymb}
   19.11 @@ -22,26 +23,26 @@
   19.12  
   19.13  \begin{document}
   19.14  
   19.15 -\title{Tutorial to Locales and Locale Interpretation \\[1ex]
   19.16 -  \large 2nd revision, for Isabelle 2009}
   19.17 +\title{Tutorial to Locales and Locale Interpretation}
   19.18  \author{Clemens Ballarin}
   19.19  \date{}
   19.20  
   19.21  \maketitle
   19.22  
   19.23  \begin{abstract}
   19.24 -  Locales are Isabelle's mechanism for dealing with parametric theories.
   19.25 -  We present typical examples of locale specifications,
   19.26 -  along with interpretations between locales to change their
   19.27 -  hierarchic dependencies and interpretations to reuse locales in
   19.28 -  theory contexts and proofs.
   19.29 +  Locales are Isabelle's approach for dealing with parametric
   19.30 +  theories.  They have been designed as a module system for a
   19.31 +  theorem prover that can adequately represent the complex
   19.32 +  inter-dependencies between structures found in abstract algebra, but
   19.33 +  have proven fruitful also in other applications --- for example,
   19.34 +  software verification.
   19.35  
   19.36 -  This tutorial is intended for locale novices; familiarity with
   19.37 -  Isabelle and Isar is presumed.
   19.38 -  The second revision accommodates changes introduced by the locales
   19.39 -  reimplementation for Isabelle 2009.  Most notably, in complex
   19.40 -  specifications (\emph{locale expressions}) renaming has been
   19.41 -  generalised to instantiation.
   19.42 +  Both design and implementation of locales have evolved considerably
   19.43 +  since Kamm\"uller did his initial experiments.  Today, locales
   19.44 +  are a simple yet powerful extension of the Isar proof language.
   19.45 +  The present tutorial covers all major facilities of locales.  It is
   19.46 +  intended for locale novices; familiarity with Isabelle and Isar is
   19.47 +  presumed.
   19.48  \end{abstract}
   19.49  
   19.50  \parindent 0pt\parskip 0.5ex
    21.1 --- a/doc-src/Main/Docs/Main_Doc.thy	Wed Oct 21 16:54:04 2009 +0200
    21.2 +++ b/doc-src/Main/Docs/Main_Doc.thy	Wed Oct 21 16:57:57 2009 +0200
    21.3 @@ -164,6 +164,21 @@
    21.4  \end{tabular}
    21.5  
    21.6  
    21.7 +\section{Hilbert\_Choice}
    21.8 +
    21.9 +Hilbert's selection ($\varepsilon$) operator: @{term"SOME x. P"}.
   21.10 +\smallskip
   21.11 +
   21.12 +\begin{tabular}{@ {} l @ {~::~} l @ {}}
   21.13 +@{const Hilbert_Choice.inv_onto} & @{term_type_only Hilbert_Choice.inv_onto "'a set \<Rightarrow> ('a \<Rightarrow> 'b) \<Rightarrow> ('b \<Rightarrow> 'a)"}
   21.14 +\end{tabular}
   21.15 +
   21.16 +\subsubsection*{Syntax}
   21.17 +
   21.18 +\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
   21.19 +@{term inv} & @{term[source]"inv_onto UNIV"}
   21.20 +\end{tabular}
   21.21 +
   21.22  \section{Fixed Points}
   21.23  
   21.24  Theory: @{theory Inductive}.
    22.1 --- a/doc-src/Main/Docs/document/Main_Doc.tex	Wed Oct 21 16:54:04 2009 +0200
    22.2 +++ b/doc-src/Main/Docs/document/Main_Doc.tex	Wed Oct 21 16:57:57 2009 +0200
    22.3 @@ -175,6 +175,21 @@
    22.4  \end{tabular}
    22.5  
    22.6  
    22.7 +\section{Hilbert\_Choice}
    22.8 +
    22.9 +Hilbert's selection ($\varepsilon$) operator: \isa{SOME\ x{\isachardot}\ P}.
   22.10 +\smallskip
   22.11 +
   22.12 +\begin{tabular}{@ {} l @ {~::~} l @ {}}
   22.13 +\isa{inv{\isacharunderscore}onto} & \isa{{\isacharprime}a\ set\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}b{\isacharparenright}\ {\isasymRightarrow}\ {\isacharprime}b\ {\isasymRightarrow}\ {\isacharprime}a}
   22.14 +\end{tabular}
   22.15 +
   22.16 +\subsubsection*{Syntax}
   22.17 +
   22.18 +\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
   22.19 +\isa{inv} & \isa{{\isachardoublequote}inv{\isacharunderscore}onto\ UNIV{\isachardoublequote}}
   22.20 +\end{tabular}
   22.21 +
   22.22  \section{Fixed Points}
   22.23  
   22.24  Theory: \isa{Inductive}.
    23.1 --- a/doc-src/TutorialI/Overview/LNCS/Sets.thy	Wed Oct 21 16:54:04 2009 +0200
    23.2 +++ b/doc-src/TutorialI/Overview/LNCS/Sets.thy	Wed Oct 21 16:57:57 2009 +0200
    23.3 @@ -149,7 +149,7 @@
    23.4      proof (rule converse_rtrancl_induct)
    23.5        show "t \<in> lfp ?F"
    23.6        proof (subst lfp_unfold[OF mono_ef])
    23.7 -	show "t \<in> ?F(lfp ?F)" using tA by blast
    23.8 +        show "t \<in> ?F(lfp ?F)" using tA by blast
    23.9        qed
   23.10      next
   23.11        fix s s'
   23.12 @@ -157,7 +157,7 @@
   23.13           and IH: "s' \<in> lfp ?F"
   23.14        show "s \<in> lfp ?F"
   23.15        proof (subst lfp_unfold[OF mono_ef])
   23.16 -	show "s \<in> ?F(lfp ?F)" using prems by blast
   23.17 +        show "s \<in> ?F(lfp ?F)" using prems by blast
   23.18        qed
   23.19      qed
   23.20    qed
    24.1 --- a/doc-src/TutorialI/Protocol/Event.thy	Wed Oct 21 16:54:04 2009 +0200
    24.2 +++ b/doc-src/TutorialI/Protocol/Event.thy	Wed Oct 21 16:57:57 2009 +0200
    24.3 @@ -22,7 +22,7 @@
    24.4          | Notes agent       msg
    24.5         
    24.6  consts 
    24.7 -  bad    :: "agent set"				(*compromised agents*)
    24.8 +  bad    :: "agent set"                         -- {* compromised agents *}
    24.9    knows  :: "agent => event list => msg set"
   24.10  
   24.11  
   24.12 @@ -43,19 +43,19 @@
   24.13    knows_Cons:
   24.14      "knows A (ev # evs) =
   24.15         (if A = Spy then 
   24.16 -	(case ev of
   24.17 -	   Says A' B X => insert X (knows Spy evs)
   24.18 -	 | Gets A' X => knows Spy evs
   24.19 -	 | Notes A' X  => 
   24.20 -	     if A' \<in> bad then insert X (knows Spy evs) else knows Spy evs)
   24.21 -	else
   24.22 -	(case ev of
   24.23 -	   Says A' B X => 
   24.24 -	     if A'=A then insert X (knows A evs) else knows A evs
   24.25 -	 | Gets A' X    => 
   24.26 -	     if A'=A then insert X (knows A evs) else knows A evs
   24.27 -	 | Notes A' X    => 
   24.28 -	     if A'=A then insert X (knows A evs) else knows A evs))"
   24.29 +        (case ev of
   24.30 +           Says A' B X => insert X (knows Spy evs)
   24.31 +         | Gets A' X => knows Spy evs
   24.32 +         | Notes A' X  => 
   24.33 +             if A' \<in> bad then insert X (knows Spy evs) else knows Spy evs)
   24.34 +        else
   24.35 +        (case ev of
   24.36 +           Says A' B X => 
   24.37 +             if A'=A then insert X (knows A evs) else knows A evs
   24.38 +         | Gets A' X    => 
   24.39 +             if A'=A then insert X (knows A evs) else knows A evs
   24.40 +         | Notes A' X    => 
   24.41 +             if A'=A then insert X (knows A evs) else knows A evs))"
   24.42  
   24.43  (*
   24.44    Case A=Spy on the Gets event
   24.45 @@ -71,10 +71,10 @@
   24.46  primrec
   24.47    used_Nil:   "used []         = (UN B. parts (initState B))"
   24.48    used_Cons:  "used (ev # evs) =
   24.49 -		     (case ev of
   24.50 -			Says A B X => parts {X} \<union> used evs
   24.51 -		      | Gets A X   => used evs
   24.52 -		      | Notes A X  => parts {X} \<union> used evs)"
   24.53 +                     (case ev of
   24.54 +                        Says A B X => parts {X} \<union> used evs
   24.55 +                      | Gets A X   => used evs
   24.56 +                      | Notes A X  => parts {X} \<union> used evs)"
   24.57      --{*The case for @{term Gets} seems anomalous, but @{term Gets} always
   24.58          follows @{term Says} in real protocols.  Seems difficult to change.
   24.59          See @{text Gets_correct} in theory @{text "Guard/Extensions.thy"}. *}
    25.1 --- a/doc-src/TutorialI/Protocol/Message.thy	Wed Oct 21 16:54:04 2009 +0200
    25.2 +++ b/doc-src/TutorialI/Protocol/Message.thy	Wed Oct 21 16:57:57 2009 +0200
    25.3 @@ -61,8 +61,8 @@
    25.4       msg = Agent  agent
    25.5           | Nonce  nat
    25.6           | Key    key
    25.7 -	 | MPair  msg msg
    25.8 -	 | Crypt  key msg
    25.9 +         | MPair  msg msg
   25.10 +         | Crypt  key msg
   25.11  
   25.12  text {*
   25.13  \noindent
   25.14 @@ -855,8 +855,8 @@
   25.15      (Fake_insert_simp_tac ss 1
   25.16       THEN
   25.17       IF_UNSOLVED (Blast.depth_tac
   25.18 -		  (cs addIs [analz_insertI,
   25.19 -				   impOfSubs analz_subset_parts]) 4 1))
   25.20 +                  (cs addIs [analz_insertI,
   25.21 +                                   impOfSubs analz_subset_parts]) 4 1))
   25.22  
   25.23  fun spy_analz_tac (cs,ss) i =
   25.24    DETERM
    26.1 --- a/doc-src/TutorialI/Protocol/NS_Public.thy	Wed Oct 21 16:54:04 2009 +0200
    26.2 +++ b/doc-src/TutorialI/Protocol/NS_Public.thy	Wed Oct 21 16:57:57 2009 +0200
    26.3 @@ -221,8 +221,8 @@
    26.4  lemma A_trusts_NS2_lemma [rule_format]:
    26.5     "\<lbrakk>A \<notin> bad;  B \<notin> bad;  evs \<in> ns_public\<rbrakk>
    26.6      \<Longrightarrow> Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow>
    26.7 -	Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow>
    26.8 -	Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs"
    26.9 +        Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow>
   26.10 +        Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs"
   26.11  apply (erule ns_public.induct, simp_all)
   26.12  (*Fake, NS1*)
   26.13  apply (blast dest: Spy_not_see_NA)+
   26.14 @@ -240,8 +240,8 @@
   26.15  lemma B_trusts_NS1 [rule_format]:
   26.16       "evs \<in> ns_public
   26.17        \<Longrightarrow> Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow>
   26.18 -	  Nonce NA \<notin> analz (knows Spy evs) \<longrightarrow>
   26.19 -	  Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
   26.20 +          Nonce NA \<notin> analz (knows Spy evs) \<longrightarrow>
   26.21 +          Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
   26.22  apply (erule ns_public.induct, simp_all)
   26.23  (*Fake*)
   26.24  apply (blast intro!: analz_insertI)
    27.1 --- a/doc-src/TutorialI/Protocol/Public.thy	Wed Oct 21 16:54:04 2009 +0200
    27.2 +++ b/doc-src/TutorialI/Protocol/Public.thy	Wed Oct 21 16:57:57 2009 +0200
    27.3 @@ -25,11 +25,11 @@
    27.4  primrec
    27.5          (*Agents know their private key and all public keys*)
    27.6    initState_Server:  "initState Server     =    
    27.7 - 		         insert (Key (priK Server)) (Key ` range pubK)"
    27.8 +                         insert (Key (priK Server)) (Key ` range pubK)"
    27.9    initState_Friend:  "initState (Friend i) =    
   27.10 - 		         insert (Key (priK (Friend i))) (Key ` range pubK)"
   27.11 +                         insert (Key (priK (Friend i))) (Key ` range pubK)"
   27.12    initState_Spy:     "initState Spy        =    
   27.13 - 		         (Key`invKey`pubK`bad) Un (Key ` range pubK)"
   27.14 +                         (Key`invKey`pubK`bad) Un (Key ` range pubK)"
   27.15  (*>*)
   27.16  
   27.17  text {*
    28.1 --- a/doc-src/TutorialI/Rules/Basic.thy	Wed Oct 21 16:54:04 2009 +0200
    28.2 +++ b/doc-src/TutorialI/Rules/Basic.thy	Wed Oct 21 16:57:57 2009 +0200
    28.3 @@ -1,4 +1,3 @@
    28.4 -(* ID:         $Id$ *)
    28.5  theory Basic imports Main begin
    28.6  
    28.7  lemma conj_rule: "\<lbrakk> P; Q \<rbrakk> \<Longrightarrow> P \<and> (Q \<and> P)"
    28.8 @@ -149,9 +148,9 @@
    28.9  
   28.10  lemma "\<lbrakk>\<not>(P\<longrightarrow>Q); \<not>(R\<longrightarrow>Q)\<rbrakk> \<Longrightarrow> R"
   28.11  apply (erule_tac Q="R\<longrightarrow>Q" in contrapos_np)
   28.12 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.13 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.14  apply (intro impI)
   28.15 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.16 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.17  by (erule notE)
   28.18  
   28.19  text {*
   28.20 @@ -161,11 +160,11 @@
   28.21  
   28.22  lemma "(P \<or> Q) \<and> R \<Longrightarrow> P \<or> Q \<and> R"
   28.23  apply (intro disjCI conjI)
   28.24 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.25 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.26  
   28.27  apply (elim conjE disjE)
   28.28   apply assumption
   28.29 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.30 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.31  
   28.32  by (erule contrapos_np, rule conjI)
   28.33  text{*
   28.34 @@ -241,18 +240,18 @@
   28.35  text{*rename_tac*}
   28.36  lemma "x < y \<Longrightarrow> \<forall>x y. P x (f y)"
   28.37  apply (intro allI)
   28.38 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.39 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.40  apply (rename_tac v w)
   28.41 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.42 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.43  oops
   28.44  
   28.45  
   28.46  lemma "\<lbrakk>\<forall>x. P x \<longrightarrow> P (h x); P a\<rbrakk> \<Longrightarrow> P(h (h a))"
   28.47  apply (frule spec)
   28.48 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.49 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.50  apply (drule mp, assumption)
   28.51  apply (drule spec)
   28.52 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.53 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.54  by (drule mp)
   28.55  
   28.56  lemma "\<lbrakk>\<forall>x. P x \<longrightarrow> P (f x); P a\<rbrakk> \<Longrightarrow> P(f (f a))"
   28.57 @@ -276,11 +275,11 @@
   28.58  
   28.59  lemma "\<lbrakk>\<forall>x. P x \<longrightarrow> P (h x); P a\<rbrakk> \<Longrightarrow> P(h (h a))"
   28.60  apply (frule spec)
   28.61 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.62 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.63  apply (drule mp, assumption)
   28.64 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.65 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.66  apply (drule_tac x = "h a" in spec)
   28.67 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.68 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.69  by (drule mp)
   28.70  
   28.71  text {*
   28.72 @@ -290,15 +289,15 @@
   28.73  
   28.74  lemma mult_dvd_mono: "\<lbrakk>i dvd m; j dvd n\<rbrakk> \<Longrightarrow> i*j dvd (m*n :: nat)"
   28.75  apply (simp add: dvd_def)
   28.76 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.77 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.78  apply (erule exE) 
   28.79 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.80 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.81  apply (erule exE) 
   28.82 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.83 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.84  apply (rename_tac l)
   28.85 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.86 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.87  apply (rule_tac x="k*l" in exI) 
   28.88 -	--{* @{subgoals[display,indent=0,margin=65]} *}
   28.89 +        --{* @{subgoals[display,indent=0,margin=65]} *}
   28.90  apply simp
   28.91  done
   28.92  
    29.1 --- a/doc-src/TutorialI/Rules/rules.tex	Wed Oct 21 16:54:04 2009 +0200
    29.2 +++ b/doc-src/TutorialI/Rules/rules.tex	Wed Oct 21 16:57:57 2009 +0200
    29.3 @@ -1357,7 +1357,7 @@
    29.4  some $x$ such that $P(x)$ is true, provided one exists.
    29.5  Isabelle uses \sdx{SOME} for the Greek letter~$\varepsilon$.
    29.6  
    29.7 -Here is the definition of~\cdx{inv}, which expresses inverses of
    29.8 +Here is the definition of~\cdx{inv},\footnote{In fact, \isa{inv} is defined via a second constant \isa{inv_onto}, which we ignore here.} which expresses inverses of
    29.9  functions:
   29.10  \begin{isabelle}
   29.11  inv\ f\ \isasymequiv \ \isasymlambda y.\ SOME\ x.\ f\ x\ =\ y%
    30.1 --- a/etc/proofgeneral-settings.el	Wed Oct 21 16:54:04 2009 +0200
    30.2 +++ b/etc/proofgeneral-settings.el	Wed Oct 21 16:57:57 2009 +0200
    30.3 @@ -2,6 +2,8 @@
    30.4  
    30.5  ;; Examples for sensible settings:
    30.6  
    30.7 +(custom-set-variables '(indent-tabs-mode nil))
    30.8 +
    30.9  ;(custom-set-variables '(isar-eta-contract nil))
   30.10  
   30.11  ;(custom-set-faces
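Review bot: The new `(custom-set-variables '(indent-tabs-mode nil))` is a live setting, yet it sits directly under the `;; Examples for sensible settings:` heading whose other entries are all commented out (`;(custom-set-variables '(isar-eta-contract nil))`), so a reader is likely to take it for another inactive example. Either move the line above that heading or give it its own comment, e.g. `;; Active: indent with spaces, never tabs (the theory sources are being converted to tab-free indentation).` Note also that `indent-tabs-mode` set this way appears to become the Emacs-wide default rather than an Isar-buffer setting; if that is not intended, a mode hook would be the narrower place for it.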
    31.1 --- a/src/FOL/FOL.thy	Wed Oct 21 16:54:04 2009 +0200
    31.2 +++ b/src/FOL/FOL.thy	Wed Oct 21 16:57:57 2009 +0200
    31.3 @@ -174,13 +174,13 @@
    31.4    structure Blast = Blast
    31.5    (
    31.6      val thy = @{theory}
    31.7 -    type claset	= Cla.claset
    31.8 +    type claset = Cla.claset
    31.9      val equality_name = @{const_name "op ="}
   31.10      val not_name = @{const_name Not}
   31.11 -    val notE	= @{thm notE}
   31.12 -    val ccontr	= @{thm ccontr}
   31.13 +    val notE = @{thm notE}
   31.14 +    val ccontr = @{thm ccontr}
   31.15      val contr_tac = Cla.contr_tac
   31.16 -    val dup_intr	= Cla.dup_intr
   31.17 +    val dup_intr = Cla.dup_intr
   31.18      val hyp_subst_tac = Hypsubst.blast_hyp_subst_tac
   31.19      val rep_cs = Cla.rep_cs
   31.20      val cla_modifiers = Cla.cla_modifiers
    32.1 --- a/src/FOL/ex/Classical.thy	Wed Oct 21 16:54:04 2009 +0200
    32.2 +++ b/src/FOL/ex/Classical.thy	Wed Oct 21 16:57:57 2009 +0200
    32.3 @@ -418,7 +418,7 @@
    32.4  by fast
    32.5  
    32.6  text{*Halting problem: Formulation of Li Dafa (AAR Newsletter 27, Oct 1994.)
    32.7 -	author U. Egly*}
    32.8 +  author U. Egly*}
    32.9  lemma "((\<exists>x. A(x) & (\<forall>y. C(y) --> (\<forall>z. D(x,y,z)))) -->                
   32.10     (\<exists>w. C(w) & (\<forall>y. C(y) --> (\<forall>z. D(w,y,z)))))                   
   32.11    &                                                                      
    33.1 --- a/src/FOL/simpdata.ML	Wed Oct 21 16:54:04 2009 +0200
    33.2 +++ b/src/FOL/simpdata.ML	Wed Oct 21 16:57:57 2009 +0200
    33.3 @@ -27,7 +27,7 @@
    33.4  
    33.5  (*Congruence rules for = or <-> (instead of ==)*)
    33.6  fun mk_meta_cong rl =
    33.7 -  standard(mk_meta_eq (mk_meta_prems rl))
    33.8 +  Drule.standard (mk_meta_eq (mk_meta_prems rl))
    33.9    handle THM _ =>
   33.10    error("Premises and conclusion of congruence rules must use =-equality or <->");
   33.11  
    34.1 --- a/src/FOLP/simp.ML	Wed Oct 21 16:54:04 2009 +0200
    34.2 +++ b/src/FOLP/simp.ML	Wed Oct 21 16:57:57 2009 +0200
    34.3 @@ -519,7 +519,7 @@
    34.4  (* Compute Congruence rules for individual constants using the substition
    34.5     rules *)
    34.6  
    34.7 -val subst_thms = map standard subst_thms;
    34.8 +val subst_thms = map Drule.standard subst_thms;
    34.9  
   34.10  
   34.11  fun exp_app(0,t) = t
   34.12 @@ -543,7 +543,7 @@
   34.13  fun find_subst sg T =
   34.14  let fun find (thm::thms) =
   34.15          let val (Const(_,cT), va, vb) = dest_red(hd(prems_of thm));
   34.16 -            val [P] = OldTerm.add_term_vars(concl_of thm,[]) \\ [va,vb]
   34.17 +            val [P] = subtract (op =) [va, vb] (OldTerm.add_term_vars (concl_of thm, []));
   34.18              val eqT::_ = binder_types cT
   34.19          in if Sign.typ_instance sg (T,eqT) then SOME(thm,va,vb,P)
   34.20             else find thms
    35.1 --- a/src/HOL/Algebra/Bij.thy	Wed Oct 21 16:54:04 2009 +0200
    35.2 +++ b/src/HOL/Algebra/Bij.thy	Wed Oct 21 16:57:57 2009 +0200
    35.3 @@ -31,8 +31,8 @@
    35.4  
    35.5  subsection {*Bijections Form a Group *}
    35.6  
    35.7 -lemma restrict_Inv_Bij: "f \<in> Bij S \<Longrightarrow> (\<lambda>x \<in> S. (Inv S f) x) \<in> Bij S"
    35.8 -  by (simp add: Bij_def bij_betw_Inv)
    35.9 +lemma restrict_inv_onto_Bij: "f \<in> Bij S \<Longrightarrow> (\<lambda>x \<in> S. (inv_onto S f) x) \<in> Bij S"
   35.10 +  by (simp add: Bij_def bij_betw_inv_onto)
   35.11  
   35.12  lemma id_Bij: "(\<lambda>x\<in>S. x) \<in> Bij S "
   35.13    by (auto simp add: Bij_def bij_betw_def inj_on_def)
   35.14 @@ -41,8 +41,8 @@
   35.15    by (auto simp add: Bij_def bij_betw_compose) 
   35.16  
   35.17  lemma Bij_compose_restrict_eq:
   35.18 -     "f \<in> Bij S \<Longrightarrow> compose S (restrict (Inv S f) S) f = (\<lambda>x\<in>S. x)"
   35.19 -  by (simp add: Bij_def compose_Inv_id)
   35.20 +     "f \<in> Bij S \<Longrightarrow> compose S (restrict (inv_onto S f) S) f = (\<lambda>x\<in>S. x)"
   35.21 +  by (simp add: Bij_def compose_inv_onto_id)
   35.22  
   35.23  theorem group_BijGroup: "group (BijGroup S)"
   35.24  apply (simp add: BijGroup_def)
   35.25 @@ -52,22 +52,22 @@
   35.26    apply (simp add: compose_Bij)
   35.27    apply (blast intro: compose_assoc [symmetric] dest: Bij_imp_funcset)
   35.28   apply (simp add: id_Bij Bij_imp_funcset Bij_imp_extensional, simp)
   35.29 -apply (blast intro: Bij_compose_restrict_eq restrict_Inv_Bij)
   35.30 +apply (blast intro: Bij_compose_restrict_eq restrict_inv_onto_Bij)
   35.31  done
   35.32  
   35.33  
   35.34  subsection{*Automorphisms Form a Group*}
   35.35  
   35.36 -lemma Bij_Inv_mem: "\<lbrakk> f \<in> Bij S;  x \<in> S\<rbrakk> \<Longrightarrow> Inv S f x \<in> S"
   35.37 -by (simp add: Bij_def bij_betw_def Inv_mem)
   35.38 +lemma Bij_inv_onto_mem: "\<lbrakk> f \<in> Bij S;  x \<in> S\<rbrakk> \<Longrightarrow> inv_onto S f x \<in> S"
   35.39 +by (simp add: Bij_def bij_betw_def inv_onto_into)
   35.40  
   35.41 -lemma Bij_Inv_lemma:
   35.42 +lemma Bij_inv_onto_lemma:
   35.43   assumes eq: "\<And>x y. \<lbrakk>x \<in> S; y \<in> S\<rbrakk> \<Longrightarrow> h(g x y) = g (h x) (h y)"
   35.44   shows "\<lbrakk>h \<in> Bij S;  g \<in> S \<rightarrow> S \<rightarrow> S;  x \<in> S;  y \<in> S\<rbrakk>
   35.45 -        \<Longrightarrow> Inv S h (g x y) = g (Inv S h x) (Inv S h y)"
   35.46 +        \<Longrightarrow> inv_onto S h (g x y) = g (inv_onto S h x) (inv_onto S h y)"
   35.47  apply (simp add: Bij_def bij_betw_def)
   35.48  apply (subgoal_tac "\<exists>x'\<in>S. \<exists>y'\<in>S. x = h x' & y = h y'", clarify)
   35.49 - apply (simp add: eq [symmetric] Inv_f_f funcset_mem [THEN funcset_mem], blast)
   35.50 + apply (simp add: eq [symmetric] inv_f_f funcset_mem [THEN funcset_mem], blast)
   35.51  done
   35.52  
   35.53  
   35.54 @@ -84,17 +84,17 @@
   35.55  lemma (in group) mult_funcset: "mult G \<in> carrier G \<rightarrow> carrier G \<rightarrow> carrier G"
   35.56    by (simp add:  Pi_I group.axioms)
   35.57  
   35.58 -lemma (in group) restrict_Inv_hom:
   35.59 +lemma (in group) restrict_inv_onto_hom:
   35.60        "\<lbrakk>h \<in> hom G G; h \<in> Bij (carrier G)\<rbrakk>
   35.61 -       \<Longrightarrow> restrict (Inv (carrier G) h) (carrier G) \<in> hom G G"
   35.62 -  by (simp add: hom_def Bij_Inv_mem restrictI mult_funcset
   35.63 -                group.axioms Bij_Inv_lemma)
   35.64 +       \<Longrightarrow> restrict (inv_onto (carrier G) h) (carrier G) \<in> hom G G"
   35.65 +  by (simp add: hom_def Bij_inv_onto_mem restrictI mult_funcset
   35.66 +                group.axioms Bij_inv_onto_lemma)
   35.67  
   35.68  lemma inv_BijGroup:
   35.69 -     "f \<in> Bij S \<Longrightarrow> m_inv (BijGroup S) f = (\<lambda>x \<in> S. (Inv S f) x)"
   35.70 +     "f \<in> Bij S \<Longrightarrow> m_inv (BijGroup S) f = (\<lambda>x \<in> S. (inv_onto S f) x)"
   35.71  apply (rule group.inv_equality)
   35.72  apply (rule group_BijGroup)
   35.73 -apply (simp_all add: BijGroup_def restrict_Inv_Bij Bij_compose_restrict_eq)
   35.74 +apply (simp_all add:BijGroup_def restrict_inv_onto_Bij Bij_compose_restrict_eq)
   35.75  done
   35.76  
   35.77  lemma (in group) subgroup_auto:
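Review bot: The rewritten `inv_BijGroup` proof drops the space after `add:` — `apply (simp_all add:BijGroup_def restrict_inv_onto_Bij Bij_compose_restrict_eq)` — while every other `simp add:` call in this theory keeps it, which looks like a line-length workaround for the longer `inv_onto` names. Break the argument list instead: `apply (simp_all add: BijGroup_def restrict_inv_onto_Bij` / `  Bij_compose_restrict_eq)`. The lemma renames (`restrict_Inv_hom` to `restrict_inv_onto_hom`, and the others in this file) change public fact names, so any theory outside `src/HOL/Algebra` that cites the old names will need the same update; that cannot be checked from here.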
   35.78 @@ -115,7 +115,7 @@
   35.79    assume "x \<in> auto G" 
   35.80    thus "inv\<^bsub>BijGroup (carrier G)\<^esub> x \<in> auto G"
   35.81      by (simp del: restrict_apply
   35.82 -             add: inv_BijGroup auto_def restrict_Inv_Bij restrict_Inv_hom)
   35.83 +        add: inv_BijGroup auto_def restrict_inv_onto_Bij restrict_inv_onto_hom)
   35.84  qed
   35.85  
   35.86  theorem (in group) AutoGroup: "group (AutoGroup G)"
    36.1 --- a/src/HOL/Algebra/Coset.thy	Wed Oct 21 16:54:04 2009 +0200
    36.2 +++ b/src/HOL/Algebra/Coset.thy	Wed Oct 21 16:57:57 2009 +0200
    36.3 @@ -609,7 +609,7 @@
    36.4      proof (simp add: r_congruent_def sym_def, clarify)
    36.5        fix x y
    36.6        assume [simp]: "x \<in> carrier G" "y \<in> carrier G" 
    36.7 -	 and "inv x \<otimes> y \<in> H"
    36.8 +         and "inv x \<otimes> y \<in> H"
    36.9        hence "inv (inv x \<otimes> y) \<in> H" by (simp add: m_inv_closed) 
   36.10        thus "inv y \<otimes> x \<in> H" by (simp add: inv_mult_group)
   36.11      qed
   36.12 @@ -618,10 +618,10 @@
   36.13      proof (simp add: r_congruent_def trans_def, clarify)
   36.14        fix x y z
   36.15        assume [simp]: "x \<in> carrier G" "y \<in> carrier G" "z \<in> carrier G"
   36.16 -	 and "inv x \<otimes> y \<in> H" and "inv y \<otimes> z \<in> H"
   36.17 +         and "inv x \<otimes> y \<in> H" and "inv y \<otimes> z \<in> H"
   36.18        hence "(inv x \<otimes> y) \<otimes> (inv y \<otimes> z) \<in> H" by simp
   36.19        hence "inv x \<otimes> (y \<otimes> inv y) \<otimes> z \<in> H"
   36.20 -	by (simp add: m_assoc del: r_inv Units_r_inv) 
   36.21 +        by (simp add: m_assoc del: r_inv Units_r_inv) 
   36.22        thus "inv x \<otimes> z \<in> H" by simp
   36.23      qed
   36.24    qed
    37.1 --- a/src/HOL/Algebra/Divisibility.thy	Wed Oct 21 16:54:04 2009 +0200
    37.2 +++ b/src/HOL/Algebra/Divisibility.thy	Wed Oct 21 16:57:57 2009 +0200
    37.3 @@ -2579,33 +2579,33 @@
    37.4             by force
    37.5  
    37.6        from this obtain p'
    37.7 -	  where "p' \<in> set (as@bs)"
    37.8 -	  and pp': "p \<sim> p'" by auto
    37.9 +          where "p' \<in> set (as@bs)"
   37.10 +          and pp': "p \<sim> p'" by auto
   37.11  
   37.12        hence "p' \<in> set as \<or> p' \<in> set bs" by simp
   37.13        moreover
   37.14        {
   37.15 -	assume p'elem: "p' \<in> set as"
   37.16 -	with ascarr have [simp]: "p' \<in> carrier G" by fast
   37.17 -
   37.18 -	note pp'
   37.19 -	also from afac p'elem
   37.20 -	     have "p' divides a" by (rule factors_dividesI) fact+
   37.21 -	finally
   37.22 -	     have "p divides a" by simp
   37.23 +        assume p'elem: "p' \<in> set as"
   37.24 +        with ascarr have [simp]: "p' \<in> carrier G" by fast
   37.25 +
   37.26 +        note pp'
   37.27 +        also from afac p'elem
   37.28 +             have "p' divides a" by (rule factors_dividesI) fact+
   37.29 +        finally
   37.30 +             have "p divides a" by simp
   37.31        }
   37.32        moreover
   37.33        {
   37.34 -	assume p'elem: "p' \<in> set bs"
   37.35 -	with bscarr have [simp]: "p' \<in> carrier G" by fast
   37.36 -
   37.37 -	note pp'
   37.38 -	also from bfac
   37.39 -	     have "p' divides b" by (rule factors_dividesI) fact+
   37.40 -	finally have "p divides b" by simp
   37.41 +        assume p'elem: "p' \<in> set bs"
   37.42 +        with bscarr have [simp]: "p' \<in> carrier G" by fast
   37.43 +
   37.44 +        note pp'
   37.45 +        also from bfac
   37.46 +             have "p' divides b" by (rule factors_dividesI) fact+
   37.47 +        finally have "p divides b" by simp
   37.48        }
   37.49        ultimately
   37.50 -	  show "p divides a \<or> p divides b" by fast
   37.51 +          show "p divides a \<or> p divides b" by fast
   37.52      qed
   37.53    qed
   37.54  qed
   37.55 @@ -3176,7 +3176,7 @@
   37.56    have "c = c \<otimes> \<one>" by simp
   37.57    also from abrelprime[symmetric]
   37.58         have "\<dots> \<sim> c \<otimes> somegcd G a b"
   37.59 -	 by (rule assoc_subst) (simp add: mult_cong_r)+
   37.60 +         by (rule assoc_subst) (simp add: mult_cong_r)+
   37.61    also have "\<dots> \<sim> somegcd G (c \<otimes> a) (c \<otimes> b)" by (rule gcd_mult) fact+
   37.62    finally
   37.63         have c: "c \<sim> somegcd G (c \<otimes> a) (c \<otimes> b)" by simp
   37.64 @@ -3188,13 +3188,13 @@
   37.65    have "somegcd G a (b \<otimes> c) \<sim> somegcd G a (c \<otimes> b)" by (simp add: m_comm)
   37.66    also from a
   37.67         have "\<dots> \<sim> somegcd G (somegcd G a (c \<otimes> a)) (c \<otimes> b)"
   37.68 -	 by (rule assoc_subst) (simp add: gcd_cong_l)+
   37.69 +         by (rule assoc_subst) (simp add: gcd_cong_l)+
   37.70    also from gcd_assoc
   37.71         have "\<dots> \<sim> somegcd G a (somegcd G (c \<otimes> a) (c \<otimes> b))"
   37.72         by (rule assoc_subst) simp+
   37.73    also from c[symmetric]
   37.74         have "\<dots> \<sim> somegcd G a c"
   37.75 -	 by (rule assoc_subst) (simp add: gcd_cong_r)+
   37.76 +         by (rule assoc_subst) (simp add: gcd_cong_r)+
   37.77    also note acrelprime
   37.78    finally
   37.79         show "somegcd G a (b \<otimes> c) \<sim> \<one>" by simp
    38.1 --- a/src/HOL/Algebra/FiniteProduct.thy	Wed Oct 21 16:54:04 2009 +0200
    38.2 +++ b/src/HOL/Algebra/FiniteProduct.thy	Wed Oct 21 16:57:57 2009 +0200
    38.3 @@ -423,17 +423,17 @@
    38.4        then have "finprod G f A = finprod G f (insert x B)" by simp
    38.5        also from insert have "... = f x \<otimes> finprod G f B"
    38.6        proof (intro finprod_insert)
    38.7 -	show "finite B" by fact
    38.8 +        show "finite B" by fact
    38.9        next
   38.10 -	show "x ~: B" by fact
   38.11 +        show "x ~: B" by fact
   38.12        next
   38.13 -	assume "x ~: B" "!!i. i \<in> insert x B \<Longrightarrow> f i = g i"
   38.14 -	  "g \<in> insert x B \<rightarrow> carrier G"
   38.15 -	thus "f \<in> B -> carrier G" by fastsimp
   38.16 +        assume "x ~: B" "!!i. i \<in> insert x B \<Longrightarrow> f i = g i"
   38.17 +          "g \<in> insert x B \<rightarrow> carrier G"
   38.18 +        thus "f \<in> B -> carrier G" by fastsimp
   38.19        next
   38.20 -	assume "x ~: B" "!!i. i \<in> insert x B \<Longrightarrow> f i = g i"
   38.21 -	  "g \<in> insert x B \<rightarrow> carrier G"
   38.22 -	thus "f x \<in> carrier G" by fastsimp
   38.23 +        assume "x ~: B" "!!i. i \<in> insert x B \<Longrightarrow> f i = g i"
   38.24 +          "g \<in> insert x B \<rightarrow> carrier G"
   38.25 +        thus "f x \<in> carrier G" by fastsimp
   38.26        qed
   38.27        also from insert have "... = g x \<otimes> finprod G g B" by fastsimp
   38.28        also from insert have "... = finprod G g (insert x B)"
    39.1 --- a/src/HOL/Algebra/Group.thy	Wed Oct 21 16:54:04 2009 +0200
    39.2 +++ b/src/HOL/Algebra/Group.thy	Wed Oct 21 16:57:57 2009 +0200
    39.3 @@ -553,11 +553,11 @@
    39.4  by (simp add: iso_def hom_def inj_on_def bij_betw_def Pi_def)
    39.5  
    39.6  lemma (in group) iso_sym:
    39.7 -     "h \<in> G \<cong> H \<Longrightarrow> Inv (carrier G) h \<in> H \<cong> G"
    39.8 -apply (simp add: iso_def bij_betw_Inv) 
    39.9 -apply (subgoal_tac "Inv (carrier G) h \<in> carrier H \<rightarrow> carrier G") 
   39.10 - prefer 2 apply (simp add: bij_betw_imp_funcset [OF bij_betw_Inv]) 
   39.11 -apply (simp add: hom_def bij_betw_def Inv_f_eq f_Inv_f Pi_def)
   39.12 +     "h \<in> G \<cong> H \<Longrightarrow> inv_onto (carrier G) h \<in> H \<cong> G"
   39.13 +apply (simp add: iso_def bij_betw_inv_onto) 
   39.14 +apply (subgoal_tac "inv_onto (carrier G) h \<in> carrier H \<rightarrow> carrier G") 
   39.15 + prefer 2 apply (simp add: bij_betw_imp_funcset [OF bij_betw_inv_onto]) 
   39.16 +apply (simp add: hom_def bij_betw_def inv_onto_f_eq f_inv_onto_f Pi_def)
   39.17  done
   39.18  
   39.19  lemma (in group) iso_trans: 
   39.20 @@ -785,16 +785,16 @@
   39.21        assume H: "H \<in> A"
   39.22        with L have subgroupH: "subgroup H G" by auto
   39.23        from subgroupH have groupH: "group (G (| carrier := H |))" (is "group ?H")
   39.24 -	by (rule subgroup_imp_group)
   39.25 +        by (rule subgroup_imp_group)
   39.26        from groupH have monoidH: "monoid ?H"
   39.27 -	by (rule group.is_monoid)
   39.28 +        by (rule group.is_monoid)
   39.29        from H have Int_subset: "?Int \<subseteq> H" by fastsimp
   39.30        then show "le ?L ?Int H" by simp
   39.31      next
   39.32        fix H
   39.33        assume H: "H \<in> Lower ?L A"
   39.34        with L Int_subgroup show "le ?L H ?Int"
   39.35 -	by (fastsimp simp: Lower_def intro: Inter_greatest)
   39.36 +        by (fastsimp simp: Lower_def intro: Inter_greatest)
   39.37      next
   39.38        show "A \<subseteq> carrier ?L" by (rule L)
   39.39      next
    40.1 --- a/src/HOL/Algebra/Lattice.thy	Wed Oct 21 16:54:04 2009 +0200
    40.2 +++ b/src/HOL/Algebra/Lattice.thy	Wed Oct 21 16:57:57 2009 +0200
    40.3 @@ -533,22 +533,22 @@
    40.4        assume y: "y \<in> Upper L (insert x A)"
    40.5        show "s \<sqsubseteq> y"
    40.6        proof (rule least_le [OF least_s], rule Upper_memI)
    40.7 -	fix z
    40.8 -	assume z: "z \<in> {a, x}"
    40.9 -	then show "z \<sqsubseteq> y"
   40.10 -	proof
   40.11 +        fix z
   40.12 +        assume z: "z \<in> {a, x}"
   40.13 +        then show "z \<sqsubseteq> y"
   40.14 +        proof
   40.15            have y': "y \<in> Upper L A"
   40.16              apply (rule subsetD [where A = "Upper L (insert x A)"])
   40.17               apply (rule Upper_antimono)
   40.18 -	     apply blast
   40.19 -	    apply (rule y)
   40.20 +             apply blast
   40.21 +            apply (rule y)
   40.22              done
   40.23            assume "z = a"
   40.24            with y' least_a show ?thesis by (fast dest: least_le)
   40.25 -	next
   40.26 -	  assume "z \<in> {x}"  (* FIXME "z = x"; declare specific elim rule for "insert x {}" (!?) *)
   40.27 +        next
   40.28 +          assume "z \<in> {x}"  (* FIXME "z = x"; declare specific elim rule for "insert x {}" (!?) *)
   40.29            with y L show ?thesis by blast
   40.30 -	qed
   40.31 +        qed
   40.32        qed (rule Upper_closed [THEN subsetD, OF y])
   40.33      next
   40.34        from L show "insert x A \<subseteq> carrier L" by simp
   40.35 @@ -569,9 +569,9 @@
   40.36      case True
   40.37      with insert show ?thesis
   40.38        by simp (simp add: least_cong [OF weak_sup_of_singleton]
   40.39 -	sup_of_singleton_closed sup_of_singletonI)
   40.40 -	(* The above step is hairy; least_cong can make simp loop.
   40.41 -	Would want special version of simp to apply least_cong. *)
   40.42 +        sup_of_singleton_closed sup_of_singletonI)
   40.43 +        (* The above step is hairy; least_cong can make simp loop.
   40.44 +        Would want special version of simp to apply least_cong. *)
   40.45    next
   40.46      case False
   40.47      with insert have "least L (\<Squnion>A) (Upper L A)" by simp
   40.48 @@ -774,22 +774,22 @@
   40.49        assume y: "y \<in> Lower L (insert x A)"
   40.50        show "y \<sqsubseteq> i"
   40.51        proof (rule greatest_le [OF greatest_i], rule Lower_memI)
   40.52 -	fix z
   40.53 -	assume z: "z \<in> {a, x}"
   40.54 -	then show "y \<sqsubseteq> z"
   40.55 -	proof
   40.56 +        fix z
   40.57 +        assume z: "z \<in> {a, x}"
   40.58 +        then show "y \<sqsubseteq> z"
   40.59 +        proof
   40.60            have y': "y \<in> Lower L A"
   40.61              apply (rule subsetD [where A = "Lower L (insert x A)"])
   40.62              apply (rule Lower_antimono)
   40.63 -	     apply blast
   40.64 -	    apply (rule y)
   40.65 +             apply blast
   40.66 +            apply (rule y)
   40.67              done
   40.68            assume "z = a"
   40.69            with y' greatest_a show ?thesis by (fast dest: greatest_le)
   40.70 -	next
   40.71 +        next
   40.72            assume "z \<in> {x}"
   40.73            with y L show ?thesis by blast
   40.74 -	qed
   40.75 +        qed
   40.76        qed (rule Lower_closed [THEN subsetD, OF y])
   40.77      next
   40.78        from L show "insert x A \<subseteq> carrier L" by simp
   40.79 @@ -809,7 +809,7 @@
   40.80      case True
   40.81      with insert show ?thesis
   40.82        by simp (simp add: greatest_cong [OF weak_inf_of_singleton]
   40.83 -	inf_of_singleton_closed inf_of_singletonI)
   40.84 +        inf_of_singleton_closed inf_of_singletonI)
   40.85    next
   40.86      case False
   40.87      from insert show ?thesis
   40.88 @@ -1291,7 +1291,7 @@
   40.89    proof
   40.90      from B show "greatest ?L (\<Inter> B \<inter> A) (Lower ?L B)"
   40.91        txt {* @{term "\<Inter> B"} is not the infimum of @{term B}:
   40.92 -	@{term "\<Inter> {} = UNIV"} which is in general bigger than @{term "A"}! *}
   40.93 +        @{term "\<Inter> {} = UNIV"} which is in general bigger than @{term "A"}! *}
   40.94        by (fastsimp intro!: greatest_LowerI simp: Lower_def)
   40.95    qed
   40.96  qed
    41.1 --- a/src/HOL/Algebra/UnivPoly.thy	Wed Oct 21 16:54:04 2009 +0200
    41.2 +++ b/src/HOL/Algebra/UnivPoly.thy	Wed Oct 21 16:57:57 2009 +0200
    41.3 @@ -349,19 +349,19 @@
    41.4        fix nn assume Succ: "n = Suc nn"
    41.5        have "coeff P (p \<otimes>\<^bsub>P\<^esub> \<one>\<^bsub>P\<^esub>) (Suc nn) = coeff P p (Suc nn)"
    41.6        proof -
    41.7 -	have "coeff P (p \<otimes>\<^bsub>P\<^esub> \<one>\<^bsub>P\<^esub>) (Suc nn) = (\<Oplus>i\<in>{..Suc nn}. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>))" using R by simp
    41.8 -	also have "\<dots> = coeff P p (Suc nn) \<otimes> (if Suc nn \<le> Suc nn then \<one> else \<zero>) \<oplus> (\<Oplus>i\<in>{..nn}. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>))"
    41.9 -	  using finsum_Suc [of "(\<lambda>i::nat. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>))" "nn"] unfolding Pi_def using R by simp
   41.10 -	also have "\<dots> = coeff P p (Suc nn) \<otimes> (if Suc nn \<le> Suc nn then \<one> else \<zero>)"
   41.11 -	proof -
   41.12 -	  have "(\<Oplus>i\<in>{..nn}. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>)) = (\<Oplus>i\<in>{..nn}. \<zero>)"
   41.13 -	    using finsum_cong [of "{..nn}" "{..nn}" "(\<lambda>i::nat. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>))" "(\<lambda>i::nat. \<zero>)"] using R 
   41.14 -	    unfolding Pi_def by simp
   41.15 -	  also have "\<dots> = \<zero>" by simp
   41.16 -	  finally show ?thesis using r_zero R by simp
   41.17 -	qed
   41.18 -	also have "\<dots> = coeff P p (Suc nn)" using R by simp
   41.19 -	finally show ?thesis by simp
   41.20 +        have "coeff P (p \<otimes>\<^bsub>P\<^esub> \<one>\<^bsub>P\<^esub>) (Suc nn) = (\<Oplus>i\<in>{..Suc nn}. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>))" using R by simp
   41.21 +        also have "\<dots> = coeff P p (Suc nn) \<otimes> (if Suc nn \<le> Suc nn then \<one> else \<zero>) \<oplus> (\<Oplus>i\<in>{..nn}. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>))"
   41.22 +          using finsum_Suc [of "(\<lambda>i::nat. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>))" "nn"] unfolding Pi_def using R by simp
   41.23 +        also have "\<dots> = coeff P p (Suc nn) \<otimes> (if Suc nn \<le> Suc nn then \<one> else \<zero>)"
   41.24 +        proof -
   41.25 +          have "(\<Oplus>i\<in>{..nn}. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>)) = (\<Oplus>i\<in>{..nn}. \<zero>)"
   41.26 +            using finsum_cong [of "{..nn}" "{..nn}" "(\<lambda>i::nat. coeff P p i \<otimes> (if Suc nn \<le> i then \<one> else \<zero>))" "(\<lambda>i::nat. \<zero>)"] using R 
   41.27 +            unfolding Pi_def by simp
   41.28 +          also have "\<dots> = \<zero>" by simp
   41.29 +          finally show ?thesis using r_zero R by simp
   41.30 +        qed
   41.31 +        also have "\<dots> = coeff P p (Suc nn)" using R by simp
   41.32 +        finally show ?thesis by simp
   41.33        qed
   41.34        then show ?thesis using Succ by simp
   41.35      }
   41.36 @@ -627,11 +627,11 @@
   41.37      then show "monom P \<one> (Suc (Suc k)) = monom P \<one> 1 \<otimes>\<^bsub>P\<^esub> monom P \<one> (Suc k)"
   41.38      proof -
   41.39        have lhs: "monom P \<one> (Suc (Suc k)) = monom P \<one> 1 \<otimes>\<^bsub>P\<^esub> monom P \<one> k \<otimes>\<^bsub>P\<^esub> monom P \<one> 1"
   41.40 -	unfolding monom_one_Suc [of "Suc k"] unfolding hypo ..
   41.41 +        unfolding monom_one_Suc [of "Suc k"] unfolding hypo ..
   41.42        note cl = monom_closed [OF R.one_closed, of 1]
   41.43        note clk = monom_closed [OF R.one_closed, of k]
   41.44        have rhs: "monom P \<one> 1 \<otimes>\<^bsub>P\<^esub> monom P \<one> (Suc k) = monom P \<one> 1 \<otimes>\<^bsub>P\<^esub> monom P \<one> k \<otimes>\<^bsub>P\<^esub> monom P \<one> 1"
   41.45 -	unfolding monom_one_Suc [of k] unfolding sym [OF m_assoc  [OF cl clk cl]] ..
   41.46 +        unfolding monom_one_Suc [of k] unfolding sym [OF m_assoc  [OF cl clk cl]] ..
   41.47        from lhs rhs show ?thesis by simp
   41.48      qed
   41.49    }
   41.50 @@ -670,25 +670,25 @@
   41.51      case True 
   41.52      {
   41.53        show ?thesis
   41.54 -	unfolding True [symmetric]
   41.55 -	  coeff_mult [OF monom_closed [OF a_in_R, of n] monom_closed [OF b_in_R, of m], of "n + m"] 
   41.56 -	  coeff_monom [OF a_in_R, of n] coeff_monom [OF b_in_R, of m]
   41.57 -	using R.finsum_cong [of "{.. n + m}" "{.. n + m}" "(\<lambda>i. (if n = i then a else \<zero>) \<otimes> (if m = n + m - i then b else \<zero>))" 
   41.58 -	  "(\<lambda>i. if n = i then a \<otimes> b else \<zero>)"]
   41.59 -	  a_in_R b_in_R
   41.60 -	unfolding simp_implies_def
   41.61 -	using R.finsum_singleton [of n "{.. n + m}" "(\<lambda>i. a \<otimes> b)"]
   41.62 -	unfolding Pi_def by auto
   41.63 +        unfolding True [symmetric]
   41.64 +          coeff_mult [OF monom_closed [OF a_in_R, of n] monom_closed [OF b_in_R, of m], of "n + m"] 
   41.65 +          coeff_monom [OF a_in_R, of n] coeff_monom [OF b_in_R, of m]
   41.66 +        using R.finsum_cong [of "{.. n + m}" "{.. n + m}" "(\<lambda>i. (if n = i then a else \<zero>) \<otimes> (if m = n + m - i then b else \<zero>))" 
   41.67 +          "(\<lambda>i. if n = i then a \<otimes> b else \<zero>)"]
   41.68 +          a_in_R b_in_R
   41.69 +        unfolding simp_implies_def
   41.70 +        using R.finsum_singleton [of n "{.. n + m}" "(\<lambda>i. a \<otimes> b)"]
   41.71 +        unfolding Pi_def by auto
   41.72      }
   41.73    next
   41.74      case False
   41.75      {
   41.76        show ?thesis
   41.77 -	unfolding coeff_monom [OF R.m_closed [OF a_in_R b_in_R], of "n + m" k] apply (simp add: False)
   41.78 -	unfolding coeff_mult [OF monom_closed [OF a_in_R, of n] monom_closed [OF b_in_R, of m], of k]
   41.79 -	unfolding coeff_monom [OF a_in_R, of n] unfolding coeff_monom [OF b_in_R, of m] using False
   41.80 -	using R.finsum_cong [of "{..k}" "{..k}" "(\<lambda>i. (if n = i then a else \<zero>) \<otimes> (if m = k - i then b else \<zero>))" "(\<lambda>i. \<zero>)"]
   41.81 -	unfolding Pi_def simp_implies_def using a_in_R b_in_R by force
   41.82 +        unfolding coeff_monom [OF R.m_closed [OF a_in_R b_in_R], of "n + m" k] apply (simp add: False)
   41.83 +        unfolding coeff_mult [OF monom_closed [OF a_in_R, of n] monom_closed [OF b_in_R, of m], of k]
   41.84 +        unfolding coeff_monom [OF a_in_R, of n] unfolding coeff_monom [OF b_in_R, of m] using False
   41.85 +        using R.finsum_cong [of "{..k}" "{..k}" "(\<lambda>i. (if n = i then a else \<zero>) \<otimes> (if m = k - i then b else \<zero>))" "(\<lambda>i. \<zero>)"]
   41.86 +        unfolding Pi_def simp_implies_def using a_in_R b_in_R by force
   41.87      }
   41.88    qed
   41.89  qed (simp_all add: a_in_R b_in_R)
   41.90 @@ -1517,7 +1517,7 @@
   41.91        then have max_sl: "max (deg R p) (deg R q) < m" by simp
   41.92        then have "deg R (p \<oplus>\<^bsub>P\<^esub> q) < m" using deg_add [OF p_in_P q_in_P] by arith
   41.93        with deg_R_p deg_R_q show ?thesis using coeff_add [OF p_in_P q_in_P, of m]
   41.94 -	using deg_aboveD [of "p \<oplus>\<^bsub>P\<^esub> q" m] using p_in_P q_in_P by simp 
   41.95 +        using deg_aboveD [of "p \<oplus>\<^bsub>P\<^esub> q" m] using p_in_P q_in_P by simp 
   41.96      qed
   41.97    qed (simp add: p_in_P q_in_P)
   41.98    moreover have deg_ne: "deg R (p \<oplus>\<^bsub>P\<^esub> q) \<noteq> deg R r"
   41.99 @@ -1582,114 +1582,114 @@
  41.100        (*JE: we now apply the induction hypothesis with some additional facts required*)
  41.101        from f_in_P deg_g_le_deg_f show ?thesis
  41.102        proof (induct n \<equiv> "deg R f" arbitrary: "f" rule: nat_less_induct)
  41.103 -	fix n f
  41.104 -	assume hypo: "\<forall>m<n. \<forall>x. x \<in> carrier P \<longrightarrow>
  41.105 +        fix n f
  41.106 +        assume hypo: "\<forall>m<n. \<forall>x. x \<in> carrier P \<longrightarrow>
  41.107            deg R g \<le> deg R x \<longrightarrow> 
  41.108 -	  m = deg R x \<longrightarrow>
  41.109 -	  (\<exists>q r (k::nat). q \<in> carrier P \<and> r \<in> carrier P \<and> lcoeff g (^) k \<odot>\<^bsub>P\<^esub> x = g \<otimes>\<^bsub>P\<^esub> q \<oplus>\<^bsub>P\<^esub> r & (r = \<zero>\<^bsub>P\<^esub> | deg R r < deg R g))"
  41.110 -	  and prem: "n = deg R f" and f_in_P [simp]: "f \<in> carrier P"
  41.111 -	  and deg_g_le_deg_f: "deg R g \<le> deg R f"
  41.112 -	let ?k = "1::nat" and ?r = "(g \<otimes>\<^bsub>P\<^esub> (monom P (lcoeff f) (deg R f - deg R g))) \<oplus>\<^bsub>P\<^esub> \<ominus>\<^bsub>P\<^esub> (lcoeff g \<odot>\<^bsub>P\<^esub> f)"
  41.113 -	  and ?q = "monom P (lcoeff f) (deg R f - deg R g)"
  41.114 -	show "\<exists> q r (k::nat). q \<in> carrier P \<and> r \<in> carrier P \<and> lcoeff g (^) k \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> q \<oplus>\<^bsub>P\<^esub> r & (r = \<zero>\<^bsub>P\<^esub> | deg R r < deg R g)"
  41.115 -	proof -
  41.116 -	  (*JE: we first extablish the existence of a triple satisfying the previous equation. 
  41.117 -	    Then we will have to prove the second part of the predicate.*)
  41.118 -	  have exist: "lcoeff g (^) ?k \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> \<ominus>\<^bsub>P\<^esub> ?r"
  41.119 -	    using minus_add
  41.120 -	    using sym [OF a_assoc [of "g \<otimes>\<^bsub>P\<^esub> ?q" "\<ominus>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q)" "lcoeff g \<odot>\<^bsub>P\<^esub> f"]]
  41.121 -	    using r_neg by auto
  41.122 -	  show ?thesis
  41.123 -	  proof (cases "deg R (\<ominus>\<^bsub>P\<^esub> ?r) < deg R g")
  41.124 -	    (*JE: if the degree of the remainder satisfies the statement property we are done*)
  41.125 -	    case True
  41.126 -	    {
  41.127 -	      show ?thesis
  41.128 -	      proof (rule exI3 [of _ ?q "\<ominus>\<^bsub>P\<^esub> ?r" ?k], intro conjI)
  41.129 -		show "lcoeff g (^) ?k \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> \<ominus>\<^bsub>P\<^esub> ?r" using exist by simp
  41.130 -		show "\<ominus>\<^bsub>P\<^esub> ?r = \<zero>\<^bsub>P\<^esub> \<or> deg R (\<ominus>\<^bsub>P\<^esub> ?r) < deg R g" using True by simp
  41.131 -	      qed (simp_all)
  41.132 -	    }
  41.133 -	  next
  41.134 -	    case False note n_deg_r_l_deg_g = False
  41.135 -	    {
  41.136 -	      (*JE: otherwise, we verify the conditions of the induction hypothesis.*)
  41.137 -	      show ?thesis
  41.138 -	      proof (cases "deg R f = 0")
  41.139 -		(*JE: the solutions are different if the degree of f is zero or not*)
  41.140 -		case True
  41.141 -		{
  41.142 -		  have deg_g: "deg R g = 0" using True using deg_g_le_deg_f by simp
  41.143 -		  have "lcoeff g (^) (1::nat) \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> f \<oplus>\<^bsub>P\<^esub> \<zero>\<^bsub>P\<^esub>"
  41.144 -		    unfolding deg_g apply simp
  41.145 -		    unfolding sym [OF monom_mult_is_smult [OF coeff_closed [OF g_in_P, of 0] f_in_P]]
  41.146 -		    using deg_zero_impl_monom [OF g_in_P deg_g] by simp
  41.147 -		  then show ?thesis using f_in_P by blast
  41.148 -		}
  41.149 -	      next
  41.150 -		case False note deg_f_nzero = False
  41.151 -		{
  41.152 -		  (*JE: now it only remains the case where the induction hypothesis can be used.*)
  41.153 -		  (*JE: we first prove that the degree of the remainder is smaller than the one of f*)
  41.154 -		  have deg_remainder_l_f: "deg R (\<ominus>\<^bsub>P\<^esub> ?r) < n"
  41.155 -		  proof -
  41.156 -		    have "deg R (\<ominus>\<^bsub>P\<^esub> ?r) = deg R ?r" using deg_uminus [of ?r] by simp
  41.157 -		    also have "\<dots> < deg R f"
  41.158 -		    proof (rule deg_lcoeff_cancel)
  41.159 -		      show "deg R (\<ominus>\<^bsub>P\<^esub> (lcoeff g \<odot>\<^bsub>P\<^esub> f)) \<le> deg R f"
  41.160 -			using deg_smult_ring [of "lcoeff g" f] using prem
  41.161 -			using lcoeff_nonzero2 [OF g_in_P g_not_zero] by simp
  41.162 -		      show "deg R (g \<otimes>\<^bsub>P\<^esub> ?q) \<le> deg R f"
  41.163 -			using monom_deg_mult [OF _ g_in_P, of f "lcoeff f"] and deg_g_le_deg_f
  41.164 -			by simp
  41.165 -		      show "coeff P (g \<otimes>\<^bsub>P\<^esub> ?q) (deg R f) = \<ominus> coeff P (\<ominus>\<^bsub>P\<^esub> (lcoeff g \<odot>\<^bsub>P\<^esub> f)) (deg R f)"
  41.166 -			unfolding coeff_mult [OF g_in_P monom_closed [OF lcoeff_closed [OF f_in_P], of "deg R f - deg R g"], of "deg R f"]
  41.167 -			unfolding coeff_monom [OF lcoeff_closed [OF f_in_P], of "(deg R f - deg R g)"]
  41.168 -			using R.finsum_cong' [of "{..deg R f}" "{..deg R f}" 
  41.169 -			  "(\<lambda>i. coeff P g i \<otimes> (if deg R f - deg R g = deg R f - i then lcoeff f else \<zero>))" 
  41.170 -			  "(\<lambda>i. if deg R g = i then coeff P g i \<otimes> lcoeff f else \<zero>)"]
  41.171 -			using R.finsum_singleton [of "deg R g" "{.. deg R f}" "(\<lambda>i. coeff P g i \<otimes> lcoeff f)"]
  41.172 -			unfolding Pi_def using deg_g_le_deg_f by force
  41.173 -		    qed (simp_all add: deg_f_nzero)
  41.174 -		    finally show "deg R (\<ominus>\<^bsub>P\<^esub> ?r) < n" unfolding prem .
  41.175 -		  qed
  41.176 -		  moreover have "\<ominus>\<^bsub>P\<^esub> ?r \<in> carrier P" by simp
  41.177 -		  moreover obtain m where deg_rem_eq_m: "deg R (\<ominus>\<^bsub>P\<^esub> ?r) = m" by auto
  41.178 -		  moreover have "deg R g \<le> deg R (\<ominus>\<^bsub>P\<^esub> ?r)" using n_deg_r_l_deg_g by simp
  41.179 -		    (*JE: now, by applying the induction hypothesis, we obtain new quotient, remainder and exponent.*)
  41.180 -		  ultimately obtain q' r' k'
  41.181 -		    where rem_desc: "lcoeff g (^) (k'::nat) \<odot>\<^bsub>P\<^esub> (\<ominus>\<^bsub>P\<^esub> ?r) = g \<otimes>\<^bsub>P\<^esub> q' \<oplus>\<^bsub>P\<^esub> r'"and rem_deg: "(r' = \<zero>\<^bsub>P\<^esub> \<or> deg R r' < deg R g)"
  41.182 -		    and q'_in_carrier: "q' \<in> carrier P" and r'_in_carrier: "r' \<in> carrier P"
  41.183 -		    using hypo by blast
  41.184 -		      (*JE: we now prove that the new quotient, remainder and exponent can be used to get 
  41.185 -		      the quotient, remainder and exponent of the long division theorem*)
  41.186 -		  show ?thesis
  41.187 -		  proof (rule exI3 [of _ "((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> q')" r' "Suc k'"], intro conjI)
  41.188 -		    show "(lcoeff g (^) (Suc k')) \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> ((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> q') \<oplus>\<^bsub>P\<^esub> r'"
  41.189 -		    proof -
  41.190 -		      have "(lcoeff g (^) (Suc k')) \<odot>\<^bsub>P\<^esub> f = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> \<ominus>\<^bsub>P\<^esub> ?r)" 
  41.191 -			using smult_assoc1 exist by simp
  41.192 -		      also have "\<dots> = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q) \<oplus>\<^bsub>P\<^esub> ((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ( \<ominus>\<^bsub>P\<^esub> ?r))"
  41.193 -			using UP_smult_r_distr by simp
  41.194 -		      also have "\<dots> = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q) \<oplus>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> q' \<oplus>\<^bsub>P\<^esub> r')"
  41.195 -			using rem_desc by simp
  41.196 -		      also have "\<dots> = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q) \<oplus>\<^bsub>P\<^esub> g \<otimes>\<^bsub>P\<^esub> q' \<oplus>\<^bsub>P\<^esub> r'"
  41.197 -			using sym [OF a_assoc [of "lcoeff g (^) k' \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q)" "g \<otimes>\<^bsub>P\<^esub> q'" "r'"]]
  41.198 -			using q'_in_carrier r'_in_carrier by simp
  41.199 -		      also have "\<dots> = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (?q \<otimes>\<^bsub>P\<^esub> g) \<oplus>\<^bsub>P\<^esub> q' \<otimes>\<^bsub>P\<^esub> g \<oplus>\<^bsub>P\<^esub> r'"
  41.200 -			using q'_in_carrier by (auto simp add: m_comm)
  41.201 -		      also have "\<dots> = (((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ?q) \<otimes>\<^bsub>P\<^esub> g) \<oplus>\<^bsub>P\<^esub> q' \<otimes>\<^bsub>P\<^esub> g \<oplus>\<^bsub>P\<^esub> r'" 
  41.202 -			using smult_assoc2 q'_in_carrier by auto
  41.203 -		      also have "\<dots> = ((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> q') \<otimes>\<^bsub>P\<^esub> g \<oplus>\<^bsub>P\<^esub> r'"
  41.204 -			using sym [OF l_distr] and q'_in_carrier by auto
  41.205 -		      finally show ?thesis using m_comm q'_in_carrier by auto
  41.206 -		    qed
  41.207 -		  qed (simp_all add: rem_deg q'_in_carrier r'_in_carrier)
  41.208 -		}
  41.209 -	      qed
  41.210 -	    }
  41.211 -	  qed
  41.212 -	qed
  41.213 +          m = deg R x \<longrightarrow>
  41.214 +          (\<exists>q r (k::nat). q \<in> carrier P \<and> r \<in> carrier P \<and> lcoeff g (^) k \<odot>\<^bsub>P\<^esub> x = g \<otimes>\<^bsub>P\<^esub> q \<oplus>\<^bsub>P\<^esub> r & (r = \<zero>\<^bsub>P\<^esub> | deg R r < deg R g))"
  41.215 +          and prem: "n = deg R f" and f_in_P [simp]: "f \<in> carrier P"
  41.216 +          and deg_g_le_deg_f: "deg R g \<le> deg R f"
  41.217 +        let ?k = "1::nat" and ?r = "(g \<otimes>\<^bsub>P\<^esub> (monom P (lcoeff f) (deg R f - deg R g))) \<oplus>\<^bsub>P\<^esub> \<ominus>\<^bsub>P\<^esub> (lcoeff g \<odot>\<^bsub>P\<^esub> f)"
  41.218 +          and ?q = "monom P (lcoeff f) (deg R f - deg R g)"
  41.219 +        show "\<exists> q r (k::nat). q \<in> carrier P \<and> r \<in> carrier P \<and> lcoeff g (^) k \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> q \<oplus>\<^bsub>P\<^esub> r & (r = \<zero>\<^bsub>P\<^esub> | deg R r < deg R g)"
  41.220 +        proof -
  41.221 +          (*JE: we first extablish the existence of a triple satisfying the previous equation. 
  41.222 +            Then we will have to prove the second part of the predicate.*)
  41.223 +          have exist: "lcoeff g (^) ?k \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> \<ominus>\<^bsub>P\<^esub> ?r"
  41.224 +            using minus_add
  41.225 +            using sym [OF a_assoc [of "g \<otimes>\<^bsub>P\<^esub> ?q" "\<ominus>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q)" "lcoeff g \<odot>\<^bsub>P\<^esub> f"]]
  41.226 +            using r_neg by auto
  41.227 +          show ?thesis
  41.228 +          proof (cases "deg R (\<ominus>\<^bsub>P\<^esub> ?r) < deg R g")
  41.229 +            (*JE: if the degree of the remainder satisfies the statement property we are done*)
  41.230 +            case True
  41.231 +            {
  41.232 +              show ?thesis
  41.233 +              proof (rule exI3 [of _ ?q "\<ominus>\<^bsub>P\<^esub> ?r" ?k], intro conjI)
  41.234 +                show "lcoeff g (^) ?k \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> \<ominus>\<^bsub>P\<^esub> ?r" using exist by simp
  41.235 +                show "\<ominus>\<^bsub>P\<^esub> ?r = \<zero>\<^bsub>P\<^esub> \<or> deg R (\<ominus>\<^bsub>P\<^esub> ?r) < deg R g" using True by simp
  41.236 +              qed (simp_all)
  41.237 +            }
  41.238 +          next
  41.239 +            case False note n_deg_r_l_deg_g = False
  41.240 +            {
  41.241 +              (*JE: otherwise, we verify the conditions of the induction hypothesis.*)
  41.242 +              show ?thesis
  41.243 +              proof (cases "deg R f = 0")
  41.244 +                (*JE: the solutions are different if the degree of f is zero or not*)
  41.245 +                case True
  41.246 +                {
  41.247 +                  have deg_g: "deg R g = 0" using True using deg_g_le_deg_f by simp
  41.248 +                  have "lcoeff g (^) (1::nat) \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> f \<oplus>\<^bsub>P\<^esub> \<zero>\<^bsub>P\<^esub>"
  41.249 +                    unfolding deg_g apply simp
  41.250 +                    unfolding sym [OF monom_mult_is_smult [OF coeff_closed [OF g_in_P, of 0] f_in_P]]
  41.251 +                    using deg_zero_impl_monom [OF g_in_P deg_g] by simp
  41.252 +                  then show ?thesis using f_in_P by blast
  41.253 +                }
  41.254 +              next
  41.255 +                case False note deg_f_nzero = False
  41.256 +                {
  41.257 +                  (*JE: now it only remains the case where the induction hypothesis can be used.*)
  41.258 +                  (*JE: we first prove that the degree of the remainder is smaller than the one of f*)
  41.259 +                  have deg_remainder_l_f: "deg R (\<ominus>\<^bsub>P\<^esub> ?r) < n"
  41.260 +                  proof -
  41.261 +                    have "deg R (\<ominus>\<^bsub>P\<^esub> ?r) = deg R ?r" using deg_uminus [of ?r] by simp
  41.262 +                    also have "\<dots> < deg R f"
  41.263 +                    proof (rule deg_lcoeff_cancel)
  41.264 +                      show "deg R (\<ominus>\<^bsub>P\<^esub> (lcoeff g \<odot>\<^bsub>P\<^esub> f)) \<le> deg R f"
  41.265 +                        using deg_smult_ring [of "lcoeff g" f] using prem
  41.266 +                        using lcoeff_nonzero2 [OF g_in_P g_not_zero] by simp
  41.267 +                      show "deg R (g \<otimes>\<^bsub>P\<^esub> ?q) \<le> deg R f"
  41.268 +                        using monom_deg_mult [OF _ g_in_P, of f "lcoeff f"] and deg_g_le_deg_f
  41.269 +                        by simp
  41.270 +                      show "coeff P (g \<otimes>\<^bsub>P\<^esub> ?q) (deg R f) = \<ominus> coeff P (\<ominus>\<^bsub>P\<^esub> (lcoeff g \<odot>\<^bsub>P\<^esub> f)) (deg R f)"
  41.271 +                        unfolding coeff_mult [OF g_in_P monom_closed [OF lcoeff_closed [OF f_in_P], of "deg R f - deg R g"], of "deg R f"]
  41.272 +                        unfolding coeff_monom [OF lcoeff_closed [OF f_in_P], of "(deg R f - deg R g)"]
  41.273 +                        using R.finsum_cong' [of "{..deg R f}" "{..deg R f}" 
  41.274 +                          "(\<lambda>i. coeff P g i \<otimes> (if deg R f - deg R g = deg R f - i then lcoeff f else \<zero>))" 
  41.275 +                          "(\<lambda>i. if deg R g = i then coeff P g i \<otimes> lcoeff f else \<zero>)"]
  41.276 +                        using R.finsum_singleton [of "deg R g" "{.. deg R f}" "(\<lambda>i. coeff P g i \<otimes> lcoeff f)"]
  41.277 +                        unfolding Pi_def using deg_g_le_deg_f by force
  41.278 +                    qed (simp_all add: deg_f_nzero)
  41.279 +                    finally show "deg R (\<ominus>\<^bsub>P\<^esub> ?r) < n" unfolding prem .
  41.280 +                  qed
  41.281 +                  moreover have "\<ominus>\<^bsub>P\<^esub> ?r \<in> carrier P" by simp
  41.282 +                  moreover obtain m where deg_rem_eq_m: "deg R (\<ominus>\<^bsub>P\<^esub> ?r) = m" by auto
  41.283 +                  moreover have "deg R g \<le> deg R (\<ominus>\<^bsub>P\<^esub> ?r)" using n_deg_r_l_deg_g by simp
  41.284 +                    (*JE: now, by applying the induction hypothesis, we obtain new quotient, remainder and exponent.*)
  41.285 +                  ultimately obtain q' r' k'
  41.286 +                    where rem_desc: "lcoeff g (^) (k'::nat) \<odot>\<^bsub>P\<^esub> (\<ominus>\<^bsub>P\<^esub> ?r) = g \<otimes>\<^bsub>P\<^esub> q' \<oplus>\<^bsub>P\<^esub> r'"and rem_deg: "(r' = \<zero>\<^bsub>P\<^esub> \<or> deg R r' < deg R g)"
  41.287 +                    and q'_in_carrier: "q' \<in> carrier P" and r'_in_carrier: "r' \<in> carrier P"
  41.288 +                    using hypo by blast
  41.289 +                      (*JE: we now prove that the new quotient, remainder and exponent can be used to get 
  41.290 +                      the quotient, remainder and exponent of the long division theorem*)
  41.291 +                  show ?thesis
  41.292 +                  proof (rule exI3 [of _ "((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> q')" r' "Suc k'"], intro conjI)
  41.293 +                    show "(lcoeff g (^) (Suc k')) \<odot>\<^bsub>P\<^esub> f = g \<otimes>\<^bsub>P\<^esub> ((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> q') \<oplus>\<^bsub>P\<^esub> r'"
  41.294 +                    proof -
  41.295 +                      have "(lcoeff g (^) (Suc k')) \<odot>\<^bsub>P\<^esub> f = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> \<ominus>\<^bsub>P\<^esub> ?r)" 
  41.296 +                        using smult_assoc1 exist by simp
  41.297 +                      also have "\<dots> = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q) \<oplus>\<^bsub>P\<^esub> ((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ( \<ominus>\<^bsub>P\<^esub> ?r))"
  41.298 +                        using UP_smult_r_distr by simp
  41.299 +                      also have "\<dots> = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q) \<oplus>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> q' \<oplus>\<^bsub>P\<^esub> r')"
  41.300 +                        using rem_desc by simp
  41.301 +                      also have "\<dots> = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q) \<oplus>\<^bsub>P\<^esub> g \<otimes>\<^bsub>P\<^esub> q' \<oplus>\<^bsub>P\<^esub> r'"
  41.302 +                        using sym [OF a_assoc [of "lcoeff g (^) k' \<odot>\<^bsub>P\<^esub> (g \<otimes>\<^bsub>P\<^esub> ?q)" "g \<otimes>\<^bsub>P\<^esub> q'" "r'"]]
  41.303 +                        using q'_in_carrier r'_in_carrier by simp
  41.304 +                      also have "\<dots> = (lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> (?q \<otimes>\<^bsub>P\<^esub> g) \<oplus>\<^bsub>P\<^esub> q' \<otimes>\<^bsub>P\<^esub> g \<oplus>\<^bsub>P\<^esub> r'"
  41.305 +                        using q'_in_carrier by (auto simp add: m_comm)
  41.306 +                      also have "\<dots> = (((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ?q) \<otimes>\<^bsub>P\<^esub> g) \<oplus>\<^bsub>P\<^esub> q' \<otimes>\<^bsub>P\<^esub> g \<oplus>\<^bsub>P\<^esub> r'" 
  41.307 +                        using smult_assoc2 q'_in_carrier by auto
  41.308 +                      also have "\<dots> = ((lcoeff g (^) k') \<odot>\<^bsub>P\<^esub> ?q \<oplus>\<^bsub>P\<^esub> q') \<otimes>\<^bsub>P\<^esub> g \<oplus>\<^bsub>P\<^esub> r'"
  41.309 +                        using sym [OF l_distr] and q'_in_carrier by auto
  41.310 +                      finally show ?thesis using m_comm q'_in_carrier by auto
  41.311 +                    qed
  41.312 +                  qed (simp_all add: rem_deg q'_in_carrier r'_in_carrier)
  41.313 +                }
  41.314 +              qed
  41.315 +            }
  41.316 +          qed
  41.317 +        qed
  41.318        qed
  41.319      }
  41.320    qed
    42.1 --- a/src/HOL/Algebra/poly/UnivPoly2.thy	Wed Oct 21 16:54:04 2009 +0200
    42.2 +++ b/src/HOL/Algebra/poly/UnivPoly2.thy	Wed Oct 21 16:57:57 2009 +0200
    42.3 @@ -100,7 +100,7 @@
    42.4  begin
    42.5  
    42.6  definition
    42.7 -  up_add_def:	"p + q = Abs_UP (%n. Rep_UP p n + Rep_UP q n)"
    42.8 +  up_add_def: "p + q = Abs_UP (%n. Rep_UP p n + Rep_UP q n)"
    42.9  
   42.10  instance ..
   42.11  
   42.12 @@ -133,7 +133,7 @@
   42.13  
   42.14  definition
   42.15    up_mult_def:  "p * q = Abs_UP (%n::nat. setsum
   42.16 -		     (%i. Rep_UP p i * Rep_UP q (n-i)) {..n})"
   42.17 +                     (%i. Rep_UP p i * Rep_UP q (n-i)) {..n})"
   42.18  
   42.19  instance ..
   42.20  
   42.21 @@ -201,18 +201,18 @@
   42.22      have "(%i. f i + g i) : UP"
   42.23      proof -
   42.24        from fup obtain n where boundn: "bound n f"
   42.25 -	by (unfold UP_def) fast
   42.26 +        by (unfold UP_def) fast
   42.27        from gup obtain m where boundm: "bound m g"
   42.28 -	by (unfold UP_def) fast
   42.29 +        by (unfold UP_def) fast
   42.30        have "bound (max n m) (%i. (f i + g i))"
   42.31        proof
   42.32 -	fix i
   42.33 -	assume "max n m < i"
   42.34 -	with boundn and boundm show "f i + g i = 0"
   42.35 +        fix i
   42.36 +        assume "max n m < i"
   42.37 +        with boundn and boundm show "f i + g i = 0"
   42.38            by (fastsimp simp add: algebra_simps)
   42.39        qed
   42.40        then show "(%i. (f i + g i)) : UP"
   42.41 -	by (unfold UP_def) fast
   42.42 +        by (unfold UP_def) fast
   42.43      qed
   42.44    }
   42.45    then show ?thesis
   42.46 @@ -228,30 +228,30 @@
   42.47      have "(%n. setsum (%i. f i * g (n-i)) {..n}) : UP"
   42.48      proof -
   42.49        from fup obtain n where "bound n f"
   42.50 -	by (unfold UP_def) fast
   42.51 +        by (unfold UP_def) fast
   42.52        from gup obtain m where "bound m g"
   42.53 -	by (unfold UP_def) fast
   42.54 +        by (unfold UP_def) fast
   42.55        have "bound (n + m) (%n. setsum (%i. f i * g (n-i)) {..n})"
   42.56        proof
   42.57 -	fix k
   42.58 -	assume bound: "n + m < k"
   42.59 -	{
   42.60 -	  fix i
   42.61 -	  have "f i * g (k-i) = 0"
   42.62 -	  proof cases
   42.63 -	    assume "n < i"
   42.64 -	    with `bound n f` show ?thesis by (auto simp add: algebra_simps)
   42.65 -	  next
   42.66 -	    assume "~ (n < i)"
   42.67 -	    with bound have "m < k-i" by arith
   42.68 -	    with `bound m g` show ?thesis by (auto simp add: algebra_simps)
   42.69 -	  qed
   42.70 -	}
   42.71 -	then show "setsum (%i. f i * g (k-i)) {..k} = 0"
   42.72 -	  by (simp add: algebra_simps)
   42.73 +        fix k
   42.74 +        assume bound: "n + m < k"
   42.75 +        {
   42.76 +          fix i
   42.77 +          have "f i * g (k-i) = 0"
   42.78 +          proof cases
   42.79 +            assume "n < i"
   42.80 +            with `bound n f` show ?thesis by (auto simp add: algebra_simps)
   42.81 +          next
   42.82 +            assume "~ (n < i)"
   42.83 +            with bound have "m < k-i" by arith
   42.84 +            with `bound m g` show ?thesis by (auto simp add: algebra_simps)
   42.85 +          qed
   42.86 +        }
   42.87 +        then show "setsum (%i. f i * g (k-i)) {..k} = 0"
   42.88 +          by (simp add: algebra_simps)
   42.89        qed
   42.90        then show "(%n. setsum (%i. f i * g (n-i)) {..n}) : UP"
   42.91 -	by (unfold UP_def) fast
   42.92 +        by (unfold UP_def) fast
   42.93      qed
   42.94    }
   42.95    then show ?thesis
   42.96 @@ -290,17 +290,17 @@
   42.97      {
   42.98        fix k and a b c :: "nat=>'a::ring"
   42.99        have "k <= n ==> 
  42.100 -	setsum (%j. setsum (%i. a i * b (j-i)) {..j} * c (n-j)) {..k} = 
  42.101 -	setsum (%j. a j * setsum  (%i. b i * c (n-j-i)) {..k-j}) {..k}"
  42.102 -	(is "_ ==> ?eq k")
  42.103 +        setsum (%j. setsum (%i. a i * b (j-i)) {..j} * c (n-j)) {..k} = 
  42.104 +        setsum (%j. a j * setsum  (%i. b i * c (n-j-i)) {..k-j}) {..k}"
  42.105 +        (is "_ ==> ?eq k")
  42.106        proof (induct k)
  42.107 -	case 0 show ?case by simp
  42.108 +        case 0 show ?case by simp
  42.109        next
  42.110 -	case (Suc k)
  42.111 -	then have "k <= n" by arith
  42.112 -	then have "?eq k" by (rule Suc)
  42.113 -	then show ?case
  42.114 -	  by (simp add: Suc_diff_le natsum_ldistr)
  42.115 +        case (Suc k)
  42.116 +        then have "k <= n" by arith
  42.117 +        then have "?eq k" by (rule Suc)
  42.118 +        then show ?case
  42.119 +          by (simp add: Suc_diff_le natsum_ldistr)
  42.120        qed
  42.121      }
  42.122      then show "coeff ((p * q) * r) n = coeff (p * (q * r)) n"
  42.123 @@ -326,13 +326,13 @@
  42.124        fix k
  42.125        fix a b :: "nat=>'a::ring"
  42.126        have "k <= n ==> 
  42.127 -	setsum (%i. a i * b (n-i)) {..k} =
  42.128 -	setsum (%i. a (k-i) * b (i+n-k)) {..k}"
  42.129 -	(is "_ ==> ?eq k")
  42.130 +        setsum (%i. a i * b (n-i)) {..k} =
  42.131 +        setsum (%i. a (k-i) * b (i+n-k)) {..k}"
  42.132 +        (is "_ ==> ?eq k")
  42.133        proof (induct k)
  42.134 -	case 0 show ?case by simp
  42.135 +        case 0 show ?case by simp
  42.136        next
  42.137 -	case (Suc k) then show ?case by (subst natsum_Suc2) simp
  42.138 +        case (Suc k) then show ?case by (subst natsum_Suc2) simp
  42.139        qed
  42.140      }
  42.141      then show "coeff (p * q) n = coeff (q * p) n"
    43.1 --- a/src/HOL/Auth/CertifiedEmail.thy	Wed Oct 21 16:54:04 2009 +0200
    43.2 +++ b/src/HOL/Auth/CertifiedEmail.thy	Wed Oct 21 16:57:57 2009 +0200
    43.3 @@ -43,7 +43,7 @@
    43.4  
    43.5  | FakeSSL: --{*The Spy may open SSL sessions with TTP, who is the only agent
    43.6      equipped with the necessary credentials to serve as an SSL server.*}
    43.7 -	 "[| evsfssl \<in> certified_mail; X \<in> synth(analz(spies evsfssl))|]
    43.8 +         "[| evsfssl \<in> certified_mail; X \<in> synth(analz(spies evsfssl))|]
    43.9            ==> Notes TTP {|Agent Spy, Agent TTP, X|} # evsfssl \<in> certified_mail"
   43.10  
   43.11  | CM1: --{*The sender approaches the recipient.  The message is a number.*}
   43.12 @@ -54,14 +54,14 @@
   43.13      hs = Hash{|Number cleartext, Nonce q, response S R q, Crypt K (Number m)|};
   43.14      S2TTP = Crypt(pubEK TTP) {|Agent S, Number BothAuth, Key K, Agent R, hs|}|]
   43.15    ==> Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number BothAuth, 
   43.16 -		 Number cleartext, Nonce q, S2TTP|} # evs1 
   43.17 -	\<in> certified_mail"
   43.18 +                 Number cleartext, Nonce q, S2TTP|} # evs1 
   43.19 +        \<in> certified_mail"
   43.20  
   43.21  | CM2: --{*The recipient records @{term S2TTP} while transmitting it and her
   43.22       password to @{term TTP} over an SSL channel.*}
   43.23   "[|evs2 \<in> certified_mail;
   43.24      Gets R {|Agent S, Agent TTP, em, Number BothAuth, Number cleartext, 
   43.25 -	     Nonce q, S2TTP|} \<in> set evs2;
   43.26 +             Nonce q, S2TTP|} \<in> set evs2;
   43.27      TTP \<noteq> R;  
   43.28      hr = Hash {|Number cleartext, Nonce q, response S R q, em|} |]
   43.29    ==> 
   43.30 @@ -289,14 +289,14 @@
   43.31   "evs \<in> certified_mail ==>
   43.32      Key K \<notin> analz (spies evs) -->
   43.33      (\<forall>AO. Crypt (pubEK TTP)
   43.34 -	   {|Agent S, Number AO, Key K, Agent R, hs|} \<in> used evs -->
   43.35 +           {|Agent S, Number AO, Key K, Agent R, hs|} \<in> used evs -->
   43.36      (\<exists>m ctxt q. 
   43.37          hs = Hash{|Number ctxt, Nonce q, response S R q, Crypt K (Number m)|} &
   43.38 -	Says S R
   43.39 -	   {|Agent S, Agent TTP, Crypt K (Number m), Number AO,
   43.40 -	     Number ctxt, Nonce q,
   43.41 -	     Crypt (pubEK TTP)
   43.42 -	      {|Agent S, Number AO, Key K, Agent R, hs |}|} \<in> set evs))" 
   43.43 +        Says S R
   43.44 +           {|Agent S, Agent TTP, Crypt K (Number m), Number AO,
   43.45 +             Number ctxt, Nonce q,
   43.46 +             Crypt (pubEK TTP)
   43.47 +              {|Agent S, Number AO, Key K, Agent R, hs |}|} \<in> set evs))" 
   43.48  apply (erule certified_mail.induct, analz_mono_contra)
   43.49  apply (drule_tac [5] CM2_S2TTP_parts_knows_Spy, simp)
   43.50  apply (simp add: used_Nil Crypt_notin_initState, simp_all)
   43.51 @@ -322,11 +322,11 @@
   43.52      evs \<in> certified_mail|]
   43.53    ==> \<exists>m ctxt q. 
   43.54          hs = Hash{|Number ctxt, Nonce q, response S R q, Crypt K (Number m)|} &
   43.55 -	Says S R
   43.56 -	   {|Agent S, Agent TTP, Crypt K (Number m), Number AO,
   43.57 -	     Number ctxt, Nonce q,
   43.58 -	     Crypt (pubEK TTP)
   43.59 -	      {|Agent S, Number AO, Key K, Agent R, hs |}|} \<in> set evs" 
   43.60 +        Says S R
   43.61 +           {|Agent S, Agent TTP, Crypt K (Number m), Number AO,
   43.62 +             Number ctxt, Nonce q,
   43.63 +             Crypt (pubEK TTP)
   43.64 +              {|Agent S, Number AO, Key K, Agent R, hs |}|} \<in> set evs" 
   43.65  by (blast intro: S2TTP_sender_lemma) 
   43.66  
   43.67  
   43.68 @@ -401,7 +401,7 @@
   43.69                       Number cleartext, Nonce q, S2TTP|} \<in> set evs;
   43.70           S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|};
   43.71           Key K \<in> analz (spies evs);
   43.72 -	 evs \<in> certified_mail;
   43.73 +         evs \<in> certified_mail;
   43.74           S\<noteq>Spy|]
   43.75        ==> R \<in> bad & Gets S (Crypt (priSK TTP) S2TTP) \<in> set evs"
   43.76  apply (erule rev_mp)
   43.77 @@ -428,7 +428,7 @@
   43.78        "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, 
   43.79                       Number cleartext, Nonce q, S2TTP|} \<in> set evs;
   43.80           S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|};
   43.81 -	 evs \<in> certified_mail;
   43.82 +         evs \<in> certified_mail;
   43.83           S\<noteq>Spy; R \<notin> bad|]
   43.84        ==> Key K \<notin> analz(spies evs)"
   43.85  by (blast dest: S_fairness_bad_R) 
   43.86 @@ -438,10 +438,10 @@
   43.87   until @{term S} has access to the return receipt.*} 
   43.88  theorem S_guarantee:
   43.89       "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, 
   43.90 -		    Number cleartext, Nonce q, S2TTP|} \<in> set evs;
   43.91 -	S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|};
   43.92 -	Notes R {|Agent TTP, Agent R, Key K, hs|} \<in> set evs;
   43.93 -	S\<noteq>Spy;  evs \<in> certified_mail|]
   43.94 +                    Number cleartext, Nonce q, S2TTP|} \<in> set evs;
   43.95 +        S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|};
   43.96 +        Notes R {|Agent TTP, Agent R, Key K, hs|} \<in> set evs;
   43.97 +        S\<noteq>Spy;  evs \<in> certified_mail|]
   43.98       ==> Gets S (Crypt (priSK TTP) S2TTP) \<in> set evs"
   43.99  apply (erule rev_mp)
  43.100  apply (erule ssubst)
    44.1 --- a/src/HOL/Auth/Event.thy	Wed Oct 21 16:54:04 2009 +0200
    44.2 +++ b/src/HOL/Auth/Event.thy	Wed Oct 21 16:57:57 2009 +0200
    44.3 @@ -22,7 +22,7 @@
    44.4          | Notes agent       msg
    44.5         
    44.6  consts 
    44.7 -  bad    :: "agent set"				(*compromised agents*)
    44.8 +  bad    :: "agent set"                         -- {* compromised agents *}
    44.9    knows  :: "agent => event list => msg set"
   44.10  
   44.11  
   44.12 @@ -43,19 +43,19 @@
   44.13    knows_Cons:
   44.14      "knows A (ev # evs) =
   44.15         (if A = Spy then 
   44.16 -	(case ev of
   44.17 -	   Says A' B X => insert X (knows Spy evs)
   44.18 -	 | Gets A' X => knows Spy evs
   44.19 -	 | Notes A' X  => 
   44.20 -	     if A' \<in> bad then insert X (knows Spy evs) else knows Spy evs)
   44.21 -	else
   44.22 -	(case ev of
   44.23 -	   Says A' B X => 
   44.24 -	     if A'=A then insert X (knows A evs) else knows A evs
   44.25 -	 | Gets A' X    => 
   44.26 -	     if A'=A then insert X (knows A evs) else knows A evs
   44.27 -	 | Notes A' X    => 
   44.28 -	     if A'=A then insert X (knows A evs) else knows A evs))"
   44.29 +        (case ev of
   44.30 +           Says A' B X => insert X (knows Spy evs)
   44.31 +         | Gets A' X => knows Spy evs
   44.32 +         | Notes A' X  => 
   44.33 +             if A' \<in> bad then insert X (knows Spy evs) else knows Spy evs)
   44.34 +        else
   44.35 +        (case ev of
   44.36 +           Says A' B X => 
   44.37 +             if A'=A then insert X (knows A evs) else knows A evs
   44.38 +         | Gets A' X    => 
   44.39 +             if A'=A then insert X (knows A evs) else knows A evs
   44.40 +         | Notes A' X    => 
   44.41 +             if A'=A then insert X (knows A evs) else knows A evs))"
   44.42  
   44.43  (*
   44.44    Case A=Spy on the Gets event
   44.45 @@ -71,10 +71,10 @@
   44.46  primrec
   44.47    used_Nil:   "used []         = (UN B. parts (initState B))"
   44.48    used_Cons:  "used (ev # evs) =
   44.49 -		     (case ev of
   44.50 -			Says A B X => parts {X} \<union> used evs
   44.51 -		      | Gets A X   => used evs
   44.52 -		      | Notes A X  => parts {X} \<union> used evs)"
   44.53 +                     (case ev of
   44.54 +                        Says A B X => parts {X} \<union> used evs
   44.55 +                      | Gets A X   => used evs
   44.56 +                      | Notes A X  => parts {X} \<union> used evs)"
   44.57      --{*The case for @{term Gets} seems anomalous, but @{term Gets} always
   44.58          follows @{term Says} in real protocols.  Seems difficult to change.
   44.59          See @{text Gets_correct} in theory @{text "Guard/Extensions.thy"}. *}
    45.1 --- a/src/HOL/Auth/KerberosIV.thy	Wed Oct 21 16:54:04 2009 +0200
    45.2 +++ b/src/HOL/Auth/KerberosIV.thy	Wed Oct 21 16:57:57 2009 +0200
    45.3 @@ -170,18 +170,18 @@
    45.4              B \<noteq> Tgs;  authK \<in> symKeys;
    45.5              Says A' Tgs \<lbrace>
    45.6               (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
    45.7 -				 Number Ta\<rbrace>),
    45.8 +                                 Number Ta\<rbrace>),
    45.9               (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>), Agent B\<rbrace>
   45.10 -	        \<in> set evs4;
   45.11 +                \<in> set evs4;
   45.12              \<not> expiredAK Ta evs4;
   45.13              \<not> expiredA T2 evs4;
   45.14              servKlife + (CT evs4) <= authKlife + Ta
   45.15           \<rbrakk>
   45.16            \<Longrightarrow> Says Tgs A
   45.17                  (Crypt authK \<lbrace>Key servK, Agent B, Number (CT evs4),
   45.18 -			       Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK,
   45.19 -		 			        Number (CT evs4)\<rbrace> \<rbrace>)
   45.20 -	        # evs4 \<in> kerbIV"
   45.21 +                               Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK,
   45.22 +                                                Number (CT evs4)\<rbrace> \<rbrace>)
   45.23 +                # evs4 \<in> kerbIV"
   45.24  (* Tgs creates a new session key per each request for a service, without
   45.25     checking if there is still a fresh one for that service.
   45.26     The cipher under Tgs' key is the authTicket, the cipher under B's key
   45.27 @@ -196,14 +196,14 @@
   45.28   | K5:  "\<lbrakk> evs5 \<in> kerbIV; authK \<in> symKeys; servK \<in> symKeys;
   45.29              Says A Tgs
   45.30                  \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>,
   45.31 -		  Agent B\<rbrace>
   45.32 +                  Agent B\<rbrace>
   45.33                \<in> set evs5;
   45.34              Says Tgs' A
   45.35               (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
   45.36                  \<in> set evs5;
   45.37              valid Ts wrt T2 \<rbrakk>
   45.38            \<Longrightarrow> Says A B \<lbrace>servTicket,
   45.39 -			 Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace>
   45.40 +                         Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace>
   45.41                 # evs5 \<in> kerbIV"
   45.42  (* Checks similar to those in K3. *)
   45.43  
   45.44 @@ -609,7 +609,7 @@
   45.45       evs \<in> kerbIV \<rbrakk>
   45.46    \<Longrightarrow> servK \<notin> range shrK &
   45.47        (\<exists>A. servTicket =
   45.48 -	      Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)
   45.49 +              Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)
   45.50         | servTicket \<in> analz (spies evs)"
   45.51  apply (frule Says_imp_spies [THEN analz.Inj], auto)
   45.52   apply (force dest!: servTicket_form)
   45.53 @@ -1336,15 +1336,15 @@
   45.54  
   45.55  lemma Confidentiality_lemma [rule_format]:
   45.56       "\<lbrakk> Says Tgs A
   45.57 -	    (Crypt authK
   45.58 -	       \<lbrace>Key servK, Agent B, Number Ts,
   45.59 -		 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
   45.60 -	   \<in> set evs;
   45.61 -	Key authK \<notin> analz (spies evs);
   45.62 +            (Crypt authK
   45.63 +               \<lbrace>Key servK, Agent B, Number Ts,
   45.64 +                 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
   45.65 +           \<in> set evs;
   45.66 +        Key authK \<notin> analz (spies evs);
   45.67          servK \<in> symKeys;
   45.68 -	A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV \<rbrakk>
   45.69 +        A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV \<rbrakk>
   45.70        \<Longrightarrow> Key servK \<in> analz (spies evs) \<longrightarrow>
   45.71 -	  expiredSK Ts evs"
   45.72 +          expiredSK Ts evs"
   45.73  apply (erule rev_mp)
   45.74  apply (erule rev_mp)
   45.75  apply (erule kerbIV.induct)
    46.1 --- a/src/HOL/Auth/KerberosIV_Gets.thy	Wed Oct 21 16:54:04 2009 +0200
    46.2 +++ b/src/HOL/Auth/KerberosIV_Gets.thy	Wed Oct 21 16:57:57 2009 +0200
    46.3 @@ -161,18 +161,18 @@
    46.4              B \<noteq> Tgs;  authK \<in> symKeys;
    46.5              Gets Tgs \<lbrace>
    46.6               (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
    46.7 -				 Number Ta\<rbrace>),
    46.8 +                                 Number Ta\<rbrace>),
    46.9               (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>), Agent B\<rbrace>
   46.10 -	        \<in> set evs4;
   46.11 +                \<in> set evs4;
   46.12              \<not> expiredAK Ta evs4;
   46.13              \<not> expiredA T2 evs4;
   46.14              servKlife + (CT evs4) <= authKlife + Ta
   46.15           \<rbrakk>
   46.16            \<Longrightarrow> Says Tgs A
   46.17                  (Crypt authK \<lbrace>Key servK, Agent B, Number (CT evs4),
   46.18 -			       Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK,
   46.19 -		 			        Number (CT evs4)\<rbrace> \<rbrace>)
   46.20 -	        # evs4 \<in> kerbIV_gets"
   46.21 +                               Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK,
   46.22 +                                                Number (CT evs4)\<rbrace> \<rbrace>)
   46.23 +                # evs4 \<in> kerbIV_gets"
   46.24  (* Tgs creates a new session key per each request for a service, without
   46.25     checking if there is still a fresh one for that service.
   46.26     The cipher under Tgs' key is the authTicket, the cipher under B's key
   46.27 @@ -187,14 +187,14 @@
   46.28   | K5:  "\<lbrakk> evs5 \<in> kerbIV_gets; authK \<in> symKeys; servK \<in> symKeys;
   46.29              Says A Tgs
   46.30                  \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>,
   46.31 -		  Agent B\<rbrace>
   46.32 +                  Agent B\<rbrace>
   46.33                \<in> set evs5;
   46.34              Gets A
   46.35               (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
   46.36                  \<in> set evs5;
   46.37              valid Ts wrt T2 \<rbrakk>
   46.38            \<Longrightarrow> Says A B \<lbrace>servTicket,
   46.39 -			 Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace>
   46.40 +                         Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace>
   46.41                 # evs5 \<in> kerbIV_gets"
   46.42  (* Checks similar to those in K3. *)
   46.43  
   46.44 @@ -495,7 +495,7 @@
   46.45       evs \<in> kerbIV_gets \<rbrakk>
   46.46    \<Longrightarrow> servK \<notin> range shrK &
   46.47        (\<exists>A. servTicket =
   46.48 -	      Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)
   46.49 +              Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)
   46.50         | servTicket \<in> analz (spies evs)"
   46.51  apply (frule Gets_imp_knows_Spy [THEN analz.Inj], auto)
   46.52   apply (force dest!: servTicket_form)
   46.53 @@ -1231,15 +1231,15 @@
   46.54  
   46.55  lemma Confidentiality_lemma [rule_format]:
   46.56       "\<lbrakk> Says Tgs A
   46.57 -	    (Crypt authK
   46.58 -	       \<lbrace>Key servK, Agent B, Number Ts,
   46.59 -		 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
   46.60 -	   \<in> set evs;
   46.61 -	Key authK \<notin> analz (spies evs);
   46.62 +            (Crypt authK
   46.63 +               \<lbrace>Key servK, Agent B, Number Ts,
   46.64 +                 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
   46.65 +           \<in> set evs;
   46.66 +        Key authK \<notin> analz (spies evs);
   46.67          servK \<in> symKeys;
   46.68 -	A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
   46.69 +        A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
   46.70        \<Longrightarrow> Key servK \<in> analz (spies evs) \<longrightarrow>
   46.71 -	  expiredSK Ts evs"
   46.72 +          expiredSK Ts evs"
   46.73  apply (erule rev_mp)
   46.74  apply (erule rev_mp)
   46.75  apply (erule kerbIV_gets.induct)
    47.1 --- a/src/HOL/Auth/KerberosV.thy	Wed Oct 21 16:54:04 2009 +0200
    47.2 +++ b/src/HOL/Auth/KerberosV.thy	Wed Oct 21 16:57:57 2009 +0200
    47.3 @@ -137,9 +137,9 @@
    47.4              B \<noteq> Tgs;  authK \<in> symKeys;
    47.5              Says A' Tgs \<lbrace>
    47.6               (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
    47.7 -				 Number Ta\<rbrace>),
    47.8 +                                 Number Ta\<rbrace>),
    47.9               (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>), Agent B\<rbrace>
   47.10 -	        \<in> set evs4;
   47.11 +                \<in> set evs4;
   47.12              \<not> expiredAK Ta evs4;
   47.13              \<not> expiredA T2 evs4;
   47.14              servKlife + (CT evs4) <= authKlife + Ta
   47.15 @@ -155,14 +155,14 @@
   47.16              A \<noteq> Kas; A \<noteq> Tgs;
   47.17              Says A Tgs
   47.18                  \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>,
   47.19 -		  Agent B\<rbrace>
   47.20 +                  Agent B\<rbrace>
   47.21                \<in> set evs5;
   47.22              Says Tgs' A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>,
   47.23                            servTicket\<rbrace>
   47.24                  \<in> set evs5;
   47.25              valid Ts wrt T2 \<rbrakk>
   47.26            \<Longrightarrow> Says A B \<lbrace>servTicket,
   47.27 -			 Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace>
   47.28 +                         Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace>
   47.29                 # evs5 \<in> kerbV"
   47.30  
   47.31    | KV6:  "\<lbrakk> evs6 \<in> kerbV; B \<noteq> Kas; B \<noteq> Tgs;
   47.32 @@ -1081,14 +1081,14 @@
   47.33  
   47.34  lemma Confidentiality_lemma [rule_format]:
   47.35       "\<lbrakk> Says Tgs A
   47.36 -	    \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>,
   47.37 -	      Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>
   47.38 -	   \<in> set evs;
   47.39 -	Key authK \<notin> analz (spies evs);
   47.40 +            \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>,
   47.41 +              Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>
   47.42 +           \<in> set evs;
   47.43 +        Key authK \<notin> analz (spies evs);
   47.44          servK \<in> symKeys;
   47.45 -	A \<notin> bad;  B \<notin> bad; evs \<in> kerbV \<rbrakk>
   47.46 +        A \<notin> bad;  B \<notin> bad; evs \<in> kerbV \<rbrakk>
   47.47        \<Longrightarrow> Key servK \<in> analz (spies evs) \<longrightarrow>
   47.48 -	  expiredSK Ts evs"
   47.49 +          expiredSK Ts evs"
   47.50  apply (erule rev_mp)
   47.51  apply (erule rev_mp)
   47.52  apply (erule kerbV.induct)
    48.1 --- a/src/HOL/Auth/Kerberos_BAN.thy	Wed Oct 21 16:54:04 2009 +0200
    48.2 +++ b/src/HOL/Auth/Kerberos_BAN.thy	Wed Oct 21 16:57:57 2009 +0200
    48.3 @@ -77,45 +77,45 @@
    48.4     Nil:  "[] \<in> bankerberos"
    48.5  
    48.6   | Fake: "\<lbrakk> evsf \<in> bankerberos;  X \<in> synth (analz (spies evsf)) \<rbrakk>
    48.7 -	  \<Longrightarrow> Says Spy B X # evsf \<in> bankerberos"
    48.8 +          \<Longrightarrow> Says Spy B X # evsf \<in> bankerberos"
    48.9  
   48.10  
   48.11   | BK1:  "\<lbrakk> evs1 \<in> bankerberos \<rbrakk>
   48.12 -	  \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> # evs1
   48.13 -		\<in>  bankerberos"
   48.14 +          \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> # evs1
   48.15 +                \<in>  bankerberos"
   48.16  
   48.17  
   48.18   | BK2:  "\<lbrakk> evs2 \<in> bankerberos;  Key K \<notin> used evs2; K \<in> symKeys;
   48.19 -	     Says A' Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk>
   48.20 -	  \<Longrightarrow> Says Server A
   48.21 -		(Crypt (shrK A)
   48.22 -		   \<lbrace>Number (CT evs2), Agent B, Key K,
   48.23 -		    (Crypt (shrK B) \<lbrace>Number (CT evs2), Agent A, Key K\<rbrace>)\<rbrace>)
   48.24 -		# evs2 \<in> bankerberos"
   48.25 +             Says A' Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk>
   48.26 +          \<Longrightarrow> Says Server A
   48.27 +                (Crypt (shrK A)
   48.28 +                   \<lbrace>Number (CT evs2), Agent B, Key K,
   48.29 +                    (Crypt (shrK B) \<lbrace>Number (CT evs2), Agent A, Key K\<rbrace>)\<rbrace>)
   48.30 +                # evs2 \<in> bankerberos"
   48.31  
   48.32  
   48.33   | BK3:  "\<lbrakk> evs3 \<in> bankerberos;
   48.34 -	     Says S A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   48.35 -	       \<in> set evs3;
   48.36 -	     Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3;
   48.37 -	     \<not> expiredK Tk evs3 \<rbrakk>
   48.38 -	  \<Longrightarrow> Says A B \<lbrace>Ticket, Crypt K \<lbrace>Agent A, Number (CT evs3)\<rbrace> \<rbrace>
   48.39 -	       # evs3 \<in> bankerberos"
   48.40 +             Says S A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   48.41 +               \<in> set evs3;
   48.42 +             Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3;
   48.43 +             \<not> expiredK Tk evs3 \<rbrakk>
   48.44 +          \<Longrightarrow> Says A B \<lbrace>Ticket, Crypt K \<lbrace>Agent A, Number (CT evs3)\<rbrace> \<rbrace>
   48.45 +               # evs3 \<in> bankerberos"
   48.46  
   48.47  
   48.48   | BK4:  "\<lbrakk> evs4 \<in> bankerberos;
   48.49 -	     Says A' B \<lbrace>(Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>),
   48.50 -			 (Crypt K \<lbrace>Agent A, Number Ta\<rbrace>) \<rbrace>: set evs4;
   48.51 -	     \<not> expiredK Tk evs4;  \<not> expiredA Ta evs4 \<rbrakk>
   48.52 -	  \<Longrightarrow> Says B A (Crypt K (Number Ta)) # evs4
   48.53 -		\<in> bankerberos"
   48.54 +             Says A' B \<lbrace>(Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>),
   48.55 +                         (Crypt K \<lbrace>Agent A, Number Ta\<rbrace>) \<rbrace>: set evs4;
   48.56 +             \<not> expiredK Tk evs4;  \<not> expiredA Ta evs4 \<rbrakk>
   48.57 +          \<Longrightarrow> Says B A (Crypt K (Number Ta)) # evs4
   48.58 +                \<in> bankerberos"
   48.59  
   48.60 -	(*Old session keys may become compromised*)
   48.61 +        (*Old session keys may become compromised*)
   48.62   | Oops: "\<lbrakk> evso \<in> bankerberos;
   48.63           Says Server A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   48.64 -	       \<in> set evso;
   48.65 -	     expiredK Tk evso \<rbrakk>
   48.66 -	  \<Longrightarrow> Notes Spy \<lbrace>Number Tk, Key K\<rbrace> # evso \<in> bankerberos"
   48.67 +               \<in> set evso;
   48.68 +             expiredK Tk evso \<rbrakk>
   48.69 +          \<Longrightarrow> Notes Spy \<lbrace>Number Tk, Key K\<rbrace> # evso \<in> bankerberos"
   48.70  
   48.71  
   48.72  declare Says_imp_knows_Spy [THEN parts.Inj, dest]
    49.1 --- a/src/HOL/Auth/Kerberos_BAN_Gets.thy	Wed Oct 21 16:54:04 2009 +0200
    49.2 +++ b/src/HOL/Auth/Kerberos_BAN_Gets.thy	Wed Oct 21 16:57:57 2009 +0200
    49.3 @@ -69,47 +69,47 @@
    49.4     Nil:  "[] \<in> bankerb_gets"
    49.5  
    49.6   | Fake: "\<lbrakk> evsf \<in> bankerb_gets;  X \<in> synth (analz (knows Spy evsf)) \<rbrakk>
    49.7 -	  \<Longrightarrow> Says Spy B X # evsf \<in> bankerb_gets"
    49.8 +          \<Longrightarrow> Says Spy B X # evsf \<in> bankerb_gets"
    49.9  
   49.10   | Reception: "\<lbrakk> evsr\<in> bankerb_gets; Says A B X \<in> set evsr \<rbrakk>
   49.11                  \<Longrightarrow> Gets B X # evsr \<in> bankerb_gets"
   49.12  
   49.13   | BK1:  "\<lbrakk> evs1 \<in> bankerb_gets \<rbrakk>
   49.14 -	  \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> # evs1
   49.15 -		\<in>  bankerb_gets"
   49.16 +          \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> # evs1
   49.17 +                \<in>  bankerb_gets"
   49.18  
   49.19  
   49.20   | BK2:  "\<lbrakk> evs2 \<in> bankerb_gets;  Key K \<notin> used evs2; K \<in> symKeys;
   49.21 -	     Gets Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk>
   49.22 -	  \<Longrightarrow> Says Server A
   49.23 -		(Crypt (shrK A)
   49.24 -		   \<lbrace>Number (CT evs2), Agent B, Key K,
   49.25 -		    (Crypt (shrK B) \<lbrace>Number (CT evs2), Agent A, Key K\<rbrace>)\<rbrace>)
   49.26 -		# evs2 \<in> bankerb_gets"
   49.27 +             Gets Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk>
   49.28 +          \<Longrightarrow> Says Server A
   49.29 +                (Crypt (shrK A)
   49.30 +                   \<lbrace>Number (CT evs2), Agent B, Key K,
   49.31 +                    (Crypt (shrK B) \<lbrace>Number (CT evs2), Agent A, Key K\<rbrace>)\<rbrace>)
   49.32 +                # evs2 \<in> bankerb_gets"
   49.33  
   49.34  
   49.35   | BK3:  "\<lbrakk> evs3 \<in> bankerb_gets;
   49.36 -	     Gets A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   49.37 -	       \<in> set evs3;
   49.38 -	     Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3;
   49.39 -	     \<not> expiredK Tk evs3 \<rbrakk>
   49.40 -	  \<Longrightarrow> Says A B \<lbrace>Ticket, Crypt K \<lbrace>Agent A, Number (CT evs3)\<rbrace> \<rbrace>
   49.41 -	       # evs3 \<in> bankerb_gets"
   49.42 +             Gets A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   49.43 +               \<in> set evs3;
   49.44 +             Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3;
   49.45 +             \<not> expiredK Tk evs3 \<rbrakk>
   49.46 +          \<Longrightarrow> Says A B \<lbrace>Ticket, Crypt K \<lbrace>Agent A, Number (CT evs3)\<rbrace> \<rbrace>
   49.47 +               # evs3 \<in> bankerb_gets"
   49.48  
   49.49  
   49.50   | BK4:  "\<lbrakk> evs4 \<in> bankerb_gets;
   49.51 -	     Gets B \<lbrace>(Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>),
   49.52 -			 (Crypt K \<lbrace>Agent A, Number Ta\<rbrace>) \<rbrace>: set evs4;
   49.53 -	     \<not> expiredK Tk evs4;  \<not> expiredA Ta evs4 \<rbrakk>
   49.54 -	  \<Longrightarrow> Says B A (Crypt K (Number Ta)) # evs4
   49.55 -		\<in> bankerb_gets"
   49.56 +             Gets B \<lbrace>(Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>),
   49.57 +                         (Crypt K \<lbrace>Agent A, Number Ta\<rbrace>) \<rbrace>: set evs4;
   49.58 +             \<not> expiredK Tk evs4;  \<not> expiredA Ta evs4 \<rbrakk>
   49.59 +          \<Longrightarrow> Says B A (Crypt K (Number Ta)) # evs4
   49.60 +                \<in> bankerb_gets"
   49.61  
   49.62 -	(*Old session keys may become compromised*)
   49.63 +        (*Old session keys may become compromised*)
   49.64   | Oops: "\<lbrakk> evso \<in> bankerb_gets;
   49.65           Says Server A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   49.66 -	       \<in> set evso;
   49.67 -	     expiredK Tk evso \<rbrakk>
   49.68 -	  \<Longrightarrow> Notes Spy \<lbrace>Number Tk, Key K\<rbrace> # evso \<in> bankerb_gets"
   49.69 +               \<in> set evso;
   49.70 +             expiredK Tk evso \<rbrakk>
   49.71 +          \<Longrightarrow> Notes Spy \<lbrace>Number Tk, Key K\<rbrace> # evso \<in> bankerb_gets"
   49.72  
   49.73  
   49.74  declare Says_imp_knows_Spy [THEN parts.Inj, dest]
   49.75 @@ -359,7 +359,7 @@
   49.76     "\<lbrakk> Says B A (Crypt K (Number Ta)) \<in> set evs;
   49.77        B \<notin> bad; evs \<in> bankerb_gets \<rbrakk>
   49.78    \<Longrightarrow> \<exists> Tk. Gets B \<lbrace>Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>,
   49.79 -	            Crypt K \<lbrace>Agent A, Number Ta\<rbrace>\<rbrace> \<in> set evs"
   49.80 +                    Crypt K \<lbrace>Agent A, Number Ta\<rbrace>\<rbrace> \<in> set evs"
   49.81  apply (erule rev_mp)
   49.82  apply (erule bankerb_gets.induct)
   49.83  apply auto
    50.1 --- a/src/HOL/Auth/Message.thy	Wed Oct 21 16:54:04 2009 +0200
    50.2 +++ b/src/HOL/Auth/Message.thy	Wed Oct 21 16:57:57 2009 +0200
    50.3 @@ -40,13 +40,13 @@
    50.4    agent = Server | Friend nat | Spy
    50.5  
    50.6  datatype
    50.7 -     msg = Agent  agent	    --{*Agent names*}
    50.8 +     msg = Agent  agent     --{*Agent names*}
    50.9           | Number nat       --{*Ordinary integers, timestamps, ...*}
   50.10           | Nonce  nat       --{*Unguessable nonces*}
   50.11           | Key    key       --{*Crypto keys*}
   50.12 -	 | Hash   msg       --{*Hashing*}
   50.13 -	 | MPair  msg msg   --{*Compound messages*}
   50.14 -	 | Crypt  key msg   --{*Encryption, public- or shared-key*}
   50.15 +         | Hash   msg       --{*Hashing*}
   50.16 +         | MPair  msg msg   --{*Compound messages*}
   50.17 +         | Crypt  key msg   --{*Encryption, public- or shared-key*}
   50.18  
   50.19  
   50.20  text{*Concrete syntax: messages appear as {|A,B,NA|}, etc...*}
   50.21 @@ -873,8 +873,8 @@
   50.22      (Fake_insert_simp_tac ss 1
   50.23       THEN
   50.24       IF_UNSOLVED (Blast.depth_tac
   50.25 -		  (cs addIs [@{thm analz_insertI},
   50.26 -				   impOfSubs @{thm analz_subset_parts}]) 4 1))
   50.27 +                  (cs addIs [@{thm analz_insertI},
   50.28 +                                   impOfSubs @{thm analz_subset_parts}]) 4 1))
   50.29  
   50.30  fun spy_analz_tac (cs,ss) i =
   50.31    DETERM
    51.1 --- a/src/HOL/Auth/NS_Public.thy	Wed Oct 21 16:54:04 2009 +0200
    51.2 +++ b/src/HOL/Auth/NS_Public.thy	Wed Oct 21 16:57:57 2009 +0200
    51.3 @@ -110,8 +110,8 @@
    51.4  lemma A_trusts_NS2_lemma [rule_format]: 
    51.5     "\<lbrakk>A \<notin> bad;  B \<notin> bad;  evs \<in> ns_public\<rbrakk>                     
    51.6      \<Longrightarrow> Crypt (pubEK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts (spies evs) \<longrightarrow>
    51.7 -	Says A B (Crypt(pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow>
    51.8 -	Says B A (Crypt(pubEK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs"
    51.9 +        Says A B (Crypt(pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow>
   51.10 +        Says B A (Crypt(pubEK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs"
   51.11  apply (erule ns_public.induct, simp_all)
   51.12  (*Fake, NS1*)
   51.13  apply (blast dest: Spy_not_see_NA)+
   51.14 @@ -129,8 +129,8 @@
   51.15  lemma B_trusts_NS1 [rule_format]:
   51.16       "evs \<in> ns_public                                         
   51.17        \<Longrightarrow> Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (spies evs) \<longrightarrow>
   51.18 -	  Nonce NA \<notin> analz (spies evs) \<longrightarrow>
   51.19 -	  Says A B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
   51.20 +          Nonce NA \<notin> analz (spies evs) \<longrightarrow>
   51.21 +          Says A B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
   51.22  apply (erule ns_public.induct, simp_all)
   51.23  (*Fake*)
   51.24  apply (blast intro!: analz_insertI)
    52.1 --- a/src/HOL/Auth/NS_Public_Bad.thy	Wed Oct 21 16:54:04 2009 +0200
    52.2 +++ b/src/HOL/Auth/NS_Public_Bad.thy	Wed Oct 21 16:57:57 2009 +0200
    52.3 @@ -116,8 +116,8 @@
    52.4  lemma A_trusts_NS2_lemma [rule_format]: 
    52.5     "\<lbrakk>A \<notin> bad;  B \<notin> bad;  evs \<in> ns_public\<rbrakk>                     
    52.6      \<Longrightarrow> Crypt (pubEK A) \<lbrace>Nonce NA, Nonce NB\<rbrace> \<in> parts (spies evs) \<longrightarrow>
    52.7 -	Says A B (Crypt(pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow>
    52.8 -	Says B A (Crypt(pubEK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set evs"
    52.9 +        Says A B (Crypt(pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow>
   52.10 +        Says B A (Crypt(pubEK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set evs"
   52.11  apply (erule ns_public.induct)
   52.12  apply (auto dest: Spy_not_see_NA unique_NA)
   52.13  done
   52.14 @@ -134,8 +134,8 @@
   52.15  lemma B_trusts_NS1 [rule_format]:
   52.16       "evs \<in> ns_public                                         
   52.17        \<Longrightarrow> Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (spies evs) \<longrightarrow>
   52.18 -	  Nonce NA \<notin> analz (spies evs) \<longrightarrow>
   52.19 -	  Says A B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
   52.20 +          Nonce NA \<notin> analz (spies evs) \<longrightarrow>
   52.21 +          Says A B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
   52.22  apply (erule ns_public.induct, simp_all)
   52.23  (*Fake*)
   52.24  apply (blast intro!: analz_insertI)
    53.1 --- a/src/HOL/Auth/NS_Shared.thy	Wed Oct 21 16:54:04 2009 +0200
    53.2 +++ b/src/HOL/Auth/NS_Shared.thy	Wed Oct 21 16:57:57 2009 +0200
    53.3 @@ -27,61 +27,61 @@
    53.4  
    53.5  inductive_set ns_shared :: "event list set"
    53.6   where
    53.7 -	(*Initial trace is empty*)
    53.8 +        (*Initial trace is empty*)
    53.9    Nil:  "[] \<in> ns_shared"
   53.10 -	(*The spy MAY say anything he CAN say.  We do not expect him to
   53.11 -	  invent new nonces here, but he can also use NS1.  Common to
   53.12 -	  all similar protocols.*)
   53.13 +        (*The spy MAY say anything he CAN say.  We do not expect him to
   53.14 +          invent new nonces here, but he can also use NS1.  Common to
   53.15 +          all similar protocols.*)
   53.16  | Fake: "\<lbrakk>evsf \<in> ns_shared;  X \<in> synth (analz (spies evsf))\<rbrakk>
   53.17 -	 \<Longrightarrow> Says Spy B X # evsf \<in> ns_shared"
   53.18 +         \<Longrightarrow> Says Spy B X # evsf \<in> ns_shared"
   53.19  
   53.20 -	(*Alice initiates a protocol run, requesting to talk to any B*)
   53.21 +        (*Alice initiates a protocol run, requesting to talk to any B*)
   53.22  | NS1:  "\<lbrakk>evs1 \<in> ns_shared;  Nonce NA \<notin> used evs1\<rbrakk>
   53.23 -	 \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> # evs1  \<in>  ns_shared"
   53.24 +         \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> # evs1  \<in>  ns_shared"
   53.25  
   53.26 -	(*Server's response to Alice's message.
   53.27 -	  !! It may respond more than once to A's request !!
   53.28 -	  Server doesn't know who the true sender is, hence the A' in
   53.29 -	      the sender field.*)
   53.30 +        (*Server's response to Alice's message.
   53.31 +          !! It may respond more than once to A's request !!
   53.32 +          Server doesn't know who the true sender is, hence the A' in
   53.33 +              the sender field.*)
   53.34  | NS2:  "\<lbrakk>evs2 \<in> ns_shared;  Key KAB \<notin> used evs2;  KAB \<in> symKeys;
   53.35 -	  Says A' Server \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> \<in> set evs2\<rbrakk>
   53.36 -	 \<Longrightarrow> Says Server A
   53.37 -	       (Crypt (shrK A)
   53.38 -		  \<lbrace>Nonce NA, Agent B, Key KAB,
   53.39 -		    (Crypt (shrK B) \<lbrace>Key KAB, Agent A\<rbrace>)\<rbrace>)
   53.40 -	       # evs2 \<in> ns_shared"
   53.41 +          Says A' Server \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> \<in> set evs2\<rbrakk>
   53.42 +         \<Longrightarrow> Says Server A
   53.43 +               (Crypt (shrK A)
   53.44 +                  \<lbrace>Nonce NA, Agent B, Key KAB,
   53.45 +                    (Crypt (shrK B) \<lbrace>Key KAB, Agent A\<rbrace>)\<rbrace>)
   53.46 +               # evs2 \<in> ns_shared"
   53.47  
   53.48 -	 (*We can't assume S=Server.  Agent A "remembers" her nonce.
   53.49 -	   Need A \<noteq> Server because we allow messages to self.*)
   53.50 +         (*We can't assume S=Server.  Agent A "remembers" her nonce.
   53.51 +           Need A \<noteq> Server because we allow messages to self.*)
   53.52  | NS3:  "\<lbrakk>evs3 \<in> ns_shared;  A \<noteq> Server;
   53.53 -	  Says S A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>) \<in> set evs3;
   53.54 -	  Says A Server \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> \<in> set evs3\<rbrakk>
   53.55 -	 \<Longrightarrow> Says A B X # evs3 \<in> ns_shared"
   53.56 +          Says S A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>) \<in> set evs3;
   53.57 +          Says A Server \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> \<in> set evs3\<rbrakk>
   53.58 +         \<Longrightarrow> Says A B X # evs3 \<in> ns_shared"
   53.59  
   53.60 -	(*Bob's nonce exchange.  He does not know who the message came
   53.61 -	  from, but responds to A because she is mentioned inside.*)
   53.62 +        (*Bob's nonce exchange.  He does not know who the message came
   53.63 +          from, but responds to A because she is mentioned inside.*)
   53.64  | NS4:  "\<lbrakk>evs4 \<in> ns_shared;  Nonce NB \<notin> used evs4;  K \<in> symKeys;
   53.65 -	  Says A' B (Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace>) \<in> set evs4\<rbrakk>
   53.66 -	 \<Longrightarrow> Says B A (Crypt K (Nonce NB)) # evs4 \<in> ns_shared"
   53.67 +          Says A' B (Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace>) \<in> set evs4\<rbrakk>
   53.68 +         \<Longrightarrow> Says B A (Crypt K (Nonce NB)) # evs4 \<in> ns_shared"
   53.69  
   53.70 -	(*Alice responds with Nonce NB if she has seen the key before.
   53.71 -	  Maybe should somehow check Nonce NA again.
   53.72 -	  We do NOT send NB-1 or similar as the Spy cannot spoof such things.
   53.73 -	  Letting the Spy add or subtract 1 lets him send all nonces.
   53.74 -	  Instead we distinguish the messages by sending the nonce twice.*)
   53.75 +        (*Alice responds with Nonce NB if she has seen the key before.
   53.76 +          Maybe should somehow check Nonce NA again.
   53.77 +          We do NOT send NB-1 or similar as the Spy cannot spoof such things.
   53.78 +          Letting the Spy add or subtract 1 lets him send all nonces.
   53.79 +          Instead we distinguish the messages by sending the nonce twice.*)
   53.80  | NS5:  "\<lbrakk>evs5 \<in> ns_shared;  K \<in> symKeys;
   53.81 -	  Says B' A (Crypt K (Nonce NB)) \<in> set evs5;
   53.82 -	  Says S  A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>)
   53.83 -	    \<in> set evs5\<rbrakk>
   53.84 -	 \<Longrightarrow> Says A B (Crypt K \<lbrace>Nonce NB, Nonce NB\<rbrace>) # evs5 \<in> ns_shared"
   53.85 +          Says B' A (Crypt K (Nonce NB)) \<in> set evs5;
   53.86 +          Says S  A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>)
   53.87 +            \<in> set evs5\<rbrakk>
   53.88 +         \<Longrightarrow> Says A B (Crypt K \<lbrace>Nonce NB, Nonce NB\<rbrace>) # evs5 \<in> ns_shared"
   53.89  
   53.90 -	(*This message models possible leaks of session keys.
   53.91 -	  The two Nonces identify the protocol run: the rule insists upon
   53.92 -	  the true senders in order to make them accurate.*)
   53.93 +        (*This message models possible leaks of session keys.
   53.94 +          The two Nonces identify the protocol run: the rule insists upon
   53.95 +          the true senders in order to make them accurate.*)
   53.96  | Oops: "\<lbrakk>evso \<in> ns_shared;  Says B A (Crypt K (Nonce NB)) \<in> set evso;
   53.97 -	  Says Server A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>)
   53.98 -	      \<in> set evso\<rbrakk>
   53.99 -	 \<Longrightarrow> Notes Spy \<lbrace>Nonce NA, Nonce NB, Key K\<rbrace> # evso \<in> ns_shared"
  53.100 +          Says Server A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>)
  53.101 +              \<in> set evso\<rbrakk>
  53.102 +         \<Longrightarrow> Notes Spy \<lbrace>Nonce NA, Nonce NB, Key K\<rbrace> # evso \<in> ns_shared"
  53.103  
  53.104  
  53.105  declare Says_imp_knows_Spy [THEN parts.Inj, dest]
  53.106 @@ -98,7 +98,7 @@
  53.107  apply (intro exI bexI)
  53.108  apply (rule_tac [2] ns_shared.Nil
  53.109         [THEN ns_shared.NS1, THEN ns_shared.NS2, THEN ns_shared.NS3,
  53.110 -	THEN ns_shared.NS4, THEN ns_shared.NS5])
  53.111 +        THEN ns_shared.NS4, THEN ns_shared.NS5])
  53.112  apply (possibility, simp add: used_Cons)
  53.113  done
  53.114  
  53.115 @@ -275,7 +275,7 @@
  53.116  apply blast
  53.117  txt{*NS3*}
  53.118  apply (blast dest!: Crypt_Spy_analz_bad A_trusts_NS2
  53.119 -	     dest:  Says_imp_knows_Spy analz.Inj unique_session_keys)
  53.120 +             dest:  Says_imp_knows_Spy analz.Inj unique_session_keys)
  53.121  txt{*Oops*}
  53.122  apply (blast dest: unique_session_keys)
  53.123  done
  53.124 @@ -355,8 +355,8 @@
  53.125    "\<lbrakk>B \<notin> bad;  evs \<in> ns_shared\<rbrakk> \<Longrightarrow>
  53.126       Key K \<notin> analz (spies evs) \<longrightarrow>
  53.127       Says Server A
  53.128 -	  (Crypt (shrK A) \<lbrace>NA, Agent B, Key K,
  53.129 -			    Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace>\<rbrace>) \<in> set evs \<longrightarrow>
  53.130 +          (Crypt (shrK A) \<lbrace>NA, Agent B, Key K,
  53.131 +                            Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace>\<rbrace>) \<in> set evs \<longrightarrow>
  53.132       Crypt K \<lbrace>Nonce NB, Nonce NB\<rbrace> \<in> parts (spies evs) \<longrightarrow>
  53.133       Says A B (Crypt K \<lbrace>Nonce NB, Nonce NB\<rbrace>) \<in> set evs"
  53.134  apply (erule ns_shared.induct, force)
  53.135 @@ -366,7 +366,7 @@
  53.136  apply (blast dest!: new_keys_not_used Crypt_imp_keysFor)
  53.137  txt{*NS5*}
  53.138  apply (blast dest!: A_trusts_NS2
  53.139 -	     dest: Says_imp_knows_Spy [THEN analz.Inj]
  53.140 +             dest: Says_imp_knows_Spy [THEN analz.Inj]
  53.141                     unique_session_keys Crypt_Spy_analz_bad)
  53.142  done
  53.143  
    54.1 --- a/src/HOL/Auth/OtwayRees.thy	Wed Oct 21 16:54:04 2009 +0200
    54.2 +++ b/src/HOL/Auth/OtwayRees.thy	Wed Oct 21 16:57:57 2009 +0200
    54.3 @@ -61,7 +61,7 @@
    54.4                   # evs3 : otway"
    54.5  
    54.6           (*Bob receives the Server's (?) message and compares the Nonces with
    54.7 -	   those in the message he previously sent the Server.
    54.8 +           those in the message he previously sent the Server.
    54.9             Need B \<noteq> Server because we allow messages to self.*)
   54.10   | OR4:  "[| evs4 \<in> otway;  B \<noteq> Server;
   54.11               Says B Server {|Nonce NA, Agent A, Agent B, X',
    55.1 --- a/src/HOL/Auth/OtwayReesBella.thy	Wed Oct 21 16:54:04 2009 +0200
    55.2 +++ b/src/HOL/Auth/OtwayReesBella.thy	Wed Oct 21 16:57:57 2009 +0200
    55.3 @@ -22,50 +22,50 @@
    55.4    Nil:  "[]\<in> orb"
    55.5  
    55.6  | Fake: "\<lbrakk>evsa\<in> orb;  X\<in> synth (analz (knows Spy evsa))\<rbrakk>
    55.7 - 	 \<Longrightarrow> Says Spy B X  # evsa \<in> orb"
    55.8 +         \<Longrightarrow> Says Spy B X  # evsa \<in> orb"
    55.9  
   55.10  | Reception: "\<lbrakk>evsr\<in> orb;  Says A B X \<in> set evsr\<rbrakk>
   55.11 -	      \<Longrightarrow> Gets B X # evsr \<in> orb"
   55.12 +              \<Longrightarrow> Gets B X # evsr \<in> orb"
   55.13  
   55.14  | OR1:  "\<lbrakk>evs1\<in> orb;  Nonce NA \<notin> used evs1\<rbrakk>
   55.15 -	 \<Longrightarrow> Says A B \<lbrace>Nonce M, Agent A, Agent B, 
   55.16 -		   Crypt (shrK A) \<lbrace>Nonce NA, Nonce M, Agent A, Agent B\<rbrace>\<rbrace> 
   55.17 -	       # evs1 \<in> orb"
   55.18 +         \<Longrightarrow> Says A B \<lbrace>Nonce M, Agent A, Agent B, 
   55.19 +                   Crypt (shrK A) \<lbrace>Nonce NA, Nonce M, Agent A, Agent B\<rbrace>\<rbrace> 
   55.20 +               # evs1 \<in> orb"
   55.21  
   55.22  | OR2:  "\<lbrakk>evs2\<in> orb;  Nonce NB \<notin> used evs2;
   55.23 -	   Gets B \<lbrace>Nonce M, Agent A, Agent B, X\<rbrace> \<in> set evs2\<rbrakk>
   55.24 -	\<Longrightarrow> Says B Server 
   55.25 -		\<lbrace>Nonce M, Agent A, Agent B, X, 
   55.26 -	   Crypt (shrK B) \<lbrace>Nonce NB, Nonce M, Nonce M, Agent A, Agent B\<rbrace>\<rbrace>
   55.27 -	       # evs2 \<in> orb"
   55.28 +           Gets B \<lbrace>Nonce M, Agent A, Agent B, X\<rbrace> \<in> set evs2\<rbrakk>
   55.29 +        \<Longrightarrow> Says B Server 
   55.30 +                \<lbrace>Nonce M, Agent A, Agent B, X, 
   55.31 +           Crypt (shrK B) \<lbrace>Nonce NB, Nonce M, Nonce M, Agent A, Agent B\<rbrace>\<rbrace>
   55.32 +               # evs2 \<in> orb"
   55.33  
   55.34  | OR3:  "\<lbrakk>evs3\<in> orb;  Key KAB \<notin> used evs3;
   55.35 -	  Gets Server 
   55.36 -	     \<lbrace>Nonce M, Agent A, Agent B, 
   55.37 -	       Crypt (shrK A) \<lbrace>Nonce NA, Nonce M, Agent A, Agent B\<rbrace>, 
   55.38 -	       Crypt (shrK B) \<lbrace>Nonce NB, Nonce M, Nonce M, Agent A, Agent B\<rbrace>\<rbrace>
   55.39 -	  \<in> set evs3\<rbrakk>
   55.40 -	\<Longrightarrow> Says Server B \<lbrace>Nonce M,
   55.41 -		    Crypt (shrK B) \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Key KAB\<rbrace>,
   55.42 -				      Nonce NB, Key KAB\<rbrace>\<rbrace>
   55.43 -	       # evs3 \<in> orb"
   55.44 +          Gets Server 
   55.45 +             \<lbrace>Nonce M, Agent A, Agent B, 
   55.46 +               Crypt (shrK A) \<lbrace>Nonce NA, Nonce M, Agent A, Agent B\<rbrace>, 
   55.47 +               Crypt (shrK B) \<lbrace>Nonce NB, Nonce M, Nonce M, Agent A, Agent B\<rbrace>\<rbrace>
   55.48 +          \<in> set evs3\<rbrakk>
   55.49 +        \<Longrightarrow> Says Server B \<lbrace>Nonce M,
   55.50 +                    Crypt (shrK B) \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Key KAB\<rbrace>,
   55.51 +                                      Nonce NB, Key KAB\<rbrace>\<rbrace>
   55.52 +               # evs3 \<in> orb"
   55.53  
   55.54    (*B can only check that the message he is bouncing is a ciphertext*)
   55.55    (*Sending M back is omitted*)   
   55.56  | OR4:  "\<lbrakk>evs4\<in> orb; B \<noteq> Server; \<forall> p q. X \<noteq> \<lbrace>p, q\<rbrace>; 
   55.57 -	  Says B Server \<lbrace>Nonce M, Agent A, Agent B, X', 
   55.58 -		Crypt (shrK B) \<lbrace>Nonce NB, Nonce M, Nonce M, Agent A, Agent B\<rbrace>\<rbrace>
   55.59 -	    \<in> set evs4;
   55.60 -	  Gets B \<lbrace>Nonce M, Crypt (shrK B) \<lbrace>X, Nonce NB, Key KAB\<rbrace>\<rbrace>
   55.61 -	    \<in> set evs4\<rbrakk>
   55.62 -	\<Longrightarrow> Says B A \<lbrace>Nonce M, X\<rbrace> # evs4 \<in> orb"
   55.63 +          Says B Server \<lbrace>Nonce M, Agent A, Agent B, X', 
   55.64 +                Crypt (shrK B) \<lbrace>Nonce NB, Nonce M, Nonce M, Agent A, Agent B\<rbrace>\<rbrace>
   55.65 +            \<in> set evs4;
   55.66 +          Gets B \<lbrace>Nonce M, Crypt (shrK B) \<lbrace>X, Nonce NB, Key KAB\<rbrace>\<rbrace>
   55.67 +            \<in> set evs4\<rbrakk>
   55.68 +        \<Longrightarrow> Says B A \<lbrace>Nonce M, X\<rbrace> # evs4 \<in> orb"
   55.69  
   55.70  
   55.71  | Oops: "\<lbrakk>evso\<in> orb;  
   55.72 -	   Says Server B \<lbrace>Nonce M,
   55.73 -		    Crypt (shrK B) \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Key KAB\<rbrace>,
   55.74 -				      Nonce NB, Key KAB\<rbrace>\<rbrace> 
   55.75 -	     \<in> set evso\<rbrakk>
   55.76 +           Says Server B \<lbrace>Nonce M,
   55.77 +                    Crypt (shrK B) \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Key KAB\<rbrace>,
   55.78 +                                      Nonce NB, Key KAB\<rbrace>\<rbrace> 
   55.79 +             \<in> set evso\<rbrakk>
   55.80   \<Longrightarrow> Notes Spy \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB, Key KAB\<rbrace> # evso 
   55.81       \<in> orb"
   55.82  
    56.1 --- a/src/HOL/Auth/OtwayRees_AN.thy	Wed Oct 21 16:54:04 2009 +0200
    56.2 +++ b/src/HOL/Auth/OtwayRees_AN.thy	Wed Oct 21 16:57:57 2009 +0200
    56.3 @@ -35,7 +35,7 @@
    56.4          
    56.5   | Reception: --{*A message that has been sent can be received by the
    56.6                    intended recipient.*}
    56.7 -	      "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
    56.8 +              "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
    56.9                 ==> Gets B X # evsr \<in> otway"
   56.10  
   56.11   | OR1:  --{*Alice initiates a protocol run*}
   56.12 @@ -43,14 +43,14 @@
   56.13            ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs1 \<in> otway"
   56.14  
   56.15   | OR2:  --{*Bob's response to Alice's message.*}
   56.16 -	 "[| evs2 \<in> otway;
   56.17 +         "[| evs2 \<in> otway;
   56.18               Gets B {|Agent A, Agent B, Nonce NA|} \<in>set evs2 |]
   56.19            ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
   56.20                   # evs2 \<in> otway"
   56.21  
   56.22   | OR3:  --{*The Server receives Bob's message.  Then he sends a new
   56.23             session key to Bob with a packet for forwarding to Alice.*}
   56.24 -	 "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
   56.25 +         "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
   56.26               Gets Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
   56.27                 \<in>set evs3 |]
   56.28            ==> Says Server B
   56.29 @@ -59,9 +59,9 @@
   56.30                # evs3 \<in> otway"
   56.31  
   56.32   | OR4:  --{*Bob receives the Server's (?) message and compares the Nonces with
   56.33 -	     those in the message he previously sent the Server.
   56.34 +             those in the message he previously sent the Server.
   56.35               Need @{term "B \<noteq> Server"} because we allow messages to self.*}
   56.36 -	 "[| evs4 \<in> otway;  B \<noteq> Server;
   56.37 +         "[| evs4 \<in> otway;  B \<noteq> Server;
   56.38               Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} \<in>set evs4;
   56.39               Gets B {|X, Crypt(shrK B){|Nonce NB,Agent A,Agent B,Key K|}|}
   56.40                 \<in>set evs4 |]
   56.41 @@ -69,7 +69,7 @@
   56.42  
   56.43   | Oops: --{*This message models possible leaks of session keys.  The nonces
   56.44               identify the protocol run.*}
   56.45 -	 "[| evso \<in> otway;
   56.46 +         "[| evso \<in> otway;
   56.47               Says Server B
   56.48                        {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|},
   56.49                          Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key K|}|}
    57.1 --- a/src/HOL/Auth/OtwayRees_Bad.thy	Wed Oct 21 16:54:04 2009 +0200
    57.2 +++ b/src/HOL/Auth/OtwayRees_Bad.thy	Wed Oct 21 16:57:57 2009 +0200
    57.3 @@ -32,18 +32,18 @@
    57.4          
    57.5   | Reception: --{*A message that has been sent can be received by the
    57.6                    intended recipient.*}
    57.7 -	      "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
    57.8 +              "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
    57.9                 ==> Gets B X # evsr \<in> otway"
   57.10  
   57.11   | OR1:  --{*Alice initiates a protocol run*}
   57.12 -	 "[| evs1 \<in> otway;  Nonce NA \<notin> used evs1 |]
   57.13 +         "[| evs1 \<in> otway;  Nonce NA \<notin> used evs1 |]
   57.14            ==> Says A B {|Nonce NA, Agent A, Agent B,
   57.15                           Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |}
   57.16                   # evs1 \<in> otway"
   57.17  
   57.18   | OR2:  --{*Bob's response to Alice's message.
   57.19               This variant of the protocol does NOT encrypt NB.*}
   57.20 -	 "[| evs2 \<in> otway;  Nonce NB \<notin> used evs2;
   57.21 +         "[| evs2 \<in> otway;  Nonce NB \<notin> used evs2;
   57.22               Gets B {|Nonce NA, Agent A, Agent B, X|} \<in> set evs2 |]
   57.23            ==> Says B Server
   57.24                    {|Nonce NA, Agent A, Agent B, X, Nonce NB,
   57.25 @@ -53,7 +53,7 @@
   57.26   | OR3:  --{*The Server receives Bob's message and checks that the three NAs
   57.27             match.  Then he sends a new session key to Bob with a packet for
   57.28             forwarding to Alice.*}
   57.29 -	 "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
   57.30 +         "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
   57.31               Gets Server
   57.32                    {|Nonce NA, Agent A, Agent B,
   57.33                      Crypt (shrK A) {|Nonce NA, Agent A, Agent B|},
   57.34 @@ -67,9 +67,9 @@
   57.35                   # evs3 \<in> otway"
   57.36  
   57.37   | OR4:  --{*Bob receives the Server's (?) message and compares the Nonces with
   57.38 -	     those in the message he previously sent the Server.
   57.39 +             those in the message he previously sent the Server.
   57.40               Need @{term "B \<noteq> Server"} because we allow messages to self.*}
   57.41 -	 "[| evs4 \<in> otway;  B \<noteq> Server;
   57.42 +         "[| evs4 \<in> otway;  B \<noteq> Server;
   57.43               Says B Server {|Nonce NA, Agent A, Agent B, X', Nonce NB,
   57.44                               Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
   57.45                 \<in> set evs4;
   57.46 @@ -79,7 +79,7 @@
   57.47  
   57.48   | Oops: --{*This message models possible leaks of session keys.  The nonces
   57.49               identify the protocol run.*}
   57.50 -	 "[| evso \<in> otway;
   57.51 +         "[| evso \<in> otway;
   57.52               Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
   57.53                 \<in> set evso |]
   57.54            ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> otway"
    58.1 --- a/src/HOL/Auth/Recur.thy	Wed Oct 21 16:54:04 2009 +0200
    58.2 +++ b/src/HOL/Auth/Recur.thy	Wed Oct 21 16:57:57 2009 +0200
    58.3 @@ -101,7 +101,7 @@
    58.4       etc.
    58.5  
    58.6     Oops:  "[| evso \<in> recur;  Says Server B RB \<in> set evso;
    58.7 -	      RB \<in> responses evs';  Key K \<in> parts {RB} |]
    58.8 +              RB \<in> responses evs';  Key K \<in> parts {RB} |]
    58.9             ==> Notes Spy {|Key K, RB|} # evso \<in> recur"
   58.10    *)
   58.11  
   58.12 @@ -140,10 +140,10 @@
   58.13  apply (rule_tac [2] 
   58.14            recur.Nil
   58.15             [THEN recur.RA1 [of _ NA], 
   58.16 -	    THEN recur.RA2 [of _ NB],
   58.17 -	    THEN recur.RA3 [OF _ _ respond.One 
   58.18 +            THEN recur.RA2 [of _ NB],
   58.19 +            THEN recur.RA3 [OF _ _ respond.One 
   58.20                                       [THEN respond.Cons [of _ _ K _ K']]],
   58.21 -	    THEN recur.RA4], possibility)
   58.22 +            THEN recur.RA4], possibility)
   58.23  apply (auto simp add: used_Cons)
   58.24  done
   58.25  
   58.26 @@ -241,7 +241,7 @@
   58.27                     (K \<in> KK | Key K \<in> analz (insert RB H))"
   58.28  apply (erule responses.induct)
   58.29  apply (simp_all del: image_insert
   58.30 -	        add: analz_image_freshK_simps, auto)
   58.31 +                add: analz_image_freshK_simps, auto)
   58.32  done 
   58.33  
   58.34  
    59.1 --- a/src/HOL/Auth/Smartcard/EventSC.thy	Wed Oct 21 16:54:04 2009 +0200
    59.2 +++ b/src/HOL/Auth/Smartcard/EventSC.thy	Wed Oct 21 16:57:57 2009 +0200
    59.3 @@ -38,13 +38,13 @@
    59.4  specification (stolen)
    59.5    (*The server's card is secure by assumption\<dots>*)
    59.6    Card_Server_not_stolen [iff]: "Card Server \<notin> stolen"
    59.7 -  Card_Spy_not_stolen  	 [iff]: "Card Spy \<notin> stolen"
    59.8 +  Card_Spy_not_stolen    [iff]: "Card Spy \<notin> stolen"
    59.9    apply blast done
   59.10  
   59.11  specification (cloned)
   59.12    (*\<dots> the spy's card is secure because she already can use it freely*)
   59.13    Card_Server_not_cloned [iff]: "Card Server \<notin> cloned"
   59.14 -  Card_Spy_not_cloned  	 [iff]: "Card Spy \<notin> cloned"
   59.15 +  Card_Spy_not_cloned    [iff]: "Card Spy \<notin> cloned"
   59.16    apply blast done
   59.17  
   59.18  
   59.19 @@ -52,28 +52,28 @@
   59.20            assumption of secure means*)
   59.21    knows_Nil:   "knows A [] = initState A"
   59.22    knows_Cons:  "knows A (ev # evs) =
   59.23 -	 (case ev of
   59.24 -	    Says A' B X => 
   59.25 +         (case ev of
   59.26 +            Says A' B X => 
   59.27                  if (A=A' | A=Spy) then insert X (knows A evs) else knows A evs
   59.28 -	  | Notes A' X  => 
   59.29 -	        if (A=A' | (A=Spy & A'\<in>bad)) then insert X (knows A evs) 
   59.30 +          | Notes A' X  => 
   59.31 +                if (A=A' | (A=Spy & A'\<in>bad)) then insert X (knows A evs) 
   59.32                                               else knows A evs 
   59.33            | Gets A' X   =>
   59.34 -		if (A=A' & A \<noteq> Spy) then insert X (knows A evs) 
   59.35 +                if (A=A' & A \<noteq> Spy) then insert X (knows A evs) 
   59.36                                       else knows A evs
   59.37            | Inputs A' C X =>
   59.38 -	      if secureM then
   59.39 +              if secureM then
   59.40                  if A=A' then insert X (knows A evs) else knows A evs
   59.41 -	      else
   59.42 -	        if (A=A' | A=Spy) then insert X (knows A evs) else knows A evs
   59.43 +              else
   59.44 +                if (A=A' | A=Spy) then insert X (knows A evs) else knows A evs
   59.45            | C_Gets C X   => knows A evs
   59.46            | Outpts C A' X =>
   59.47 -	      if secureM then
   59.48 +              if secureM then
   59.49                  if A=A' then insert X (knows A evs) else knows A evs
   59.50                else
   59.51 -	        if A=Spy then insert X (knows A evs) else knows A evs
   59.52 +                if A=Spy then insert X (knows A evs) else knows A evs
   59.53            | A_Gets A' X   =>
   59.54 -		if (A=A' & A \<noteq> Spy) then insert X (knows A evs) 
   59.55 +                if (A=A' & A \<noteq> Spy) then insert X (knows A evs) 
   59.56                                       else knows A evs)"
   59.57  
   59.58  
   59.59 @@ -86,14 +86,14 @@
   59.60  primrec
   59.61    used_Nil:   "used []         = (UN B. parts (initState B))"
   59.62    used_Cons:  "used (ev # evs) =
   59.63 -	         (case ev of
   59.64 -		    Says A B X => parts {X} \<union> (used evs)
   59.65 -		  | Notes A X  => parts {X} \<union> (used evs)
   59.66 -		  | Gets A X   => used evs
   59.67 +                 (case ev of
   59.68 +                    Says A B X => parts {X} \<union> (used evs)
   59.69 +                  | Notes A X  => parts {X} \<union> (used evs)
   59.70 +                  | Gets A X   => used evs
   59.71                    | Inputs A C X  => parts{X} \<union> (used evs) 
   59.72 -		  | C_Gets C X   => used evs
   59.73 +                  | C_Gets C X   => used evs
   59.74                    | Outpts C A X  => parts{X} \<union> (used evs)
   59.75 -		  | A_Gets A X   => used evs)"
   59.76 +                  | A_Gets A X   => used evs)"
   59.77      --{*@{term Gets} always follows @{term Says} in real protocols. 
   59.78         Likewise, @{term C_Gets} will always have to follow @{term Inputs}
   59.79         and @{term A_Gets} will always have to follow @{term Outpts}*}
    60.1 --- a/src/HOL/Auth/Smartcard/Smartcard.thy	Wed Oct 21 16:54:04 2009 +0200
    60.2 +++ b/src/HOL/Auth/Smartcard/Smartcard.thy	Wed Oct 21 16:57:57 2009 +0200
    60.3 @@ -386,8 +386,8 @@
    60.4  
    60.5  val analz_image_freshK_ss = 
    60.6       @{simpset} delsimps [image_insert, image_Un]
    60.7 -	       delsimps [@{thm imp_disjL}]    (*reduces blow-up*)
    60.8 -	       addsimps @{thms analz_image_freshK_simps}
    60.9 +               delsimps [@{thm imp_disjL}]    (*reduces blow-up*)
   60.10 +               addsimps @{thms analz_image_freshK_simps}
   60.11  end
   60.12  *}
   60.13  
    61.1 --- a/src/HOL/Auth/TLS.thy	Wed Oct 21 16:54:04 2009 +0200
    61.2 +++ b/src/HOL/Auth/TLS.thy	Wed Oct 21 16:57:57 2009 +0200
    61.3 @@ -36,7 +36,7 @@
    61.4  Proofs would be simpler if ClientKeyExch included A's name within
    61.5  Crypt KB (Nonce PMS).  As things stand, there is much overlap between proofs
    61.6  about that message (which B receives) and the stronger event
    61.7 -	Notes A {|Agent B, Nonce PMS|}.
    61.8 +Notes A {|Agent B, Nonce PMS|}.
    61.9  *)
   61.10  
   61.11  header{*The TLS Protocol: Transport Layer Security*}
   61.12 @@ -112,30 +112,30 @@
   61.13   | SpyKeys: --{*The spy may apply @{term PRF} and @{term sessionK}
   61.14                  to available nonces*}
   61.15           "[| evsSK \<in> tls;
   61.16 -	     {Nonce NA, Nonce NB, Nonce M} <= analz (spies evsSK) |]
   61.17 +             {Nonce NA, Nonce NB, Nonce M} <= analz (spies evsSK) |]
   61.18            ==> Notes Spy {| Nonce (PRF(M,NA,NB)),
   61.19 -			   Key (sessionK((NA,NB,M),role)) |} # evsSK \<in> tls"
   61.20 +                           Key (sessionK((NA,NB,M),role)) |} # evsSK \<in> tls"
   61.21  
   61.22   | ClientHello:
   61.23 -	 --{*(7.4.1.2)
   61.24 -	   PA represents @{text CLIENT_VERSION}, @{text CIPHER_SUITES} and @{text COMPRESSION_METHODS}.
   61.25 -	   It is uninterpreted but will be confirmed in the FINISHED messages.
   61.26 -	   NA is CLIENT RANDOM, while SID is @{text SESSION_ID}.
   61.27 +         --{*(7.4.1.2)
   61.28 +           PA represents @{text CLIENT_VERSION}, @{text CIPHER_SUITES} and @{text COMPRESSION_METHODS}.
   61.29 +           It is uninterpreted but will be confirmed in the FINISHED messages.
   61.30 +           NA is CLIENT RANDOM, while SID is @{text SESSION_ID}.
   61.31             UNIX TIME is omitted because the protocol doesn't use it.
   61.32             May assume @{term "NA \<notin> range PRF"} because CLIENT RANDOM is 
   61.33             28 bytes while MASTER SECRET is 48 bytes*}
   61.34           "[| evsCH \<in> tls;  Nonce NA \<notin> used evsCH;  NA \<notin> range PRF |]
   61.35            ==> Says A B {|Agent A, Nonce NA, Number SID, Number PA|}
   61.36 -	        # evsCH  \<in>  tls"
   61.37 +                # evsCH  \<in>  tls"
   61.38  
   61.39   | ServerHello:
   61.40           --{*7.4.1.3 of the TLS Internet-Draft
   61.41 -	   PB represents @{text CLIENT_VERSION}, @{text CIPHER_SUITE} and @{text COMPRESSION_METHOD}.
   61.42 +           PB represents @{text CLIENT_VERSION}, @{text CIPHER_SUITE} and @{text COMPRESSION_METHOD}.
   61.43             SERVER CERTIFICATE (7.4.2) is always present.
   61.44             @{text CERTIFICATE_REQUEST} (7.4.4) is implied.*}
   61.45           "[| evsSH \<in> tls;  Nonce NB \<notin> used evsSH;  NB \<notin> range PRF;
   61.46               Says A' B {|Agent A, Nonce NA, Number SID, Number PA|}
   61.47 -	       \<in> set evsSH |]
   61.48 +               \<in> set evsSH |]
   61.49            ==> Says B A {|Nonce NB, Number SID, Number PB|} # evsSH  \<in>  tls"
   61.50  
   61.51   | Certificate:
   61.52 @@ -148,28 +148,28 @@
   61.53             She encrypts PMS using the supplied KB, which ought to be pubK B.
   61.54             We assume @{term "PMS \<notin> range PRF"} because a clash betweem the PMS
   61.55             and another MASTER SECRET is highly unlikely (even though
   61.56 -	   both items have the same length, 48 bytes).
   61.57 +           both items have the same length, 48 bytes).
   61.58             The Note event records in the trace that she knows PMS
   61.59                 (see REMARK at top). *}
   61.60           "[| evsCX \<in> tls;  Nonce PMS \<notin> used evsCX;  PMS \<notin> range PRF;
   61.61               Says B' A (certificate B KB) \<in> set evsCX |]
   61.62            ==> Says A B (Crypt KB (Nonce PMS))
   61.63 -	      # Notes A {|Agent B, Nonce PMS|}
   61.64 -	      # evsCX  \<in>  tls"
   61.65 +              # Notes A {|Agent B, Nonce PMS|}
   61.66 +              # evsCX  \<in>  tls"
   61.67  
   61.68   | CertVerify:
   61.69 -	--{*The optional Certificate Verify (7.4.8) message contains the
   61.70 +        --{*The optional Certificate Verify (7.4.8) message contains the
   61.71            specific components listed in the security analysis, F.1.1.2.
   61.72            It adds the pre-master-secret, which is also essential!
   61.73            Checking the signature, which is the only use of A's certificate,
   61.74            assures B of A's presence*}
   61.75           "[| evsCV \<in> tls;
   61.76               Says B' A {|Nonce NB, Number SID, Number PB|} \<in> set evsCV;
   61.77 -	     Notes A {|Agent B, Nonce PMS|} \<in> set evsCV |]
   61.78 +             Notes A {|Agent B, Nonce PMS|} \<in> set evsCV |]
   61.79            ==> Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|}))
   61.80                # evsCV  \<in>  tls"
   61.81  
   61.82 -	--{*Finally come the FINISHED messages (7.4.8), confirming PA and PB
   61.83 +        --{*Finally come the FINISHED messages (7.4.8), confirming PA and PB
   61.84            among other things.  The master-secret is PRF(PMS,NA,NB).
   61.85            Either party may send its message first.*}
   61.86  
   61.87 @@ -181,60 +181,60 @@
   61.88            could simply put @{term "A\<noteq>Spy"} into the rule, but one should not
   61.89            expect the spy to be well-behaved.*}
   61.90           "[| evsCF \<in> tls;
   61.91 -	     Says A  B {|Agent A, Nonce NA, Number SID, Number PA|}
   61.92 -	       \<in> set evsCF;
   61.93 +             Says A  B {|Agent A, Nonce NA, Number SID, Number PA|}
   61.94 +               \<in> set evsCF;
   61.95               Says B' A {|Nonce NB, Number SID, Number PB|} \<in> set evsCF;
   61.96               Notes A {|Agent B, Nonce PMS|} \<in> set evsCF;
   61.97 -	     M = PRF(PMS,NA,NB) |]
   61.98 +             M = PRF(PMS,NA,NB) |]
   61.99            ==> Says A B (Crypt (clientK(NA,NB,M))
  61.100 -			(Hash{|Number SID, Nonce M,
  61.101 -			       Nonce NA, Number PA, Agent A,
  61.102 -			       Nonce NB, Number PB, Agent B|}))
  61.103 +                        (Hash{|Number SID, Nonce M,
  61.104 +                               Nonce NA, Number PA, Agent A,
  61.105 +                               Nonce NB, Number PB, Agent B|}))
  61.106                # evsCF  \<in>  tls"
  61.107  
  61.108   | ServerFinished:
  61.109 -	--{*Keeping A' and A'' distinct means B cannot even check that the
  61.110 +        --{*Keeping A' and A'' distinct means B cannot even check that the
  61.111            two messages originate from the same source. *}
  61.112           "[| evsSF \<in> tls;
  61.113 -	     Says A' B  {|Agent A, Nonce NA, Number SID, Number PA|}
  61.114 -	       \<in> set evsSF;
  61.115 -	     Says B  A  {|Nonce NB, Number SID, Number PB|} \<in> set evsSF;
  61.116 -	     Says A'' B (Crypt (pubK B) (Nonce PMS)) \<in> set evsSF;
  61.117 -	     M = PRF(PMS,NA,NB) |]
  61.118 +             Says A' B  {|Agent A, Nonce NA, Number SID, Number PA|}
  61.119 +               \<in> set evsSF;
  61.120 +             Says B  A  {|Nonce NB, Number SID, Number PB|} \<in> set evsSF;
  61.121 +             Says A'' B (Crypt (pubK B) (Nonce PMS)) \<in> set evsSF;
  61.122 +             M = PRF(PMS,NA,NB) |]
  61.123            ==> Says B A (Crypt (serverK(NA,NB,M))
  61.124 -			(Hash{|Number SID, Nonce M,
  61.125 -			       Nonce NA, Number PA, Agent A,
  61.126 -			       Nonce NB, Number PB, Agent B|}))
  61.127 +                        (Hash{|Number SID, Nonce M,
  61.128 +                               Nonce NA, Number PA, Agent A,
  61.129 +                               Nonce NB, Number PB, Agent B|}))
  61.130                # evsSF  \<in>  tls"
  61.131  
  61.132   | ClientAccepts:
  61.133 -	--{*Having transmitted ClientFinished and received an identical
  61.134 +        --{*Having transmitted ClientFinished and received an identical
  61.135            message encrypted with serverK, the client stores the parameters
  61.136            needed to resume this session.  The "Notes A ..." premise is
  61.137            used to prove @{text Notes_master_imp_Crypt_PMS}.*}
  61.138           "[| evsCA \<in> tls;
  61.139 -	     Notes A {|Agent B, Nonce PMS|} \<in> set evsCA;
  61.140 -	     M = PRF(PMS,NA,NB);
  61.141 -	     X = Hash{|Number SID, Nonce M,
  61.142 -	               Nonce NA, Number PA, Agent A,
  61.143 -		       Nonce NB, Number PB, Agent B|};
  61.144 +             Notes A {|Agent B, Nonce PMS|} \<in> set evsCA;
  61.145 +             M = PRF(PMS,NA,NB);
  61.146 +             X = Hash{|Number SID, Nonce M,
  61.147 +                       Nonce NA, Number PA, Agent A,
  61.148 +                       Nonce NB, Number PB, Agent B|};
  61.149               Says A  B (Crypt (clientK(NA,NB,M)) X) \<in> set evsCA;
  61.150               Says B' A (Crypt (serverK(NA,NB,M)) X) \<in> set evsCA |]
  61.151            ==>
  61.152               Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA  \<in>  tls"
  61.153  
  61.154   | ServerAccepts:
  61.155 -	--{*Having transmitted ServerFinished and received an identical
  61.156 +        --{*Having transmitted ServerFinished and received an identical
  61.157            message encrypted with clientK, the server stores the parameters
  61.158            needed to resume this session.  The "Says A'' B ..." premise is
  61.159            used to prove @{text Notes_master_imp_Crypt_PMS}.*}
  61.160           "[| evsSA \<in> tls;
  61.161 -	     A \<noteq> B;
  61.162 +             A \<noteq> B;
  61.163               Says A'' B (Crypt (pubK B) (Nonce PMS)) \<in> set evsSA;
  61.164 -	     M = PRF(PMS,NA,NB);
  61.165 -	     X = Hash{|Number SID, Nonce M,
  61.166 -	               Nonce NA, Number PA, Agent A,
  61.167 -		       Nonce NB, Number PB, Agent B|};
  61.168 +             M = PRF(PMS,NA,NB);
  61.169 +             X = Hash{|Number SID, Nonce M,
  61.170 +                       Nonce NA, Number PA, Agent A,
  61.171 +                       Nonce NB, Number PB, Agent B|};
  61.172               Says B  A (Crypt (serverK(NA,NB,M)) X) \<in> set evsSA;
  61.173               Says A' B (Crypt (clientK(NA,NB,M)) X) \<in> set evsSA |]
  61.174            ==>
  61.175 @@ -244,27 +244,27 @@
  61.176           --{*If A recalls the @{text SESSION_ID}, then she sends a FINISHED
  61.177               message using the new nonces and stored MASTER SECRET.*}
  61.178           "[| evsCR \<in> tls;
  61.179 -	     Says A  B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsCR;
  61.180 +             Says A  B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsCR;
  61.181               Says B' A {|Nonce NB, Number SID, Number PB|} \<in> set evsCR;
  61.182               Notes A {|Number SID, Agent A, Agent B, Nonce M|} \<in> set evsCR |]
  61.183            ==> Says A B (Crypt (clientK(NA,NB,M))
  61.184 -			(Hash{|Number SID, Nonce M,
  61.185 -			       Nonce NA, Number PA, Agent A,
  61.186 -			       Nonce NB, Number PB, Agent B|}))
  61.187 +                        (Hash{|Number SID, Nonce M,
  61.188 +                               Nonce NA, Number PA, Agent A,
  61.189 +                               Nonce NB, Number PB, Agent B|}))
  61.190                # evsCR  \<in>  tls"
  61.191  
  61.192   | ServerResume:
  61.193           --{*Resumption (7.3):  If B finds the @{text SESSION_ID} then he can 
  61.194               send a FINISHED message using the recovered MASTER SECRET*}
  61.195           "[| evsSR \<in> tls;
  61.196 -	     Says A' B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsSR;
  61.197 -	     Says B  A {|Nonce NB, Number SID, Number PB|} \<in> set evsSR;
  61.198 +             Says A' B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsSR;
  61.199 +             Says B  A {|Nonce NB, Number SID, Number PB|} \<in> set evsSR;
  61.200               Notes B {|Number SID, Agent A, Agent B, Nonce M|} \<in> set evsSR |]
  61.201            ==> Says B A (Crypt (serverK(NA,NB,M))
  61.202 -			(Hash{|Number SID, Nonce M,
  61.203 -			       Nonce NA, Number PA, Agent A,
  61.204 -			       Nonce NB, Number PB, Agent B|})) # evsSR
  61.205 -	        \<in>  tls"
  61.206 +                        (Hash{|Number SID, Nonce M,
  61.207 +                               Nonce NA, Number PA, Agent A,
  61.208 +                               Nonce NB, Number PB, Agent B|})) # evsSR
  61.209 +                \<in>  tls"
  61.210  
  61.211   | Oops:
  61.212           --{*The most plausible compromise is of an old session key.  Losing
  61.213 @@ -273,7 +273,7 @@
  61.214             otherwise the Spy could learn session keys merely by 
  61.215             replaying messages!*}
  61.216           "[| evso \<in> tls;  A \<noteq> Spy;
  61.217 -	     Says A B (Crypt (sessionK((NA,NB,M),role)) X) \<in> set evso |]
  61.218 +             Says A B (Crypt (sessionK((NA,NB,M),role)) X) \<in> set evso |]
  61.219            ==> Says A Spy (Key (sessionK((NA,NB,M),role))) # evso  \<in>  tls"
  61.220  
  61.221  (*
  61.222 @@ -328,7 +328,7 @@
  61.223  
  61.224  
  61.225  (** These proofs assume that the Nonce_supply nonces
  61.226 -	(which have the form  @ N. Nonce N \<notin> used evs)
  61.227 +        (which have the form  @ N. Nonce N \<notin> used evs)
  61.228      lie outside the range of PRF.  It seems reasonable, but as it is needed
  61.229      only for the possibility theorems, it is not taken as an axiom.
  61.230  **)
  61.231 @@ -381,11 +381,11 @@
  61.232            \<forall>evs. (@ N. Nonce N \<notin> used evs) \<notin> range PRF;
  61.233            A \<noteq> B |]
  61.234        ==> \<exists>NA PA NB PB X. \<exists>evs \<in> tls.
  61.235 -		X = Hash{|Number SID, Nonce M,
  61.236 -			  Nonce NA, Number PA, Agent A,
  61.237 -			  Nonce NB, Number PB, Agent B|}  &
  61.238 -		Says A B (Crypt (clientK(NA,NB,M)) X) \<in> set evs  &
  61.239 -		Says B A (Crypt (serverK(NA,NB,M)) X) \<in> set evs"
  61.240 +                X = Hash{|Number SID, Nonce M,
  61.241 +                          Nonce NA, Number PA, Agent A,
  61.242 +                          Nonce NB, Number PB, Agent B|}  &
  61.243 +                Says A B (Crypt (clientK(NA,NB,M)) X) \<in> set evs  &
  61.244 +                Says B A (Crypt (serverK(NA,NB,M)) X) \<in> set evs"
  61.245  apply (intro exI bexI)
  61.246  apply (rule_tac [2] tls.ClientHello
  61.247                      [THEN tls.ServerHello,
  61.248 @@ -570,7 +570,7 @@
  61.249            (priK B \<in> KK | B \<in> bad)"
  61.250  apply (erule tls.induct)
  61.251  apply (simp_all (no_asm_simp)
  61.252 -		del: image_insert
  61.253 +                del: image_insert
  61.254                  add: image_Un [THEN sym]
  61.255                       insert_Key_image Un_assoc [THEN sym])
  61.256  txt{*Fake*}
  61.257 @@ -598,16 +598,16 @@
  61.258  lemma analz_image_keys [rule_format]:
  61.259       "evs \<in> tls ==>
  61.260        \<forall>KK. KK <= range sessionK -->
  61.261 -	      (Nonce N \<in> analz (Key`KK Un (spies evs))) =
  61.262 -	      (Nonce N \<in> analz (spies evs))"
  61.263 +              (Nonce N \<in> analz (Key`KK Un (spies evs))) =
  61.264 +              (Nonce N \<in> analz (spies evs))"
  61.265  apply (erule tls.induct, frule_tac [7] CX_KB_is_pubKB)
  61.266  apply (safe del: iffI)
  61.267  apply (safe del: impI iffI intro!: analz_image_keys_lemma)
  61.268  apply (simp_all (no_asm_simp)               (*faster*)
  61.269                  del: image_insert imp_disjL (*reduces blow-up*)
  61.270 -		add: image_Un [THEN sym]  Un_assoc [THEN sym]
  61.271 -		     insert_Key_singleton
  61.272 -		     range_sessionkeys_not_priK analz_image_priK)
  61.273 +                add: image_Un [THEN sym]  Un_assoc [THEN sym]
  61.274 +                     insert_Key_singleton
  61.275 +                     range_sessionkeys_not_priK analz_image_priK)
  61.276  apply (simp_all add: insert_absorb)
  61.277  txt{*Fake*}
  61.278  apply spy_analz
  61.279 @@ -901,11 +901,11 @@
  61.280             down to 433s on albatross*)
  61.281  
  61.282  (*5/5/01: conversion to Isar script
  61.283 -	  loads in 137s (perch)
  61.284 +          loads in 137s (perch)
  61.285            the last ML version loaded in 122s on perch, a 600MHz machine:
  61.286 -		twice as fast as pike.  No idea why it's so much slower!
  61.287 -	  The Isar script is slower still, perhaps because simp_all simplifies
  61.288 -	  the assumptions be default.
  61.289 +                twice as fast as pike.  No idea why it's so much slower!
  61.290 +          The Isar script is slower still, perhaps because simp_all simplifies
  61.291 +          the assumptions be default.
  61.292  *)
  61.293  
  61.294  end
    62.1 --- a/src/HOL/Auth/Yahalom.thy	Wed Oct 21 16:54:04 2009 +0200
    62.2 +++ b/src/HOL/Auth/Yahalom.thy	Wed Oct 21 16:57:57 2009 +0200
    62.3 @@ -58,7 +58,7 @@
    62.4             uses the new session key to send Bob his Nonce.  The premise
    62.5             @{term "A \<noteq> Server"} is needed for @{text Says_Server_not_range}.
    62.6             Alice can check that K is symmetric by its length.*}
    62.7 -	 "[| evs4 \<in> yahalom;  A \<noteq> Server;  K \<in> symKeys;
    62.8 +         "[| evs4 \<in> yahalom;  A \<noteq> Server;  K \<in> symKeys;
    62.9               Gets A {|Crypt(shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, X|}
   62.10                  \<in> set evs4;
   62.11               Says A B {|Agent A, Nonce NA|} \<in> set evs4 |]
   62.12 @@ -481,9 +481,9 @@
   62.13  text{*A vital theorem for B, that nonce NB remains secure from the Spy.*}
   62.14  lemma Spy_not_see_NB :
   62.15       "[| Says B Server
   62.16 -	        {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
   62.17 -	   \<in> set evs;
   62.18 -	 (\<forall>k. Notes Spy {|Nonce NA, Nonce NB, k|} \<notin> set evs);
   62.19 +                {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
   62.20 +           \<in> set evs;
   62.21 +         (\<forall>k. Notes Spy {|Nonce NA, Nonce NB, k|} \<notin> set evs);
   62.22           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
   62.23        ==> Nonce NB \<notin> analz (knows Spy evs)"
   62.24  apply (erule rev_mp, erule rev_mp)
    63.1 --- a/src/HOL/Auth/Yahalom2.thy	Wed Oct 21 16:54:04 2009 +0200
    63.2 +++ b/src/HOL/Auth/Yahalom2.thy	Wed Oct 21 16:57:57 2009 +0200
    63.3 @@ -51,7 +51,7 @@
    63.4             Both agents are quoted in the 2nd certificate to prevent attacks!*)
    63.5   | YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;
    63.6               Gets Server {|Agent B, Nonce NB,
    63.7 -			   Crypt (shrK B) {|Agent A, Nonce NA|}|}
    63.8 +                           Crypt (shrK B) {|Agent A, Nonce NA|}|}
    63.9                 \<in> set evs3 |]
   63.10            ==> Says Server A
   63.11                 {|Nonce NB,
    64.1 --- a/src/HOL/Auth/ZhouGollmann.thy	Wed Oct 21 16:54:04 2009 +0200
    64.2 +++ b/src/HOL/Auth/ZhouGollmann.thy	Wed Oct 21 16:57:57 2009 +0200
    64.3 @@ -35,7 +35,7 @@
    64.4    Nil:  "[] \<in> zg"
    64.5  
    64.6  | Fake: "[| evsf \<in> zg;  X \<in> synth (analz (spies evsf)) |]
    64.7 -	 ==> Says Spy B X  # evsf \<in> zg"
    64.8 +         ==> Says Spy B X  # evsf \<in> zg"
    64.9  
   64.10  | Reception:  "[| evsr \<in> zg; Says A B X \<in> set evsr |] ==> Gets B X # evsr \<in> zg"
   64.11  
   64.12 @@ -44,26 +44,26 @@
   64.13      We just assume that the protocol's objective is to deliver K fairly,
   64.14      rather than to keep M secret.*)
   64.15  | ZG1: "[| evs1 \<in> zg;  Nonce L \<notin> used evs1; C = Crypt K (Number m);
   64.16 -	   K \<in> symKeys;
   64.17 -	   NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}|]
   64.18 +           K \<in> symKeys;
   64.19 +           NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}|]
   64.20         ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} # evs1 \<in> zg"
   64.21  
   64.22    (*B must check that NRO is A's signature to learn the sender's name*)
   64.23  | ZG2: "[| evs2 \<in> zg;
   64.24 -	   Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs2;
   64.25 -	   NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|};
   64.26 -	   NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}|]
   64.27 +           Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs2;
   64.28 +           NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|};
   64.29 +           NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}|]
   64.30         ==> Says B A {|Number f_nrr, Agent A, Nonce L, NRR|} # evs2  \<in>  zg"
   64.31  
   64.32    (*A must check that NRR is B's signature to learn the sender's name;
   64.33      without spy, the matching label would be enough*)
   64.34  | ZG3: "[| evs3 \<in> zg; C = Crypt K M; K \<in> symKeys;
   64.35 -	   Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs3;
   64.36 -	   Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs3;
   64.37 -	   NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|};
   64.38 -	   sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}|]
   64.39 +           Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs3;
   64.40 +           Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs3;
   64.41 +           NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|};
   64.42 +           sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}|]
   64.43         ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|}
   64.44 -	     # evs3 \<in> zg"
   64.45 +             # evs3 \<in> zg"
   64.46  
   64.47   (*TTP checks that sub_K is A's signature to learn who issued K, then
   64.48     gives credentials to A and B.  The Notes event models the availability of
   64.49 @@ -72,15 +72,15 @@
   64.50     also allowing lemma @{text Crypt_used_imp_spies} to omit the condition
   64.51     @{term "K \<noteq> priK TTP"}. *)
   64.52  | ZG4: "[| evs4 \<in> zg; K \<in> symKeys;
   64.53 -	   Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|}
   64.54 -	     \<in> set evs4;
   64.55 -	   sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
   64.56 -	   con_K = Crypt (priK TTP) {|Number f_con, Agent A, Agent B,
   64.57 -				      Nonce L, Key K|}|]
   64.58 +           Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|}
   64.59 +             \<in> set evs4;
   64.60 +           sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
   64.61 +           con_K = Crypt (priK TTP) {|Number f_con, Agent A, Agent B,
   64.62 +                                      Nonce L, Key K|}|]
   64.63         ==> Says TTP Spy con_K
   64.64             #
   64.65 -	   Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K|}
   64.66 -	   # evs4 \<in> zg"
   64.67 +           Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K|}
   64.68 +           # evs4 \<in> zg"
   64.69  
   64.70  
   64.71  declare Says_imp_knows_Spy [THEN analz.Inj, dest]
    65.1 --- a/src/HOL/Bali/AxCompl.thy	Wed Oct 21 16:54:04 2009 +0200
    65.2 +++ b/src/HOL/Bali/AxCompl.thy	Wed Oct 21 16:57:57 2009 +0200
    65.3 @@ -319,13 +319,13 @@
    65.4        case 0
    65.5        with is_cls
    65.6        show ?thesis
    65.7 -	by - (rule ax_impossible [THEN conseq1],fastsimp dest: nyinitcls_emptyD)
    65.8 +        by - (rule ax_impossible [THEN conseq1],fastsimp dest: nyinitcls_emptyD)
    65.9      next
   65.10        case (Suc m)
   65.11        with mgf_hyp have mgf_hyp': "\<And> t. G,A\<turnstile>{=:m} t\<succ> {G\<rightarrow>}"
   65.12 -	by simp
   65.13 +        by simp
   65.14        from is_cls obtain c where c: "the (class G C) = c"
   65.15 -	by auto
   65.16 +        by auto
   65.17        let ?Q= "(\<lambda>Y s' (x,s) . 
   65.18            G\<turnstile> (x,init_class_obj G C s) 
   65.19               \<midarrow> (if C=Object then Skip else Init (super (the (class G C))))\<rightarrow> s'
   65.20 @@ -333,45 +333,45 @@
   65.21        from c
   65.22        show ?thesis
   65.23        proof (rule ax_derivs.Init [where ?Q="?Q"])
   65.24 -	let ?P' = "Normal ((\<lambda>Y s' s. s' = supd (init_class_obj G C) s 
   65.25 +        let ?P' = "Normal ((\<lambda>Y s' s. s' = supd (init_class_obj G C) s 
   65.26                             \<and> normal s \<and> \<not> initd C s) \<and>. G\<turnstile>init\<le>m)" 
   65.27 -	show "G,A\<turnstile>{Normal (?P \<and>. Not \<circ> initd C ;. supd (init_class_obj G C))}
   65.28 +        show "G,A\<turnstile>{Normal (?P \<and>. Not \<circ> initd C ;. supd (init_class_obj G C))}
   65.29                    .(if C = Object then Skip else Init (super c)). 
   65.30                    {?Q}"
   65.31 -	proof (rule conseq1 [where ?P'="?P'"])
   65.32 -	  show "G,A\<turnstile>{?P'} .(if C = Object then Skip else Init (super c)). {?Q}"
   65.33 -	  proof (cases "C=Object")
   65.34 -	    case True
   65.35 -	    have "G,A\<turnstile>{?P'} .Skip. {?Q}"
   65.36 -	      by (rule ax_derivs.Skip [THEN conseq1])
   65.37 -	         (auto simp add: True intro: eval.Skip)
   65.38 +        proof (rule conseq1 [where ?P'="?P'"])
   65.39 +          show "G,A\<turnstile>{?P'} .(if C = Object then Skip else Init (super c)). {?Q}"
   65.40 +          proof (cases "C=Object")
   65.41 +            case True
   65.42 +            have "G,A\<turnstile>{?P'} .Skip. {?Q}"
   65.43 +              by (rule ax_derivs.Skip [THEN conseq1])
   65.44 +                 (auto simp add: True intro: eval.Skip)
   65.45              with True show ?thesis 
   65.46 -	      by simp
   65.47 -	  next
   65.48 -	    case False
   65.49 -	    from mgf_hyp'
   65.50 -	    have "G,A\<turnstile>{?P'} .Init (super c). {?Q}"
   65.51 -	      by (rule MGFnD' [THEN conseq12]) (fastsimp simp add: False c)
   65.52 -	    with False show ?thesis
   65.53 -	      by simp
   65.54 -	  qed
   65.55 -	next
   65.56 -	  from Suc is_cls
   65.57 -	  show "Normal (?P \<and>. Not \<circ> initd C ;. supd (init_class_obj G C))
   65.58 +              by simp
   65.59 +          next
   65.60 +            case False
   65.61 +            from mgf_hyp'
   65.62 +            have "G,A\<turnstile>{?P'} .Init (super c). {?Q}"
   65.63 +              by (rule MGFnD' [THEN conseq12]) (fastsimp simp add: False c)
   65.64 +            with False show ?thesis
   65.65 +              by simp
   65.66 +          qed
   65.67 +        next
   65.68 +          from Suc is_cls
   65.69 +          show "Normal (?P \<and>. Not \<circ> initd C ;. supd (init_class_obj G C))
   65.70                  \<Rightarrow> ?P'"
   65.71 -	    by (fastsimp elim: nyinitcls_le_SucD)
   65.72 -	qed
   65.73 +            by (fastsimp elim: nyinitcls_le_SucD)
   65.74 +        qed
   65.75        next
   65.76 -	from mgf_hyp'
   65.77 -	show "\<forall>l. G,A\<turnstile>{?Q \<and>. (\<lambda>s. l = locals (snd s)) ;. set_lvars empty} 
   65.78 +        from mgf_hyp'
   65.79 +        show "\<forall>l. G,A\<turnstile>{?Q \<and>. (\<lambda>s. l = locals (snd s)) ;. set_lvars empty} 
   65.80                        .init c.
   65.81                        {set_lvars l .; ?R}"
   65.82 -	  apply (rule MGFnD' [THEN conseq12, THEN allI])
   65.83 -	  apply (clarsimp simp add: split_paired_all)
   65.84 -	  apply (rule eval.Init [OF c])
   65.85 -	  apply (insert c)
   65.86 -	  apply auto
   65.87 -	  done
   65.88 +          apply (rule MGFnD' [THEN conseq12, THEN allI])
   65.89 +          apply (clarsimp simp add: split_paired_all)
   65.90 +          apply (rule eval.Init [OF c])
   65.91 +          apply (insert c)
   65.92 +          apply auto
   65.93 +          done
   65.94        qed
   65.95      qed
   65.96      thus "G,A\<turnstile>{Normal ?P  \<and>. Not \<circ> initd C} .Init C. {?R}"
   65.97 @@ -399,7 +399,7 @@
   65.98                   mode: "mode = invmode statM e" and
   65.99                      T: "T =Inl (resTy statM)" and
  65.100          eq_accC_accC': "accC=accC'"
  65.101 -	by cases fastsimp+
  65.102 +        by cases fastsimp+
  65.103    let ?Q="(\<lambda>Y s1 (x,s) . x = None \<and> 
  65.104                (\<exists>a. G\<turnstile>Norm s \<midarrow>e-\<succ>a\<rightarrow> s1 \<and> 
  65.105                     (normal s1 \<longrightarrow> G, store s1\<turnstile>a\<Colon>\<preceq>RefT statT)
  65.106 @@ -435,29 +435,29 @@
  65.107                (\<exists>P. \<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P))
  65.108              \<and> s1\<Colon>\<preceq>(G, L)"
  65.109        proof -
  65.110 -	from da obtain C where
  65.111 -	  da_e:  "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>
  65.112 +        from da obtain C where
  65.113 +          da_e:  "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>
  65.114                      dom (locals (store ((Norm s0)::state)))\<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> C" and
  65.115 -	  da_ps: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> nrm C \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> E" 
  65.116 -	  by cases (simp add: eq_accC_accC')
  65.117 -	from eval_e conf_s0 wt_e da_e wf
  65.118 -	obtain "(abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT)"
  65.119 -	  and  "s1\<Colon>\<preceq>(G, L)"
  65.120 -	  by (rule eval_type_soundE) simp
  65.121 -	moreover
  65.122 -	{
  65.123 -	  assume normal_s1: "normal s1"
  65.124 -	  have "\<exists>P. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P"
  65.125 -	  proof -
  65.126 -	    from eval_e wt_e da_e wf normal_s1
  65.127 -	    have "nrm C \<subseteq>  dom (locals (store s1))"
  65.128 -	      by (cases rule: da_good_approxE') iprover
  65.129 -	    with da_ps show ?thesis
  65.130 -	      by (rule da_weakenE) iprover
  65.131 -	  qed
  65.132 -	}
  65.133 -	ultimately show ?thesis
  65.134 -	  using eq_accC_accC' by simp
  65.135 +          da_ps: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> nrm C \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> E" 
  65.136 +          by cases (simp add: eq_accC_accC')
  65.137 +        from eval_e conf_s0 wt_e da_e wf
  65.138 +        obtain "(abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT)"
  65.139 +          and  "s1\<Colon>\<preceq>(G, L)"
  65.140 +          by (rule eval_type_soundE) simp
  65.141 +        moreover
  65.142 +        {
  65.143 +          assume normal_s1: "normal s1"
  65.144 +          have "\<exists>P. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P"
  65.145 +          proof -
  65.146 +            from eval_e wt_e da_e wf normal_s1
  65.147 +            have "nrm C \<subseteq>  dom (locals (store s1))"
  65.148 +              by (cases rule: da_good_approxE') iprover
  65.149 +            with da_ps show ?thesis
  65.150 +              by (rule da_weakenE) iprover
  65.151 +          qed
  65.152 +        }
  65.153 +        ultimately show ?thesis
  65.154 +          using eq_accC_accC' by simp
  65.155        qed
  65.156      qed
  65.157    next
  65.158 @@ -467,36 +467,36 @@
  65.159        show "?PS a"
  65.160        proof (rule MGFnD' [OF mgf_ps, THEN conseq12],
  65.161               clarsimp simp add: eq_accC_accC' [symmetric])
  65.162 -	fix s0 s1 s2 vs
  65.163 -	assume conf_s1: "s1\<Colon>\<preceq>(G, L)"
  65.164 -	assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
  65.165 -	assume conf_a: "abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT"
  65.166 -	assume eval_ps: "G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2"
  65.167 -	assume da_ps: "abrupt s1 = None \<longrightarrow> 
  65.168 +        fix s0 s1 s2 vs
  65.169 +        assume conf_s1: "s1\<Colon>\<preceq>(G, L)"
  65.170 +        assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
  65.171 +        assume conf_a: "abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT"
  65.172 +        assume eval_ps: "G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2"
  65.173 +        assume da_ps: "abrupt s1 = None \<longrightarrow> 
  65.174                         (\<exists>P. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> 
  65.175                                 dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P)"
  65.176 -	show "(\<exists>s1. G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1 \<and>
  65.177 +        show "(\<exists>s1. G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1 \<and>
  65.178                  (abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT) \<and>
  65.179                  G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2) \<and>
  65.180                s2\<Colon>\<preceq>(G, L)"
  65.181 -	proof (cases "normal s1")
  65.182 -	  case True
  65.183 -	  with da_ps obtain P where
  65.184 -	   "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P"
  65.185 -	    by auto
  65.186 -	  from eval_ps conf_s1 wt_args this wf
  65.187 -	  have "s2\<Colon>\<preceq>(G, L)"
  65.188 -	    by (rule eval_type_soundE)
  65.189 -	  with eval_e conf_a eval_ps 
  65.190 -	  show ?thesis 
  65.191 -	    by auto
  65.192 -	next
  65.193 -	  case False
  65.194 -	  with eval_ps have "s2=s1" by auto
  65.195 -	  with eval_e conf_a eval_ps conf_s1 
  65.196 -	  show ?thesis 
  65.197 -	    by auto
  65.198 -	qed
  65.199 +        proof (cases "normal s1")
  65.200 +          case True
  65.201 +          with da_ps obtain P where
  65.202 +           "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P"
  65.203 +            by auto
  65.204 +          from eval_ps conf_s1 wt_args this wf
  65.205 +          have "s2\<Colon>\<preceq>(G, L)"
  65.206 +            by (rule eval_type_soundE)
  65.207 +          with eval_e conf_a eval_ps 
  65.208 +          show ?thesis 
  65.209 +            by auto
  65.210 +        next
  65.211 +          case False
  65.212 +          with eval_ps have "s2=s1" by auto
  65.213 +          with eval_e conf_a eval_ps conf_s1 
  65.214 +          show ?thesis 
  65.215 +            by auto
  65.216 +        qed
  65.217        qed
  65.218      qed
  65.219    next
  65.220 @@ -517,52 +517,52 @@
  65.221        from mgf_methds [rule_format]
  65.222        show "?METHD a vs invC declC l"
  65.223        proof (rule MGFnD' [THEN conseq12],clarsimp)
  65.224 -	fix s4 s2 s1::state
  65.225 -	fix s0 v
  65.226 -	let ?D= "invocation_declclass G mode (store s2) a statT 
  65.227 +        fix s4 s2 s1::state
  65.228 +        fix s0 v
  65.229 +        let ?D= "invocation_declclass G mode (store s2) a statT 
  65.230                      \<lparr>name=mn,parTs=pTs'\<rparr>"
  65.231 -	let ?s3= "init_lvars G ?D \<lparr>name=mn, parTs=pTs'\<rparr> mode a vs s2"
  65.232 -	assume inv_prop: "abrupt ?s3=None 
  65.233 +        let ?s3= "init_lvars G ?D \<lparr>name=mn, parTs=pTs'\<rparr> mode a vs s2"
  65.234 +        assume inv_prop: "abrupt ?s3=None 
  65.235               \<longrightarrow> G\<turnstile>mode\<rightarrow>invocation_class mode (store s2) a statT\<preceq>statT"
  65.236 -	assume conf_s2: "s2\<Colon>\<preceq>(G, L)"
  65.237 -	assume conf_a: "abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT"
  65.238 -	assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
  65.239 -	assume eval_ps: "G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2"
  65.240 -	assume eval_mthd: "G\<turnstile>?s3 \<midarrow>Methd ?D \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ>v\<rightarrow> s4"
  65.241 -	show "G\<turnstile>Norm s0 \<midarrow>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ>v
  65.242 +        assume conf_s2: "s2\<Colon>\<preceq>(G, L)"
  65.243 +        assume conf_a: "abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT"
  65.244 +        assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
  65.245 +        assume eval_ps: "G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2"
  65.246 +        assume eval_mthd: "G\<turnstile>?s3 \<midarrow>Methd ?D \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ>v\<rightarrow> s4"
  65.247 +        show "G\<turnstile>Norm s0 \<midarrow>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ>v
  65.248                          \<rightarrow> (set_lvars (locals (store s2))) s4"
  65.249 -	proof -
  65.250 -	  obtain D where D: "D=?D" by simp
  65.251 -	  obtain s3 where s3: "s3=?s3" by simp
  65.252 -	  obtain s3' where 
  65.253 -	    s3': "s3' = check_method_access G accC statT mode 
  65.254 +        proof -
  65.255 +          obtain D where D: "D=?D" by simp
  65.256 +          obtain s3 where s3: "s3=?s3" by simp
  65.257 +          obtain s3' where 
  65.258 +            s3': "s3' = check_method_access G accC statT mode 
  65.259                             \<lparr>name=mn,parTs=pTs'\<rparr> a s3"
  65.260 -	    by simp
  65.261 -	  have eq_s3'_s3: "s3'=s3"
  65.262 -	  proof -
  65.263 -	    from inv_prop s3 mode
  65.264 -	    have "normal s3 \<Longrightarrow> 
  65.265 +            by simp
  65.266 +          have eq_s3'_s3: "s3'=s3"
  65.267 +          proof -
  65.268 +            from inv_prop s3 mode
  65.269 +            have "normal s3 \<Longrightarrow> 
  65.270               G\<turnstile>invmode statM e\<rightarrow>invocation_class mode (store s2) a statT\<preceq>statT"
  65.271 -	      by auto
  65.272 -	    with eval_ps wt_e statM conf_s2 conf_a [rule_format] 
  65.273 -	    have "check_method_access G accC statT (invmode statM e)
  65.274 +              by auto
  65.275 +            with eval_ps wt_e statM conf_s2 conf_a [rule_format] 
  65.276 +            have "check_method_access G accC statT (invmode statM e)
  65.277                        \<lparr>name=mn,parTs=pTs'\<rparr> a s3 = s3"
  65.278 -	      by (rule error_free_call_access) (auto simp add: s3 mode wf)
  65.279 -	    thus ?thesis 
  65.280 -	      by (simp add: s3' mode)
  65.281 -	  qed
  65.282 -	  with eval_mthd D s3
  65.283 -	  have "G\<turnstile>s3' \<midarrow>Methd D \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ>v\<rightarrow> s4"
  65.284 -	    by simp
  65.285 -	  with eval_e eval_ps D _ s3' 
  65.286 -	  show ?thesis
  65.287 -	    by (rule eval_Call) (auto simp add: s3 mode D)
  65.288 -	qed
  65.289 +              by (rule error_free_call_access) (auto simp add: s3 mode wf)
  65.290 +            thus ?thesis 
  65.291 +              by (simp add: s3' mode)
  65.292 +          qed
  65.293 +          with eval_mthd D s3
  65.294 +          have "G\<turnstile>s3' \<midarrow>Methd D \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ>v\<rightarrow> s4"
  65.295 +            by simp
  65.296 +          with eval_e eval_ps D _ s3' 
  65.297 +          show ?thesis
  65.298 +            by (rule eval_Call) (auto simp add: s3 mode D)
  65.299 +        qed
  65.300        qed
  65.301      qed
  65.302    qed
  65.303  qed
  65.304 -	  	  
  65.305 +                  
  65.306  lemma eval_expression_no_jump':
  65.307    assumes eval: "G\<turnstile>s0 \<midarrow>e-\<succ>v\<rightarrow> s1"
  65.308    and   no_jmp: "abrupt s0 \<noteq> Some (Jump j)"
  65.309 @@ -610,36 +610,36 @@
  65.310        case True
  65.311        with normal_t eval_e normal_termination
  65.312        show ?thesis
  65.313 -	by (auto intro: eval.Loop)
  65.314 +        by (auto intro: eval.Loop)
  65.315      next
  65.316        case False
  65.317        note abrupt_s' = this
  65.318        from eval_e _ wt wf
  65.319        have no_cont: "abrupt s' \<noteq> Some (Jump (Cont l))"
  65.320 -	by (rule eval_expression_no_jump') (insert normal_t,simp)
  65.321 +        by (rule eval_expression_no_jump') (insert normal_t,simp)
  65.322        have
  65.323 -	"if the_Bool v 
  65.324 +        "if the_Bool v 
  65.325               then (G\<turnstile>s' \<midarrow>c\<rightarrow> s' \<and> 
  65.326                     G\<turnstile>(abupd (absorb (Cont l)) s') \<midarrow>l\<bullet> While(e) c\<rightarrow> s')
  65.327 -	     else s' = s'"
  65.328 +             else s' = s'"
  65.329        proof (cases "the_Bool v")
  65.330 -	case False thus ?thesis by simp
  65.331 +        case False thus ?thesis by simp
  65.332        next
  65.333 -	case True
  65.334 -	with abrupt_s' have "G\<turnstile>s' \<midarrow>c\<rightarrow> s'" by auto
  65.335 -	moreover from abrupt_s' no_cont 
  65.336 -	have no_absorb: "(abupd (absorb (Cont l)) s')=s'"
  65.337 -	  by (cases s') (simp add: absorb_def split: split_if)
  65.338 -	moreover
  65.339 -	from no_absorb abrupt_s'
  65.340 -	have "G\<turnstile>(abupd (absorb (Cont l)) s') \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
  65.341 -	  by auto
  65.342 -	ultimately show ?thesis
  65.343 -	  using True by simp
  65.344 +        case True
  65.345 +        with abrupt_s' have "G\<turnstile>s' \<midarrow>c\<rightarrow> s'" by auto
  65.346 +        moreover from abrupt_s' no_cont 
  65.347 +        have no_absorb: "(abupd (absorb (Cont l)) s')=s'"
  65.348 +          by (cases s') (simp add: absorb_def split: split_if)
  65.349 +        moreover
  65.350 +        from no_absorb abrupt_s'
  65.351 +        have "G\<turnstile>(abupd (absorb (Cont l)) s') \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
  65.352 +          by auto
  65.353 +        ultimately show ?thesis
  65.354 +          using True by simp
  65.355        qed
  65.356        with eval_e 
  65.357        show ?thesis
  65.358 -	using normal_t by (auto intro: eval.Loop)
  65.359 +        using normal_t by (auto intro: eval.Loop)
  65.360      qed
  65.361    qed
  65.362  next
  65.363 @@ -690,49 +690,49 @@
  65.364                                    Y = In1 b \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s')) 
  65.365                                \<and>. G\<turnstile>init\<le>n)\<leftarrow>=False\<down>=\<diamondsuit>}"
  65.366        proof (rule ax_derivs.Loop)
  65.367 -	from mfg_e
  65.368 -	show "G,A\<turnstile>{(\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n} 
  65.369 +        from mfg_e
  65.370 +        show "G,A\<turnstile>{(\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n} 
  65.371                     e-\<succ>
  65.372                    {(\<lambda>Y s' s. (\<exists>t b. (s, t) \<in> (unroll G l e c)\<^sup>* \<and> 
  65.373                                       Y = In1 b \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s')) 
  65.374                     \<and>. G\<turnstile>init\<le>n}"
  65.375 -	proof (rule MGFnD' [THEN conseq12],clarsimp)
  65.376 -	  fix s Z s' v
  65.377 -	  assume "(Z, s) \<in> (unroll G l e c)\<^sup>*"
  65.378 -	  moreover
  65.379 -	  assume "G\<turnstile>s \<midarrow>e-\<succ>v\<rightarrow> s'"
  65.380 -	  ultimately
  65.381 -	  show "\<exists>t. (Z, t) \<in> (unroll G l e c)\<^sup>* \<and> G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s'"
  65.382 -	    by blast
  65.383 -	qed
  65.384 +        proof (rule MGFnD' [THEN conseq12],clarsimp)
  65.385 +          fix s Z s' v
  65.386 +          assume "(Z, s) \<in> (unroll G l e c)\<^sup>*"
  65.387 +          moreover
  65.388 +          assume "G\<turnstile>s \<midarrow>e-\<succ>v\<rightarrow> s'"
  65.389 +          ultimately
  65.390 +          show "\<exists>t. (Z, t) \<in> (unroll G l e c)\<^sup>* \<and> G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s'"
  65.391 +            by blast
  65.392 +        qed
  65.393        next
  65.394 -	from mfg_c
  65.395 -	show "G,A\<turnstile>{Normal (((\<lambda>Y s' s. \<exists>t b. (s, t) \<in> (unroll G l e c)\<^sup>* \<and>
  65.396 +        from mfg_c
  65.397 +        show "G,A\<turnstile>{Normal (((\<lambda>Y s' s. \<exists>t b. (s, t) \<in> (unroll G l e c)\<^sup>* \<and>
  65.398                                         Y = \<lfloor>b\<rfloor>\<^sub>e \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s') 
  65.399                            \<and>. G\<turnstile>init\<le>n)\<leftarrow>=True)}
  65.400                    .c.
  65.401                    {abupd (absorb (Cont l)) .;
  65.402                     ((\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n)}"
  65.403 -	proof (rule MGFnD' [THEN conseq12],clarsimp)
  65.404 -	  fix Z s' s v t
  65.405 -	  assume unroll: "(Z, t) \<in> (unroll G l e c)\<^sup>*"
  65.406 -	  assume eval_e: "G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> Norm s" 
  65.407 -	  assume true: "the_Bool v"
  65.408 -	  assume eval_c: "G\<turnstile>Norm s \<midarrow>c\<rightarrow> s'"
  65.409 -	  show "(Z, abupd (absorb (Cont l)) s') \<in> (unroll G l e c)\<^sup>*"
  65.410 -	  proof -
  65.411 -	    note unroll
  65.412 -	    also
  65.413 -	    from eval_e true eval_c
  65.414 -	    have "(t,abupd (absorb (Cont l)) s') \<in> unroll G l e c" 
  65.415 -	      by (unfold unroll_def) force
  65.416 -	    ultimately show ?thesis ..
  65.417 -	  qed
  65.418 -	qed
  65.419 +        proof (rule MGFnD' [THEN conseq12],clarsimp)
  65.420 +          fix Z s' s v t
  65.421 +          assume unroll: "(Z, t) \<in> (unroll G l e c)\<^sup>*"
  65.422 +          assume eval_e: "G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> Norm s" 
  65.423 +          assume true: "the_Bool v"
  65.424 +          assume eval_c: "G\<turnstile>Norm s \<midarrow>c\<rightarrow> s'"
  65.425 +          show "(Z, abupd (absorb (Cont l)) s') \<in> (unroll G l e c)\<^sup>*"
  65.426 +          proof -
  65.427 +            note unroll
  65.428 +            also
  65.429 +            from eval_e true eval_c
  65.430 +            have "(t,abupd (absorb (Cont l)) s') \<in> unroll G l e c" 
  65.431 +              by (unfold unroll_def) force
  65.432 +            ultimately show ?thesis ..
  65.433 +          qed
  65.434 +        qed
  65.435        qed
  65.436      next
  65.437        show 
  65.438 -	"\<forall>Y s Z.
  65.439 +        "\<forall>Y s Z.
  65.440           (Normal ((\<lambda>Y' s' s. s' = s \<and> normal s) \<and>. G\<turnstile>init\<le>n)) Y s Z 
  65.441           \<longrightarrow> (\<forall>Y' s'.
  65.442                 (\<forall>Y Z'. 
  65.443 @@ -742,28 +742,28 @@
  65.444                       \<and>. G\<turnstile>init\<le>n)\<leftarrow>=False\<down>=\<diamondsuit>) Y' s' Z') 
  65.445                 \<longrightarrow> G\<turnstile>Z \<midarrow>\<langle>l\<bullet> While(e) c\<rangle>\<^sub>s\<succ>\<rightarrow> (Y', s'))"
  65.446        proof (clarsimp)
  65.447 -	fix Y' s' s
  65.448 -	assume asm:
  65.449 -	  "\<forall>Z'. (Z', Norm s) \<in> (unroll G l e c)\<^sup>* 
  65.450 +        fix Y' s' s
  65.451 +        assume asm:
  65.452 +          "\<forall>Z'. (Z', Norm s) \<in> (unroll G l e c)\<^sup>* 
  65.453                   \<longrightarrow> card (nyinitcls G s') \<le> n \<and>
  65.454                       (\<exists>v. (\<exists>t. (Z', t) \<in> (unroll G l e c)\<^sup>* \<and> G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s') \<and>
  65.455                       (fst s' = None \<longrightarrow> \<not> the_Bool v)) \<and> Y' = \<diamondsuit>"
  65.456 -	show "Y' = \<diamondsuit> \<and> G\<turnstile>Norm s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
  65.457 -	proof -
  65.458 -	  from asm obtain v t where 
  65.459 -	    -- {* @{term "Z'"} gets instantiated with @{term "Norm s"} *}  
  65.460 -	    unroll: "(Norm s, t) \<in> (unroll G l e c)\<^sup>*" and
  65.461 +        show "Y' = \<diamondsuit> \<and> G\<turnstile>Norm s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
  65.462 +        proof -
  65.463 +          from asm obtain v t where 
  65.464 +            -- {* @{term "Z'"} gets instantiated with @{term "Norm s"} *}  
  65.465 +            unroll: "(Norm s, t) \<in> (unroll G l e c)\<^sup>*" and
  65.466              eval_e: "G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s'" and
  65.467              normal_termination: "normal s' \<longrightarrow> \<not> the_Bool v" and
  65.468 -	     Y': "Y' = \<diamondsuit>"
  65.469 -	    by auto
  65.470 -	  from unroll eval_e normal_termination wt_e wf
  65.471 -	  have "G\<turnstile>Norm s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
  65.472 -	    by (rule unroll_while)
  65.473 -	  with Y' 
  65.474 -	  show ?thesis
  65.475 -	    by simp
  65.476 -	qed
  65.477 +             Y': "Y' = \<diamondsuit>"
  65.478 +            by auto
  65.479 +          from unroll eval_e normal_termination wt_e wf
  65.480 +          have "G\<turnstile>Norm s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
  65.481 +            by (rule unroll_while)
  65.482 +          with Y' 
  65.483 +          show ?thesis
  65.484 +            by simp
  65.485 +        qed
  65.486        qed
  65.487      qed
  65.488    qed
  65.489 @@ -810,39 +810,39 @@
  65.490        show "(\<exists>E. \<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals (store s')) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E) \<and>
  65.491              s'\<Colon>\<preceq>(G, L)"
  65.492        proof -
  65.493 -	from da 
  65.494 -	obtain E where
  65.495 -	  "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals s) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E"
  65.496 -	  by cases simp
  65.497 -	moreover
  65.498 -	from eval_init
  65.499 -	have "dom (locals s) \<subseteq> dom (locals (store s'))"
  65.500 -	  by (rule dom_locals_eval_mono [elim_format]) simp
  65.501 -	ultimately obtain E' where
  65.502 -	  "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals (store s')) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E'"
  65.503 -	  by (rule da_weakenE)
  65.504 -	moreover
  65.505 -	have "s'\<Colon>\<preceq>(G, L)"
  65.506 -	proof -
  65.507 -	  have wt_init: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>(Init statDeclC)\<Colon>\<surd>"
  65.508 -	  proof -
  65.509 -	    from wf wt_e 
  65.510 -	    have iscls_statC: "is_class G statC"
  65.511 -	      by (auto dest: ty_expr_is_type type_is_class)
  65.512 -	    with wf accfield 
  65.513 -	    have iscls_statDeclC: "is_class G statDeclC"
  65.514 -	      by (auto dest!: accfield_fields dest: fields_declC)
  65.515 -	    thus ?thesis by simp
  65.516 -	  qed
  65.517 -	  obtain I where 
  65.518 -	    da_init: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>
  65.519 +        from da 
  65.520 +        obtain E where
  65.521 +          "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals s) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E"
  65.522 +          by cases simp
  65.523 +        moreover
  65.524 +        from eval_init
  65.525 +        have "dom (locals s) \<subseteq> dom (locals (store s'))"
  65.526 +          by (rule dom_locals_eval_mono [elim_format]) simp
  65.527 +        ultimately obtain E' where
  65.528 +          "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals (store s')) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E'"
  65.529 +          by (rule da_weakenE)
  65.530 +        moreover
  65.531 +        have "s'\<Colon>\<preceq>(G, L)"
  65.532 +        proof -
  65.533 +          have wt_init: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>(Init statDeclC)\<Colon>\<surd>"
  65.534 +          proof -
  65.535 +            from wf wt_e 
  65.536 +            have iscls_statC: "is_class G statC"
  65.537 +              by (auto dest: ty_expr_is_type type_is_class)
  65.538 +            with wf accfield 
  65.539 +            have iscls_statDeclC: "is_class G statDeclC"
  65.540 +              by (auto dest!: accfield_fields dest: fields_declC)
  65.541 +            thus ?thesis by simp
  65.542 +          qed
  65.543 +          obtain I where 
  65.544 +            da_init: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>
  65.545                 \<turnstile> dom (locals (store ((Norm s)::state))) \<guillemotright>\<langle>Init statDeclC\<rangle>\<^sub>s\<guillemotright> I"
  65.546 -	    by (auto intro: da_Init [simplified] assigned.select_convs)
  65.547 -	  from eval_init conf_s wt_init da_init  wf
  65.548 -	  show ?thesis
  65.549 -	    by (rule eval_type_soundE)
  65.550 -	qed
  65.551 -	ultimately show ?thesis by iprover
  65.552 +            by (auto intro: da_Init [simplified] assigned.select_convs)
  65.553 +          from eval_init conf_s wt_init da_init  wf
  65.554 +          show ?thesis
  65.555 +            by (rule eval_type_soundE)
  65.556 +        qed
  65.557 +        ultimately show ?thesis by iprover
  65.558        qed
  65.559      qed
  65.560    next
  65.561 @@ -857,30 +857,30 @@
  65.562        assume da_e: "\<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E"
  65.563        show "G\<turnstile>Norm s0 \<midarrow>{accC,statDeclC,stat}e..fn=\<succ>fst ?fvar\<rightarrow> snd ?fvar"
  65.564        proof -
  65.565 -	obtain v s2' where
  65.566 -	  v: "v=fst ?fvar" and s2': "s2'=snd ?fvar"
  65.567 -	  by simp
  65.568 -	obtain s3 where
  65.569 -	  s3: "s3= check_field_access G accC' statDeclC fn stat a s2'"
  65.570 -	  by simp
  65.571 -	have eq_s3_s2': "s3=s2'"
  65.572 -	proof -
  65.573 -	  from eval_e conf_s1 wt_e da_e wf obtain
  65.574 -	    conf_s2: "s2\<Colon>\<preceq>(G, L)"  and
  65.575 -	    conf_a: "normal s2 \<Longrightarrow> G,store s2\<turnstile>a\<Colon>\<preceq>Class statC"
  65.576 -	    by (rule eval_type_soundE) simp
  65.577 -	  from accfield wt_e eval_init eval_e conf_s2 conf_a _ wf
  65.578 -	  show ?thesis
  65.579 -	    by (rule  error_free_field_access 
  65.580 +        obtain v s2' where
  65.581 +          v: "v=fst ?fvar" and s2': "s2'=snd ?fvar"
  65.582 +          by simp
  65.583 +        obtain s3 where
  65.584 +          s3: "s3= check_field_access G accC' statDeclC fn stat a s2'"
  65.585 +          by simp
  65.586 +        have eq_s3_s2': "s3=s2'"
  65.587 +        proof -
  65.588 +          from eval_e conf_s1 wt_e da_e wf obtain
  65.589 +            conf_s2: "s2\<Colon>\<preceq>(G, L)"  and
  65.590 +            conf_a: "normal s2 \<Longrightarrow> G,store s2\<turnstile>a\<Colon>\<preceq>Class statC"
  65.591 +            by (rule eval_type_soundE) simp
  65.592 +          from accfield wt_e eval_init eval_e conf_s2 conf_a _ wf
  65.593 +          show ?thesis
  65.594 +            by (rule  error_free_field_access 
  65.595                        [where ?v=v and ?s2'=s2',elim_format])
  65.596 -	       (simp add: s3 v s2' stat)+
  65.597 +               (simp add: s3 v s2' stat)+
  65.598          qed
  65.599 -	from eval_init eval_e 
  65.600 -	show ?thesis
  65.601 -	  apply (rule eval.FVar [where ?s2'=s2'])
  65.602 -	  apply  (simp add: s2')
  65.603 -	  apply  (simp add: s3 [symmetric]   eq_s3_s2' eq_accC s2' [symmetric])
  65.604 -	  done
  65.605 +        from eval_init eval_e 
  65.606 +        show ?thesis
  65.607 +          apply (rule eval.FVar [where ?s2'=s2'])
  65.608 +          apply  (simp add: s2')
  65.609 +          apply  (simp add: s3 [symmetric]   eq_s3_s2' eq_accC s2' [symmetric])
  65.610 +          done
  65.611        qed
  65.612      qed
  65.613    qed
  65.614 @@ -918,7 +918,7 @@
  65.615        fix s0
  65.616        assume "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>c1 Finally c2\<rangle>\<^sub>s\<guillemotright> C"
  65.617        thus "\<exists>C1. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>c1\<rangle>\<^sub>s\<guillemotright> C1"
  65.618 -	by cases (auto simp add: inj_term_simps)
  65.619 +        by cases (auto simp add: inj_term_simps)
  65.620      qed
  65.621    next
  65.622      from mgf_c2
  65.623 @@ -933,25 +933,25 @@
  65.624        show "G\<turnstile>Norm s0 \<midarrow>c1 Finally c2
  65.625                 \<rightarrow> abupd (abrupt_if (\<exists>y. abrupt s1 = Some y) (abrupt s1)) s2"
  65.626        proof -
  65.627 -	obtain abr1 str1 where s1: "s1=(abr1,str1)"
  65.628 -	  by (cases s1)
  65.629 -	with eval_c1 eval_c2 obtain
  65.630 -	  eval_c1': "G\<turnstile>Norm s0 \<midarrow>c1\<rightarrow> (abr1,str1)" and
  65.631 -	  eval_c2': "G\<turnstile>Norm str1 \<midarrow>c2\<rightarrow> s2"
  65.632 -	  by simp
  65.633 -	obtain s3 where 
  65.634 -	  s3: "s3 = (if \<exists>err. abr1 = Some (Error err) 
  65.635 -	                then (abr1, str1)
  65.636 +        obtain abr1 str1 where s1: "s1=(abr1,str1)"
  65.637 +          by (cases s1)
  65.638 +        with eval_c1 eval_c2 obtain
  65.639 +          eval_c1': "G\<turnstile>Norm s0 \<midarrow>c1\<rightarrow> (abr1,str1)" and
  65.640 +          eval_c2': "G\<turnstile>Norm str1 \<midarrow>c2\<rightarrow> s2"
  65.641 +          by simp
  65.642 +        obtain s3 where 
  65.643 +          s3: "s3 = (if \<exists>err. abr1 = Some (Error err) 
  65.644 +                        then (abr1, str1)
  65.645                          else abupd (abrupt_if (abr1 \<noteq> None) abr1) s2)"
  65.646 -	  by simp
  65.647 -	from eval_c1' conf_s0 wt_c1 _ wf 
  65.648 -	have "error_free (abr1,str1)"
  65.649 -	  by (rule eval_type_soundE) (insert da_c1,auto)
  65.650 -	with s3 have eq_s3: "s3=abupd (abrupt_if (abr1 \<noteq> None) abr1) s2"
  65.651 -	  by (simp add: error_free_def)
  65.652 -	from eval_c1' eval_c2' s3
  65.653 -	show ?thesis
  65.654 -	  by (rule eval.Fin [elim_format]) (simp add: s1 eq_s3)
  65.655 +          by simp
  65.656 +        from eval_c1' conf_s0 wt_c1 _ wf 
  65.657 +        have "error_free (abr1,str1)"
  65.658 +          by (rule eval_type_soundE) (insert da_c1,auto)
  65.659 +        with s3 have eq_s3: "s3=abupd (abrupt_if (abr1 \<noteq> None) abr1) s2"
  65.660 +          by (simp add: error_free_def)
  65.661 +        from eval_c1' eval_c2' s3
  65.662 +        show ?thesis
  65.663 +          by (rule eval.Fin [elim_format]) (simp add: s1 eq_s3)
  65.664        qed
  65.665      qed 
  65.666    qed
  65.667 @@ -1009,7 +1009,7 @@
  65.668        fix s0
  65.669        assume da: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>Body D c\<rangle>\<^sub>e\<guillemotright> E"
  65.670        thus "jumpNestingOkS {Ret} c"
  65.671 -	by cases simp
  65.672 +        by cases simp
  65.673      qed
  65.674    next
  65.675      from mgf_c
  65.676 @@ -1022,22 +1022,22 @@
  65.677        show "G\<turnstile>Norm s0 \<midarrow>Body D c-\<succ>the (locals (store s2) Result)
  65.678                \<rightarrow> abupd (absorb Ret) s2"
  65.679        proof -
  65.680 -	from wt obtain d where 
  65.681 +        from wt obtain d where 
  65.682            d: "class G D=Some d" and
  65.683            wt_c: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c\<Colon>\<surd>"
  65.684 -	  by cases auto
  65.685 -	obtain s3 where 
  65.686 -	  s3: "s3= (if \<exists>l. fst s2 = Some (Jump (Break l)) \<or>
  65.687 +          by cases auto
  65.688 +        obtain s3 where 
  65.689 +          s3: "s3= (if \<exists>l. fst s2 = Some (Jump (Break l)) \<or>
  65.690                             fst s2 = Some (Jump (Cont l))
  65.691                         then abupd (\<lambda>x. Some (Error CrossMethodJump)) s2 
  65.692                         else s2)"
  65.693 -	  by simp
  65.694 -	from eval_init eval_c nestingOk wt_c d wf
  65.695 -	have eq_s3_s2: "s3=s2"
  65.696 -	  by (rule Body_no_break [elim_format]) (simp add: s3)
  65.697 -	from eval_init eval_c s3
  65.698 -	show ?thesis
  65.699 -	  by (rule eval.Body [elim_format]) (simp add: eq_s3_s2)
  65.700 +          by simp
  65.701 +        from eval_init eval_c nestingOk wt_c d wf
  65.702 +        have eq_s3_s2: "s3=s2"
  65.703 +          by (rule Body_no_break [elim_format]) (simp add: s3)
  65.704 +        from eval_init eval_c s3
  65.705 +        show ?thesis
  65.706 +          by (rule eval.Body [elim_format]) (simp add: eq_s3_s2)
  65.707        qed
  65.708      qed
  65.709    qed
  65.710 @@ -1062,312 +1062,312 @@
  65.711      proof (induct rule: var_expr_stmt.inducts)
  65.712        case (LVar v)
  65.713        show "G,A\<turnstile>{=:n} \<langle>LVar v\<rangle>\<^sub>v\<succ> {G\<rightarrow>}"
  65.714 -	apply (rule MGFn_NormalI)
  65.715 -	apply (rule ax_derivs.LVar [THEN conseq1])
  65.716 -	apply (clarsimp)
  65.717 -	apply (rule eval.LVar)
  65.718 -	done
  65.719 +        apply (rule MGFn_NormalI)
  65.720 +        apply (rule ax_derivs.LVar [THEN conseq1])
  65.721 +        apply (clarsimp)
  65.722 +        apply (rule eval.LVar)
  65.723 +        done
  65.724      next
  65.725        case (FVar accC statDeclC stat e fn)
  65.726        from MGFn_Init [OF hyp] and `G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}` and wf
  65.727        show ?case
  65.728 -	by (rule MGFn_FVar)
  65.729 +        by (rule MGFn_FVar)
  65.730      next
  65.731        case (AVar e1 e2)
  65.732        note mgf_e1 = `G,A\<turnstile>{=:n} \<langle>e1\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
  65.733        note mgf_e2 = `G,A\<turnstile>{=:n} \<langle>e2\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
  65.734        show "G,A\<turnstile>{=:n} \<langle>e1.[e2]\<rangle>\<^sub>v\<succ> {G\<rightarrow>}"
  65.735 -	apply (rule MGFn_NormalI)
  65.736 -	apply (rule ax_derivs.AVar)
  65.737 -	apply  (rule MGFnD [OF mgf_e1, THEN ax_NormalD])
  65.738 -	apply (rule allI)
  65.739 -	apply (rule MGFnD' [OF mgf_e2, THEN conseq12])
  65.740 -	apply (fastsimp intro: eval.AVar)
  65.741 -	done
  65.742 +        apply (rule MGFn_NormalI)
  65.743 +        apply (rule ax_derivs.AVar)
  65.744 +        apply  (rule MGFnD [OF mgf_e1, THEN ax_NormalD])
  65.745 +        apply (rule allI)
  65.746 +        apply (rule MGFnD' [OF mgf_e2, THEN conseq12])
  65.747 +        apply (fastsimp intro: eval.AVar)
  65.748 +        done
  65.749      next
  65.750        case (InsInitV c v)
  65.751        show ?case
  65.752 -	by (rule MGFn_NormalI) (rule ax_derivs.InsInitV)
  65.753 +        by (rule MGFn_NormalI) (rule ax_derivs.InsInitV)
  65.754      next
  65.755        case (NewC C)
  65.756        show ?case
  65.757 -	apply (rule MGFn_NormalI)
  65.758 -	apply (rule ax_derivs.NewC)
  65.759 -	apply (rule MGFn_InitD [OF hyp, THEN conseq2])
  65.760 -	apply (fastsimp intro: eval.NewC)
  65.761 -	done
  65.762 +        apply (rule MGFn_NormalI)
  65.763 +        apply (rule ax_derivs.NewC)
  65.764 +        apply (rule MGFn_InitD [OF hyp, THEN conseq2])
  65.765 +        apply (fastsimp intro: eval.NewC)
  65.766 +        done
  65.767      next
  65.768        case (NewA T e)
  65.769        thus ?case
  65.770 -	apply -
  65.771 -	apply (rule MGFn_NormalI) 
  65.772 -	apply (rule ax_derivs.NewA 
  65.773 +        apply -
  65.774 +        apply (rule MGFn_NormalI) 
  65.775 +        apply (rule ax_derivs.NewA 
  65.776                 [where ?Q = "(\<lambda>Y' s' s. normal s \<and> G\<turnstile>s \<midarrow>In1r (init_comp_ty T) 
  65.777                                \<succ>\<rightarrow> (Y',s')) \<and>. G\<turnstile>init\<le>n"])
  65.778 -	apply  (simp add: init_comp_ty_def split add: split_if)
  65.779 -	apply  (rule conjI, clarsimp)
  65.780 -	apply   (rule MGFn_InitD [OF hyp, THEN conseq2])
  65.781 -	apply   (clarsimp intro: eval.Init)
  65.782 -	apply  clarsimp
  65.783 -	apply  (rule ax_derivs.Skip [THEN conseq1])
  65.784 -	apply  (clarsimp intro: eval.Skip)
  65.785 -	apply (erule MGFnD' [THEN conseq12])
  65.786 -	apply (fastsimp intro: eval.NewA)
  65.787 -	done
  65.788 +        apply  (simp add: init_comp_ty_def split add: split_if)
  65.789 +        apply  (rule conjI, clarsimp)
  65.790 +        apply   (rule MGFn_InitD [OF hyp, THEN conseq2])
  65.791 +        apply   (clarsimp intro: eval.Init)
  65.792 +        apply  clarsimp
  65.793 +        apply  (rule ax_derivs.Skip [THEN conseq1])
  65.794 +        apply  (clarsimp intro: eval.Skip)
  65.795 +        apply (erule MGFnD' [THEN conseq12])
  65.796 +        apply (fastsimp intro: eval.NewA)
  65.797 +        done
  65.798      next
  65.799        case (Cast C e)
  65.800        thus ?case
  65.801 -	apply -
  65.802 -	apply (rule MGFn_NormalI)
  65.803 -	apply (erule MGFnD'[THEN conseq12,THEN ax_derivs.Cast])
  65.804 -	apply (fastsimp intro: eval.Cast)
  65.805 -	done