Conversion of ZF/UNITY/{FP,Union} to Isar script.
authorpaulson
Tue Jul 08 11:44:30 2003 +0200 (2003-07-08)
changeset 1409268da54626309
parent 14091 ad6ba9c55190
child 14093 24382760fd89
Conversion of ZF/UNITY/{FP,Union} to Isar script.
Introduction of X-symbols to the ML files.
src/ZF/IsaMakefile
src/ZF/UNITY/Comp.ML
src/ZF/UNITY/Constrains.ML
src/ZF/UNITY/FP.ML
src/ZF/UNITY/FP.thy
src/ZF/UNITY/Follows.ML
src/ZF/UNITY/GenPrefix.ML
src/ZF/UNITY/Guar.ML
src/ZF/UNITY/Increasing.ML
src/ZF/UNITY/Monotonicity.ML
src/ZF/UNITY/MultisetSum.ML
src/ZF/UNITY/Mutex.ML
src/ZF/UNITY/SubstAx.ML
src/ZF/UNITY/Union.ML
src/ZF/UNITY/Union.thy
src/ZF/UNITY/WFair.ML
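--- a/src/ZF/IsaMakefile
+++ b/src/ZF/IsaMakefile
@@ -116,10 +116,9 @@
 
 $(LOG)/ZF-UNITY.gz: $(OUT)/ZF UNITY/ROOT.ML \
   UNITY/Comp.ML UNITY/Comp.thy UNITY/Constrains.ML UNITY/Constrains.thy \
-  UNITY/FP.ML UNITY/FP.thy UNITY/Guar.ML UNITY/Guar.thy \
+  UNITY/FP.thy UNITY/Guar.ML UNITY/Guar.thy \
   UNITY/Mutex.ML UNITY/Mutex.thy UNITY/State.thy \
-  UNITY/SubstAx.ML UNITY/SubstAx.thy UNITY/UNITY.thy \
-  UNITY/Union.ML UNITY/Union.thy \
+  UNITY/SubstAx.ML UNITY/SubstAx.thy UNITY/UNITY.thy UNITY/Union.thy \
   UNITY/AllocBase.thy UNITY/AllocImpl.thy\
   UNITY/ClientImpl.thy UNITY/Distributor.thy\
   UNITY/Follows.ML UNITY/Follows.thy\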
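--- a/src/ZF/UNITY/Comp.ML
+++ b/src/ZF/UNITY/Comp.ML
@@ -1,5 +1,5 @@
 (*  Title:      ZF/UNITY/Comp.ML
-    ID:         $Id$
+    ID:         $Id \\<in> Comp.ML,v 1.8 2003/06/27 16:40:25 paulson Exp $
     Author:     Sidi O Ehmety, Computer Laboratory
     Copyright   1998  University of Cambridge
 Composition
@@ -20,7 +20,7 @@
 qed "componentI";
 
 Goalw [component_def]
-     "G:program ==> (F component G) <-> \
+     "G \\<in> program ==> (F component G) <-> \
 \  (Init(G) <= Init(F) & Acts(F) <= Acts(G) & AllowedActs(G) <= AllowedActs(F))";
 by Auto_tac;
 by (rtac exI 1);
@@ -29,13 +29,13 @@
 qed "component_eq_subset";
 
 Goalw [component_def] 
-   "F:program ==> SKIP component F";
+   "F \\<in> program ==> SKIP component F";
 by (res_inst_tac [("x", "F")] exI 1);
 by (force_tac (claset() addIs [Join_SKIP_left], simpset()) 1);
 qed "component_SKIP";
 
 Goalw [component_def] 
-"F:program ==> F component F";
+"F \\<in> program ==> F component F";
 by (res_inst_tac  [("x", "F")] exI 1);
 by (force_tac (claset() addIs [Join_SKIP_right], simpset()) 1);
 qed "component_refl";
@@ -66,7 +66,7 @@
 by (auto_tac (claset(), simpset() addsimps Join_ac@[component_def]));
 qed "Join_absorb2";
 
-Goal "H:program==>(JOIN(I,F) component H) <-> (ALL i:I. F(i) component H)";
+Goal "H \\<in> program==>(JOIN(I,F) component H) <-> (\\<forall>i \\<in> I. F(i) component H)";
 by (case_tac "I=0" 1);
 by (Force_tac 1);
 by (asm_simp_tac (simpset() addsimps [component_eq_subset]) 1);
@@ -77,7 +77,7 @@
 by (REPEAT(blast_tac (claset() addSEs [not_emptyE]) 1));
 qed "JN_component_iff";
 
-Goalw [component_def] "i:I ==> F(i) component (JN i:I. (F(i)))";
+Goalw [component_def] "i \\<in> I ==> F(i) component (\\<Squnion>i \\<in> I. (F(i)))";
 by (blast_tac (claset() addIs [JN_absorb]) 1);
 qed "component_JN";
 
@@ -85,19 +85,19 @@
 by (blast_tac (claset() addIs [Join_assoc RS sym]) 1);
 qed "component_trans";
 
-Goal "[| F:program; G:program |] ==>(F component G & G  component F) --> F = G";
+Goal "[| F \\<in> program; G \\<in> program |] ==>(F component G & G  component F) --> F = G";
 by (asm_simp_tac (simpset() addsimps [component_eq_subset]) 1);
 by (Clarify_tac 1);
 by (rtac program_equalityI 1);
 by Auto_tac;
 qed "component_antisym";
 
-Goal "H:program ==> ((F Join G) component H) <-> (F component H & G component H)";
+Goal "H \\<in> program ==> ((F Join G) component H) <-> (F component H & G component H)";
 by (asm_simp_tac (simpset() addsimps [component_eq_subset]) 1);
 by (Blast_tac 1);
 qed "Join_component_iff";
 
-Goal "[| F component G; G:A co B; F:program |] ==> F : A co B";
+Goal "[| F component G; G \\<in> A co B; F \\<in> program |] ==> F \\<in> A co B";
 by (ftac constrainsD2 1);
 by (rotate_tac ~1 1);
 by (auto_tac (claset(), 
@@ -119,15 +119,15 @@
 
 
 val prems = Goalw [preserves_def] 
-"ALL z. F:stable({s:state. f(s) = z})  ==> F:preserves(f)";
+"\\<forall>z. F \\<in> stable({s \\<in> state. f(s) = z})  ==> F \\<in> preserves(f)";
 by Auto_tac;
 by (blast_tac (claset() addDs [stableD2]) 1);
 qed "preserves_aux";
 bind_thm("preservesI", allI RS preserves_aux);
 
 Goalw [preserves_def, stable_def, constrains_def]
-     "[| F:preserves(f);  act : Acts(F);  <s,t> : act |] ==> f(s) = f(t)";
-by (subgoal_tac "s:state & t:state" 1);
+     "[| F \\<in> preserves(f);  act \\<in> Acts(F);  <s,t> \\<in> act |] ==> f(s) = f(t)";
+by (subgoal_tac "s \\<in> state & t \\<in> state" 1);
 by (blast_tac (claset() addSDs [Acts_type RS subsetD]) 2);
 by Auto_tac;
 by (dres_inst_tac [("x", "f(s)")] spec 1);
@@ -136,16 +136,16 @@
 qed "preserves_imp_eq";
 
 Goalw [preserves_def]
-"(F Join G : preserves(v)) <->  \
-\     (programify(F) : preserves(v) & programify(G) : preserves(v))";
+"(F Join G \\<in> preserves(v)) <->  \
+\     (programify(F) \\<in> preserves(v) & programify(G) \\<in> preserves(v))";
 by (auto_tac (claset(), simpset() addsimps [INT_iff]));
 qed "Join_preserves";
  
-Goal "(JOIN(I,F): preserves(v)) <-> (ALL i:I. programify(F(i)):preserves(v))";
+Goal "(JOIN(I,F): preserves(v)) <-> (\\<forall>i \\<in> I. programify(F(i)):preserves(v))";
 by (auto_tac (claset(), simpset() addsimps [JN_stable, preserves_def, INT_iff]));
 qed "JN_preserves";
 
-Goal "SKIP : preserves(v)";
+Goal "SKIP \\<in> preserves(v)";
 by (auto_tac (claset(), simpset() addsimps [preserves_def, INT_iff]));
 qed "SKIP_preserves";
 
@@ -163,7 +163,7 @@
 by (REPEAT(Blast_tac 1));
 qed "preserves_fun_pair";
 
-Goal "F:preserves(fun_pair(v, w))  <-> F:preserves(v) Int preserves(w)";
+Goal "F \\<in> preserves(fun_pair(v, w))  <-> F \\<in> preserves(v) Int preserves(w)";
 by (simp_tac (simpset() addsimps [preserves_fun_pair]) 1);
 qed "preserves_fun_pair_iff";
 AddIffs [preserves_fun_pair_iff];
@@ -182,7 +182,7 @@
 by Auto_tac;
 qed "preserves_type";
 
-Goal "F:preserves(f) ==> F:program";
+Goal "F \\<in> preserves(f) ==> F \\<in> program";
 by (blast_tac (claset() addIs [preserves_type RS subsetD]) 1);
 qed "preserves_into_program";
 AddTCs [preserves_into_program];
@@ -195,11 +195,11 @@
 by Auto_tac;
 qed "subset_preserves_comp";
 
-Goal "F:preserves(f) ==> F:preserves(g comp f)";
+Goal "F \\<in> preserves(f) ==> F \\<in> preserves(g comp f)";
 by (blast_tac (claset() addIs [subset_preserves_comp RS subsetD]) 1);
 qed "imp_preserves_comp";
 
-Goal "preserves(f) <= stable({s:state. P(f(s))})";
+Goal "preserves(f) <= stable({s \\<in> state. P(f(s))})";
 by (auto_tac (claset(),
               simpset() addsimps [preserves_def, stable_def, constrains_def]));
 by (rename_tac "s' s" 1);
@@ -207,12 +207,12 @@
 by (ALLGOALS Force_tac);
 qed "preserves_subset_stable";
 
-Goal "F:preserves(f) ==> F:stable({s:state. P(f(s))})";
+Goal "F \\<in> preserves(f) ==> F \\<in> stable({s \\<in> state. P(f(s))})";
 by (blast_tac (claset() addIs [preserves_subset_stable RS subsetD]) 1);
 qed "preserves_imp_stable";
 
 Goalw  [increasing_def]
- "[| F:preserves(f); ALL x:state. f(x):A |] ==> F:Increasing.increasing(A, r, f)";
+ "[| F \\<in> preserves(f); \\<forall>x \\<in> state. f(x):A |] ==> F \\<in> Increasing.increasing(A, r, f)";
 by (auto_tac (claset() addIs [preserves_into_program],
               simpset()));
 by (res_inst_tac [("P", "%x. <k, x>:r")]  preserves_imp_stable 1);
@@ -227,7 +227,7 @@
 by (auto_tac (claset() addDs [ActsD], simpset()));
 qed "preserves_id_subset_stable";
 
-Goal "[| F:preserves(%x. x); st_set(A) |] ==> F:stable(A)";
+Goal "[| F \\<in> preserves(%x. x); st_set(A) |] ==> F \\<in> stable(A)";
 by (blast_tac (claset() addIs [preserves_id_subset_stable RS subsetD]) 1);
 qed "preserves_id_imp_stable";
 
@@ -242,13 +242,13 @@
 
 (* component_of satisfies many of component's properties *)
 Goalw [component_of_def]
-"F:program ==> F component_of F";
+"F \\<in> program ==> F component_of F";
 by (res_inst_tac [("x", "SKIP")] exI 1);
 by Auto_tac;
 qed "component_of_refl";
 
 Goalw [component_of_def]
-"F:program ==>SKIP component_of F";
+"F \\<in> program ==>SKIP component_of F";
 by Auto_tac;
 by (res_inst_tac [("x", "F")] exI 1);
 by Auto_tac;
@@ -272,7 +272,7 @@
 qed "localize_Acts_eq";
 
 Goalw [localize_def]
- "AllowedActs(localize(v,F)) = AllowedActs(F) Int (UN G:preserves(v). Acts(G))";
+ "AllowedActs(localize(v,F)) = AllowedActs(F) Int (\\<Union>G \\<in> preserves(v). Acts(G))";
 by (rtac equalityI 1);
 by (auto_tac (claset() addDs [Acts_type RS subsetD], simpset()));
 qed "localize_AllowedActs_eq";
@@ -282,21 +282,21 @@
 (** Theorems used in ClientImpl **)
 
 Goal
- "[| F:stable({s:state. P(f(s), g(s))});  G:preserves(f);  G:preserves(g) |] \
-\     ==> F Join G : stable({s:state. P(f(s), g(s))})";
+ "[| F \\<in> stable({s \\<in> state. P(f(s), g(s))});  G \\<in> preserves(f);  G \\<in> preserves(g) |] \
+\     ==> F Join G \\<in> stable({s \\<in> state. P(f(s), g(s))})";
 by (auto_tac (claset() addDs [ActsD, preserves_into_program], 
               simpset() addsimps [stable_def, constrains_def]));
-by (case_tac "act:Acts(F)" 1);
+by (case_tac "act \\<in> Acts(F)" 1);
 by Auto_tac;
 by (dtac preserves_imp_eq 1);
 by (dtac preserves_imp_eq 3);
 by Auto_tac;
 qed "stable_localTo_stable2";
 
-Goal "[| F : stable({s:state. <f(s), g(s)>:r});  G:preserves(f);   \
-\        F Join G : Increasing(A, r, g); \
-\        ALL x:state. f(x):A & g(x):A |]     \
-\     ==> F Join G : Stable({s:state. <f(s), g(s)>:r})";
+Goal "[| F \\<in> stable({s \\<in> state. <f(s), g(s)>:r});  G \\<in> preserves(f);   \
+\        F Join G \\<in> Increasing(A, r, g); \
+\        \\<forall>x \\<in> state. f(x):A & g(x):A |]     \
+\     ==> F Join G \\<in> Stable({s \\<in> state. <f(s), g(s)>:r})";
 by (auto_tac (claset(), 
               simpset() addsimps [stable_def, Stable_def, Increasing_def, 
                                   Constrains_def, all_conj_distrib]));
@@ -308,8 +308,8 @@
               simpset() addsimps [preserves_def, stable_def, constrains_def,
                                   ball_conj_distrib, all_conj_distrib]));
 (*We have a G-action, so delete assumptions about F-actions*)
-by (thin_tac "ALL act:Acts(F). ?P(act)" 1);
-by (thin_tac "\\<forall>k\\<in>A. ALL act:Acts(F). ?P(k,act)" 1);
+by (thin_tac "\\<forall>act \\<in> Acts(F). ?P(act)" 1);
+by (thin_tac "\\<forall>k\\<in>A. \\<forall>act \\<in> Acts(F). ?P(k,act)" 1);
 by (subgoal_tac "f(x) = f(xa)" 1);
 by (auto_tac (claset() addSDs [bspec], simpset())); 
 qed "Increasing_preserves_Stable";
@@ -318,24 +318,24 @@
 (** Lemma used in AllocImpl **)
 
 Goalw [Constrains_def, constrains_def] 
-"[| ALL x:I. F: A(x) Co B; F:program |] ==> F:(UN x:I. A(x)) Co B";
+"[| \\<forall>x \\<in> I. F \\<in> A(x) Co B; F \\<in> program |] ==> F:(\\<Union>x \\<in> I. A(x)) Co B";
 by Auto_tac;
 qed "Constrains_UN_left";
 
 Goalw [stable_def, Stable_def, preserves_def]
- "[| F:stable({s:state. P(f(s), g(s))}); \
-\    ALL k:A. F Join G: Stable({s:state. P(k, g(s))}); \
-\   G:preserves(f); ALL s:state. f(s):A|] ==> \
-\   F Join G : Stable({s:state. P(f(s), g(s))})";
-by (res_inst_tac [("A", "(UN k:A. {s:state. f(s)=k} Int {s:state. P(f(s), g(s))})")]
+ "[| F \\<in> stable({s \\<in> state. P(f(s), g(s))}); \
+\    \\<forall>k \\<in> A. F Join G \\<in> Stable({s \\<in> state. P(k, g(s))}); \
+\   G \\<in> preserves(f); \\<forall>s \\<in> state. f(s):A|] ==> \
+\   F Join G \\<in> Stable({s \\<in> state. P(f(s), g(s))})";
+by (res_inst_tac [("A", "(\\<Union>k \\<in> A. {s \\<in> state. f(s)=k} Int {s \\<in> state. P(f(s), g(s))})")]
                Constrains_weaken_L 1);
 by (Blast_tac 2);
 by (rtac Constrains_UN_left 1);
 by Auto_tac;
-by (res_inst_tac [("A", "{s:state. f(s)=k} Int {s:state. P(f(s), g(s))} Int \
-\                        {s:state. P(k, g(s))}"),
-                  ("A'", "({s:state. f(s)=k} Un {s:state. P(f(s), g(s))}) \
-\                           Int {s:state. P(k, g(s))}")] Constrains_weaken 1);
+by (res_inst_tac [("A", "{s \\<in> state. f(s)=k} Int {s \\<in> state. P(f(s), g(s))} Int \
+\                        {s \\<in> state. P(k, g(s))}"),
+                  ("A'", "({s \\<in> state. f(s)=k} Un {s \\<in> state. P(f(s), g(s))}) \
+\                           Int {s \\<in> state. P(k, g(s))}")] Constrains_weaken 1);
 by (REPEAT(Blast_tac 2));
 by (rtac Constrains_Int 1);
 by (rtac constrains_imp_Constrains 1);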
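Review bot: The `:` to `\\<in>` substitution in the first hunk of Comp.ML was applied to the comment header as well as to the goal strings, so the `$Id$` revision keyword now reads `$Id \\<in> Comp.ML,v 1.8 2003/06/27 16:40:25 paulson Exp $`, a frozen expansion that the keyword expander will no longer recognise or refresh; the line should be restored to `    ID:         $Id$`. The same header mangling appears in the first hunk of Constrains.ML, where the prose line of the header comment has also become `Safety relations \\<in> restricted to the set of reachable states.` and should read `Safety relations: restricted to the set of reachable states.`. The mechanical pass is also incomplete inside the goal strings it did touch: `programify(F(i)):preserves(v)`, `f(x):A`, `<k, x>:r`, `f(s):A|]` and `F:(\\<Union>x \\<in> I. A(x))` keep the ASCII `:` next to the new symbol, so the file now mixes both notations and would benefit from a consistent sweep in a follow-up.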
     3.1 --- a/src/ZF/UNITY/Constrains.ML	Mon Jul 07 17:58:21 2003 +0200
     3.2 +++ b/src/ZF/UNITY/Constrains.ML	Tue Jul 08 11:44:30 2003 +0200
     3.3 @@ -1,9 +1,9 @@
     3.4  (*  Title:      ZF/UNITY/Constrains.ML
     3.5 -    ID:         $Id$
     3.6 +    ID:         $Id \\<in> Constrains.ML,v 1.10 2003/06/20 10:10:45 paulson Exp $
     3.7      Author:     Sidi O Ehmety, Computer Laboratory
     3.8      Copyright   2001  University of Cambridge
     3.9  
    3.10 -Safety relations: restricted to the set of reachable states.
    3.11 +Safety relations \\<in> restricted to the set of reachable states.
    3.12  
    3.13  Proofs ported from HOL.
    3.14  *)
    3.15 @@ -35,7 +35,7 @@
    3.16  AddIffs [state_Int_reachable];
    3.17  
    3.18  Goal 
    3.19 -"F:program ==> reachable(F)={s:state. EX evs. <s,evs>:traces(Init(F), Acts(F))}";
    3.20 +"F \\<in> program ==> reachable(F)={s \\<in> state. \\<exists>evs. <s,evs>:traces(Init(F), Acts(F))}";
    3.21  by (rtac equalityI 1);
    3.22  by Safe_tac;
    3.23  by (blast_tac (claset() addDs [reachable_type RS subsetD]) 1);
    3.24 @@ -48,8 +48,8 @@
    3.25  by (blast_tac (claset() addIs reachable.intrs) 1);
    3.26  qed "Init_into_reachable";
    3.27  
    3.28 -Goal "[| F:program; G:program; \
    3.29 -\   Acts(G) <= Acts(F)  |] ==> G:stable(reachable(F))";
    3.30 +Goal "[| F \\<in> program; G \\<in> program; \
    3.31 +\   Acts(G) <= Acts(F)  |] ==> G \\<in> stable(reachable(F))";
    3.32  by (blast_tac (claset() 
    3.33     addIs [stableI, constrainsI, st_setI,
    3.34            reachable_type RS subsetD] @ reachable.intrs) 1);
    3.35 @@ -60,12 +60,12 @@
    3.36  
    3.37  (*The set of all reachable states is an invariant...*)
    3.38  Goalw [invariant_def, initially_def]
    3.39 -   "F:program ==> F:invariant(reachable(F))";
    3.40 +   "F \\<in> program ==> F \\<in> invariant(reachable(F))";
    3.41  by (blast_tac (claset() addIs [reachable_type RS subsetD]@reachable.intrs) 1);
    3.42  qed "invariant_reachable";
    3.43  
    3.44  (*...in fact the strongest invariant!*)
    3.45 -Goal "F:invariant(A) ==> reachable(F) <= A";
    3.46 +Goal "F \\<in> invariant(A) ==> reachable(F) <= A";
    3.47  by (cut_inst_tac [("F", "F")] Acts_type 1);
    3.48  by (cut_inst_tac [("F", "F")] Init_type 1);
    3.49  by (cut_inst_tac [("F", "F")] reachable_type 1);
    3.50 @@ -78,7 +78,7 @@
    3.51  
    3.52  (*** Co ***)
    3.53  
    3.54 -Goal "F:B co B'==>F:(reachable(F) Int B) co (reachable(F) Int B')";
    3.55 +Goal "F \\<in> B co B'==>F:(reachable(F) Int B) co (reachable(F) Int B')";
    3.56  by (forward_tac [constrains_type RS subsetD] 1);
    3.57  by (forward_tac [[asm_rl, asm_rl, subset_refl] MRS stable_reachable] 1);
    3.58  by (ALLGOALS(asm_full_simp_tac (simpset() addsimps [stable_def, constrains_Int])));
    3.59 @@ -86,7 +86,7 @@
    3.60  
    3.61  (*Resembles the previous definition of Constrains*)
    3.62  Goalw [Constrains_def]
    3.63 -"A Co B = {F:program. F:(reachable(F) Int A) co (reachable(F)  Int  B)}";
    3.64 +"A Co B = {F \\<in> program. F:(reachable(F) Int A) co (reachable(F)  Int  B)}";
    3.65  by (blast_tac (claset() addDs [constrains_reachable_Int, 
    3.66                                        constrains_type RS subsetD]
    3.67                          addIs [constrains_weaken]) 1);
    3.68 @@ -94,12 +94,12 @@
    3.69  val Constrains_def2 =  Constrains_eq_constrains RS  eq_reflection;
    3.70  
    3.71  Goalw [Constrains_def] 
    3.72 - "F:A co A' ==> F:A Co A'";
    3.73 + "F \\<in> A co A' ==> F \\<in> A Co A'";
    3.74  by (blast_tac (claset() addIs [constrains_weaken_L] addDs [constrainsD2]) 1);
    3.75  qed "constrains_imp_Constrains";
    3.76  
    3.77  val prems = Goalw [Constrains_def, constrains_def, st_set_def]
    3.78 -"[|(!!act s s'. [| act: Acts(F); <s,s'>:act; s:A |] ==> s':A'); F:program|]==>F:A Co A'";
    3.79 +"[|(!!act s s'. [| act \\<in> Acts(F); <s,s'>:act; s \\<in> A |] ==> s':A'); F \\<in> program|]==>F \\<in> A Co A'";
    3.80  by (auto_tac (claset(), simpset() addsimps prems));
    3.81  by (blast_tac (claset() addDs [reachable_type RS subsetD]) 1);
    3.82  qed "ConstrainsI";
    3.83 @@ -109,43 +109,43 @@
    3.84  by (Blast_tac 1);
    3.85  qed "Constrains_type";
    3.86  
    3.87 -Goal "F : 0 Co B <-> F:program";
    3.88 +Goal "F \\<in> 0 Co B <-> F \\<in> program";
    3.89  by (auto_tac (claset() addDs [Constrains_type RS subsetD]
    3.90                         addIs [constrains_imp_Constrains], simpset()));
    3.91  qed "Constrains_empty";
    3.92  AddIffs [Constrains_empty];
    3.93  
    3.94 -Goalw [Constrains_def] "F : A Co state <-> F:program";
    3.95 +Goalw [Constrains_def] "F \\<in> A Co state <-> F \\<in> program";
    3.96  by (auto_tac (claset() addDs [Constrains_type RS subsetD]
    3.97                         addIs [constrains_imp_Constrains], simpset()));
    3.98  qed "Constrains_state";
    3.99  AddIffs [Constrains_state];
   3.100  
   3.101  Goalw  [Constrains_def2] 
   3.102 -        "[| F : A Co A'; A'<=B' |] ==> F : A Co B'";
   3.103 +        "[| F \\<in> A Co A'; A'<=B' |] ==> F \\<in> A Co B'";
   3.104  by (blast_tac (claset()  addIs [constrains_weaken_R]) 1);
   3.105  qed "Constrains_weaken_R";
   3.106  
   3.107  Goalw  [Constrains_def2] 
   3.108 -    "[| F : A Co A'; B<=A |] ==> F : B Co A'";
   3.109 +    "[| F \\<in> A Co A'; B<=A |] ==> F \\<in> B Co A'";
   3.110  by (blast_tac (claset() addIs [constrains_weaken_L, st_set_subset]) 1);
   3.111  qed "Constrains_weaken_L";  
   3.112  
   3.113  Goalw [Constrains_def2]
   3.114 -   "[| F : A Co A'; B<=A; A'<=B' |] ==> F : B Co B'";
   3.115 +   "[| F \\<in> A Co A'; B<=A; A'<=B' |] ==> F \\<in> B Co B'";
   3.116  by (blast_tac (claset() addIs [constrains_weaken, st_set_subset]) 1);
   3.117  qed "Constrains_weaken";
   3.118  
   3.119  (** Union **)
   3.120  Goalw [Constrains_def2] 
   3.121 -"[| F : A Co A'; F : B Co B' |] ==> F : (A Un B) Co (A' Un B')";
   3.122 +"[| F \\<in> A Co A'; F \\<in> B Co B' |] ==> F \\<in> (A Un B) Co (A' Un B')";
   3.123  by Auto_tac;
   3.124  by (asm_full_simp_tac (simpset() addsimps [Int_Un_distrib]) 1);
   3.125  by (blast_tac (claset() addIs [constrains_Un]) 1);
   3.126  qed "Constrains_Un";
   3.127  
   3.128  val [major, minor] = Goalw [Constrains_def2]
   3.129 -"[|(!!i. i:I==>F:A(i) Co A'(i)); F:program|] ==> F:(UN i:I. A(i)) Co (UN i:I. A'(i))";
   3.130 +"[|(!!i. i \\<in> I==>F \\<in> A(i) Co A'(i)); F \\<in> program|] ==> F:(\\<Union>i \\<in> I. A(i)) Co (\\<Union>i \\<in> I. A'(i))";
   3.131  by (cut_facts_tac [minor] 1);
   3.132  by (auto_tac (claset() addDs [major]
   3.133                         addIs [constrains_UN],
   3.134 @@ -155,15 +155,15 @@
   3.135  (** Intersection **)
   3.136  
   3.137  Goalw [Constrains_def]
   3.138 -"[| F : A Co A'; F : B Co B'|]==> F:(A Int B) Co (A' Int B')";
   3.139 +"[| F \\<in> A Co A'; F \\<in> B Co B'|]==> F:(A Int B) Co (A' Int B')";
   3.140  by (subgoal_tac "reachable(F) Int (A Int B) = \
   3.141                \ (reachable(F) Int A) Int (reachable(F) Int B)" 1);
   3.142  by (ALLGOALS(force_tac (claset() addIs [constrains_Int], simpset())));
   3.143  qed "Constrains_Int";
   3.144  
   3.145  val [major,minor] = Goal 
   3.146 -"[| (!!i. i:I ==>F: A(i) Co A'(i)); F:program  |] \
   3.147 -\  ==> F:(INT i:I. A(i)) Co (INT i:I. A'(i))";
   3.148 +"[| (!!i. i \\<in> I ==>F \\<in> A(i) Co A'(i)); F \\<in> program  |] \
   3.149 +\  ==> F:(\\<Inter>i \\<in> I. A(i)) Co (\\<Inter>i \\<in> I. A'(i))";
   3.150  by (cut_facts_tac [minor] 1);
   3.151  by (asm_simp_tac (simpset() delsimps INT_simps
   3.152  	  	 	    addsimps [Constrains_def]@INT_extend_simps) 1);
   3.153 @@ -172,17 +172,17 @@
   3.154  by (auto_tac (claset(), simpset() addsimps [Constrains_def])); 
   3.155  qed "Constrains_INT";
   3.156  
   3.157 -Goalw [Constrains_def] "F : A Co A' ==> reachable(F) Int A <= A'";
   3.158 +Goalw [Constrains_def] "F \\<in> A Co A' ==> reachable(F) Int A <= A'";
   3.159  by (blast_tac (claset() addDs [constrains_imp_subset]) 1);
   3.160  qed "Constrains_imp_subset";
   3.161  
   3.162  Goalw [Constrains_def2]
   3.163 - "[| F : A Co B; F : B Co C |] ==> F : A Co C";
   3.164 + "[| F \\<in> A Co B; F \\<in> B Co C |] ==> F \\<in> A Co C";
   3.165  by (blast_tac (claset() addIs [constrains_trans, constrains_weaken]) 1);
   3.166  qed "Constrains_trans";
   3.167  
   3.168  Goalw [Constrains_def2]
   3.169 -"[| F : A Co (A' Un B); F : B Co B' |] ==> F : A Co (A' Un B')";
   3.170 +"[| F \\<in> A Co (A' Un B); F \\<in> B Co B' |] ==> F \\<in> A Co (A' Un B')";
   3.171  by (full_simp_tac (simpset() addsimps [Int_Un_distrib]) 1);
   3.172  by (blast_tac (claset() addIs [constrains_cancel]) 1);
   3.173  qed "Constrains_cancel";
   3.174 @@ -191,63 +191,63 @@
   3.175  (* Useful because there's no Stable_weaken.  [Tanja Vos] *)
   3.176  
   3.177  Goalw [stable_def, Stable_def] 
   3.178 -"F : stable(A) ==> F : Stable(A)";
   3.179 +"F \\<in> stable(A) ==> F \\<in> Stable(A)";
   3.180  by (etac constrains_imp_Constrains 1);
   3.181  qed "stable_imp_Stable";
   3.182  
   3.183 -Goal "[| F: Stable(A); A = B |] ==> F : Stable(B)";
   3.184 +Goal "[| F \\<in> Stable(A); A = B |] ==> F \\<in> Stable(B)";
   3.185  by (Blast_tac 1);
   3.186  qed "Stable_eq";
   3.187  
   3.188  Goal
   3.189 -"F : Stable(A) <->  (F:stable(reachable(F) Int A))";
   3.190 +"F \\<in> Stable(A) <->  (F \\<in> stable(reachable(F) Int A))";
   3.191  by (auto_tac (claset() addDs [constrainsD2], 
   3.192                simpset() addsimps [Stable_def, stable_def, Constrains_def2]));
   3.193  qed "Stable_eq_stable";
   3.194  
   3.195 -Goalw [Stable_def] "F:A Co A ==> F : Stable(A)";
   3.196 +Goalw [Stable_def] "F \\<in> A Co A ==> F \\<in> Stable(A)";
   3.197  by (assume_tac 1);
   3.198  qed "StableI";
   3.199  
   3.200 -Goalw [Stable_def] "F : Stable(A) ==> F : A Co A";
   3.201 +Goalw [Stable_def] "F \\<in> Stable(A) ==> F \\<in> A Co A";
   3.202  by (assume_tac 1);
   3.203  qed "StableD";
   3.204  
   3.205  Goalw [Stable_def]
   3.206 -    "[| F : Stable(A); F : Stable(A') |] ==> F : Stable(A Un A')";
   3.207 +    "[| F \\<in> Stable(A); F \\<in> Stable(A') |] ==> F \\<in> Stable(A Un A')";
   3.208  by (blast_tac (claset() addIs [Constrains_Un]) 1);
   3.209  qed "Stable_Un";
   3.210  
   3.211  Goalw [Stable_def]
   3.212 -    "[| F : Stable(A); F : Stable(A') |] ==> F : Stable (A Int A')";
   3.213 +    "[| F \\<in> Stable(A); F \\<in> Stable(A') |] ==> F \\<in> Stable (A Int A')";
   3.214  by (blast_tac (claset() addIs [Constrains_Int]) 1);
   3.215  qed "Stable_Int";
   3.216  
   3.217  Goalw [Stable_def]
   3.218 -    "[| F : Stable(C); F : A Co (C Un A') |]   \
   3.219 -\    ==> F : (C Un A) Co (C Un A')";
   3.220 +    "[| F \\<in> Stable(C); F \\<in> A Co (C Un A') |]   \
   3.221 +\    ==> F \\<in> (C Un A) Co (C Un A')";
   3.222  by (blast_tac (claset() addIs [Constrains_Un RS Constrains_weaken_R]) 1);
   3.223  qed "Stable_Constrains_Un";
   3.224  
   3.225  Goalw [Stable_def]
   3.226 -    "[| F : Stable(C); F : (C Int A) Co A' |]   \
   3.227 -\    ==> F : (C Int A) Co (C Int A')";
   3.228 +    "[| F \\<in> Stable(C); F \\<in> (C Int A) Co A' |]   \
   3.229 +\    ==> F \\<in> (C Int A) Co (C Int A')";
   3.230  by (blast_tac (claset() addIs [Constrains_Int RS Constrains_weaken]) 1);
   3.231  qed "Stable_Constrains_Int";
   3.232  
   3.233  val [major,minor] = Goalw [Stable_def]
   3.234 -"[| (!!i. i:I ==> F : Stable(A(i))); F:program |]==> F : Stable (UN i:I. A(i))";
   3.235 +"[| (!!i. i \\<in> I ==> F \\<in> Stable(A(i))); F \\<in> program |]==> F \\<in> Stable (\\<Union>i \\<in> I. A(i))";
   3.236  by (cut_facts_tac [minor] 1);
   3.237  by (blast_tac (claset() addIs [Constrains_UN,major]) 1);
   3.238  qed "Stable_UN";
   3.239  
   3.240  val [major,minor] = Goalw [Stable_def]
   3.241 -"[|(!!i. i:I ==> F:Stable(A(i))); F:program |]==> F : Stable (INT i:I. A(i))";
   3.242 +"[|(!!i. i \\<in> I ==> F \\<in> Stable(A(i))); F \\<in> program |]==> F \\<in> Stable (\\<Inter>i \\<in> I. A(i))";
   3.243  by (cut_facts_tac [minor] 1);
   3.244  by (blast_tac (claset() addIs [Constrains_INT, major]) 1);
   3.245  qed "Stable_INT";
   3.246  
   3.247 -Goal "F:program ==>F : Stable (reachable(F))";
   3.248 +Goal "F \\<in> program ==>F \\<in> Stable (reachable(F))";
   3.249  by (asm_simp_tac (simpset() 
   3.250      addsimps [Stable_eq_stable, Int_absorb]) 1);
   3.251  qed "Stable_reachable";
   3.252 @@ -258,12 +258,12 @@
   3.253  qed "Stable_type";
   3.254  
   3.255  (*** The Elimination Theorem.  The "free" m has become universally quantified!
   3.256 -     Should the premise be !!m instead of ALL m ?  Would make it harder to use
   3.257 +     Should the premise be !!m instead of \\<forall>m ?  Would make it harder to use
   3.258       in forward proof. ***)
   3.259  
   3.260  Goalw [Constrains_def]  
   3.261 -"[| ALL m:M. F : ({s:A. x(s) = m}) Co (B(m)); F:program |] \
   3.262 -\    ==> F : ({s:A. x(s):M}) Co (UN m:M. B(m))";
   3.263 +"[| \\<forall>m \\<in> M. F \\<in> ({s \\<in> A. x(s) = m}) Co (B(m)); F \\<in> program |] \
   3.264 +\    ==> F \\<in> ({s \\<in> A. x(s):M}) Co (\\<Union>m \\<in> M. B(m))";
   3.265  by Auto_tac;
   3.266  by (res_inst_tac [("A1","reachable(F)Int A")] (elimination RS constrains_weaken_L) 1);
   3.267  by (auto_tac (claset() addIs [constrains_weaken_L], simpset()));
   3.268 @@ -271,8 +271,8 @@
   3.269  
   3.270  (* As above, but for the special case of A=state *)
   3.271  Goal
   3.272 - "[| ALL m:M. F : {s:state. x(s) = m} Co B(m); F:program |] \
   3.273 -\    ==> F : {s:state. x(s):M} Co (UN m:M. B(m))";
   3.274 + "[| \\<forall>m \\<in> M. F \\<in> {s \\<in> state. x(s) = m} Co B(m); F \\<in> program |] \
   3.275 +\    ==> F \\<in> {s \\<in> state. x(s):M} Co (\\<Union>m \\<in> M. B(m))";
   3.276  by (blast_tac (claset() addIs [Elimination]) 1);
   3.277  qed "Elimination2";
   3.278  
   3.279 @@ -287,12 +287,12 @@
   3.280  (** Natural deduction rules for "Always A" **)
   3.281  
   3.282  Goalw [Always_def, initially_def]
   3.283 -"[| Init(F)<=A;  F : Stable(A) |] ==> F : Always(A)";
   3.284 +"[| Init(F)<=A;  F \\<in> Stable(A) |] ==> F \\<in> Always(A)";
   3.285  by (forward_tac [Stable_type RS subsetD] 1);
   3.286  by Auto_tac;
   3.287  qed "AlwaysI";
   3.288  
   3.289 -Goal "F : Always(A) ==> Init(F)<=A & F : Stable(A)";
   3.290 +Goal "F \\<in> Always(A) ==> Init(F)<=A & F \\<in> Stable(A)";
   3.291  by (asm_full_simp_tac (simpset() addsimps [Always_def, initially_def]) 1);
   3.292  qed "AlwaysD";
   3.293  
   3.294 @@ -300,7 +300,7 @@
   3.295  bind_thm ("Always_imp_Stable", AlwaysD RS conjunct2);
   3.296  
   3.297  (*The set of all reachable states is Always*)
   3.298 -Goal "F : Always(A) ==> reachable(F) <= A";
   3.299 +Goal "F \\<in> Always(A) ==> reachable(F) <= A";
   3.300  by (full_simp_tac (simpset() addsimps 
   3.301          [Stable_def, Constrains_def, constrains_def, Always_def, initially_def]) 1);
   3.302  by (rtac subsetI 1);
   3.303 @@ -309,13 +309,13 @@
   3.304  qed "Always_includes_reachable";
   3.305  
   3.306  Goalw [Always_def, invariant_def, Stable_def, stable_def]
   3.307 -     "F : invariant(A) ==> F : Always(A)";
   3.308 +     "F \\<in> invariant(A) ==> F \\<in> Always(A)";
   3.309  by (blast_tac (claset() addIs [constrains_imp_Constrains]) 1);
   3.310  qed "invariant_imp_Always";
   3.311  
   3.312  bind_thm ("Always_reachable", invariant_reachable RS invariant_imp_Always);
   3.313  
   3.314 -Goal "Always(A) = {F:program. F : invariant(reachable(F) Int A)}";
   3.315 +Goal "Always(A) = {F \\<in> program. F \\<in> invariant(reachable(F) Int A)}";
   3.316  by (simp_tac (simpset() addsimps [Always_def, invariant_def, Stable_def, 
   3.317                                    Constrains_def2, stable_def, initially_def]) 1);
   3.318  by (rtac equalityI 1);
   3.319 @@ -324,7 +324,7 @@
   3.320  qed "Always_eq_invariant_reachable";
   3.321  
   3.322  (*the RHS is the traditional definition of the "always" operator*)
   3.323 -Goal "Always(A) = {F:program. reachable(F) <= A}";
   3.324 +Goal "Always(A) = {F \\<in> program. reachable(F) <= A}";
   3.325  by (rtac equalityI 1);
   3.326  by (ALLGOALS(Clarify_tac));
   3.327  by (auto_tac (claset() addDs [invariant_includes_reachable],
   3.328 @@ -344,12 +344,12 @@
   3.329  qed "Always_state_eq";
   3.330  Addsimps [Always_state_eq];
   3.331  
   3.332 -Goal "F:program ==> F : Always(state)";
   3.333 +Goal "F \\<in> program ==> F \\<in> Always(state)";
   3.334  by (auto_tac (claset() addDs [reachable_type RS subsetD], simpset() 
   3.335      addsimps [Always_eq_includes_reachable]));
   3.336  qed "state_AlwaysI";
   3.337  
   3.338 -Goal "st_set(A) ==> Always(A) = (UN I: Pow(A). invariant(I))";
   3.339 +Goal "st_set(A) ==> Always(A) = (\\<Union>I \\<in> Pow(A). invariant(I))";
   3.340  by (simp_tac (simpset() addsimps [Always_eq_includes_reachable]) 1);
   3.341  by (rtac equalityI 1);
   3.342  by (ALLGOALS(Clarify_tac));
   3.343 @@ -359,7 +359,7 @@
   3.344                          addDs [invariant_type RS subsetD]) 1));
   3.345  qed "Always_eq_UN_invariant";
   3.346  
   3.347 -Goal "[| F : Always(A); A <= B |] ==> F : Always(B)";
   3.348 +Goal "[| F \\<in> Always(A); A <= B |] ==> F \\<in> Always(B)";
   3.349  by (auto_tac (claset(), simpset() addsimps [Always_eq_includes_reachable]));
   3.350  qed "Always_weaken";
   3.351  
   3.352 @@ -367,28 +367,28 @@
   3.353  (*** "Co" rules involving Always ***)
   3.354  val Int_absorb2 = rewrite_rule [iff_def] subset_Int_iff RS conjunct1 RS mp;
   3.355  
   3.356 -Goal "F:Always(I) ==> (F:(I Int A) Co A') <-> (F : A Co A')";
   3.357 +Goal "F \\<in> Always(I) ==> (F:(I Int A) Co A') <-> (F \\<in> A Co A')";
   3.358  by (asm_simp_tac
   3.359      (simpset() addsimps [Always_includes_reachable RS Int_absorb2,
   3.360                           Constrains_def, Int_assoc RS sym]) 1);
   3.361  qed "Always_Constrains_pre";
   3.362  
   3.363 -Goal "F:Always(I) ==> (F : A Co (I Int A')) <->(F : A Co A')";
   3.364 +Goal "F \\<in> Always(I) ==> (F \\<in> A Co (I Int A')) <->(F \\<in> A Co A')";
   3.365  by (asm_simp_tac
   3.366      (simpset() addsimps [Always_includes_reachable RS Int_absorb2,
   3.367                           Constrains_eq_constrains, Int_assoc RS sym]) 1);
   3.368  qed "Always_Constrains_post";
   3.369  
   3.370 -Goal "[| F : Always(I);  F : (I Int A) Co A' |] ==> F : A Co A'";
   3.371 +Goal "[| F \\<in> Always(I);  F \\<in> (I Int A) Co A' |] ==> F \\<in> A Co A'";
   3.372  by (blast_tac (claset() addIs [Always_Constrains_pre RS iffD1]) 1);
   3.373  qed "Always_ConstrainsI";
   3.374  
   3.375 -(* [| F : Always(I);  F : A Co A' |] ==> F : A Co (I Int A') *)
   3.376 +(* [| F \\<in> Always(I);  F \\<in> A Co A' |] ==> F \\<in> A Co (I Int A') *)
   3.377  bind_thm ("Always_ConstrainsD", Always_Constrains_post RS iffD2);
   3.378  
   3.379  (*The analogous proof of Always_LeadsTo_weaken doesn't terminate*)
   3.380  Goal 
   3.381 -"[|F:Always(C); F:A Co A'; C Int B<=A; C Int A'<=B'|]==>F:B Co B'";
   3.382 +"[|F \\<in> Always(C); F \\<in> A Co A'; C Int B<=A; C Int A'<=B'|]==>F \\<in> B Co B'";
   3.383  by (rtac Always_ConstrainsI 1);
   3.384  by (dtac Always_ConstrainsD 2);
   3.385  by (ALLGOALS(Asm_simp_tac));
   3.386 @@ -400,20 +400,20 @@
   3.387  by (auto_tac (claset(), simpset() addsimps [Always_eq_includes_reachable]));
   3.388  qed "Always_Int_distrib";
   3.389  
   3.390 -(* the premise i:I is need since INT is formally not defined for I=0 *)
   3.391 -Goal "i:I==>Always(INT i:I. A(i)) = (INT i:I. Always(A(i)))";
   3.392 +(* the premise i \\<in> I is need since \\<Inter>is formally not defined for I=0 *)
   3.393 +Goal "i \\<in> I==>Always(\\<Inter>i \\<in> I. A(i)) = (\\<Inter>i \\<in> I. Always(A(i)))";
   3.394  by (rtac equalityI 1);
   3.395  by (auto_tac (claset(), simpset() addsimps
   3.396                [Inter_iff, Always_eq_includes_reachable]));
   3.397  qed "Always_INT_distrib";
   3.398  
   3.399  
   3.400 -Goal "[| F:Always(A);  F:Always(B) |] ==> F:Always(A Int B)";
   3.401 +Goal "[| F \\<in> Always(A);  F \\<in> Always(B) |] ==> F \\<in> Always(A Int B)";
   3.402  by (asm_simp_tac (simpset() addsimps [Always_Int_distrib]) 1);
   3.403  qed "Always_Int_I";
   3.404  
   3.405  (*Allows a kind of "implication introduction"*)
   3.406 -Goal "[| F:Always(A) |] ==> (F : Always(C-A Un B)) <-> (F : Always(B))";
   3.407 +Goal "[| F \\<in> Always(A) |] ==> (F \\<in> Always(C-A Un B)) <-> (F \\<in> Always(B))";
   3.408  by (auto_tac (claset(), simpset() addsimps [Always_eq_includes_reachable]));
   3.409  qed "Always_Diff_Un_eq";
   3.410  
   3.411 @@ -421,7 +421,7 @@
   3.412    used by Always_Int_I) *)
   3.413  val Always_thin =
   3.414      read_instantiate_sg (sign_of thy)
   3.415 -                [("V", "?F : Always(?A)")] thin_rl;
   3.416 +                [("V", "?F \\<in> Always(?A)")] thin_rl;
   3.417  
   3.418  (*Combines two invariance ASSUMPTIONS into one.  USEFUL??*)
   3.419  val Always_Int_tac = dtac Always_Int_I THEN' assume_tac THEN' etac Always_thin;
   3.420 @@ -430,7 +430,7 @@
   3.421  val Always_Int_rule = foldr1 (fn (th1,th2) => [th1,th2] MRS Always_Int_I);
   3.422  
   3.423  (*To allow expansion of the program's definition when appropriate*)
   3.424 -val program_defs_ref = ref ([] : thm list);
   3.425 +val program_defs_ref = ref ([]: thm list);
   3.426  
   3.427  (*proves "co" properties when the program is specified*)
   3.428  
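--- a/src/ZF/UNITY/FP.ML
+++ /dev/null
@@ -1,81 +0,0 @@
-(*  Title:      ZF/UNITY/FP.ML
-    ID:         $Id$
-    Author:     Sidi O Ehmety, Computer Laboratory
-    Copyright   2001  University of Cambridge
-
-Fixed Point of a Program
-
-From Misra, "A Logic for Concurrent Programming", 1994
-
-Theory ported form HOL.
-*)
-
-Goalw [FP_Orig_def] "FP_Orig(F)<=state";
-by (Blast_tac 1);
-qed "FP_Orig_type";
-
-Goalw [st_set_def] "st_set(FP_Orig(F))";
-by (rtac FP_Orig_type 1);
-qed "st_set_FP_Orig";
-AddIffs [st_set_FP_Orig];
-
-Goalw [FP_def] "FP(F)<=state";
-by (Blast_tac 1);
-qed "FP_type";
-
-Goalw [st_set_def] "st_set(FP(F))";
-by (rtac FP_type 1);
-qed "st_set_FP";
-AddIffs [st_set_FP];
-
-Goalw [FP_Orig_def, stable_def] "F:program ==> F:stable(FP_Orig(F) Int B)";
-by (stac Int_Union2 1);
-by (blast_tac (claset() addIs [constrains_UN]) 1);
-qed "stable_FP_Orig_Int";
-
-Goalw [FP_Orig_def, stable_def, st_set_def]
-    "[| ALL B. F: stable (A Int B); st_set(A) |]  ==> A <= FP_Orig(F)";
-by (Blast_tac 1);
-qed "FP_Orig_weakest2";
-
-bind_thm("FP_Orig_weakest",  allI RS FP_Orig_weakest2);
-
-Goal "F:program ==> F : stable (FP(F) Int B)";
-by (subgoal_tac "FP(F) Int B = (UN x:B. FP(F) Int {x})" 1);
-by (Blast_tac 2);
-by (asm_simp_tac (simpset() addsimps [Int_cons_right]) 1);
-by (rewrite_goals_tac [FP_def, stable_def]);
-by (rtac constrains_UN 1);
-by (auto_tac (claset(), simpset() addsimps [cons_absorb]));
-qed "stable_FP_Int";
-
-Goal "F:program ==> FP(F) <= FP_Orig(F)";
-by (rtac (stable_FP_Int RS FP_Orig_weakest) 1);
-by Auto_tac;
-qed "FP_subset_FP_Orig";
-
-Goalw [FP_Orig_def, FP_def] "F:program ==> FP_Orig(F) <= FP(F)";
-by (Clarify_tac 1);
-by (dres_inst_tac [("x", "{x}")] spec 1);
-by (asm_full_simp_tac (simpset() addsimps [Int_cons_right]) 1);
-by (ftac stableD2 1);
-by (auto_tac (claset(), simpset() addsimps [cons_absorb, st_set_def]));
-qed "FP_Orig_subset_FP";
-
-
-Goal "F:program ==> FP(F) = FP_Orig(F)";
-by (rtac ([FP_subset_FP_Orig,FP_Orig_subset_FP] MRS equalityI) 1);
-by (ALLGOALS(assume_tac));
-qed "FP_equivalence";
-
-
-Goal  "[| ALL B. F : stable(A Int B); F:program; st_set(A) |] ==> A <= FP(F)";
-by (asm_simp_tac (simpset() addsimps [FP_equivalence, FP_Orig_weakest]) 1);
-qed "FP_weakest2";
-bind_thm("FP_weakest", allI RS FP_weakest2);
-
-Goalw [FP_def, stable_def, constrains_def, st_set_def]
-"[| F:program;  st_set(A) |] ==> A-FP(F) = (UN act:Acts(F). A-{s:state. act``{s} <= {s}})";
-by (Blast_tac 1);
-qed "Diff_FP";
-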
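--- a/src/ZF/UNITY/FP.thy
+++ b/src/ZF/UNITY/FP.thy
@@ -3,20 +3,99 @@
     Author:     Sidi O Ehmety, Computer Laboratory
     Copyright   2001  University of Cambridge
 
-Fixed Point of a Program
-
 From Misra, "A Logic for Concurrent Programming", 1994
 
 Theory ported from HOL.
 *)
 
-FP = UNITY +
+header{*Fixed Point of a Program*}
+
+theory FP = UNITY:
 
 constdefs   
-  FP_Orig :: i=>i
-    "FP_Orig(F) == Union({A:Pow(state). ALL B. F : stable(A Int B)})"
+  FP_Orig :: "i=>i"
+    "FP_Orig(F) == Union({A \<in> Pow(state). \<forall>B. F \<in> stable(A Int B)})"
+
+  FP :: "i=>i"
+    "FP(F) == {s\<in>state. F \<in> stable({s})}"
+
+
+lemma FP_Orig_type: "FP_Orig(F) \<subseteq> state"
+by (unfold FP_Orig_def, blast)
+
+lemma st_set_FP_Orig [iff]: "st_set(FP_Orig(F))"
+apply (unfold st_set_def)
+apply (rule FP_Orig_type)
+done
+
+lemma FP_type: "FP(F) \<subseteq> state"
+by (unfold FP_def, blast)
+
+lemma st_set_FP [iff]: "st_set(FP(F))"
+apply (unfold st_set_def)
+apply (rule FP_type)
+done
+
+lemma stable_FP_Orig_Int: "F \<in> program ==> F \<in> stable(FP_Orig(F) Int B)"
+apply (unfold FP_Orig_def stable_def)
+apply (subst Int_Union2)
+apply (blast intro: constrains_UN)
+done
+
+lemma FP_Orig_weakest2: 
+    "[| \<forall>B. F \<in> stable (A Int B); st_set(A) |]  ==> A \<subseteq> FP_Orig(F)"
+apply (unfold FP_Orig_def stable_def st_set_def, blast)
+done
+
+lemmas FP_Orig_weakest = allI [THEN FP_Orig_weakest2, standard]
 
-  FP :: i=>i
-    "FP(F) == {s:state. F : stable({s})}"
+lemma stable_FP_Int: "F \<in> program ==> F \<in> stable (FP(F) Int B)"
+apply (subgoal_tac "FP (F) Int B = (\<Union>x\<in>B. FP (F) Int {x}) ")
+ prefer 2 apply blast
+apply (simp (no_asm_simp) add: Int_cons_right)
+apply (unfold FP_def stable_def)
+apply (rule constrains_UN)
+apply (auto simp add: cons_absorb)
+done
+
+lemma FP_subset_FP_Orig: "F \<in> program ==> FP(F) \<subseteq> FP_Orig(F)"
+by (rule stable_FP_Int [THEN FP_Orig_weakest], auto)
+
+lemma FP_Orig_subset_FP: "F \<in> program ==> FP_Orig(F) \<subseteq> FP(F)"
+apply (unfold FP_Orig_def FP_def, clarify)
+apply (drule_tac x = "{x}" in spec)
+apply (simp add: Int_cons_right)
+apply (frule stableD2)
+apply (auto simp add: cons_absorb st_set_def)
+done
+
+lemma FP_equivalence: "F \<in> program ==> FP(F) = FP_Orig(F)"
+by (blast intro!: FP_Orig_subset_FP FP_subset_FP_Orig)
+
+lemma FP_weakest [rule_format]:
+     "[| \<forall>B. F \<in> stable(A Int B); F \<in> program; st_set(A) |] ==> A \<subseteq> FP(F)"
+by (simp add: FP_equivalence FP_Orig_weakest)
+
+
+lemma Diff_FP: 
+     "[| F \<in> program;  st_set(A) |] 
+      ==> A-FP(F) = (\<Union>act \<in> Acts(F). A - {s \<in> state. act``{s} \<subseteq> {s}})"
+by (unfold FP_def stable_def constrains_def st_set_def, blast)
+
+ML
+{*
+val FP_Orig_type = thm "FP_Orig_type";
+val st_set_FP_Orig = thm "st_set_FP_Orig";
+val FP_type = thm "FP_type";
+val st_set_FP = thm "st_set_FP";
+val stable_FP_Orig_Int = thm "stable_FP_Orig_Int";
+val FP_Orig_weakest2 = thm "FP_Orig_weakest2";
+val stable_FP_Int = thm "stable_FP_Int";
+val FP_subset_FP_Orig = thm "FP_subset_FP_Orig";
+val FP_Orig_subset_FP = thm "FP_Orig_subset_FP";
+val FP_equivalence = thm "FP_equivalence";
+val FP_weakest = thm "FP_weakest";
+val Diff_FP = thm "Diff_FP";
+*}
 
 end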
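Review bot: The name FP_weakest2 disappears from the ML-visible interface: the deleted FP.ML exported both `FP_weakest2` (the `ALL B` premise form) and the derived `FP_weakest`, whereas the new theory states only `lemma FP_weakest [rule_format]` and the closing ML block binds `FP_Orig_weakest2` and `FP_Orig_weakest` but no `FP_weakest2`. Presumably `[rule_format]` lifts the `\<forall>B` premise to the meta-level form that `allI RS FP_weakest2` used to produce, so `FP_weakest` itself is unchanged, but any ML script still referring to `FP_weakest2` would fail to load; either keep the pair as done for FP_Orig or confirm the name has no remaining users. The two definitions of the fixed point are also left unexplained; a short comment before FP_equivalence such as `(*FP_Orig(F) is the largest state set whose every intersection is stable; FP(F) is its pointwise form, and the two coincide for any F \<in> program*)` would save readers reconstructing this from the proofs.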
     6.1 --- a/src/ZF/UNITY/Follows.ML	Mon Jul 07 17:58:21 2003 +0200
     6.2 +++ b/src/ZF/UNITY/Follows.ML	Tue Jul 08 11:44:30 2003 +0200
     6.3 @@ -1,5 +1,5 @@
     6.4  (*  Title:      ZF/UNITY/Follows
     6.5 -    ID:         $Id$
     6.6 +    ID:         $Id \\<in> Follows.ML,v 1.4 2003/06/27 16:40:25 paulson Exp $
     6.7      Author:     Sidi O Ehmety, Cambridge University Computer Laboratory
     6.8      Copyright   2001  University of Cambridge
     6.9   
    6.10 @@ -9,30 +9,30 @@
    6.11  (*Does this hold for "invariant"?*)
    6.12  
    6.13  val prems =
    6.14 -Goal "[|A=A'; r=r'; !!x. x:state ==> f(x)=f'(x); !!x. x:state ==> g(x)=g'(x)|] ==> Follows(A, r, f, g) = Follows(A', r', f', g')";
    6.15 +Goal "[|A=A'; r=r'; !!x. x \\<in> state ==> f(x)=f'(x); !!x. x \\<in> state ==> g(x)=g'(x)|] ==> Follows(A, r, f, g) = Follows(A', r', f', g')";
    6.16  by (asm_full_simp_tac (simpset() addsimps [Increasing_def,Follows_def]@prems) 1);
    6.17  qed "Follows_cong";
    6.18  
    6.19  Goalw [mono1_def, metacomp_def] 
    6.20 -"[| mono1(A, r, B, s, h); ALL x:state. f(x):A & g(x):A |] ==> \
    6.21 -\  Always({x:state. <f(x), g(x)>:r})<=Always({x:state. <(h comp f)(x), (h comp g)(x)>:s})";
    6.22 +"[| mono1(A, r, B, s, h); \\<forall>x \\<in> state. f(x):A & g(x):A |] ==> \
    6.23 +\  Always({x \\<in> state. <f(x), g(x)> \\<in> r})<=Always({x \\<in> state. <(h comp f)(x), (h comp g)(x)> \\<in> s})";
    6.24  by (auto_tac (claset(), simpset() addsimps 
    6.25           [Always_eq_includes_reachable]));
    6.26  qed "subset_Always_comp";
    6.27  
    6.28  Goal 
    6.29 -"[| F:Always({x:state. <f(x), g(x)>:r}); \
    6.30 -\   mono1(A, r, B, s, h); ALL x:state. f(x):A & g(x):A |] ==> \
    6.31 -\   F:Always({x:state. <(h comp f)(x), (h comp g)(x)>:s})";
    6.32 +"[| F \\<in> Always({x \\<in> state. <f(x), g(x)> \\<in> r}); \
    6.33 +\   mono1(A, r, B, s, h); \\<forall>x \\<in> state. f(x):A & g(x):A |] ==> \
    6.34 +\   F \\<in> Always({x \\<in> state. <(h comp f)(x), (h comp g)(x)> \\<in> s})";
    6.35  by (blast_tac (claset() addIs [subset_Always_comp RS subsetD]) 1);
    6.36  qed "imp_Always_comp";
    6.37  
    6.38  Goal 
    6.39 -"[| F:Always({x:state. <f1(x), f(x)>:r});  \
    6.40 -\   F:Always({x:state. <g1(x), g(x)>:s}); \
    6.41 +"[| F \\<in> Always({x \\<in> state. <f1(x), f(x)> \\<in> r});  \
    6.42 +\   F \\<in> Always({x \\<in> state. <g1(x), g(x)> \\<in> s}); \
    6.43  \   mono2(A, r, B, s, C, t, h); \
    6.44 -\   ALL x:state. f1(x):A & f(x):A & g1(x):B & g(x):B |] \
    6.45 -\ ==> F:Always({x:state. <h(f1(x), g1(x)), h(f(x), g(x))>:t})";
    6.46 +\   \\<forall>x \\<in> state. f1(x):A & f(x):A & g1(x):B & g(x):B |] \
    6.47 +\ ==> F \\<in> Always({x \\<in> state. <h(f1(x), g1(x)), h(f(x), g(x))> \\<in> t})";
    6.48  by (auto_tac (claset(), simpset() addsimps 
    6.49           [Always_eq_includes_reachable, mono2_def]));
    6.50  by (auto_tac (claset() addSDs [subsetD], simpset()));
    6.51 @@ -42,9 +42,9 @@
    6.52  
    6.53  Goalw [mono1_def, metacomp_def]
    6.54  "[| mono1(A, r, B, s, h); refl(A,r); trans[B](s); \
    6.55 -\       ALL x:state. f(x):A & g(x):A |] ==> \
    6.56 -\ (INT j:A. {s:state. <j, g(s)>:r} LeadsTo {s:state. <j,f(s)>:r}) <= \
    6.57 -\(INT k:B. {x:state. <k, (h comp g)(x)>:s} LeadsTo {x:state. <k, (h comp f)(x)>:s})";
    6.58 +\       \\<forall>x \\<in> state. f(x):A & g(x):A |] ==> \
    6.59 +\ (\\<Inter>j \\<in> A. {s \\<in> state. <j, g(s)> \\<in> r} LeadsTo {s \\<in> state. <j,f(s)> \\<in> r}) <= \
    6.60 +\(\\<Inter>k \\<in> B. {x \\<in> state. <k, (h comp g)(x)> \\<in> s} LeadsTo {x \\<in> state. <k, (h comp f)(x)> \\<in> s})";
    6.61  by (Clarify_tac 1);
    6.62  by (ALLGOALS(full_simp_tac (simpset() addsimps [INT_iff])));
    6.63  by Auto_tac;
    6.64 @@ -61,20 +61,20 @@
    6.65  qed "subset_LeadsTo_comp";
    6.66  
    6.67  Goal
    6.68 -"[| F:(INT j:A. {s:state. <j, g(s)>:r} LeadsTo {s:state. <j,f(s)>:r}); \
    6.69 +"[| F:(\\<Inter>j \\<in> A. {s \\<in> state. <j, g(s)> \\<in> r} LeadsTo {s \\<in> state. <j,f(s)> \\<in> r}); \
    6.70  \   mono1(A, r, B, s, h); refl(A,r); trans[B](s); \
    6.71 -\   ALL x:state. f(x):A & g(x):A |] ==> \
    6.72 -\  F:(INT k:B. {x:state. <k, (h comp g)(x)>:s} LeadsTo {x:state. <k, (h comp f)(x)>:s})";
    6.73 +\   \\<forall>x \\<in> state. f(x):A & g(x):A |] ==> \
    6.74 +\  F:(\\<Inter>k \\<in> B. {x \\<in> state. <k, (h comp g)(x)> \\<in> s} LeadsTo {x \\<in> state. <k, (h comp f)(x)> \\<in> s})";
    6.75  by (rtac (subset_LeadsTo_comp RS subsetD) 1);
    6.76  by Auto_tac;
    6.77  qed "imp_LeadsTo_comp";
    6.78  
    6.79  Goalw [mono2_def, Increasing_def]
    6.80 -"[| F:Increasing(B, s, g); \
    6.81 -\ ALL j:A. F: {s:state. <j, f(s)>:r} LeadsTo {s:state. <j,f1(s)>:r}; \
    6.82 +"[| F \\<in> Increasing(B, s, g); \
    6.83 +\ \\<forall>j \\<in> A. F: {s \\<in> state. <j, f(s)> \\<in> r} LeadsTo {s \\<in> state. <j,f1(s)> \\<in> r}; \
    6.84  \ mono2(A, r, B, s, C, t, h); refl(A, r); refl(B, s); trans[C](t); \
    6.85 -\ ALL x:state. f1(x):A & f(x):A & g(x):B; k:C |] ==> \
    6.86 -\ F:{x:state. <k, h(f(x), g(x))>:t} LeadsTo {x:state. <k, h(f1(x), g(x))>:t}";
    6.87 +\ \\<forall>x \\<in> state. f1(x):A & f(x):A & g(x):B; k \\<in> C |] ==> \
    6.88 +\ F:{x \\<in> state. <k, h(f(x), g(x))> \\<in> t} LeadsTo {x \\<in> state. <k, h(f1(x), g(x))> \\<in> t}";
    6.89  by (rtac single_LeadsTo_I 1);
    6.90  by Auto_tac;
    6.91  by (dres_inst_tac [("x", "g(sa)"), ("A","B")] bspec 1);
    6.92 @@ -97,11 +97,11 @@
    6.93  qed "imp_LeadsTo_comp_right";
    6.94  
    6.95  Goalw [mono2_def, Increasing_def]
    6.96 -"[| F:Increasing(A, r, f); \
    6.97 -\ ALL j:B. F: {x:state. <j, g(x)>:s} LeadsTo {x:state. <j,g1(x)>:s}; \
    6.98 +"[| F \\<in> Increasing(A, r, f); \
    6.99 +\ \\<forall>j \\<in> B. F: {x \\<in> state. <j, g(x)> \\<in> s} LeadsTo {x \\<in> state. <j,g1(x)> \\<in> s}; \
   6.100  \ mono2(A, r, B, s, C, t, h); refl(A,r); refl(B, s); trans[C](t); \
   6.101 -\ ALL x:state. f(x):A & g1(x):B & g(x):B; k:C |] ==> \
   6.102 -\ F:{x:state. <k, h(f(x), g(x))>:t} LeadsTo {x:state. <k, h(f(x), g1(x))>:t}";
   6.103 +\ \\<forall>x \\<in> state. f(x):A & g1(x):B & g(x):B; k \\<in> C |] ==> \
   6.104 +\ F:{x \\<in> state. <k, h(f(x), g(x))> \\<in> t} LeadsTo {x \\<in> state. <k, h(f(x), g1(x))> \\<in> t}";
   6.105  by (rtac single_LeadsTo_I 1);
   6.106  by Auto_tac;
   6.107  by (dres_inst_tac [("x", "f(sa)"),("P","%k. F \\<in> Stable(?X(k))")] bspec 1);
   6.108 @@ -124,13 +124,13 @@
   6.109  
   6.110  (**  This general result is used to prove Follows Un, munion, etc. **)
   6.111  Goal
   6.112 -"[| F:Increasing(A, r, f1) Int  Increasing(B, s, g); \
   6.113 -\ ALL j:A. F: {s:state. <j, f(s)>:r} LeadsTo {s:state. <j,f1(s)>:r}; \
   6.114 -\ ALL j:B. F: {x:state. <j, g(x)>:s} LeadsTo {x:state. <j,g1(x)>:s}; \
   6.115 +"[| F \\<in> Increasing(A, r, f1) Int  Increasing(B, s, g); \
   6.116 +\ \\<forall>j \\<in> A. F: {s \\<in> state. <j, f(s)> \\<in> r} LeadsTo {s \\<in> state. <j,f1(s)> \\<in> r}; \
   6.117 +\ \\<forall>j \\<in> B. F: {x \\<in> state. <j, g(x)> \\<in> s} LeadsTo {x \\<in> state. <j,g1(x)> \\<in> s}; \
   6.118  \ mono2(A, r, B, s, C, t, h); refl(A,r); refl(B, s); trans[C](t); \
   6.119 -\ ALL x:state. f(x):A & g1(x):B & f1(x):A &g(x):B; k:C |]\
   6.120 -\ ==> F:{x:state. <k, h(f(x), g(x))>:t} LeadsTo {x:state. <k, h(f1(x), g1(x))>:t}";
   6.121 -by (res_inst_tac [("B", "{x:state. <k, h(f1(x), g(x))>:t}")] LeadsTo_Trans 1);
   6.122 +\ \\<forall>x \\<in> state. f(x):A & g1(x):B & f1(x):A &g(x):B; k \\<in> C |]\
   6.123 +\ ==> F:{x \\<in> state. <k, h(f(x), g(x))> \\<in> t} LeadsTo {x \\<in> state. <k, h(f1(x), g1(x))> \\<in> t}";
   6.124 +by (res_inst_tac [("B", "{x \\<in> state. <k, h(f1(x), g(x))> \\<in> t}")] LeadsTo_Trans 1);
   6.125  by (blast_tac (claset() addIs [imp_LeadsTo_comp_right]) 1);
   6.126  by (blast_tac (claset() addIs [imp_LeadsTo_comp_left]) 1);
   6.127  qed "imp_LeadsTo_comp2";
   6.128 @@ -140,19 +140,19 @@
   6.129  by (blast_tac (claset() addDs [Increasing_type RS subsetD]) 1);
   6.130  qed "Follows_type";
   6.131  
   6.132 -Goal "F:Follows(A, r, f, g) ==> F:program";
   6.133 +Goal "F \\<in> Follows(A, r, f, g) ==> F \\<in> program";
   6.134  by (blast_tac (claset() addDs [Follows_type RS subsetD]) 1);
   6.135  qed "Follows_into_program";
   6.136  AddTCs [Follows_into_program];
   6.137  
   6.138  Goalw [Follows_def] 
   6.139 -"F:Follows(A, r, f, g)==> \
   6.140 -\ F:program & (EX a. a:A) & (ALL x:state. f(x):A & g(x):A)";
   6.141 +"F \\<in> Follows(A, r, f, g)==> \
   6.142 +\ F \\<in> program & (\\<exists>a. a \\<in> A) & (\\<forall>x \\<in> state. f(x):A & g(x):A)";
   6.143  by (blast_tac (claset() addDs [IncreasingD]) 1);
   6.144  qed "FollowsD";
   6.145  
   6.146  Goalw [Follows_def]
   6.147 - "[| F:program; c:A; refl(A, r) |] ==> F:Follows(A, r, %x. c, %x. c)";
   6.148 + "[| F \\<in> program; c \\<in> A; refl(A, r) |] ==> F \\<in> Follows(A, r, %x. c, %x. c)";
   6.149  by Auto_tac;
   6.150  by (auto_tac (claset(), simpset() addsimps [refl_def]));
   6.151  qed "Follows_constantI";
   6.152 @@ -171,19 +171,19 @@
   6.153  qed "subset_Follows_comp";
   6.154  
   6.155  Goal
   6.156 -"[| F:Follows(A, r, f, g);  mono1(A, r, B, s, h); refl(A, r); trans[B](s) |] \
   6.157 -\ ==>  F:Follows(B, s,  h comp f, h comp g)";
   6.158 +"[| F \\<in> Follows(A, r, f, g);  mono1(A, r, B, s, h); refl(A, r); trans[B](s) |] \
   6.159 +\ ==>  F \\<in> Follows(B, s,  h comp f, h comp g)";
   6.160  by (blast_tac (claset() addIs [subset_Follows_comp RS subsetD]) 1);
   6.161  qed "imp_Follows_comp";
   6.162  
   6.163 -(* 2-place monotone operation: this general result is used to prove Follows_Un, Follows_munion *)
   6.164 +(* 2-place monotone operation \\<in> this general result is used to prove Follows_Un, Follows_munion *)
   6.165  
   6.166 -(* 2-place monotone operation: this general result is 
   6.167 +(* 2-place monotone operation \\<in> this general result is 
   6.168     used to prove Follows_Un, Follows_munion *)
   6.169  Goalw [Follows_def] 
   6.170 -"[| F:Follows(A, r, f1, f);  F:Follows(B, s, g1, g); \
   6.171 +"[| F \\<in> Follows(A, r, f1, f);  F \\<in> Follows(B, s, g1, g); \
   6.172  \  mono2(A, r, B, s, C, t, h); refl(A,r); refl(B, s); trans[C](t) |] \
   6.173 -\  ==> F:Follows(C, t, %x. h(f1(x), g1(x)), %x. h(f(x), g(x)))";
   6.174 +\  ==> F \\<in> Follows(C, t, %x. h(f1(x), g1(x)), %x. h(f(x), g(x)))";
   6.175  by (Clarify_tac 1);
   6.176  by (forw_inst_tac [("f", "g")] IncreasingD 1);
   6.177  by (forw_inst_tac [("f", "f")] IncreasingD 1);
   6.178 @@ -206,15 +206,15 @@
   6.179  by (REPEAT(blast_tac (claset() addDs [IncreasingD]) 1));
   6.180  qed "imp_Follows_comp2";
   6.181  
   6.182 -Goal "[| F : Follows(A, r, f, g);  F: Follows(A,r, g, h); \
   6.183 -\        trans[A](r) |] ==> F : Follows(A, r, f, h)";
   6.184 +Goal "[| F \\<in> Follows(A, r, f, g);  F \\<in> Follows(A,r, g, h); \
   6.185 +\        trans[A](r) |] ==> F \\<in> Follows(A, r, f, h)";
   6.186  by (forw_inst_tac [("f", "f")] FollowsD 1);
   6.187  by (forw_inst_tac [("f", "g")] FollowsD 1);
   6.188  by (rewrite_goal_tac [Follows_def] 1);
   6.189  by (asm_full_simp_tac (simpset() 
   6.190                   addsimps [Always_eq_includes_reachable, INT_iff]) 1);
   6.191  by Auto_tac;
   6.192 -by (res_inst_tac [("B", "{s:state. <k, g(s)>:r}")] LeadsTo_Trans 2);
   6.193 +by (res_inst_tac [("B", "{s \\<in> state. <k, g(s)> \\<in> r}")] LeadsTo_Trans 2);
   6.194  by (res_inst_tac [("b", "g(x)")] trans_onD 1);
   6.195  by (REPEAT(Blast_tac 1));
   6.196  qed "Follows_trans";
   6.197 @@ -222,46 +222,46 @@
   6.198  (** Destruction rules for Follows **)
   6.199  
   6.200  Goalw [Follows_def]
   6.201 -     "F : Follows(A, r, f,g) ==> F:Increasing(A, r, f)";
   6.202 +     "F \\<in> Follows(A, r, f,g) ==> F \\<in> Increasing(A, r, f)";
   6.203  by (Blast_tac 1);
   6.204  qed "Follows_imp_Increasing_left";
   6.205  
   6.206  Goalw [Follows_def]
   6.207 -     "F : Follows(A, r, f,g) ==> F:Increasing(A, r, g)";
   6.208 +     "F \\<in> Follows(A, r, f,g) ==> F \\<in> Increasing(A, r, g)";
   6.209  by (Blast_tac 1);
   6.210  qed "Follows_imp_Increasing_right";
   6.211  
   6.212  Goalw [Follows_def]
   6.213 - "F :Follows(A, r, f, g) ==> F:Always({s:state. <f(s),g(s)>:r})";
   6.214 + "F :Follows(A, r, f, g) ==> F \\<in> Always({s \\<in> state. <f(s),g(s)> \\<in> r})";
   6.215  by (Blast_tac 1);
   6.216  qed "Follows_imp_Always";
   6.217  
   6.218  Goalw [Follows_def]
   6.219 - "[| F:Follows(A, r, f, g); k:A |]  ==> \
   6.220 -\ F: {s:state. <k,g(s)>:r } LeadsTo {s:state. <k,f(s)>:r}";
   6.221 + "[| F \\<in> Follows(A, r, f, g); k \\<in> A |]  ==> \
   6.222 +\ F: {s \\<in> state. <k,g(s)> \\<in> r } LeadsTo {s \\<in> state. <k,f(s)> \\<in> r}";
   6.223  by (Blast_tac 1);
   6.224  qed "Follows_imp_LeadsTo";
   6.225  
   6.226 -Goal "[| F : Follows(list(nat), gen_prefix(nat, Le), f, g); k:list(nat) |] \
   6.227 -\  ==> F : {s:state. k pfixLe g(s)} LeadsTo {s:state. k pfixLe f(s)}";
   6.228 +Goal "[| F \\<in> Follows(list(nat), gen_prefix(nat, Le), f, g); k \\<in> list(nat) |] \
   6.229 +\  ==> F \\<in> {s \\<in> state. k pfixLe g(s)} LeadsTo {s \\<in> state. k pfixLe f(s)}";
   6.230  by (blast_tac (claset() addIs [Follows_imp_LeadsTo]) 1);
   6.231  qed "Follows_LeadsTo_pfixLe";
   6.232  
   6.233 -Goal "[| F : Follows(list(nat), gen_prefix(nat, Ge), f, g); k:list(nat) |] \
   6.234 -\  ==> F : {s:state. k pfixGe g(s)} LeadsTo {s:state. k pfixGe f(s)}";
   6.235 +Goal "[| F \\<in> Follows(list(nat), gen_prefix(nat, Ge), f, g); k \\<in> list(nat) |] \
   6.236 +\  ==> F \\<in> {s \\<in> state. k pfixGe g(s)} LeadsTo {s \\<in> state. k pfixGe f(s)}";
   6.237  by (blast_tac (claset() addIs [Follows_imp_LeadsTo]) 1);
   6.238  qed "Follows_LeadsTo_pfixGe";
   6.239  
   6.240  Goalw  [Follows_def, Increasing_def, Stable_def]
   6.241 -"[| F:Always({s:state. f(s) = g(s)}); F:Follows(A, r, f, h);  \
   6.242 -\   ALL x:state. g(x):A |] ==> F : Follows(A, r, g, h)";
   6.243 +"[| F \\<in> Always({s \\<in> state. f(s) = g(s)}); F \\<in> Follows(A, r, f, h);  \
   6.244 +\   \\<forall>x \\<in> state. g(x):A |] ==> F \\<in> Follows(A, r, g, h)";
   6.245  by (asm_full_simp_tac (simpset() addsimps [INT_iff]) 1);
   6.246  by Auto_tac;
   6.247 -by (res_inst_tac [("C", "{s:state. f(s)=g(s)}"),
   6.248 -                 ("A", "{s:state. <ka, h(s)>:r}"),
   6.249 -                 ("A'", "{s:state. <ka, f(s)>:r}")] Always_LeadsTo_weaken 3);
   6.250 -by (eres_inst_tac [("A", "{s:state. <ka,f(s)>:r}"), 
   6.251 -                   ("A'", "{s:state. <ka,f(s)>:r}")] 
   6.252 +by (res_inst_tac [("C", "{s \\<in> state. f(s)=g(s)}"),
   6.253 +                 ("A", "{s \\<in> state. <ka, h(s)> \\<in> r}"),
   6.254 +                 ("A'", "{s \\<in> state. <ka, f(s)> \\<in> r}")] Always_LeadsTo_weaken 3);
   6.255 +by (eres_inst_tac [("A", "{s \\<in> state. <ka,f(s)> \\<in> r}"), 
   6.256 +                   ("A'", "{s \\<in> state. <ka,f(s)> \\<in> r}")] 
   6.257                    Always_Constrains_weaken 1);
   6.258  by Auto_tac;
   6.259  by (dtac Always_Int_I 1);
   6.260 @@ -271,16 +271,16 @@
   6.261  qed "Always_Follows1";
   6.262  
   6.263  Goalw [Follows_def, Increasing_def, Stable_def]
   6.264 -"[| F : Always({s:state. g(s) = h(s)}); \
   6.265 -\ F: Follows(A, r, f, g); ALL x:state. h(x):A |] ==> F : Follows(A, r, f, h)";
   6.266 +"[| F \\<in> Always({s \\<in> state. g(s) = h(s)}); \
   6.267 +\ F \\<in> Follows(A, r, f, g); \\<forall>x \\<in> state. h(x):A |] ==> F \\<in> Follows(A, r, f, h)";
   6.268  by (full_simp_tac (simpset() addsimps [INT_iff]) 1);
   6.269  by Auto_tac;
   6.270 -by (thin_tac "k:A" 3);
   6.271 -by (res_inst_tac [("C", "{s:state. g(s)=h(s)}"),
   6.272 -                  ("A", "{s:state. <ka, g(s)>:r}"),
   6.273 -                  ("A'", "{s:state. <ka, f(s)>:r}")] Always_LeadsTo_weaken 3);
   6.274 -by (eres_inst_tac [("A", "{s:state. <ka, g(s)>:r}"), 
   6.275 -                   ("A'", "{s:state. <ka, g(s)>:r}")] 
   6.276 +by (thin_tac "k \\<in> A" 3);
   6.277 +by (res_inst_tac [("C", "{s \\<in> state. g(s)=h(s)}"),
   6.278 +                  ("A", "{s \\<in> state. <ka, g(s)> \\<in> r}"),
   6.279 +                  ("A'", "{s \\<in> state. <ka, f(s)> \\<in> r}")] Always_LeadsTo_weaken 3);
   6.280 +by (eres_inst_tac [("A", "{s \\<in> state. <ka, g(s)> \\<in> r}"), 
   6.281 +                   ("A'", "{s \\<in> state. <ka, g(s)> \\<in> r}")] 
   6.282                    Always_Constrains_weaken 1);
   6.283  by Auto_tac;
   6.284  by (dtac Always_Int_I 1);
   6.285 @@ -311,31 +311,31 @@
   6.286  qed "part_order_SetLe";
   6.287  Addsimps [part_order_SetLe];
   6.288  
   6.289 -Goal "[| F: Increasing.increasing(Pow(A), SetLe(A), f);  \
   6.290 -\        F: Increasing.increasing(Pow(A), SetLe(A), g) |] \
   6.291 -\    ==> F : Increasing.increasing(Pow(A), SetLe(A), %x. f(x) Un g(x))";
   6.292 +Goal "[| F \\<in> Increasing.increasing(Pow(A), SetLe(A), f);  \
   6.293 +\        F \\<in> Increasing.increasing(Pow(A), SetLe(A), g) |] \
   6.294 +\    ==> F \\<in> Increasing.increasing(Pow(A), SetLe(A), %x. f(x) Un g(x))";
   6.295  by (res_inst_tac [("h", "op Un")] imp_increasing_comp2 1);
   6.296  by Auto_tac;
   6.297  qed "increasing_Un";
   6.298  
   6.299 -Goal "[| F: Increasing(Pow(A), SetLe(A), f);  \
   6.300 -\        F: Increasing(Pow(A), SetLe(A), g) |] \
   6.301 -\    ==> F : Increasing(Pow(A), SetLe(A), %x. f(x) Un g(x))";
   6.302 +Goal "[| F \\<in> Increasing(Pow(A), SetLe(A), f);  \
   6.303 +\        F \\<in> Increasing(Pow(A), SetLe(A), g) |] \
   6.304 +\    ==> F \\<in> Increasing(Pow(A), SetLe(A), %x. f(x) Un g(x))";
   6.305  by (res_inst_tac [("h", "op Un")] imp_Increasing_comp2 1);
   6.306  by Auto_tac;
   6.307  qed "Increasing_Un";
   6.308  
   6.309 -Goal "[| F:Always({s:state. f1(s) <= f(s)}); \
   6.310 -\    F : Always({s:state. g1(s) <= g(s)}) |] \
   6.311 -\     ==> F : Always({s:state. f1(s) Un g1(s) <= f(s) Un g(s)})";
   6.312 +Goal "[| F \\<in> Always({s \\<in> state. f1(s) <= f(s)}); \
   6.313 +\    F \\<in> Always({s \\<in> state. g1(s) <= g(s)}) |] \
   6.314 +\     ==> F \\<in> Always({s \\<in> state. f1(s) Un g1(s) <= f(s) Un g(s)})";
   6.315  by (asm_full_simp_tac (simpset() addsimps [Always_eq_includes_reachable]) 1);
   6.316  by (Blast_tac 1);
   6.317  qed "Always_Un";
   6.318  
   6.319  Goal
   6.320 -"[| F:Follows(Pow(A), SetLe(A), f1, f); \
   6.321 -\    F:Follows(Pow(A), SetLe(A), g1, g) |] \
   6.322 -\    ==> F:Follows(Pow(A), SetLe(A), %s. f1(s) Un g1(s), %s. f(s) Un g(s))";
   6.323 +"[| F \\<in> Follows(Pow(A), SetLe(A), f1, f); \
   6.324 +\    F \\<in> Follows(Pow(A), SetLe(A), g1, g) |] \
   6.325 +\    ==> F \\<in> Follows(Pow(A), SetLe(A), %s. f1(s) Un g1(s), %s. f(s) Un g(s))";
   6.326  by (res_inst_tac [("h", "op Un")] imp_Follows_comp2 1);
   6.327  by Auto_tac;
   6.328  qed "Follows_Un";
   6.329 @@ -348,13 +348,13 @@
   6.330  Addsimps [refl_MultLe];
   6.331  
   6.332  Goalw [MultLe_def, id_def, lam_def]
   6.333 - "[| multiset(M); mset_of(M)<=A |] ==> <M, M>:MultLe(A, r)";
   6.334 + "[| multiset(M); mset_of(M)<=A |] ==> <M, M> \\<in> MultLe(A, r)";
   6.335  by (auto_tac (claset(), simpset() addsimps [Mult_iff_multiset]));
   6.336  qed "MultLe_refl1";
   6.337  Addsimps [MultLe_refl1];
   6.338  
   6.339  Goalw [MultLe_def, id_def, lam_def]
   6.340 - "M:Mult(A) ==> <M, M>:MultLe(A, r)";
   6.341 + "M \\<in> Mult(A) ==> <M, M> \\<in> MultLe(A, r)";
   6.342  by Auto_tac;
   6.343  qed "MultLe_refl2";
   6.344  Addsimps [MultLe_refl2];
   6.345 @@ -370,7 +370,7 @@
   6.346  by Auto_tac;
   6.347  qed "MultLe_type";
   6.348  
   6.349 -Goal "[| <M, K>:MultLe(A, r); <K, N>:MultLe(A, r) |] ==> <M, N>:MultLe(A,r)";
   6.350 +Goal "[| <M, K> \\<in> MultLe(A, r); <K, N> \\<in> MultLe(A, r) |] ==> <M, N> \\<in> MultLe(A,r)";
   6.351  by (cut_facts_tac [inst "A" "A" trans_on_MultLe] 1);
   6.352  by (dtac trans_onD 1);
   6.353  by (assume_tac 1);
   6.354 @@ -406,23 +406,23 @@
   6.355  Addsimps [part_order_MultLe];
   6.356  
   6.357  Goalw [MultLe_def]
   6.358 -"[| multiset(M); mset_of(M)<= A|] ==> <0, M>:MultLe(A, r)";
   6.359 +"[| multiset(M); mset_of(M)<= A|] ==> <0, M> \\<in> MultLe(A, r)";
   6.360  by (case_tac "M=0" 1);
   6.361  by (auto_tac (claset(), simpset() addsimps (thms"FiniteFun.intros")));
   6.362 -by (subgoal_tac "<0 +# 0, 0 +# M>:multirel(A, r - id(A))" 1);
   6.363 +by (subgoal_tac "<0 +# 0, 0 +# M> \\<in> multirel(A, r - id(A))" 1);
   6.364  by (rtac one_step_implies_multirel 2);
   6.365  by (auto_tac (claset(), simpset() addsimps [Mult_iff_multiset]));
   6.366  qed "empty_le_MultLe";
   6.367  Addsimps [empty_le_MultLe];
   6.368  
   6.369 -Goal "M:Mult(A) ==> <0, M>:MultLe(A, r)";
   6.370 +Goal "M \\<in> Mult(A) ==> <0, M> \\<in> MultLe(A, r)";
   6.371  by (asm_full_simp_tac (simpset() addsimps [Mult_iff_multiset]) 1);
   6.372  qed "empty_le_MultLe2";
   6.373  Addsimps [empty_le_MultLe2];
   6.374  
   6.375  Goalw [MultLe_def] 
   6.376 -"[| <M, N>:MultLe(A, r); <K, L>:MultLe(A, r) |] ==>\
   6.377 -\ <M +# K, N +# L>:MultLe(A, r)";
   6.378 +"[| <M, N> \\<in> MultLe(A, r); <K, L> \\<in> MultLe(A, r) |] ==>\
   6.379 +\ <M +# K, N +# L> \\<in> MultLe(A, r)";
   6.380  by (auto_tac (claset() addIs [munion_multirel_mono1, 
   6.381                                munion_multirel_mono2,
   6.382                                munion_multirel_mono,
   6.383 @@ -430,25 +430,25 @@
   6.384                 simpset() addsimps [Mult_iff_multiset]));
   6.385  qed "munion_mono";
   6.386  
   6.387 -Goal "[| F:Increasing.increasing(Mult(A), MultLe(A,r), f);  \
   6.388 -\        F:Increasing.increasing(Mult(A), MultLe(A,r), g) |] \
   6.389 -\    ==> F : Increasing.increasing(Mult(A),MultLe(A,r), %x. f(x) +# g(x))";
   6.390 +Goal "[| F \\<in> Increasing.increasing(Mult(A), MultLe(A,r), f);  \
   6.391 +\        F \\<in> Increasing.increasing(Mult(A), MultLe(A,r), g) |] \
   6.392 +\    ==> F \\<in> Increasing.increasing(Mult(A),MultLe(A,r), %x. f(x) +# g(x))";
   6.393  by (res_inst_tac [("h", "munion")] imp_increasing_comp2 1);
   6.394  by Auto_tac;
   6.395  qed "increasing_munion";
   6.396  
   6.397 -Goal "[| F:Increasing(Mult(A), MultLe(A,r), f);  \
   6.398 -\        F:Increasing(Mult(A), MultLe(A,r), g)|] \
   6.399 -\    ==> F : Increasing(Mult(A),MultLe(A,r), %x. f(x) +# g(x))";
   6.400 +Goal "[| F \\<in> Increasing(Mult(A), MultLe(A,r), f);  \
   6.401 +\        F \\<in> Increasing(Mult(A), MultLe(A,r), g)|] \
   6.402 +\    ==> F \\<in> Increasing(Mult(A),MultLe(A,r), %x. f(x) +# g(x))";
   6.403  by (res_inst_tac [("h", "munion")] imp_Increasing_comp2 1);
   6.404  by Auto_tac;
   6.405  qed "Increasing_munion";
   6.406  
   6.407  Goal
   6.408 -"[| F:Always({s:state. <f1(s),f(s)>:MultLe(A,r)}); \
   6.409 -\         F:Always({s:state. <g1(s), g(s)>:MultLe(A,r)});\
   6.410 -\ ALL x:state. f1(x):Mult(A)&f(x):Mult(A) & g1(x):Mult(A) & g(x):Mult(A)|] \
   6.411 -\     ==> F : Always({s:state. <f1(s) +# g1(s), f(s) +# g(s)>:MultLe(A,r)})";
   6.412 +"[| F \\<in> Always({s \\<in> state. <f1(s),f(s)> \\<in> MultLe(A,r)}); \
   6.413 +\         F \\<in> Always({s \\<in> state. <g1(s), g(s)> \\<in> MultLe(A,r)});\
   6.414 +\ \\<forall>x \\<in> state. f1(x):Mult(A)&f(x):Mult(A) & g1(x):Mult(A) & g(x):Mult(A)|] \
   6.415 +\     ==> F \\<in> Always({s \\<in> state. <f1(s) +# g1(s), f(s) +# g(s)> \\<in> MultLe(A,r)})";
   6.416  by (res_inst_tac [("h", "munion")] imp_Always_comp2 1);
   6.417  by (ALLGOALS(Asm_full_simp_tac));
   6.418  by (blast_tac (claset() addIs [munion_mono]) 1);
   6.419 @@ -456,9 +456,9 @@
   6.420  qed "Always_munion";
   6.421  
   6.422  Goal
   6.423 -"[| F:Follows(Mult(A), MultLe(A, r), f1, f); \
   6.424 -\   F:Follows(Mult(A), MultLe(A, r), g1, g) |] \
   6.425 -\ ==> F:Follows(Mult(A), MultLe(A, r), %s. f1(s) +# g1(s), %s. f(s) +# g(s))";
   6.426 +"[| F \\<in> Follows(Mult(A), MultLe(A, r), f1, f); \
   6.427 +\   F \\<in> Follows(Mult(A), MultLe(A, r), g1, g) |] \
   6.428 +\ ==> F \\<in> Follows(Mult(A), MultLe(A, r), %s. f1(s) +# g1(s), %s. f(s) +# g(s))";
   6.429  by (res_inst_tac [("h", "munion")] imp_Follows_comp2 1);
   6.430  by Auto_tac;
   6.431  qed "Follows_munion";
   6.432 @@ -466,11 +466,11 @@
   6.433  (** Used in ClientImp **)
   6.434  
   6.435  Goal 
   6.436 -"!!f. [| ALL i:I. F : Follows(Mult(A), MultLe(A, r), f'(i), f(i)); \
   6.437 -\ ALL s. ALL i:I. multiset(f'(i, s)) & mset_of(f'(i, s))<=A & \
   6.438 +"!!f. [| \\<forall>i \\<in> I. F \\<in> Follows(Mult(A), MultLe(A, r), f'(i), f(i)); \
   6.439 +\ \\<forall>s. \\<forall>i \\<in> I. multiset(f'(i, s)) & mset_of(f'(i, s))<=A & \
   6.440  \                       multiset(f(i, s)) & mset_of(f(i, s))<=A ; \
   6.441 -\  Finite(I); F:program |] \
   6.442 -\       ==> F : Follows(Mult(A), \
   6.443 +\  Finite(I); F \\<in> program |] \
   6.444 +\       ==> F \\<in> Follows(Mult(A), \
   6.445  \                       MultLe(A, r), %x. msetsum(%i. f'(i, x), I, A), \
   6.446  \                                     %x. msetsum(%i. f(i,  x), I, A))";
   6.447  by (etac rev_mp 1);
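--- a/src/ZF/UNITY/GenPrefix.ML	Mon Jul 07 17:58:21 2003 +0200
+++ b/src/ZF/UNITY/GenPrefix.ML	Tue Jul 08 11:44:30 2003 +0200
@@ -1,5 +1,5 @@
 (*  Title:      ZF/UNITY/GenPrefix.ML
-    ID:         $Id$
+    ID:         $Id \\<in> GenPrefix.ML,v 1.8 2003/06/20 16:13:16 paulson Exp $
     Author:     Sidi O Ehmety, Cambridge University Computer Laboratory
     Copyright   2001  University of Cambridge
 
@@ -224,14 +224,14 @@
 Addsimps [same_gen_prefix_gen_prefix];
 
 Goal "[| xs \\<in> list(A); ys \\<in> list(A); y \\<in> A |] ==> \
-\   <xs, Cons(y,ys)> : gen_prefix(A,r)  <-> \
+\   <xs, Cons(y,ys)> \\<in> gen_prefix(A,r)  <-> \
 \     (xs=[] | (\\<exists>z zs. xs=Cons(z,zs) & z \\<in> A & <z,y>:r & <zs,ys> \\<in> gen_prefix(A,r)))";
 by (induct_tac "xs" 1);
 by Auto_tac;
 qed "gen_prefix_Cons";
 
 Goal "[| refl(A,r);  <xs,ys> \\<in> gen_prefix(A, r); zs \\<in> list(A) |] \
-\     ==>  <xs@zs, take(length(xs), ys) @ zs> : gen_prefix(A, r)";
+\     ==>  <xs@zs, take(length(xs), ys) @ zs> \\<in> gen_prefix(A, r)";
 by (etac gen_prefix.induct 1);
 by (Asm_simp_tac 1);
 by (ALLGOALS(forward_tac [gen_prefix.dom_subset RS subsetD]));
@@ -244,7 +244,7 @@
 
 Goal "[| refl(A, r);  <xs,ys> \\<in> gen_prefix(A,r);   \
 \        length(xs) = length(ys); zs \\<in> list(A) |] \
-\     ==>  <xs@zs, ys @ zs> : gen_prefix(A, r)";
+\     ==>  <xs@zs, ys @ zs> \\<in> gen_prefix(A, r)";
 by (dres_inst_tac [("zs", "zs")]  gen_prefix_take_append 1);
 by (REPEAT(assume_tac 1));
 by (subgoal_tac "take(length(xs), ys)=ys" 1);
@@ -326,7 +326,7 @@
 by (force_tac (claset() addSIs [nat_0_le], simpset() addsimps [lt_nat_in_nat]) 1); 
 qed_spec_mp "nth_imp_gen_prefix";
 
-Goal "(<xs,ys> : gen_prefix(A,r)) <-> \
+Goal "(<xs,ys> \\<in> gen_prefix(A,r)) <-> \
 \     (xs \\<in> list(A) & ys \\<in> list(A) & length(xs) \\<le> length(ys) & \
 \     (\\<forall>i. i < length(xs) --> <nth(i,xs), nth(i, ys)>: r))";
 by (rtac iffI 1);
@@ -436,7 +436,7 @@
 qed "prefix_length_le";
 
 Goalw [prefix_def] 
-"<xs,ys> \\<in> prefix(A) ==> xs~=ys --> length(xs) < length(ys)";
+"<xs,ys> \\<in> prefix(A) ==> xs\\<noteq>ys --> length(xs) < length(ys)";
 by (etac gen_prefix.induct 1);
 by (Clarify_tac 1);
 by (ALLGOALS(subgoal_tac "ys \\<in> list(A)&xs \\<in> list(A)"));
@@ -532,7 +532,7 @@
 qed "common_prefix_linear";
 
 
-(*** pfixLe, pfixGe: properties inherited from the translations ***)
+(*** pfixLe, pfixGe \\<in> properties inherited from the translations ***)
 
 
 
@@ -618,7 +618,7 @@
 by (rtac (gen_prefix_mono RS subsetD) 1);
 by Auto_tac;
 qed "prefix_imp_pfixGe";
-(* Added by Sidi: prefix and take *)
+(* Added by Sidi \\<in> prefix and take *)
 
 Goalw [prefix_def]
 "<xs, ys> \\<in> prefix(A) ==> xs = take(length(xs), ys)";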
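Review bot: The header line `    ID:         $Id \\<in> GenPrefix.ML,v 1.8 2003/06/20 16:13:16 paulson Exp $` in the first hunk is an expanded CVS keyword whose colon was rewritten along with the logic, so it is no longer recognised as `$Id$` and will stop being updated on later commits; the X-symbol substitution was evidently applied to the whole file rather than to goal strings only. The same replacement changed two plain comments where the colon was punctuation, not membership: `(*** pfixLe, pfixGe \\<in> properties inherited from the translations ***)` and `(* Added by Sidi \\<in> prefix and take *)`. I would restore `    ID:         $Id$` and put the colons back in those two comments. The Guar.ML and Increasing.ML sections of this commit carry the same rewritten `$Id` line and should get the same fix.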
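--- a/src/ZF/UNITY/Guar.ML	Mon Jul 07 17:58:21 2003 +0200
+++ b/src/ZF/UNITY/Guar.ML	Tue Jul 08 11:44:30 2003 +0200
@@ -1,5 +1,5 @@
 (*  Title:      ZF/UNITY/Guar.ML
-    ID:         $Id$
+    ID:         $Id \\<in> Guar.ML,v 1.8 2003/06/27 11:15:41 paulson Exp $
     Author:     Sidi O Ehmety, Computer Laboratory
     Copyright   2001  University of Cambridge
 
@@ -12,7 +12,7 @@
 *)
 
 Goal "OK(cons(i, I), F) <-> \
-\ (i:I & OK(I, F)) | (i~:I & OK(I, F) & F(i) ok JOIN(I,F))";
+\ (i \\<in> I & OK(I, F)) | (i\\<notin>I & OK(I, F) & F(i) ok JOIN(I,F))";
 by (asm_full_simp_tac (simpset() addsimps [OK_iff_ok]) 1);
 (** Auto_tac proves the goal in one-step, but takes more time **)
 by Safe_tac;
@@ -23,13 +23,13 @@
 
 (*** existential properties ***)
 
-Goalw [ex_prop_def] "ex_prop(X) ==> X<=program";
+Goalw [ex_prop_def] "ex_prop(X) ==> X\\<subseteq>program";
 by (Asm_simp_tac 1);
 qed "ex_imp_subset_program";
 
 Goalw [ex_prop_def]
- "GG:Fin(program) ==> (ex_prop(X) \
-\ --> GG Int X~=0 --> OK(GG, (%G. G)) -->(JN G:GG. G):X)";
+ "GG \\<in> Fin(program) ==> (ex_prop(X) \
+\ --> GG Int X\\<noteq>0 --> OK(GG, (%G. G)) -->(\\<Squnion>G \\<in> GG. G):X)";
 by (etac Fin_induct 1);
 by (ALLGOALS(asm_full_simp_tac 
          (simpset() addsimps [OK_cons_iff])));
@@ -40,8 +40,8 @@
 qed_spec_mp "ex1";
 
 Goalw [ex_prop_def]
-"X<=program ==> \
-\(ALL GG. GG:Fin(program) & GG Int X ~= 0 --> OK(GG,(%G. G))-->(JN G:GG. G):X)\
+"X\\<subseteq>program ==> \
+\(\\<forall>GG. GG \\<in> Fin(program) & GG Int X \\<noteq> 0 --> OK(GG,(%G. G))-->(\\<Squnion>G \\<in> GG. G):X)\
 \  --> ex_prop(X)";
 by (Clarify_tac 1);
 by (dres_inst_tac [("x", "{F,G}")] spec 1);
@@ -52,8 +52,8 @@
 
 (*Chandy & Sanders take this as a definition*)
 
-Goal "ex_prop(X) <-> (X<=program & \
-\ (ALL GG. GG:Fin(program) & GG Int X ~= 0& OK(GG,( %G. G))-->(JN G:GG. G):X))";
+Goal "ex_prop(X) <-> (X\\<subseteq>program & \
+\ (\\<forall>GG. GG \\<in> Fin(program) & GG Int X \\<noteq> 0& OK(GG,( %G. G))-->(\\<Squnion>G \\<in> GG. G):X))";
 by Auto_tac;
 by (ALLGOALS(blast_tac (claset() addIs [ex1, ex2 RS mp] 
                                  addDs [ex_imp_subset_program])));
@@ -62,7 +62,7 @@
 (* Equivalent definition of ex_prop given at the end of section 3*)
 Goalw [ex_prop_def, component_of_def]
 "ex_prop(X) <-> \
-\ X<=program & (ALL G:program. (G:X <-> (ALL H:program. (G component_of H) --> H:X)))";
+\ X\\<subseteq>program & (\\<forall>G \\<in> program. (G \\<in> X <-> (\\<forall>H \\<in> program. (G component_of H) --> H \\<in> X)))";
 by Safe_tac;
 by (stac Join_commute 4);
 by (dtac  ok_sym 4);
@@ -74,21 +74,21 @@
 
 (*** universal properties ***)
 
-Goalw [uv_prop_def] "uv_prop(X)==> X<=program";
+Goalw [uv_prop_def] "uv_prop(X)==> X\\<subseteq>program";
 by (Asm_simp_tac 1);
 qed "uv_imp_subset_program";
 
 Goalw [uv_prop_def]
-     "GG:Fin(program) ==> \
-\ (uv_prop(X)--> GG <= X & OK(GG, (%G. G)) --> (JN G:GG. G):X)";
+     "GG \\<in> Fin(program) ==> \
+\ (uv_prop(X)--> GG \\<subseteq> X & OK(GG, (%G. G)) --> (\\<Squnion>G \\<in> GG. G):X)";
 by (etac Fin_induct 1);
 by (auto_tac (claset(), simpset() addsimps 
            [OK_cons_iff]));
 qed_spec_mp "uv1";
 
 Goalw [uv_prop_def]
-"X<=program  ==> (ALL GG. GG:Fin(program) & GG <= X & OK(GG,(%G. G)) \
-\ --> (JN G:GG. G):X)  --> uv_prop(X)";
+"X\\<subseteq>program  ==> (\\<forall>GG. GG \\<in> Fin(program) & GG \\<subseteq> X & OK(GG,(%G. G)) \
+\ --> (\\<Squnion>G \\<in> GG. G):X)  --> uv_prop(X)";
 by Auto_tac;
 by (Clarify_tac 2);
 by (dres_inst_tac [("x", "{F,G}")] spec 2);
@@ -99,8 +99,8 @@
 
 (*Chandy & Sanders take this as a definition*)
 Goal 
-"uv_prop(X) <-> X<=program & \
-\ (ALL GG. GG:Fin(program) & GG <= X & OK(GG, %G. G) --> (JN G:GG. G): X)";
+"uv_prop(X) <-> X\\<subseteq>program & \
+\ (\\<forall>GG. GG \\<in> Fin(program) & GG \\<subseteq> X & OK(GG, %G. G) --> (\\<Squnion>G \\<in> GG. G): X)";
 by Auto_tac;
 by (REPEAT(blast_tac (claset() addIs [uv1,uv2 RS mp]
                                addDs [uv_imp_subset_program]) 1));
@@ -108,41 +108,41 @@
 
 (*** guarantees ***)
 val major::prems = Goal
-     "[| (!!G. [| F ok G; F Join G:X; G:program |] ==> F Join G : Y); F:program |]  \
-\   ==> F : X guarantees Y";
+     "[| (!!G. [| F ok G; F Join G \\<in> X; G \\<in> program |] ==> F Join G \\<in> Y); F \\<in> program |]  \
+\   ==> F \\<in> X guarantees Y";
 by (cut_facts_tac prems 1);
 by (simp_tac (simpset() addsimps [guar_def, component_def]) 1);
 by (blast_tac (claset() addIs [major]) 1);
 qed "guaranteesI";
 
 Goalw [guar_def, component_def]
-     "[| F : X guarantees Y;  F ok G;  F Join G:X; G:program |] \
-\     ==> F Join G : Y";
+     "[| F \\<in> X guarantees Y;  F ok G;  F Join G \\<in> X; G \\<in> program |] \
+\     ==> F Join G \\<in> Y";
 by (Asm_full_simp_tac 1);
 qed "guaranteesD";
 
 (*This version of guaranteesD matches more easily in the conclusion
-  The major premise can no longer be  F<=H since we need to reason about G*)
+  The major premise can no longer be  F\\<subseteq>H since we need to reason about G*)
 
 Goalw [guar_def]
-     "[| F : X guarantees Y;  F Join G = H;  H : X;  F ok G; G:program |] \
-\     ==> H : Y";
+     "[| F \\<in> X guarantees Y;  F Join G = H;  H \\<in> X;  F ok G; G \\<in> program |] \
+\     ==> H \\<in> Y";
 by (Blast_tac 1);
 qed "component_guaranteesD";
 
 Goalw [guar_def]
-     "[| F: X guarantees X'; Y <= X; X' <= Y' |] ==> F: Y guarantees Y'";
+     "[| F \\<in> X guarantees X'; Y \\<subseteq> X; X' \\<subseteq> Y' |] ==> F \\<in> Y guarantees Y'";
 by Auto_tac;
 qed "guarantees_weaken";
 
-Goalw [guar_def] "X <= Y \
+Goalw [guar_def] "X \\<subseteq> Y \
 \  ==> X guarantees Y = program";
 by (Blast_tac 1);
 qed "subset_imp_guarantees_program";
 
 (*Equivalent to subset_imp_guarantees_UNIV but more intuitive*)
-Goalw [guar_def] "[| X <= Y; F:program |] \
-\  ==> F : X guarantees Y";
+Goalw [guar_def] "[| X \\<subseteq> Y; F \\<in> program |] \
+\  ==> F \\<in> X guarantees Y";
 by (Blast_tac 1);
 qed "subset_imp_guarantees";
 
@@ -189,7 +189,7 @@
 (** Distributive laws.  Re-orient to perform miniscoping **)
 
 Goalw [guar_def]
-     "i:I ==>(UN i:I. X(i)) guarantees Y = (INT i:I. X(i) guarantees Y)";
+     "i \\<in> I ==>(\\<Union>i \\<in> I. X(i)) guarantees Y = (\\<Inter>i \\<in> I. X(i) guarantees Y)";
 by (rtac equalityI 1);
 by Safe_tac;
 by (Force_tac 2);
@@ -204,7 +204,7 @@
 qed "guarantees_Un_left";
 
 Goalw [guar_def]
-     "i:I ==> X guarantees (INT i:I. Y(i)) = (INT i:I. X guarantees Y(i))";
+     "i \\<in> I ==> X guarantees (\\<Inter>i \\<in> I. Y(i)) = (\\<Inter>i \\<in> I. X guarantees Y(i))";
 by (rtac equalityI 1);
 by Safe_tac;
 by (REPEAT(Blast_tac 1));
@@ -215,13 +215,13 @@
 by (Blast_tac 1);
 qed "guarantees_Int_right";
 
-Goal "[| F : Z guarantees X;  F : Z guarantees Y |] \
-\    ==> F : Z guarantees (X Int Y)";
+Goal "[| F \\<in> Z guarantees X;  F \\<in> Z guarantees Y |] \
+\    ==> F \\<in> Z guarantees (X Int Y)";
 by (asm_simp_tac (simpset() addsimps [guarantees_Int_right]) 1);
 qed "guarantees_Int_right_I";
 
-Goal "i:I==> (F : X guarantees (INT i:I. Y(i))) <-> \
-\     (ALL i:I. F : X guarantees Y(i))";
+Goal "i \\<in> I==> (F \\<in> X guarantees (\\<Inter>i \\<in> I. Y(i))) <-> \
+\     (\\<forall>i \\<in> I. F \\<in> X guarantees Y(i))";
 by (asm_simp_tac (simpset() addsimps [guarantees_INT_right, INT_iff]) 1);
 by (Blast_tac 1);
 qed "guarantees_INT_right_iff";
@@ -240,14 +240,14 @@
 **)
 
 Goalw [guar_def]
-    "[| F : V guarantees X;  F : (X Int Y) guarantees Z |]\
-\    ==> F : (V Int Y) guarantees Z";
+    "[| F \\<in> V guarantees X;  F \\<in> (X Int Y) guarantees Z |]\
+\    ==> F \\<in> (V Int Y) guarantees Z";
 by (Blast_tac 1);
 qed "combining1";
 
 Goalw [guar_def]
-    "[| F : V guarantees (X Un Y);  F : Y guarantees Z |]\
-\    ==> F : V guarantees (X Un Z)";
+    "[| F \\<in> V guarantees (X Un Y);  F \\<in> Y guarantees Z |]\
+\    ==> F \\<in> V guarantees (X Un Z)";
 by (Blast_tac 1);
 qed "combining2";
 
@@ -255,16 +255,16 @@
 (** The following two follow Chandy-Sanders, but the use of object-quantifiers
     does not suit Isabelle... **)
 
-(*Premise should be (!!i. i: I ==> F: X guarantees Y i) *)
+(*Premise should be (!!i. i \\<in> I ==> F \\<in> X guarantees Y i) *)
 Goalw [guar_def]
-     "[| ALL i:I. F : X guarantees Y(i); i:I |] \
-\   ==> F : X guarantees (INT i:I. Y(i))";
+     "[| \\<forall>i \\<in> I. F \\<in> X guarantees Y(i); i \\<in> I |] \
+\   ==> F \\<in> X guarantees (\\<Inter>i \\<in> I. Y(i))";
 by (Blast_tac 1);
 qed "all_guarantees";
 
-(*Premises should be [| F: X guarantees Y i; i: I |] *)
+(*Premises should be [| F \\<in> X guarantees Y i; i \\<in> I |] *)
 Goalw [guar_def]
-     "EX i:I. F : X guarantees Y(i) ==> F : X guarantees (UN i:I. Y(i))";
+     "\\<exists>i \\<in> I. F \\<in> X guarantees Y(i) ==> F \\<in> X guarantees (\\<Union>i \\<in> I. Y(i))";
 by (Blast_tac 1);
 qed "ex_guarantees";
 
@@ -272,7 +272,7 @@
 (*** Additional guarantees laws, by lcp ***)
 
 Goalw [guar_def]
-    "[| F: U guarantees V;  G: X guarantees Y; F ok G |] \
+    "[| F \\<in> U guarantees V;  G \\<in> X guarantees Y; F ok G |] \
 \    ==> F Join G: (U Int X) guarantees (V Int Y)"; 
 by (Simp_tac 1);
 by Safe_tac;
@@ -283,7 +283,7 @@
 qed "guarantees_Join_Int";
 
 Goalw [guar_def]
-    "[| F: U guarantees V;  G: X guarantees Y; F ok G |]  \
+    "[| F \\<in> U guarantees V;  G \\<in> X guarantees Y; F ok G |]  \
 \    ==> F Join G: (U Un X) guarantees (V Un Y)";
 by (Simp_tac 1);
 by Safe_tac;
@@ -297,23 +297,23 @@
 qed "guarantees_Join_Un";
 
 Goalw [guar_def]
-     "[| ALL i:I. F(i) : X(i) guarantees Y(i);  OK(I,F); i:I |] \
-\     ==> (JN i:I. F(i)) : (INT i:I. X(i)) guarantees (INT i:I. Y(i))";
+     "[| \\<forall>i \\<in> I. F(i) \\<in> X(i) guarantees Y(i);  OK(I,F); i \\<in> I |] \
+\     ==> (\\<Squnion>i \\<in> I. F(i)) \\<in> (\\<Inter>i \\<in> I. X(i)) guarantees (\\<Inter>i \\<in> I. Y(i))";
 by Safe_tac;
 by (Blast_tac 2);
 by (dres_inst_tac [("x", "xa")] bspec 1);
 by (ALLGOALS(asm_full_simp_tac (simpset() addsimps [INT_iff])));
 by Safe_tac;
 by (rotate_tac ~1 1);
-by (dres_inst_tac [("x", "(JN x:(I-{xa}). F(x)) Join G")] bspec 1);
+by (dres_inst_tac [("x", "(\\<Squnion>x \\<in> (I-{xa}). F(x)) Join G")] bspec 1);
 by (auto_tac
     (claset() addIs [OK_imp_ok],
      simpset() addsimps [Join_assoc RS sym, JN_Join_diff, JN_absorb]));
 qed "guarantees_JN_INT";
 
 Goalw [guar_def]
-    "[| ALL i:I. F(i) : X(i) guarantees Y(i);  OK(I,F) |] \
-\    ==> JOIN(I,F) : (UN i:I. X(i)) guarantees (UN i:I. Y(i))";
+    "[| \\<forall>i \\<in> I. F(i) \\<in> X(i) guarantees Y(i);  OK(I,F) |] \
+\    ==> JOIN(I,F) \\<in> (\\<Union>i \\<in> I. X(i)) guarantees (\\<Union>i \\<in> I. Y(i))";
 by Auto_tac;
 by (dres_inst_tac [("x", "y")] bspec 1);
 by (ALLGOALS(Asm_full_simp_tac));
@@ -329,21 +329,21 @@
 (*** guarantees laws for breaking down the program, by lcp ***)
 
 Goalw [guar_def]
-     "[| F: X guarantees Y;  F ok G |] ==> F Join G: X guarantees Y";
+     "[| F \\<in> X guarantees Y;  F ok G |] ==> F Join G \\<in> X guarantees Y";
 by (Simp_tac 1);
 by Safe_tac;
 by (asm_full_simp_tac (simpset() addsimps [Join_assoc]) 1);
 qed "guarantees_Join_I1";
 
-Goal "[| G: X guarantees Y;  F ok G |] ==> F Join G: X guarantees Y";
+Goal "[| G \\<in> X guarantees Y;  F ok G |] ==> F Join G \\<in> X guarantees Y";
 by (asm_full_simp_tac (simpset() addsimps [inst "G" "G" Join_commute, 
                                            inst "G" "G" ok_commute]) 1);
 by (blast_tac (claset() addIs [guarantees_Join_I1]) 1);
 qed "guarantees_Join_I2";
 
 Goalw [guar_def]
-     "[| i:I; F(i): X guarantees Y;  OK(I,F) |] \
-\     ==> (JN i:I. F(i)) : X guarantees Y";
+     "[| i \\<in> I; F(i): X guarantees Y;  OK(I,F) |] \
+\     ==> (\\<Squnion>i \\<in> I. F(i)) \\<in> X guarantees Y";
 by Safe_tac;
 by (dres_inst_tac [("x", "JOIN(I-{i},F) Join G")] bspec 1);
 by (Simp_tac 1);
@@ -353,11 +353,11 @@
 
 (*** well-definedness ***)
 
-Goalw [welldef_def] "F Join G: welldef ==> programify(F): welldef";
+Goalw [welldef_def] "F Join G \\<in> welldef ==> programify(F): welldef";
 by Auto_tac;
 qed "Join_welldef_D1";
 
-Goalw [welldef_def] "F Join G: welldef ==> programify(G): welldef";
+Goalw [welldef_def] "F Join G \\<in> welldef ==> programify(G): welldef";
 by Auto_tac;
 qed "Join_welldef_D2";
 
@@ -369,36 +369,36 @@
 
 (* More results on guarantees, added by Sidi Ehmety from Chandy & Sander, section 6 *)
 
-Goalw [wg_def] "wg(F, X) <= program";
+Goalw [wg_def] "wg(F, X) \\<subseteq> program";
 by Auto_tac;
 qed "wg_type";
 
-Goalw [guar_def] "X guarantees Y <= program";
+Goalw [guar_def] "X guarantees Y \\<subseteq> program";
 by Auto_tac;
 qed "guarantees_type";
 
-Goalw [wg_def] "G:wg(F, X) ==> G:program & F:program";
+Goalw [wg_def] "G \\<in> wg(F, X) ==> G \\<in> program & F \\<in> program";
 by Auto_tac;
 by (blast_tac (claset() addDs [guarantees_type RS subsetD]) 1);
 qed "wgD2";
 
 Goalw [guar_def, component_of_def]
-"(F:X guarantees Y) <-> \
-\  F:program & (ALL H:program. H:X --> (F component_of H --> H:Y))";
+"(F \\<in> X guarantees Y) <-> \
+\  F \\<in> program & (\\<forall>H \\<in> program. H \\<in> X --> (F component_of H --> H \\<in> Y))";
 by Safe_tac;
 by (REPEAT(Force_tac 1));
 qed "guarantees_equiv";
 
-Goalw [wg_def] "!!X. [| F:(X guarantees Y); X <= program |] ==> X <= wg(F,Y)";
+Goalw [wg_def] "!!X. [| F \\<in> (X guarantees Y); X \\<subseteq> program |] ==> X \\<subseteq> wg(F,Y)";
 by Auto_tac;
 qed "wg_weakest";
 
 Goalw [wg_def, guar_def] 
-"F:program ==> F:wg(F,Y) guarantees Y";
+"F \\<in> program ==> F \\<in> wg(F,Y) guarantees Y";
 by (Blast_tac 1);
 qed "wg_guarantees";
 
-Goalw [wg_def] "(H: wg(F,X)) <-> ((F component_of H --> H:X) & F:program & H:program)";
+Goalw [wg_def] "(H \\<in> wg(F,X)) <-> ((F component_of H --> H \\<in> X) & F \\<in> program & H \\<in> program)";
 by (simp_tac (simpset() addsimps [guarantees_equiv]) 1);
 by (rtac iffI 1);
 by Safe_tac;
@@ -408,37 +408,37 @@
 qed "wg_equiv";
 
 Goal
-"F component_of H ==> H:wg(F,X) <-> (H:X & F:program & H:program)";
+"F component_of H ==> H \\<in> wg(F,X) <-> (H \\<in> X & F \\<in> program & H \\<in> program)";
 by (asm_simp_tac (simpset() addsimps [wg_equiv]) 1);
 qed "component_of_wg";
 
 Goal
-"ALL FF:Fin(program). FF Int X ~= 0 --> OK(FF, %F. F) \
-\  --> (ALL F:FF. ((JN F:FF. F): wg(F,X)) <-> ((JN F:FF. F):X))";
+"\\<forall>FF \\<in> Fin(program). FF Int X \\<noteq> 0 --> OK(FF, %F. F) \
+\  --> (\\<forall>F \\<in> FF. ((\\<Squnion>F \\<in> FF. F): wg(F,X)) <-> ((\\<Squnion>F \\<in> FF. F):X))";
 by (Clarify_tac 1);
-by (subgoal_tac "F component_of (JN F:FF. F)" 1);
+by (subgoal_tac "F component_of (\\<Squnion>F \\<in> FF. F)" 1);
 by (dres_inst_tac [("X", "X")] component_of_wg 1);
 by (force_tac (claset() addSDs [thm"Fin.dom_subset" RS subsetD RS PowD],
                simpset()) 1);
 by (ALLGOALS(asm_full_simp_tac (simpset() addsimps [component_of_def])));
-by (res_inst_tac [("x", "JN F:(FF-{F}). F")] exI 1);
+by (res_inst_tac [("x", "\\<Squnion>F \\<in> (FF-{F}). F")] exI 1);
 by (auto_tac (claset() addIs [JN_Join_diff] addDs [ok_sym], 
               simpset() addsimps [OK_iff_ok]));
 qed "wg_finite";
 
 
-(* "!!FF. [| FF:Fin(program); FF Int X ~=0; OK(FF, %F. F); G:FF |] 
+(* "!!FF. [| FF \\<in> Fin(program); FF Int X \\<noteq>0; OK(FF, %F. F); G \\<in> FF |] 
    ==> JOIN(FF, %F. F):wg(G, X) <-> JOIN(FF, %F. F):X"  *)
 val wg_finite2 = wg_finite RS bspec RS mp RS mp RS bspec;
 
-Goal "ex_prop(X) ==> (F:X) <-> (ALL H:program. H : wg(F,X) & F:program)";
+Goal "ex_prop(X) ==> (F \\<in> X) <-> (\\<forall>H \\<in> program. H \\<in> wg(F,X) & F \\<in> program)";
 by (full_simp_tac (simpset() addsimps [ex_prop_equiv, wg_equiv]) 1);
 by (Blast_tac 1);
 qed "wg_ex_prop";
 
 (** From Charpentier and Chandy "Theorems About Composition" **)
 (* Proposition 2 *)
-Goalw [wx_def] "wx(X)<=X";
+Goalw [wx_def] "wx(X)\\<subseteq>X";
 by Auto_tac;
 qed "wx_subset";
 
@@ -450,13 +450,13 @@
 by (REPEAT(Force_tac 1));
 qed "wx_ex_prop";
 
-Goalw [wx_def] "ALL Z. Z<=program --> Z<= X --> ex_prop(Z) --> Z <= wx(X)";
+Goalw [wx_def] "\\<forall>Z. Z\\<subseteq>program --> Z\\<subseteq> X --> ex_prop(Z) --> Z \\<subseteq> wx(X)";
 by Auto_tac;
 qed "wx_weakest";
 
 (* Proposition 6 *)
 Goalw [ex_prop_def]
- "ex_prop({F:program. ALL G:program. F ok G --> F Join G:X})";
+ "ex_prop({F \\<in> program. \\<forall>G \\<in> program. F ok G --> F Join G \\<in> X})";
 by Safe_tac;
 by (dres_inst_tac [("x", "G Join Ga")] bspec 1);
 by (Simp_tac 1);
@@ -474,7 +474,7 @@
 (* Equivalence with the other definition of wx *)
 
 Goalw [wx_def]
- "wx(X) = {F:program. ALL G:program. F ok G --> (F Join G):X}";
+ "wx(X) = {F \\<in> program. \\<forall>G \\<in> program. F ok G --> (F Join G):X}";
 by (rtac equalityI 1);
 by Safe_tac;
 by (Blast_tac 1);
@@ -486,7 +486,7 @@
 by Safe_tac;
 by (Blast_tac 1);
 by (Blast_tac 1);
-by (res_inst_tac [("B", "{F:program. ALL G:program. F ok G --> F Join G:X}")] 
+by (res_inst_tac [("B", "{F \\<in> program. \\<forall>G \\<in> program. F ok G --> F Join G \\<in> X}")] 
                    UnionI 1);
 by Safe_tac;
 by (rtac wx'_ex_prop 2);
@@ -516,7 +516,7 @@
 (* Rules given in section 7 of Chandy and Sander's
     Reasoning About Program composition paper *)
 
-Goal "[| Init(F) <= A; F:program |] ==> F:(stable(A)) guarantees (Always(A))";
+Goal "[| Init(F) \\<subseteq> A; F \\<in> program |] ==> F \\<in> stable(A) guarantees Always(A)";
 by (rtac guaranteesI 1);
 by (assume_tac 2);
 by (simp_tac (simpset() addsimps [Join_commute]) 1);
@@ -526,7 +526,7 @@
 qed "stable_guarantees_Always";
 
 (* To be moved to WFair.ML *)
-Goal "[| F:A co A Un B; F:transient(A); st_set(B) |] ==> F:A leadsTo B";
+Goal "[| F \\<in> A co A Un B; F \\<in> transient(A); st_set(B) |] ==> F \\<in> A leadsTo B";
 by (ftac constrainsD2 1);
 by (dres_inst_tac [("B", "A-B")] constrains_weaken_L 1);
 by (dres_inst_tac [("B", "A-B")] transient_strengthen 2);
@@ -534,7 +534,7 @@
 by (ALLGOALS(Blast_tac));
 qed "leadsTo_Basis'";
 
-Goal "[| F:transient(A); st_set(B) |] ==> F: (A co A Un B) guarantees (A leadsTo (B-A))";
+Goal "[| F \\<in> transient(A); st_set(B) |] ==> F: (A co A Un B) guarantees (A leadsTo (B-A))";
 by (rtac guaranteesI 1);
 by (blast_tac (claset() addDs [transient_type RS subsetD]) 2);
 by (rtac leadsTo_Basis' 1);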
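Review bot: The X-symbol conversion is left half-done on several new-side goals in this file, so the same membership relation now appears in both notations within one statement: the last hunk's `Goal "[| F \\<in> transient(A); st_set(B) |] ==> F: (A co A Un B) guarantees (A leadsTo (B-A))";` converts the premises but keeps `F:` in the conclusion, and the well-definedness hunk converts `F Join G \\<in> welldef` while leaving `programify(F): welldef` and `programify(G): welldef`. The existential- and universal-property goals likewise keep `(\\<Squnion>G \\<in> GG. G):X` with an ASCII colon directly after a converted binder, and the goal beginning `"[| i \\<in> I; F(i): X guarantees Y;  OK(I,F) |]` converts one premise but not the next. Presumably both spellings are still accepted, since untouched context lines already mix them, so this is a consistency point rather than a breakage; I would finish the pass so that every membership inside a converted goal string uses `\\<in>`.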
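--- a/src/ZF/UNITY/Increasing.ML
+++ b/src/ZF/UNITY/Increasing.ML
@@ -1,5 +1,5 @@
 (*  Title:      ZF/UNITY/GenIncreasing
-    ID:         $Id$
+    ID:         $Id \\<in> Increasing.ML,v 1.3 2003/06/27 16:40:25 paulson Exp $
     Author:     Sidi O Ehmety, Cambridge University Computer Laboratory
     Copyright   1998  University of Cambridge
 
@@ -12,25 +12,25 @@
 by (Blast_tac 1);
 qed "increasing_type";
 
-Goalw [increasing_def] "F:increasing[A](r, f) ==> F:program";
+Goalw [increasing_def] "F \\<in> increasing[A](r, f) ==> F \\<in> program";
 by (Blast_tac 1);
 qed "increasing_into_program";
 
 Goalw [increasing_def]
-"[| F:increasing[A](r, f); x:A |] ==>F:stable({s:state. <x, f(s)>:r})";
+"[| F \\<in> increasing[A](r, f); x \\<in> A |] ==>F \\<in> stable({s \\<in> state. <x, f(s)>:r})";
 by (Blast_tac 1);
 qed "increasing_imp_stable";
 
 Goalw [increasing_def]
-"F:increasing[A](r,f) ==> F:program & (EX a. a:A) & (ALL s:state. f(s):A)";
-by (subgoal_tac "EX x. x:state" 1);
+"F \\<in> increasing[A](r,f) ==> F \\<in> program & (\\<exists>a. a \\<in> A) & (\\<forall>s \\<in> state. f(s):A)";
+by (subgoal_tac "\\<exists>x. x \\<in> state" 1);
 by (auto_tac (claset() addDs [stable_type RS subsetD]
                        addIs [st0_in_state], simpset()));
 qed "increasingD";
 
 Goalw [increasing_def, stable_def]
- "F:increasing[A](r, %s. c) <-> F:program & c:A";
-by (subgoal_tac "EX x. x:state" 1);
+ "F \\<in> increasing[A](r, %s. c) <-> F \\<in> program & c \\<in> A";
+by (subgoal_tac "\\<exists>x. x \\<in> state" 1);
 by (auto_tac (claset() addDs [stable_type RS subsetD]
                        addIs [st0_in_state], simpset()));
 qed "increasing_constant";
@@ -43,7 +43,7 @@
 by (Clarify_tac 1);
 by (Asm_full_simp_tac 1);
 by (Clarify_tac 1);
-by (subgoal_tac "xa:state" 1);
+by (subgoal_tac "xa \\<in> state" 1);
 by (blast_tac (claset() addSDs [ActsD]) 2);
 by (subgoal_tac "<f(xb), f(xb)>:r" 1);
 by (force_tac (claset(), simpset() addsimps [refl_def]) 2);
@@ -59,8 +59,8 @@
 by (ALLGOALS(Asm_simp_tac));
 qed "subset_increasing_comp";
 
-Goal "[| F:increasing[A](r, f); mono1(A, r, B, s, g); \
-\        refl(A, r); trans[B](s) |] ==> F:increasing[B](s, g comp f)";
+Goal "[| F \\<in> increasing[A](r, f); mono1(A, r, B, s, g); \
+\        refl(A, r); trans[B](s) |] ==> F \\<in> increasing[B](s, g comp f)";
 by (rtac (subset_increasing_comp RS subsetD) 1);
 by Auto_tac;
 qed "imp_increasing_comp";
@@ -80,7 +80,7 @@
 (** Increasing **)
 
 Goalw [increasing_def, Increasing_def]
-     "F : increasing[A](r, f) ==> F : Increasing[A](r, f)";
+     "F \\<in> increasing[A](r, f) ==> F \\<in> Increasing[A](r, f)";
 by (auto_tac (claset() addIs [stable_imp_Stable], simpset())); 
 qed "increasing_imp_Increasing";
 
@@ -88,24 +88,24 @@
 by Auto_tac;
 qed "Increasing_type";
 
-Goalw [Increasing_def] "F:Increasing[A](r, f) ==> F:program";
+Goalw [Increasing_def] "F \\<in> Increasing[A](r, f) ==> F \\<in> program";
 by Auto_tac;
 qed "Increasing_into_program";
 
 Goalw [Increasing_def]
-"[| F:Increasing[A](r, f); a:A |] ==> F: Stable({s:state. <a,f(s)>:r})";
+"[| F \\<in> Increasing[A](r, f); a \\<in> A |] ==> F \\<in> Stable({s \\<in> state. <a,f(s)>:r})";
 by (Blast_tac 1);
 qed "Increasing_imp_Stable";
 
 Goalw [Increasing_def]
-"F:Increasing[A](r, f) ==> F:program & (EX a. a:A) & (ALL s:state. f(s):A)";
-by (subgoal_tac "EX x. x:state" 1);
+"F \\<in> Increasing[A](r, f) ==> F \\<in> program & (\\<exists>a. a \\<in> A) & (\\<forall>s \\<in> state. f(s):A)";
+by (subgoal_tac "\\<exists>x. x \\<in> state" 1);
 by (auto_tac (claset() addIs [st0_in_state], simpset()));
 qed "IncreasingD";
 
 Goal
-"F:Increasing[A](r, %s. c) <-> F:program & (c:A)";
-by (subgoal_tac "EX x. x:state" 1);
+"F \\<in> Increasing[A](r, %s. c) <-> F \\<in> program & (c \\<in> A)";
+by (subgoal_tac "\\<exists>x. x \\<in> state" 1);
 by (auto_tac (claset() addSDs [IncreasingD]
                        addIs [st0_in_state,
                    increasing_imp_Increasing], simpset()));
@@ -118,7 +118,7 @@
 \  Increasing[A](r, f) <= Increasing[B](s, g comp f)";
 by Safe_tac;
 by (ALLGOALS(asm_full_simp_tac (simpset() addsimps [ActsD])));
-by (subgoal_tac "xb:state & xa:state" 1);
+by (subgoal_tac "xb \\<in> state & xa \\<in> state" 1);
 by (asm_simp_tac (simpset() addsimps [ActsD]) 2);
 by (subgoal_tac "<f(xb), f(xb)>:r" 1);
 by (force_tac (claset(), simpset() addsimps [refl_def]) 2);
@@ -136,8 +136,8 @@
 by (ALLGOALS(Asm_full_simp_tac));
 qed "subset_Increasing_comp";
 
-Goal "[| F:Increasing[A](r, f); mono1(A, r, B, s, g); refl(A, r); trans[B](s) |]  \
-\ ==> F:Increasing[B](s, g comp f)";
+Goal "[| F \\<in> Increasing[A](r, f); mono1(A, r, B, s, g); refl(A, r); trans[B](s) |]  \
+\ ==> F \\<in> Increasing[B](s, g comp f)";
 by (rtac (subset_Increasing_comp RS subsetD) 1);
 by Auto_tac;
 qed "imp_Increasing_comp";
@@ -158,14 +158,14 @@
 
 Goalw [increasing_def, stable_def, 
        part_order_def, constrains_def, mono2_def]
-"[| F:increasing[A](r, f); F:increasing[B](s, g); \
+"[| F \\<in> increasing[A](r, f); F \\<in> increasing[B](s, g); \
 \   mono2(A, r, B, s, C, t, h); refl(A, r); refl(B, s); trans[C](t) |] ==> \
-\  F:increasing[C](t, %x. h(f(x), g(x)))";
+\  F \\<in> increasing[C](t, %x. h(f(x), g(x)))";
 by (Clarify_tac 1);
 by (Asm_full_simp_tac 1);
 by (Clarify_tac 1);
 by (rename_tac "xa xb" 1);
-by (subgoal_tac "xb:state & xa:state" 1);
+by (subgoal_tac "xb \\<in> state & xa \\<in> state" 1);
 by (blast_tac (claset() addSDs [ActsD]) 2);
 by (subgoal_tac "<f(xb), f(xb)>:r & <g(xb), g(xb)>:s" 1);
 by (force_tac (claset(), simpset() addsimps [refl_def]) 2);
@@ -194,12 +194,12 @@
 
 Goalw [Increasing_def, stable_def, 
        part_order_def, constrains_def, mono2_def, Stable_def, Constrains_def]
-"[| F:Increasing[A](r, f); F:Increasing[B](s, g); \
+"[| F \\<in> Increasing[A](r, f); F \\<in> Increasing[B](s, g); \
 \ mono2(A, r, B, s, C, t, h); refl(A, r); refl(B, s); trans[C](t) |] ==> \
-\ F:Increasing[C](t, %x. h(f(x), g(x)))";
+\ F \\<in> Increasing[C](t, %x. h(f(x), g(x)))";
 by Safe_tac;
 by (ALLGOALS(asm_full_simp_tac (simpset() addsimps [ActsD])));
-by (subgoal_tac "xa:state & x:state" 1);
+by (subgoal_tac "xa \\<in> state & x \\<in> state" 1);
 by (blast_tac (claset() addSDs [ActsD]) 2);
 by (subgoal_tac "<f(xa), f(xa)>:r & <g(xa), g(xa)>:s" 1);
 by (force_tac (claset(), simpset() addsimps [refl_def]) 2);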
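Review bot: The new header line `    ID:         $Id \\<in> Increasing.ML,v 1.3 2003/06/27 16:40:25 paulson Exp $` shows that the `:` → `\\<in>` substitution was also applied to the expanded CVS keyword; without the `$Id:` prefix the keyword is presumably no longer recognised for expansion, so this stamp will stay frozen at the value committed here. The same garbled header appears in Monotonicity.ML, MultisetSum.ML, Mutex.ML and SubstAx.ML in this commit, and each should revert to `    ID:         $Id$` (or the intact `$Id: ... $` form). Separately, the converted statements in the hunks at lines 12 and 88 still carry the ASCII membership colon in `<x, f(s)>:r`, `<a,f(s)>:r` and `f(s):A`, so a single formula now mixes both notations.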
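--- a/src/ZF/UNITY/Monotonicity.ML
+++ b/src/ZF/UNITY/Monotonicity.ML
@@ -1,5 +1,5 @@
 (*  Title:      ZF/UNITY/Monotonicity.ML
-    ID:         $Id$
+    ID:         $Id \\<in> Monotonicity.ML,v 1.2 2003/06/26 13:48:33 paulson Exp $
     Author:     Sidi O Ehmety, Cambridge University Computer Laboratory
     Copyright   2002  University of Cambridge
 
@@ -12,12 +12,12 @@
 *)
 
 Goalw [mono1_def]
-  "[| mono1(A, r, B, s, f); <x, y>:r; x:A; y:A |] ==> <f(x), f(y)>:s";
+  "[| mono1(A, r, B, s, f); <x, y>:r; x \\<in> A; y \\<in> A |] ==> <f(x), f(y)>:s";
 by Auto_tac;
 qed "mono1D";
 
 Goalw [mono2_def]
-"[| mono2(A, r, B, s, C, t, f);  <x, y>:r; <u,v>:s; x:A; y:A; u:B; v:B |] ==> \
+"[| mono2(A, r, B, s, C, t, f);  <x, y>:r; <u,v>:s; x \\<in> A; y \\<in> A; u \\<in> B; v \\<in> B |] ==> \
 \  <f(x, u), f(y,v)>:t";
 by Auto_tac;
 qed "mono2D";
@@ -26,7 +26,7 @@
 (** Monotonicity of take **)
 
 (*????premises too strong*)
-Goal "[| i le j; xs:list(A); i:nat; j:nat |] ==> <take(i, xs), take(j, xs)>:prefix(A)";
+Goal "[| i le j; xs \\<in> list(A); i \\<in> nat; j \\<in> nat |] ==> <take(i, xs), take(j, xs)>:prefix(A)";
 by (case_tac "length(xs) le i" 1);
 by (subgoal_tac "length(xs) le j" 1);
 by (blast_tac (claset() addIs [le_trans]) 2);
@@ -44,11 +44,11 @@
 by (asm_full_simp_tac (simpset() addsimps [take_add, prefix_iff, take_type, drop_type]) 1);
 qed "take_mono_left";
 
-Goal "[| <xs, ys>:prefix(A); i:nat |] ==> <take(i, xs), take(i, ys)>:prefix(A)"; 
+Goal "[| <xs, ys>:prefix(A); i \\<in> nat |] ==> <take(i, xs), take(i, ys)>:prefix(A)"; 
 by (auto_tac (claset(), simpset() addsimps [prefix_iff]));
 qed "take_mono_right";
 
-Goal "[| i le j; <xs, ys>:prefix(A); i:nat; j:nat |] ==> <take(i, xs), take(j, ys)>:prefix(A)";
+Goal "[| i le j; <xs, ys>:prefix(A); i \\<in> nat; j \\<in> nat |] ==> <take(i, xs), take(j, ys)>:prefix(A)";
 by (res_inst_tac [("b", "take(j, xs)")] prefix_trans 1);
 by (auto_tac (claset() addDs [prefix_type RS subsetD]
                        addIs [take_mono_left, take_mono_right], simpset()));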
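Review bot: The conversion on the mono1D, mono2D and take_mono lines is incomplete: `x \\<in> A` is converted while `<x, y>:r`, `<f(x), f(y)>:s`, `<xs, ys>:prefix(A)` and `<take(i, xs), take(j, xs)>:prefix(A)` on the same lines keep the ASCII colon, so each statement now mixes the two notations. The same partial pattern is in MultisetSum.ML (`g(x):B`, `C(i):Fin(B)`, `C(x):Fin(A)`). Either convert every membership occurrence on a line or leave that line entirely in ASCII; a half-converted statement is harder to search for when the remaining ASCII is cleaned up later.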
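--- a/src/ZF/UNITY/MultisetSum.ML
+++ b/src/ZF/UNITY/MultisetSum.ML
@@ -1,5 +1,5 @@
 (*  Title:      ZF/UNITY/MultusetSum.thy
-    ID:         $Id$
+    ID:         $Id \\<in> MultisetSum.ML,v 1.2 2003/06/24 14:33:00 paulson Exp $
     Author:     Sidi O Ehmety
     Copyright:  2002 University of Cambridge
 Setsum for multisets.
@@ -16,7 +16,7 @@
 Addsimps [general_setsum_0];
 
 Goalw [general_setsum_def] 
-"[| C:Fin(A); a:A; a~:C; e:B; ALL x:A. g(x):B; lcomm(B, B, f) |] ==> \
+"[| C \\<in> Fin(A); a \\<in> A; a\\<notin>C; e \\<in> B; \\<forall>x \\<in> A. g(x):B; lcomm(B, B, f) |] ==> \
 \ general_setsum(cons(a, C), B, e, f, g) = \
 \   f(g(a), general_setsum(C, B, e, f,g))";
 by  (auto_tac (claset(), simpset() addsimps [Fin_into_Finite RS Finite_cons, 
@@ -45,7 +45,7 @@
 (** msetsum **)
 
 Goal
-"[| C:Fin(A); ALL x:A. multiset(g(x))& mset_of(g(x))<=B  |]  \
+"[| C \\<in> Fin(A); \\<forall>x \\<in> A. multiset(g(x))& mset_of(g(x))<=B  |]  \
 \  ==> multiset(general_setsum(C, B -||> nat - {0}, 0, \\<lambda>u v. u +# v, g))";
 by (etac Fin_induct 1);
 by Auto_tac;
@@ -59,7 +59,7 @@
 Addsimps [msetsum_0];
 
 Goalw [msetsum_def]
-"[| C:Fin(A); a~:C; a:A; ALL x:A. multiset(g(x)) & mset_of(g(x))<=B  |]  \
+"[| C \\<in> Fin(A); a\\<notin>C; a \\<in> A; \\<forall>x \\<in> A. multiset(g(x)) & mset_of(g(x))<=B  |]  \
 \  ==> msetsum(g, cons(a, C), B) = g(a) +#  msetsum(g, C, B)";
 by (stac general_setsum_cons 1); 
 by (auto_tac (claset(), simpset() addsimps [multiset_general_setsum, Mult_iff_multiset]));
@@ -73,7 +73,7 @@
 qed "msetsum_multiset";
 
 Goal 
-"[| C:Fin(A); ALL x:A. multiset(g(x)) & mset_of(g(x))<=B |] \ 
+"[| C \\<in> Fin(A); \\<forall>x \\<in> A. multiset(g(x)) & mset_of(g(x))<=B |] \ 
 \ ==> mset_of(msetsum(g, C, B))<=B";
 by (etac Fin_induct 1);
 by Auto_tac;
@@ -83,15 +83,15 @@
 
 (*The reversed orientation looks more natural, but LOOPS as a simprule!*)
 Goal 
-"[| C:Fin(A); D:Fin(A); ALL x:A. multiset(g(x)) & mset_of(g(x))<=B |] \
+"[| C \\<in> Fin(A); D \\<in> Fin(A); \\<forall>x \\<in> A. multiset(g(x)) & mset_of(g(x))<=B |] \
 \     ==> msetsum(g, C Un D, B) +# msetsum(g, C Int D, B) \
 \       = msetsum(g, C, B) +# msetsum(g, D, B)";
 by (etac Fin_induct 1);
 by (subgoal_tac "cons(x, y) Un D = cons(x, y Un D)" 2);
 by (auto_tac (claset(), simpset() addsimps [msetsum_multiset]));
-by (subgoal_tac "y Un D:Fin(A) & y Int D : Fin(A)" 1);
+by (subgoal_tac "y Un D \\<in> Fin(A) & y Int D \\<in> Fin(A)" 1);
 by (Clarify_tac 1);
-by (case_tac "x:D" 1);
+by (case_tac "x \\<in> D" 1);
 by (subgoal_tac "cons(x, y) Int D = y Int D" 2);
 by (subgoal_tac "cons(x, y) Int D = cons(x, y Int D)" 1);
 by (ALLGOALS(asm_simp_tac (simpset() addsimps [cons_absorb,
@@ -101,34 +101,34 @@
 qed "msetsum_Un_Int";
 
 
-Goal "[| C:Fin(A); D:Fin(A); C Int D = 0; \
-\  ALL x:A. multiset(g(x)) & mset_of(g(x))<=B |] \
+Goal "[| C \\<in> Fin(A); D \\<in> Fin(A); C Int D = 0; \
+\  \\<forall>x \\<in> A. multiset(g(x)) & mset_of(g(x))<=B |] \
 \     ==> msetsum(g, C Un D, B) = msetsum(g, C, B) +# msetsum(g,D, B)";  
 by (stac (msetsum_Un_Int RS sym) 1);
 by (auto_tac (claset(),  simpset() addsimps [msetsum_multiset]));
 qed "msetsum_Un_disjoint";
 
-Goal "I:Fin(A) ==> (ALL i:I. C(i):Fin(B)) --> (UN i:I. C(i)):Fin(B)";
+Goal "I \\<in> Fin(A) ==> (\\<forall>i \\<in> I. C(i):Fin(B)) --> (\\<Union>i \\<in> I. C(i)):Fin(B)";
 by (etac Fin_induct 1);
 by Auto_tac;
 qed_spec_mp "UN_Fin_lemma";
  
-Goal "!!I. [| I:Fin(K); ALL i:K. C(i):Fin(A) |] ==> \
-\ (ALL x:A. multiset(f(x)) & mset_of(f(x))<=B) -->  \
-\ (ALL i:I. ALL j:I. i~=j --> C(i) Int C(j) = 0) --> \
-\   msetsum(f, UN i:I. C(i), B) = msetsum (%i. msetsum(f, C(i),B), I, B)"; 
+Goal "!!I. [| I \\<in> Fin(K); \\<forall>i \\<in> K. C(i):Fin(A) |] ==> \
+\ (\\<forall>x \\<in> A. multiset(f(x)) & mset_of(f(x))<=B) -->  \
+\ (\\<forall>i \\<in> I. \\<forall>j \\<in> I. i\\<noteq>j --> C(i) Int C(j) = 0) --> \
+\   msetsum(f, \\<Union>i \\<in> I. C(i), B) = msetsum (%i. msetsum(f, C(i),B), I, B)"; 
 by (etac Fin_induct 1);
 by (ALLGOALS(Clarify_tac));
 by Auto_tac;
-by (subgoal_tac "ALL i:y. x ~= i" 1);
+by (subgoal_tac "\\<forall>i \\<in> y. x \\<noteq> i" 1);
  by (Blast_tac 2); 
-by (subgoal_tac "C(x) Int (UN i:y. C(i)) = 0" 1);
+by (subgoal_tac "C(x) Int (\\<Union>i \\<in> y. C(i)) = 0" 1);
  by (Blast_tac 2);
-by (subgoal_tac " (UN i:y. C(i)):Fin(A) & C(x):Fin(A)" 1);
+by (subgoal_tac " (\\<Union>i \\<in> y. C(i)):Fin(A) & C(x):Fin(A)" 1);
 by (blast_tac (claset() addIs [UN_Fin_lemma] addDs [FinD]) 2);
 by (Clarify_tac 1);
 by (asm_simp_tac (simpset() addsimps [msetsum_Un_disjoint]) 1);
-by (subgoal_tac "ALL x:K. multiset(msetsum(f, C(x), B)) &\
+by (subgoal_tac "\\<forall>x \\<in> K. multiset(msetsum(f, C(x), B)) &\
                 \ mset_of(msetsum(f, C(x), B)) <= B" 1);
 by (Asm_simp_tac 1);
 by (Clarify_tac 1);
@@ -137,11 +137,11 @@
 qed_spec_mp "msetsum_UN_disjoint";
 
 Goal 
-"[| C:Fin(A); \
-\ ALL x:A. multiset(f(x)) & mset_of(f(x))<=B; \
-\ ALL x:A. multiset(g(x)) & mset_of(g(x))<=B |] ==>\
+"[| C \\<in> Fin(A); \
+\ \\<forall>x \\<in> A. multiset(f(x)) & mset_of(f(x))<=B; \
+\ \\<forall>x \\<in> A. multiset(g(x)) & mset_of(g(x))<=B |] ==>\
 \ msetsum(%x. f(x) +# g(x), C, B) = msetsum(f, C, B) +# msetsum(g, C, B)";
-by (subgoal_tac "ALL x:A. multiset(f(x) +# g(x)) & mset_of(f(x) +# g(x))<=B" 1);
+by (subgoal_tac "\\<forall>x \\<in> A. multiset(f(x) +# g(x)) & mset_of(f(x) +# g(x))<=B" 1);
 by (etac Fin_induct 1);
 by (ALLGOALS(Asm_simp_tac));
 by (resolve_tac [trans] 1);
@@ -153,7 +153,7 @@
 
 
 val prems = Goal
- "[| C=D; !!x. x:D ==> f(x) = g(x) |] ==> \
+ "[| C=D; !!x. x \\<in> D ==> f(x) = g(x) |] ==> \
 \    msetsum(f, C, B) = msetsum(g, D, B)";
 by (asm_full_simp_tac (simpset() addsimps [msetsum_def, general_setsum_def]@prems addcongs [fold_cong]) 1);
 qed  "msetsum_cong";
@@ -163,11 +163,11 @@
 qed "multiset_union_diff";
 
 
-Goal "[| C:Fin(A); D:Fin(A); \
-\ ALL x:A. multiset(f(x)) & mset_of(f(x))<=B  |] \
+Goal "[| C \\<in> Fin(A); D \\<in> Fin(A); \
+\ \\<forall>x \\<in> A. multiset(f(x)) & mset_of(f(x))<=B  |] \
 \  ==> msetsum(f, C Un D, B) = \
 \         msetsum(f, C, B) +# msetsum(f, D, B) -# msetsum(f, C Int D, B)";
-by (subgoal_tac "C Un D:Fin(A) & C Int D:Fin(A)" 1);
+by (subgoal_tac "C Un D \\<in> Fin(A) & C Int D \\<in> Fin(A)" 1);
 by (Clarify_tac 1);
 by (stac (msetsum_Un_Int RS sym) 1);
 by (ALLGOALS(asm_simp_tac (simpset() addsimps 
@@ -182,7 +182,7 @@
 Addsimps [nsetsum_0];
 
 Goalw [nsetsum_def, general_setsum_def] 
-"[| Finite(C); x~:C |] \
+"[| Finite(C); x\\<notin>C |] \
 \  ==> nsetsum(g, cons(x, C))= g(x) #+ nsetsum(g, C)";
 by (auto_tac (claset(), simpset() addsimps [Finite_cons]));
 by (res_inst_tac [("A", "cons(x, C)")] (thm"fold_typing.fold_cons") 1);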
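Review bot: The file header still reads `(*  Title:      ZF/UNITY/MultusetSum.thy`, which names a misspelled `.thy` file rather than this `MultisetSum.ML`; since the header is being rewritten in the first hunk anyway, it should become `(*  Title:      ZF/UNITY/MultisetSum.ML`. The lambda notation is also now mixed within the file: the context line at 11.25 already uses `\\<lambda>u v. u +# v`, while the newly converted statements at 11.91 (`%i. msetsum(f, C(i),B)`) and 11.121 (`%x. f(x) +# g(x)`) keep the ASCII `%` binder. If the intent is an X-symbol pass over the whole file, `%` should be converted along with `ALL`/`EX`/`UN`.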
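--- a/src/ZF/UNITY/Mutex.ML
+++ b/src/ZF/UNITY/Mutex.ML
@@ -1,12 +1,12 @@
 (*  Title:      ZF/UNITY/Mutex.ML
-    ID:         $Id$
+    ID:         $Id \\<in> Mutex.ML,v 1.4 2003/05/27 09:39:05 paulson Exp $
     Author:     Sidi O Ehmety, Computer Laboratory
     Copyright   2001  University of Cambridge
 
 Based on "A Family of 2-Process Mutual Exclusion Algorithms" by J Misra
 
 Variables' types are introduced globally so that type verification
-reduces to the usual ZF typechecking: an ill-tyed expression will
+reduces to the usual ZF typechecking \\<in> an ill-tyed expression will
 reduce to the empty set.
 
 *)
@@ -15,27 +15,27 @@
 
 Addsimps  [p_type, u_type, v_type, m_type, n_type];
 
-Goalw [state_def] "s:state ==>s`u:bool";
+Goalw [state_def] "s \\<in> state ==>s`u \\<in> bool";
 by (dres_inst_tac [("a", "u")] apply_type 1);
 by Auto_tac;
 qed "u_value_type";
 
-Goalw [state_def] "s:state ==> s`v:bool";
+Goalw [state_def] "s \\<in> state ==> s`v \\<in> bool";
 by (dres_inst_tac [("a", "v")] apply_type 1);
 by Auto_tac;
 qed "v_value_type";
 
-Goalw [state_def] "s:state ==> s`p:bool";
+Goalw [state_def] "s \\<in> state ==> s`p \\<in> bool";
 by (dres_inst_tac [("a", "p")] apply_type 1);
 by Auto_tac;
 qed "p_value_type";
 
-Goalw [state_def] "s:state ==> s`m:int";
+Goalw [state_def] "s \\<in> state ==> s`m \\<in> int";
 by (dres_inst_tac [("a", "m")] apply_type 1);
 by Auto_tac;
 qed "m_value_type";
 
-Goalw [state_def] "s:state ==>s`n:int";
+Goalw [state_def] "s \\<in> state ==>s`n \\<in> int";
 by (dres_inst_tac [("a", "n")] apply_type 1);
 by Auto_tac;
 qed "n_value_type";
@@ -46,7 +46,7 @@
          m_value_type, n_value_type];
 (** Mutex is a program **)
 
-Goalw [Mutex_def] "Mutex:program";
+Goalw [Mutex_def] "Mutex \\<in> program";
 by Auto_tac;
 qed "Mutex_in_program";
 Addsimps [Mutex_in_program];
@@ -64,17 +64,17 @@
 
 Addsimps (map simp_of_set [IU_def, IV_def, bad_IU_def]);
 
-Goal "Mutex : Always(IU)";
+Goal "Mutex \\<in> Always(IU)";
 by (always_tac 1);
 by Auto_tac;
 qed "IU";
 
-Goal "Mutex : Always(IV)";
+Goal "Mutex \\<in> Always(IV)";
 by (always_tac 1);
 qed "IV";
 
-(*The safety property: mutual exclusion*)
-Goal "Mutex : Always({s:state. ~(s`m = #3 & s`n = #3)})";
+(*The safety property \\<in> mutual exclusion*)
+Goal "Mutex \\<in> Always({s \\<in> state. ~(s`m = #3 & s`n = #3)})";
 by (rtac ([IU, IV] MRS Always_Int_I RS Always_weaken) 1);
 by Auto_tac;
 qed "mutual_exclusion";
@@ -87,7 +87,7 @@
 by Auto_tac;
 qed "less_lemma";
 
-Goal "Mutex : Always(bad_IU)";
+Goal "Mutex \\<in> Always(bad_IU)";
 by (always_tac 1);
 by (auto_tac (claset(), simpset() addsimps [not_zle_iff_zless]));
 by (auto_tac (claset(), simpset() addsimps [bool_def]));
@@ -96,37 +96,37 @@
 by Auto_tac;
 by (simp_tac (simpset() addsimps [not_zless_iff_zle RS iff_sym]) 1);
 by Auto_tac;
-(*Resulting state: n=1, p=false, m=4, u=false.  
+(*Resulting state \\<in> n=1, p=false, m=4, u=false.  
   Execution of V1 (the command of process v guarded by n=1) sets p:=true,
   violating the invariant!*)
-(*Check that subgoals remain: proof failed.*)
+(*Check that subgoals remain \\<in> proof failed.*)
 getgoal 1;
 
 
 (*** Progress for U ***)
 
 Goalw [Unless_def] 
-"Mutex : {s:state. s`m=#2} Unless {s:state. s`m=#3}";
+"Mutex \\<in> {s \\<in> state. s`m=#2} Unless {s \\<in> state. s`m=#3}";
 by (constrains_tac 1);
 qed "U_F0";
 
-Goal "Mutex : {s:state. s`m=#1} LeadsTo {s:state. s`p = s`v & s`m = #2}";
+Goal "Mutex \\<in> {s \\<in> state. s`m=#1} LeadsTo {s \\<in> state. s`p = s`v & s`m = #2}";
 by (ensures_tac "U1" 1);
 qed "U_F1";
 
-Goal "Mutex : {s:state. s`p =0 & s`m = #2} LeadsTo {s:state. s`m = #3}";
+Goal "Mutex \\<in> {s \\<in> state. s`p =0 & s`m = #2} LeadsTo {s \\<in> state. s`m = #3}";
 by (cut_facts_tac [IU] 1);
 by (ensures_tac "U2" 1);
 qed "U_F2";
 
-Goal "Mutex : {s:state. s`m = #3} LeadsTo {s:state. s`p=1}";
-by (res_inst_tac [("B", "{s:state. s`m = #4}")] LeadsTo_Trans 1);
+Goal "Mutex \\<in> {s \\<in> state. s`m = #3} LeadsTo {s \\<in> state. s`p=1}";
+by (res_inst_tac [("B", "{s \\<in> state. s`m = #4}")] LeadsTo_Trans 1);
 by (ensures_tac "U4" 2);
 by (ensures_tac "U3" 1);
 qed "U_F3";
 
 
-Goal "Mutex : {s:state. s`m = #2} LeadsTo {s:state. s`p=1}";
+Goal "Mutex \\<in> {s \\<in> state. s`m = #2} LeadsTo {s \\<in> state. s`p=1}";
 by (rtac ([LeadsTo_weaken_L, Int_lower2 RS subset_imp_LeadsTo] 
           MRS LeadsTo_Diff) 1);
 by (rtac ([U_F2, U_F3] MRS LeadsTo_Trans) 1);
@@ -134,12 +134,12 @@
 by (auto_tac (claset() addSDs [p_value_type], simpset() addsimps [bool_def]));
 val U_lemma2 = result();
 
-Goal "Mutex : {s:state. s`m = #1} LeadsTo {s:state. s`p =1}";
+Goal "Mutex \\<in> {s \\<in> state. s`m = #1} LeadsTo {s \\<in> state. s`p =1}";
 by (rtac ([U_F1 RS LeadsTo_weaken_R, U_lemma2] MRS LeadsTo_Trans) 1);
 by Auto_tac;
 val U_lemma1 = result();
 
-Goal "i:int ==> (#1 $<= i & i $<= #3) <-> (i=#1 | i=#2 | i=#3)";
+Goal "i \\<in> int ==> (#1 $<= i & i $<= #3) <-> (i=#1 | i=#2 | i=#3)";
 by Auto_tac;
 by (auto_tac (claset(), simpset() addsimps [neq_iff_zless]));
 by (dres_inst_tac [("j", "#3"), ("i", "i")] zle_zless_trans 4);
@@ -152,7 +152,7 @@
 qed "eq_123";
 
 
-Goal "Mutex : {s:state. #1 $<= s`m & s`m $<= #3} LeadsTo {s:state. s`p=1}";
+Goal "Mutex \\<in> {s \\<in> state. #1 $<= s`m & s`m $<= #3} LeadsTo {s \\<in> state. s`p=1}";
 by (simp_tac (simpset() addsimps [m_value_type RS eq_123, Collect_disj_eq,
                                   LeadsTo_Un_distrib,
                                   U_lemma1, U_lemma2, U_F3] ) 1);
@@ -160,7 +160,7 @@
 
 
 (*Misra's F4*)
-Goal "Mutex : {s:state. s`u = 1} LeadsTo {s:state. s`p=1}";
+Goal "Mutex \\<in> {s \\<in> state. s`u = 1} LeadsTo {s \\<in> state. s`p=1}";
 by (rtac ([IU, U_lemma123] MRS Always_LeadsTo_weaken) 1);
 by Auto_tac;
 qed "u_Leadsto_p";
@@ -169,26 +169,26 @@
 (*** Progress for V ***)
 
 Goalw [Unless_def] 
-"Mutex : {s:state. s`n=#2} Unless {s:state. s`n=#3}";
+"Mutex \\<in> {s \\<in> state. s`n=#2} Unless {s \\<in> state. s`n=#3}";
 by (constrains_tac 1);
 qed "V_F0";
 
-Goal "Mutex : {s:state. s`n=#1} LeadsTo {s:state. s`p = not(s`u) & s`n = #2}";
+Goal "Mutex \\<in> {s \\<in> state. s`n=#1} LeadsTo {s \\<in> state. s`p = not(s`u) & s`n = #2}";
 by (ensures_tac "V1" 1);
 qed "V_F1";
 
-Goal "Mutex : {s:state. s`p=1 & s`n = #2} LeadsTo {s:state. s`n = #3}";
+Goal "Mutex \\<in> {s \\<in> state. s`p=1 & s`n = #2} LeadsTo {s \\<in> state. s`n = #3}";
 by (cut_facts_tac [IV] 1);
 by (ensures_tac "V2" 1);
 qed "V_F2";
 
-Goal "Mutex : {s:state. s`n = #3} LeadsTo {s:state. s`p=0}";
-by (res_inst_tac [("B", "{s:state. s`n = #4}")] LeadsTo_Trans 1);
+Goal "Mutex \\<in> {s \\<in> state. s`n = #3} LeadsTo {s \\<in> state. s`p=0}";
+by (res_inst_tac [("B", "{s \\<in> state. s`n = #4}")] LeadsTo_Trans 1);
 by (ensures_tac "V4" 2);
 by (ensures_tac "V3" 1);
 qed "V_F3";
 
-Goal "Mutex : {s:state. s`n = #2} LeadsTo {s:state. s`p=0}";
+Goal "Mutex \\<in> {s \\<in> state. s`n = #2} LeadsTo {s \\<in> state. s`p=0}";
 by (rtac ([LeadsTo_weaken_L, Int_lower2 RS subset_imp_LeadsTo] 
           MRS LeadsTo_Diff) 1);
 by (rtac ([V_F2, V_F3] MRS LeadsTo_Trans) 1);
@@ -196,19 +196,19 @@
 by (auto_tac (claset() addSDs [p_value_type], simpset() addsimps [bool_def]));
 val V_lemma2 = result();
 
-Goal "Mutex : {s:state. s`n = #1} LeadsTo {s:state. s`p = 0}";
+Goal "Mutex \\<in> {s \\<in> state. s`n = #1} LeadsTo {s \\<in> state. s`p = 0}";
 by (rtac ([V_F1 RS LeadsTo_weaken_R, V_lemma2] MRS LeadsTo_Trans) 1);
 by Auto_tac;
 val V_lemma1 = result();
 
-Goal "Mutex : {s:state. #1 $<= s`n & s`n $<= #3} LeadsTo {s:state. s`p = 0}";
+Goal "Mutex \\<in> {s \\<in> state. #1 $<= s`n & s`n $<= #3} LeadsTo {s \\<in> state. s`p = 0}";
 by (simp_tac (simpset() addsimps 
     [n_value_type RS eq_123, Collect_disj_eq, LeadsTo_Un_distrib,
                 V_lemma1, V_lemma2, V_F3] ) 1);
 val V_lemma123 = result();
 
 (*Misra's F4*)
-Goal "Mutex : {s:state. s`v = 1} LeadsTo {s:state. s`p = 0}";
+Goal "Mutex \\<in> {s \\<in> state. s`v = 1} LeadsTo {s \\<in> state. s`p = 0}";
 by (rtac ([IV, V_lemma123] MRS Always_LeadsTo_weaken) 1);
 by Auto_tac;
 qed "v_Leadsto_not_p";
@@ -216,7 +216,7 @@
 (** Absence of starvation **)
 
 (*Misra's F6*)
-Goal "Mutex : {s:state. s`m = #1} LeadsTo {s:state. s`m = #3}";
+Goal "Mutex \\<in> {s \\<in> state. s`m = #1} LeadsTo {s \\<in> state. s`m = #3}";
 by (rtac (LeadsTo_cancel2 RS LeadsTo_Un_duplicate) 1);
 by (rtac U_F2 2);
 by (simp_tac (simpset() addsimps [Collect_conj_eq] ) 1);
@@ -230,7 +230,7 @@
 
 
 (*The same for V*)
-Goal "Mutex : {s:state. s`n = #1} LeadsTo {s:state. s`n = #3}";
+Goal "Mutex \\<in> {s \\<in> state. s`n = #1} LeadsTo {s \\<in> state. s`n = #3}";
 by (rtac (LeadsTo_cancel2 RS LeadsTo_Un_duplicate) 1);
 by (rtac V_F2 2);
 by (simp_tac (simpset() addsimps [Collect_conj_eq] ) 1);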
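Review bot: Four English comments in Mutex.ML had their prose colon replaced by the membership symbol: `reduces to the usual ZF typechecking \\<in> an ill-tyed expression will` in the file header, `(*The safety property \\<in> mutual exclusion*)`, `(*Resulting state \\<in> n=1, p=false, m=4, u=false.` and `(*Check that subgoals remain \\<in> proof failed.*)`. These are not formulas, so the colons should be restored (`typechecking: an ill-typed expression`, `(*The safety property: mutual exclusion*)`, and likewise for the other two), fixing `ill-tyed` while that header line is touched. The same mis-substitution appears in the section comment `(*** Introduction rules \\<in> Basis, Trans, Union ***)` in SubstAx.ML.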
    13.1 --- a/src/ZF/UNITY/SubstAx.ML	Mon Jul 07 17:58:21 2003 +0200
    13.2 +++ b/src/ZF/UNITY/SubstAx.ML	Tue Jul 08 11:44:30 2003 +0200
    13.3 @@ -1,5 +1,5 @@
    13.4  (*  Title:      ZF/UNITY/SubstAx.ML
    13.5 -    ID:         $Id$
    13.6 +    ID:         $Id \\<in> SubstAx.ML,v 1.8 2003/05/27 09:39:06 paulson Exp $
    13.7      Author:     Sidi O Ehmety, Computer Laboratory
    13.8      Copyright   2001  University of Cambridge
    13.9  
   13.10 @@ -12,7 +12,7 @@
   13.11  
   13.12  (* Equivalence with the HOL-like definition *)
   13.13  Goalw [LeadsTo_def]
   13.14 -"st_set(B)==> A LeadsTo B = {F:program. F:(reachable(F) Int A) leadsTo B}";
   13.15 +"st_set(B)==> A LeadsTo B = {F \\<in> program. F:(reachable(F) Int A) leadsTo B}";
   13.16  by (blast_tac (claset() addDs [psp_stable2, leadsToD2, constrainsD2] 
   13.17                          addIs [leadsTo_weaken]) 1);
   13.18  qed "LeadsTo_eq";
   13.19 @@ -24,41 +24,41 @@
   13.20  (*** Specialized laws for handling invariants ***)
   13.21  
   13.22  (** Conjoining an Always property **)
   13.23 -Goal "F : Always(I) ==> (F:(I Int A) LeadsTo A') <-> (F: A LeadsTo A')";
   13.24 +Goal "F \\<in> Always(I) ==> (F:(I Int A) LeadsTo A') <-> (F \\<in> A LeadsTo A')";
   13.25  by (asm_full_simp_tac
   13.26      (simpset() addsimps [LeadsTo_def, Always_eq_includes_reachable,
   13.27                Int_absorb2, Int_assoc RS sym, leadsToD2]) 1);
   13.28  qed "Always_LeadsTo_pre";
   13.29  
   13.30 -Goalw [LeadsTo_def] "F:Always(I) ==> (F : A LeadsTo (I Int A')) <-> (F : A LeadsTo A')";
   13.31 +Goalw [LeadsTo_def] "F \\<in> Always(I) ==> (F \\<in> A LeadsTo (I Int A')) <-> (F \\<in> A LeadsTo A')";
   13.32  by (asm_full_simp_tac (simpset() addsimps [Always_eq_includes_reachable, 
   13.33            Int_absorb2, Int_assoc RS sym,leadsToD2]) 1);
   13.34  qed "Always_LeadsTo_post";
   13.35  
   13.36  (* Like 'Always_LeadsTo_pre RS iffD1', but with premises in the good order *)
   13.37 -Goal "[| F:Always(C); F : (C Int A) LeadsTo A' |] ==> F: A LeadsTo A'";
   13.38 +Goal "[| F \\<in> Always(C); F \\<in> (C Int A) LeadsTo A' |] ==> F \\<in> A LeadsTo A'";
   13.39  by (blast_tac (claset() addIs [Always_LeadsTo_pre RS iffD1]) 1);
   13.40  qed "Always_LeadsToI";
   13.41  
   13.42  (* Like 'Always_LeadsTo_post RS iffD2', but with premises in the good order *)
   13.43 -Goal "[| F:Always(C);  F:A LeadsTo A' |] ==> F : A LeadsTo (C Int A')";
   13.44 +Goal "[| F \\<in> Always(C);  F \\<in> A LeadsTo A' |] ==> F \\<in> A LeadsTo (C Int A')";
   13.45  by (blast_tac (claset() addIs [Always_LeadsTo_post RS iffD2]) 1);
   13.46  qed "Always_LeadsToD";
   13.47  
   13.48 -(*** Introduction rules: Basis, Trans, Union ***)
   13.49 +(*** Introduction rules \\<in> Basis, Trans, Union ***)
   13.50  
   13.51 -Goal "F : A Ensures B ==> F : A LeadsTo B";
   13.52 +Goal "F \\<in> A Ensures B ==> F \\<in> A LeadsTo B";
   13.53  by (auto_tac (claset(), simpset() addsimps 
   13.54                     [Ensures_def, LeadsTo_def]));
   13.55  qed "LeadsTo_Basis";
   13.56  
   13.57 -Goal "[| F : A LeadsTo B;  F : B LeadsTo C |] ==> F : A LeadsTo C";
   13.58 +Goal "[| F \\<in> A LeadsTo B;  F \\<in> B LeadsTo C |] ==> F \\<in> A LeadsTo C";
   13.59  by (full_simp_tac (simpset() addsimps [LeadsTo_def]) 1);
   13.60  by (blast_tac (claset() addIs [leadsTo_Trans]) 1);
   13.61  qed "LeadsTo_Trans";
   13.62  
   13.63  val [major, program] = Goalw [LeadsTo_def]
   13.64 -"[|(!!A. A:S ==> F : A LeadsTo B); F:program|]==>F:Union(S) LeadsTo B";
   13.65 +"[|(!!A. A \\<in> S ==> F \\<in> A LeadsTo B); F \\<in> program|]==>F \\<in> Union(S) LeadsTo B";
   13.66  by (cut_facts_tac [program] 1);
   13.67  by Auto_tac;
   13.68  by (stac Int_Union_Union2 1);
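Review bot: The substitution also rewrote punctuation inside comments: line 13.49 now reads `(*** Introduction rules \\<in> Basis, Trans, Union ***)`, where the colon was English, not set membership. The same corruption appears at 13.225, 13.294, 13.298, 13.358 and 13.429; none of these affects the proofs, but the comments are now wrong and will render as an ∈ symbol in an X-symbol-aware editor. Restore the colon in each, e.g. `(*** Introduction rules: Basis, Trans, Union ***)`. If the same script ran over the whole file, the `$Id$` keyword line in the header (outside this hunk) presumably suffered the same replacement and is worth checking, since CVS keyword expansion depends on the exact `$Id:` form.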
   13.69 @@ -69,7 +69,7 @@
   13.70  
   13.71  (*** Derived rules ***)
   13.72  
   13.73 -Goal "F : A leadsTo B ==> F : A LeadsTo B";
   13.74 +Goal "F \\<in> A leadsTo B ==> F \\<in> A LeadsTo B";
   13.75  by (ftac leadsToD2 1);
   13.76  by (Clarify_tac 1);
   13.77  by (asm_simp_tac (simpset() addsimps [LeadsTo_eq]) 1);
   13.78 @@ -77,16 +77,16 @@
   13.79  qed "leadsTo_imp_LeadsTo";
   13.80  
   13.81  (*Useful with cancellation, disjunction*)
   13.82 -Goal "F : A LeadsTo (A' Un A') ==> F : A LeadsTo A'";
   13.83 +Goal "F \\<in> A LeadsTo (A' Un A') ==> F \\<in> A LeadsTo A'";
   13.84  by (asm_full_simp_tac (simpset() addsimps Un_ac) 1);
   13.85  qed "LeadsTo_Un_duplicate";
   13.86  
   13.87 -Goal "F : A LeadsTo (A' Un C Un C) ==> F : A LeadsTo (A' Un C)";
   13.88 +Goal "F \\<in> A LeadsTo (A' Un C Un C) ==> F \\<in> A LeadsTo (A' Un C)";
   13.89  by (asm_full_simp_tac (simpset() addsimps Un_ac) 1);
   13.90  qed "LeadsTo_Un_duplicate2";
   13.91  
   13.92  val [major, program] = Goalw [LeadsTo_def] 
   13.93 -"[|(!!i. i:I ==> F : A(i) LeadsTo B); F:program|]==>F:(UN i:I. A(i)) LeadsTo B";
   13.94 +"[|(!!i. i \\<in> I ==> F \\<in> A(i) LeadsTo B); F \\<in> program|]==>F:(\\<Union>i \\<in> I. A(i)) LeadsTo B";
   13.95  by (cut_facts_tac [program] 1);
   13.96  by (asm_simp_tac (simpset() delsimps UN_simps addsimps [Int_UN_distrib]) 1);
   13.97  by (rtac leadsTo_UN 1);
   13.98 @@ -95,7 +95,7 @@
   13.99  qed "LeadsTo_UN";
  13.100  
  13.101  (*Binary union introduction rule*)
  13.102 -Goal "[| F : A LeadsTo C; F : B LeadsTo C |] ==> F : (A Un B) LeadsTo C";
  13.103 +Goal "[| F \\<in> A LeadsTo C; F \\<in> B LeadsTo C |] ==> F \\<in> (A Un B) LeadsTo C";
  13.104  by (stac Un_eq_Union 1);
  13.105  by (rtac LeadsTo_Union 1);
  13.106  by (auto_tac (claset() addDs [LeadsTo_type RS subsetD], simpset()));
  13.107 @@ -103,83 +103,83 @@
  13.108  
  13.109  (*Lets us look at the starting state*)
  13.110  val [major, program] = Goal 
  13.111 -"[|(!!s. s:A ==> F:{s} LeadsTo B); F:program|]==>F:A LeadsTo B";
  13.112 +"[|(!!s. s \\<in> A ==> F:{s} LeadsTo B); F \\<in> program|]==>F \\<in> A LeadsTo B";
  13.113  by (cut_facts_tac [program] 1);
  13.114  by (stac (UN_singleton RS sym) 1 THEN rtac LeadsTo_UN 1);
  13.115  by (ftac major 1);
  13.116  by Auto_tac;
  13.117  qed "single_LeadsTo_I";
  13.118  
  13.119 -Goal "[| A <= B; F:program |] ==> F : A LeadsTo B";
  13.120 +Goal "[| A <= B; F \\<in> program |] ==> F \\<in> A LeadsTo B";
  13.121  by (asm_simp_tac (simpset() addsimps [LeadsTo_def]) 1);
  13.122  by (blast_tac (claset() addIs [subset_imp_leadsTo]) 1);
  13.123  qed "subset_imp_LeadsTo";
  13.124  
  13.125 -Goal "F:0 LeadsTo A <-> F:program";
  13.126 +Goal "F:0 LeadsTo A <-> F \\<in> program";
  13.127  by (auto_tac (claset() addDs [LeadsTo_type RS subsetD]
  13.128                         addIs [empty_subsetI RS subset_imp_LeadsTo], simpset()));
  13.129  qed "empty_LeadsTo";
  13.130  AddIffs [empty_LeadsTo];
  13.131  
  13.132 -Goal "F : A LeadsTo state <-> F:program";
  13.133 +Goal "F \\<in> A LeadsTo state <-> F \\<in> program";
  13.134  by (auto_tac (claset() addDs [LeadsTo_type RS subsetD], 
  13.135                simpset() addsimps [LeadsTo_eq]));
  13.136  qed "LeadsTo_state";
  13.137  AddIffs [LeadsTo_state];
  13.138  
  13.139  Goalw [LeadsTo_def]
  13.140 - "[| F:A LeadsTo A';  A'<=B'|] ==> F : A LeadsTo B'";
  13.141 + "[| F \\<in> A LeadsTo A';  A'<=B'|] ==> F \\<in> A LeadsTo B'";
  13.142  by (auto_tac (claset() addIs[leadsTo_weaken_R], simpset()));
  13.143  qed_spec_mp "LeadsTo_weaken_R";
  13.144  
  13.145 -Goalw [LeadsTo_def] "[| F : A LeadsTo A'; B <= A |] ==> F : B LeadsTo A'";
  13.146 +Goalw [LeadsTo_def] "[| F \\<in> A LeadsTo A'; B <= A |] ==> F \\<in> B LeadsTo A'";
  13.147  by (auto_tac (claset() addIs[leadsTo_weaken_L], simpset()));
  13.148  qed_spec_mp "LeadsTo_weaken_L";
  13.149  
  13.150 -Goal "[| F : A LeadsTo A'; B<=A; A'<=B' |] ==> F : B LeadsTo B'";
  13.151 +Goal "[| F \\<in> A LeadsTo A'; B<=A; A'<=B' |] ==> F \\<in> B LeadsTo B'";
  13.152  by (blast_tac (claset() addIs [LeadsTo_weaken_R, 
  13.153                      LeadsTo_weaken_L, LeadsTo_Trans]) 1);
  13.154  qed "LeadsTo_weaken";
  13.155  
  13.156  Goal 
  13.157 -"[| F:Always(C);  F:A LeadsTo A'; C Int B <= A;   C Int A' <= B' |] \
  13.158 -\     ==> F : B LeadsTo B'";
  13.159 +"[| F \\<in> Always(C);  F \\<in> A LeadsTo A'; C Int B <= A;   C Int A' <= B' |] \
  13.160 +\     ==> F \\<in> B LeadsTo B'";
  13.161  by (blast_tac (claset() addDs [Always_LeadsToI]
  13.162                          addIs [LeadsTo_weaken, Always_LeadsToD]) 1);
  13.163  qed "Always_LeadsTo_weaken";
  13.164  
  13.165  (** Two theorems for "proof lattices" **)
  13.166  
  13.167 -Goal "F : A LeadsTo B ==> F:(A Un B) LeadsTo B";
  13.168 +Goal "F \\<in> A LeadsTo B ==> F:(A Un B) LeadsTo B";
  13.169  by (blast_tac (claset() addDs [LeadsTo_type RS subsetD]
  13.170                           addIs [LeadsTo_Un, subset_imp_LeadsTo]) 1);
  13.171  qed "LeadsTo_Un_post";
  13.172  
  13.173 -Goal "[| F : A LeadsTo B;  F : B LeadsTo C |] \
  13.174 -\     ==> F : (A Un B) LeadsTo C";
  13.175 +Goal "[| F \\<in> A LeadsTo B;  F \\<in> B LeadsTo C |] \
  13.176 +\     ==> F \\<in> (A Un B) LeadsTo C";
  13.177  by (blast_tac (claset() addIs [LeadsTo_Un, subset_imp_LeadsTo, 
  13.178                                 LeadsTo_weaken_L, LeadsTo_Trans]
  13.179                          addDs [LeadsTo_type RS subsetD]) 1);
  13.180  qed "LeadsTo_Trans_Un";
  13.181  
  13.182  (** Distributive laws **)
  13.183 -Goal "(F : (A Un B) LeadsTo C)  <-> (F : A LeadsTo C & F : B LeadsTo C)";
  13.184 +Goal "(F \\<in> (A Un B) LeadsTo C)  <-> (F \\<in> A LeadsTo C & F \\<in> B LeadsTo C)";
  13.185  by (blast_tac (claset() addIs [LeadsTo_Un, LeadsTo_weaken_L]) 1);
  13.186  qed "LeadsTo_Un_distrib";
  13.187  
  13.188 -Goal "(F : (UN i:I. A(i)) LeadsTo B) <->  (ALL i : I. F : A(i) LeadsTo B) & F:program";
  13.189 +Goal "(F \\<in> (\\<Union>i \\<in> I. A(i)) LeadsTo B) <->  (\\<forall>i \\<in> I. F \\<in> A(i) LeadsTo B) & F \\<in> program";
  13.190  by (blast_tac (claset() addDs [LeadsTo_type RS subsetD]
  13.191                          addIs [LeadsTo_UN, LeadsTo_weaken_L]) 1);
  13.192  qed "LeadsTo_UN_distrib";
  13.193  
  13.194 -Goal "(F:Union(S) LeadsTo B)  <->  (ALL A : S. F : A LeadsTo B) & F:program";
  13.195 +Goal "(F \\<in> Union(S) LeadsTo B)  <->  (\\<forall>A \\<in> S. F \\<in> A LeadsTo B) & F \\<in> program";
  13.196  by (blast_tac (claset() addDs [LeadsTo_type RS subsetD] 
  13.197                          addIs [LeadsTo_Union, LeadsTo_weaken_L]) 1);
  13.198  qed "LeadsTo_Union_distrib";
  13.199  
  13.200  (** More rules using the premise "Always(I)" **)
  13.201  
  13.202 -Goal "[| F:(A-B) Co (A Un B);  F:transient (A-B) |] ==> F : A Ensures B";
  13.203 +Goal "[| F:(A-B) Co (A Un B);  F \\<in> transient (A-B) |] ==> F \\<in> A Ensures B";
  13.204  by (asm_full_simp_tac
  13.205      (simpset() addsimps [Ensures_def, Constrains_eq_constrains]) 1);
  13.206  by (blast_tac (claset() addIs [ensuresI, constrains_weaken, 
  13.207 @@ -187,9 +187,9 @@
  13.208                          addDs [constrainsD2]) 1);
  13.209  qed "EnsuresI";
  13.210  
  13.211 -Goal "[| F : Always(I); F : (I Int (A-A')) Co (A Un A'); \
  13.212 -\        F : transient (I Int (A-A')) |]   \
  13.213 -\ ==> F : A LeadsTo A'";
  13.214 +Goal "[| F \\<in> Always(I); F \\<in> (I Int (A-A')) Co (A Un A'); \
  13.215 +\        F \\<in> transient (I Int (A-A')) |]   \
  13.216 +\ ==> F \\<in> A LeadsTo A'";
  13.217  by (rtac Always_LeadsToI 1);
  13.218  by (assume_tac 1);
  13.219  by (blast_tac (claset() addIs [EnsuresI, LeadsTo_Basis,
  13.220 @@ -197,15 +197,15 @@
  13.221                                 transient_strengthen]) 1);
  13.222  qed "Always_LeadsTo_Basis";
  13.223  
  13.224 -(*Set difference: maybe combine with leadsTo_weaken_L??
  13.225 +(*Set difference \\<in> maybe combine with leadsTo_weaken_L??
  13.226    This is the most useful form of the "disjunction" rule*)
  13.227 -Goal "[| F : (A-B) LeadsTo C;  F : (A Int B) LeadsTo C |] ==> F : A LeadsTo C";
  13.228 +Goal "[| F \\<in> (A-B) LeadsTo C;  F \\<in> (A Int B) LeadsTo C |] ==> F \\<in> A LeadsTo C";
  13.229  by (blast_tac (claset() addIs [LeadsTo_Un, LeadsTo_weaken]) 1);
  13.230  qed "LeadsTo_Diff";
  13.231  
  13.232  val [major, minor] = Goal 
  13.233 -"[|(!!i. i:I ==> F: A(i) LeadsTo A'(i)); F:program |] \
  13.234 -\     ==> F : (UN i:I. A(i)) LeadsTo (UN i:I. A'(i))";
  13.235 +"[|(!!i. i \\<in> I ==> F \\<in> A(i) LeadsTo A'(i)); F \\<in> program |] \
  13.236 +\     ==> F \\<in> (\\<Union>i \\<in> I. A(i)) LeadsTo (\\<Union>i \\<in> I. A'(i))";
  13.237  by (cut_facts_tac [minor] 1);
  13.238  by (rtac LeadsTo_Union 1);
  13.239  by (ALLGOALS(Clarify_tac));
  13.240 @@ -214,13 +214,13 @@
  13.241  qed "LeadsTo_UN_UN";
  13.242  
  13.243  (*Binary union version*)
  13.244 -Goal "[| F:A LeadsTo A'; F:B LeadsTo B' |] ==> F:(A Un B) LeadsTo (A' Un B')";
  13.245 +Goal "[| F \\<in> A LeadsTo A'; F \\<in> B LeadsTo B' |] ==> F:(A Un B) LeadsTo (A' Un B')";
  13.246  by (blast_tac (claset() addIs [LeadsTo_Un, LeadsTo_weaken_R]) 1);
  13.247  qed "LeadsTo_Un_Un";
  13.248  
  13.249  (** The cancellation law **)
  13.250  
  13.251 -Goal "[| F: A LeadsTo(A' Un B); F: B LeadsTo B' |] ==> F:A LeadsTo (A' Un B')";
  13.252 +Goal "[| F \\<in> A LeadsTo(A' Un B); F \\<in> B LeadsTo B' |] ==> F \\<in> A LeadsTo (A' Un B')";
  13.253  by (blast_tac (claset() addIs [LeadsTo_Un_Un, subset_imp_LeadsTo, LeadsTo_Trans]
  13.254                          addDs [LeadsTo_type RS subsetD]) 1);
  13.255  qed "LeadsTo_cancel2";
  13.256 @@ -229,13 +229,13 @@
  13.257  by Auto_tac;
  13.258  qed "Un_Diff";
  13.259  
  13.260 -Goal "[| F : A LeadsTo (A' Un B); F : (B-A') LeadsTo B' |] ==> F : A LeadsTo (A' Un B')";
  13.261 +Goal "[| F \\<in> A LeadsTo (A' Un B); F \\<in> (B-A') LeadsTo B' |] ==> F \\<in> A LeadsTo (A' Un B')";
  13.262  by (rtac LeadsTo_cancel2 1);
  13.263  by (assume_tac 2);
  13.264  by (asm_simp_tac (simpset() addsimps [Un_Diff]) 1);
  13.265  qed "LeadsTo_cancel_Diff2";
  13.266  
  13.267 -Goal "[| F : A LeadsTo (B Un A'); F : B LeadsTo B' |] ==> F : A LeadsTo (B' Un A')";
  13.268 +Goal "[| F \\<in> A LeadsTo (B Un A'); F \\<in> B LeadsTo B' |] ==> F \\<in> A LeadsTo (B' Un A')";
  13.269  by (asm_full_simp_tac (simpset() addsimps [Un_commute]) 1);
  13.270  by (blast_tac (claset() addSIs [LeadsTo_cancel2]) 1);
  13.271  qed "LeadsTo_cancel1";
  13.272 @@ -244,7 +244,7 @@
  13.273  by Auto_tac;
  13.274  qed "Diff_Un2";
  13.275  
  13.276 -Goal "[| F : A LeadsTo (B Un A'); F : (B-A') LeadsTo B' |] ==> F : A LeadsTo (B' Un A')";
  13.277 +Goal "[| F \\<in> A LeadsTo (B Un A'); F \\<in> (B-A') LeadsTo B' |] ==> F \\<in> A LeadsTo (B' Un A')";
  13.278  by (rtac LeadsTo_cancel1 1);
  13.279  by (assume_tac 2);
  13.280  by (asm_simp_tac (simpset() addsimps [Diff_Un2]) 1);
  13.281 @@ -253,38 +253,38 @@
  13.282  (** The impossibility law **)
  13.283  
  13.284  (*The set "A" may be non-empty, but it contains no reachable states*)
  13.285 -Goal "F : A LeadsTo 0 ==> F : Always (state -A)";
  13.286 +Goal "F \\<in> A LeadsTo 0 ==> F \\<in> Always (state -A)";
  13.287  by (full_simp_tac (simpset() 
  13.288             addsimps [LeadsTo_def,Always_eq_includes_reachable]) 1);
  13.289  by (cut_facts_tac [reachable_type] 1);
  13.290  by (auto_tac (claset() addSDs [leadsTo_empty], simpset()));
  13.291  qed "LeadsTo_empty";
  13.292  
  13.293 -(** PSP: Progress-Safety-Progress **)
  13.294 +(** PSP \\<in> Progress-Safety-Progress **)
  13.295  
  13.296 -(*Special case of PSP: Misra's "stable conjunction"*)
  13.297 -Goal "[| F : A LeadsTo A';  F : Stable(B) |]==> F:(A Int B) LeadsTo (A' Int B)";
  13.298 +(*Special case of PSP \\<in> Misra's "stable conjunction"*)
  13.299 +Goal "[| F \\<in> A LeadsTo A';  F \\<in> Stable(B) |]==> F:(A Int B) LeadsTo (A' Int B)";
  13.300  by (asm_full_simp_tac (simpset() addsimps [LeadsTo_def, Stable_eq_stable]) 1);
  13.301  by (Clarify_tac 1);
  13.302  by (dtac psp_stable 1);
  13.303  by (REPEAT(asm_full_simp_tac (simpset() addsimps (Int_absorb::Int_ac)) 1));
  13.304  qed "PSP_Stable";
  13.305  
  13.306 -Goal "[| F : A LeadsTo A'; F : Stable(B) |] ==> F : (B Int A) LeadsTo (B Int A')";
  13.307 +Goal "[| F \\<in> A LeadsTo A'; F \\<in> Stable(B) |] ==> F \\<in> (B Int A) LeadsTo (B Int A')";
  13.308  by (asm_simp_tac (simpset() addsimps PSP_Stable::Int_ac) 1);
  13.309  qed "PSP_Stable2";
  13.310  
  13.311 -Goal "[| F:A LeadsTo A'; F:B Co B'|]==> F : (A Int B') LeadsTo ((A' Int B) Un (B' - B))";
  13.312 +Goal "[| F \\<in> A LeadsTo A'; F \\<in> B Co B'|]==> F \\<in> (A Int B') LeadsTo ((A' Int B) Un (B' - B))";
  13.313  by (full_simp_tac (simpset() addsimps [LeadsTo_def, Constrains_eq_constrains]) 1);
  13.314  by (blast_tac (claset() addDs [psp] addIs [leadsTo_weaken]) 1);
  13.315  qed "PSP";
  13.316  
  13.317 -Goal "[| F : A LeadsTo A'; F : B Co B' |]==> F:(B' Int A) LeadsTo ((B Int A') Un (B' - B))";
  13.318 +Goal "[| F \\<in> A LeadsTo A'; F \\<in> B Co B' |]==> F:(B' Int A) LeadsTo ((B Int A') Un (B' - B))";
  13.319  by (asm_simp_tac (simpset() addsimps PSP::Int_ac) 1);
  13.320  qed "PSP2";
  13.321  
  13.322  Goal
  13.323 -"[| F : A LeadsTo A'; F : B Unless B'|]==> F:(A Int B) LeadsTo ((A' Int B) Un B')";
  13.324 +"[| F \\<in> A LeadsTo A'; F \\<in> B Unless B'|]==> F:(A Int B) LeadsTo ((A' Int B) Un B')";
  13.325  by (rewtac Unless_def);
  13.326  by (dtac PSP 1);
  13.327  by (assume_tac 1);
  13.328 @@ -295,10 +295,10 @@
  13.329  
  13.330  (** Meta or object quantifier ????? **)
  13.331  Goal "[| wf(r);     \
  13.332 -\        ALL m:I. F : (A Int f-``{m}) LeadsTo                     \
  13.333 +\        \\<forall>m \\<in> I. F \\<in> (A Int f-``{m}) LeadsTo                     \
  13.334  \                           ((A Int f-``(converse(r) `` {m})) Un B); \
  13.335 -\        field(r)<=I; A<=f-``I; F:program |] \
  13.336 -\     ==> F : A LeadsTo B";
  13.337 +\        field(r)<=I; A<=f-``I; F \\<in> program |] \
  13.338 +\     ==> F \\<in> A LeadsTo B";
  13.339  by (full_simp_tac (simpset() addsimps [LeadsTo_def]) 1);
  13.340  by Auto_tac; 
  13.341  by (eres_inst_tac [("I", "I"), ("f", "f")] leadsTo_wf_induct 1);
  13.342 @@ -314,8 +314,8 @@
  13.343  qed "LeadsTo_wf_induct";
  13.344  
  13.345  
  13.346 -Goal "[| ALL m:nat. F:(A Int f-``{m}) LeadsTo ((A Int f-``m) Un B); \
  13.347 -\     A<=f-``nat; F:program |] ==> F : A LeadsTo B";
  13.348 +Goal "[| \\<forall>m \\<in> nat. F:(A Int f-``{m}) LeadsTo ((A Int f-``m) Un B); \
  13.349 +\     A<=f-``nat; F \\<in> program |] ==> F \\<in> A LeadsTo B";
  13.350  by (res_inst_tac [("A1", "nat"),("f1", "%x. x")]
  13.351          (wf_measure RS LeadsTo_wf_induct) 1);
  13.352  by (ALLGOALS(asm_full_simp_tac 
  13.353 @@ -333,11 +333,11 @@
  13.354  
  13.355  *****)
  13.356  
  13.357 -(*** Completion: Binary and General Finite versions ***)
  13.358 +(*** Completion \\<in> Binary and General Finite versions ***)
  13.359  
  13.360 -Goal "[| F : A LeadsTo (A' Un C);  F : A' Co (A' Un C); \
  13.361 -\        F : B LeadsTo (B' Un C);  F : B' Co (B' Un C) |] \
  13.362 -\     ==> F : (A Int B) LeadsTo ((A' Int B') Un C)";
  13.363 +Goal "[| F \\<in> A LeadsTo (A' Un C);  F \\<in> A' Co (A' Un C); \
  13.364 +\        F \\<in> B LeadsTo (B' Un C);  F \\<in> B' Co (B' Un C) |] \
  13.365 +\     ==> F \\<in> (A Int B) LeadsTo ((A' Int B') Un C)";
  13.366  by (full_simp_tac
  13.367      (simpset() addsimps [LeadsTo_def, Constrains_eq_constrains, 
  13.368                           Int_Un_distrib]) 1);
  13.369 @@ -346,10 +346,10 @@
  13.370  by (blast_tac (claset() addIs [completion, leadsTo_weaken]) 1);
  13.371  qed "Completion";
  13.372  
  13.373 -Goal "[| I:Fin(X);F:program |] \
  13.374 -\     ==> (ALL i:I. F : (A(i)) LeadsTo (A'(i) Un C)) -->  \
  13.375 -\         (ALL i:I. F : (A'(i)) Co (A'(i) Un C)) --> \
  13.376 -\         F : (INT i:I. A(i)) LeadsTo ((INT i:I. A'(i)) Un C)";
  13.377 +Goal "[| I \\<in> Fin(X);F \\<in> program |] \
  13.378 +\     ==> (\\<forall>i \\<in> I. F \\<in> (A(i)) LeadsTo (A'(i) Un C)) -->  \
  13.379 +\         (\\<forall>i \\<in> I. F \\<in> (A'(i)) Co (A'(i) Un C)) --> \
  13.380 +\         F \\<in> (\\<Inter>i \\<in> I. A(i)) LeadsTo ((\\<Inter>i \\<in> I. A'(i)) Un C)";
  13.381  by (etac Fin_induct 1);
  13.382  by (auto_tac (claset(), simpset() delsimps INT_simps
  13.383                                    addsimps [Inter_0]));
  13.384 @@ -360,17 +360,17 @@
  13.385  val lemma = result();
  13.386  
  13.387  val prems = Goal
  13.388 -     "[| I:Fin(X); !!i. i:I ==> F : A(i) LeadsTo (A'(i) Un C); \
  13.389 -\        !!i. i:I ==> F : A'(i) Co (A'(i) Un C); \
  13.390 -\        F:program |]   \
  13.391 -\     ==> F : (INT i:I. A(i)) LeadsTo ((INT i:I. A'(i)) Un C)";
  13.392 +     "[| I \\<in> Fin(X); !!i. i \\<in> I ==> F \\<in> A(i) LeadsTo (A'(i) Un C); \
  13.393 +\        !!i. i \\<in> I ==> F \\<in> A'(i) Co (A'(i) Un C); \
  13.394 +\        F \\<in> program |]   \
  13.395 +\     ==> F \\<in> (\\<Inter>i \\<in> I. A(i)) LeadsTo ((\\<Inter>i \\<in> I. A'(i)) Un C)";
  13.396  by (blast_tac (claset() addIs (lemma RS mp RS mp)::prems) 1);
  13.397  qed "Finite_completion";
  13.398  
  13.399  Goalw [Stable_def]
  13.400 -     "[| F : A LeadsTo A';  F : Stable(A');   \
  13.401 -\        F : B LeadsTo B';  F : Stable(B') |] \
  13.402 -\   ==> F : (A Int B) LeadsTo (A' Int B')";
  13.403 +     "[| F \\<in> A LeadsTo A';  F \\<in> Stable(A');   \
  13.404 +\        F \\<in> B LeadsTo B';  F \\<in> Stable(B') |] \
  13.405 +\   ==> F \\<in> (A Int B) LeadsTo (A' Int B')";
  13.406  by (res_inst_tac [("C1", "0")] (Completion RS LeadsTo_weaken_R) 1);
  13.407  by (Asm_full_simp_tac 5);
  13.408  by (rtac subset_refl 5);
  13.409 @@ -378,10 +378,10 @@
  13.410  qed "Stable_completion";
  13.411  
  13.412  val prems = Goalw [Stable_def]
  13.413 -     "[| I:Fin(X); \
  13.414 -\        (!!i. i:I ==> F : A(i) LeadsTo A'(i)); \
  13.415 -\        (!!i. i:I ==>F: Stable(A'(i)));   F:program  |] \
  13.416 -\     ==> F : (INT i:I. A(i)) LeadsTo (INT i:I. A'(i))";
  13.417 +     "[| I \\<in> Fin(X); \
  13.418 +\        (!!i. i \\<in> I ==> F \\<in> A(i) LeadsTo A'(i)); \
  13.419 +\        (!!i. i \\<in> I ==>F \\<in> Stable(A'(i)));   F \\<in> program  |] \
  13.420 +\     ==> F \\<in> (\\<Inter>i \\<in> I. A(i)) LeadsTo (\\<Inter>i \\<in> I. A'(i))";
  13.421  by (res_inst_tac [("C1", "0")] (Finite_completion RS LeadsTo_weaken_R) 1);
  13.422  by (ALLGOALS(Simp_tac));
  13.423  by (rtac subset_refl 5);
  13.424 @@ -397,7 +397,7 @@
  13.425                    ORELSE   (*subgoal may involve LeadsTo, leadsTo or ensures*)
  13.426                    REPEAT (ares_tac [LeadsTo_Basis, leadsTo_Basis,
  13.427                                      EnsuresI, ensuresI] 1),
  13.428 -              (*now there are two subgoals: co & transient*)
  13.429 +              (*now there are two subgoals \\<in> co & transient*)
  13.430                simp_tac (simpset() addsimps !program_defs_ref) 2,
  13.431                res_inst_tac [("act", sact)] transientI 2,
  13.432                   (*simplify the command's domain*)
    14.1 --- a/src/ZF/UNITY/Union.ML	Mon Jul 07 17:58:21 2003 +0200
    14.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    14.3 @@ -1,652 +0,0 @@
    14.4 -(*  Title:      ZF/UNITY/Union.ML
    14.5 -    ID:         $Id$
    14.6 -    Author:     Sidi O Ehmety, Computer Laboratory
    14.7 -    Copyright   2001  University of Cambridge
    14.8 -
    14.9 -Unions of programs
   14.10 -
   14.11 -From Misra's Chapter 5: Asynchronous Compositions of Programs
   14.12 -
   14.13 -Proofs ported from HOL.
   14.14 -
   14.15 -*)
   14.16 -
   14.17 -(** SKIP **)
   14.18 -
   14.19 -Goal "reachable(SKIP) = state";
   14.20 -by (force_tac (claset() addEs [reachable.induct]
   14.21 -                        addIs reachable.intrs, simpset()) 1);
   14.22 -qed "reachable_SKIP";
   14.23 -AddIffs [reachable_SKIP];
   14.24 -
   14.25 -(* Elimination programify from ok and Join *)
   14.26 -
   14.27 -Goal "programify(F) ok G <-> F ok G";
   14.28 -by (simp_tac (simpset() addsimps [ok_def]) 1);
   14.29 -qed "ok_programify_left";
   14.30 -
   14.31 -Goal "F ok programify(G) <-> F ok G";
   14.32 -by (simp_tac (simpset() addsimps [ok_def]) 1);
   14.33 -qed "ok_programify_right";
   14.34 -
   14.35 -Goal "programify(F) Join G = F Join G";
   14.36 -by (simp_tac (simpset() addsimps [Join_def]) 1);
   14.37 -qed "Join_programify_left";
   14.38 -
   14.39 -Goal "F Join programify(G) = F Join G";
   14.40 -by (simp_tac (simpset() addsimps [Join_def]) 1);
   14.41 -qed "Join_programify_right";
   14.42 -
   14.43 -AddIffs [ok_programify_left, ok_programify_right, 
   14.44 -          Join_programify_left, Join_programify_right];
   14.45 -
   14.46 -(** SKIP and safety properties **)
   14.47 -
   14.48 -Goalw [constrains_def, st_set_def] 
   14.49 -"(SKIP: A co B) <-> (A<=B & st_set(A))";
   14.50 -by Auto_tac;
   14.51 -qed "SKIP_in_constrains_iff";
   14.52 -AddIffs [SKIP_in_constrains_iff];
   14.53 -
   14.54 -Goalw [Constrains_def]"(SKIP : A Co B)<-> (state Int A<=B)";
   14.55 -by Auto_tac;
   14.56 -qed "SKIP_in_Constrains_iff";
   14.57 -AddIffs [SKIP_in_Constrains_iff];
   14.58 -
   14.59 -Goal "SKIP:stable(A) <-> st_set(A)";
   14.60 -by (auto_tac (claset(), 
   14.61 -    simpset() addsimps [stable_def]));
   14.62 -qed "SKIP_in_stable";
   14.63 -AddIffs [SKIP_in_stable];
   14.64 -
   14.65 -Goalw [Stable_def] "SKIP:Stable(A)";
   14.66 -by Auto_tac;
   14.67 -qed "SKIP_in_Stable";
   14.68 -AddIffs [SKIP_in_Stable];
   14.69 -
   14.70 -(** Join and JOIN types **)
   14.71 -
   14.72 -Goalw [Join_def]  "F Join G : program";
   14.73 -by Auto_tac;
   14.74 -qed "Join_in_program";
   14.75 -AddIffs [Join_in_program];
   14.76 -AddTCs [Join_in_program];
   14.77 -
   14.78 -Goalw [JOIN_def] "JOIN(I,F):program";
   14.79 -by Auto_tac;
   14.80 -qed "JOIN_in_program";
   14.81 -AddIffs [JOIN_in_program];
   14.82 -AddTCs [JOIN_in_program];
   14.83 -
   14.84 -(* Init, Acts, and AllowedActs of Join and JOIN *)
   14.85 -Goal "Init(F Join G) = Init(F) Int Init(G)";
   14.86 -by (simp_tac (simpset() 
   14.87 -         addsimps [Int_assoc, Join_def]) 1);
   14.88 -qed "Init_Join";
   14.89 -
   14.90 -Goal "Acts(F Join G) = Acts(F) Un Acts(G)";
   14.91 -by (simp_tac (simpset() addsimps [Int_Un_distrib2, cons_absorb, Join_def]) 1);
   14.92 -qed "Acts_Join";
   14.93 -
   14.94 -Goal "AllowedActs(F Join G) = \
   14.95 -\ AllowedActs(F) Int AllowedActs(G)";
   14.96 -by (simp_tac (simpset() 
   14.97 -     addsimps [Int_assoc,cons_absorb,Join_def]) 1);
   14.98 -qed "AllowedActs_Join";
   14.99 -Addsimps [Init_Join, Acts_Join, AllowedActs_Join];
  14.100 -
  14.101 -(** Join's algebraic laws **)
  14.102 -
  14.103 -Goal "F Join G = G Join F";
  14.104 -by (simp_tac (simpset() addsimps 
  14.105 -     [Join_def, Un_commute, Int_commute]) 1);
  14.106 -qed "Join_commute";
  14.107 -
  14.108 -Goal "A Join (B Join C) = B Join (A Join C)";
  14.109 -by (simp_tac (simpset() addsimps
  14.110 -    [Join_def,Int_Un_distrib2, cons_absorb]) 1);
  14.111 -by (simp_tac (simpset() addsimps 
  14.112 -        Un_ac@Int_ac@[Int_Un_distrib2, cons_absorb]) 1);
  14.113 -qed "Join_left_commute";
  14.114 -
  14.115 -Goal "(F Join G) Join H = F Join (G Join H)";
  14.116 -by (asm_simp_tac (simpset() addsimps 
  14.117 -          Un_ac@[Join_def, cons_absorb, Int_assoc, Int_Un_distrib2]) 1);
  14.118 -qed "Join_assoc";
  14.119 -
  14.120 -(* Needed below *)
  14.121 -Goal "cons(id(state), Pow(state * state)) = Pow(state*state)";
  14.122 -by Auto_tac;
  14.123 -qed "cons_id";
  14.124 -AddIffs [cons_id];
  14.125 -
  14.126 -Goalw [Join_def, SKIP_def] 
  14.127 -    "SKIP Join F = programify(F)";
  14.128 -by (auto_tac (claset(), simpset() addsimps [Int_absorb,cons_eq]));
  14.129 -qed "Join_SKIP_left";
  14.130 -
  14.131 -Goal  "F Join SKIP =  programify(F)";
  14.132 -by (stac Join_commute 1);
  14.133 -by (asm_simp_tac (simpset() addsimps [Join_SKIP_left]) 1);
  14.134 -qed "Join_SKIP_right";
  14.135 -
  14.136 -AddIffs [Join_SKIP_left, Join_SKIP_right];
  14.137 -
  14.138 -Goal "F Join F = programify(F)";
  14.139 -by (rtac program_equalityI 1);
  14.140 -by Auto_tac;
  14.141 -qed "Join_absorb";
  14.142 -
  14.143 -Addsimps [Join_absorb];
  14.144 -
  14.145 -Goal "F Join (F Join G) = F Join G";
  14.146 -by (asm_simp_tac (simpset() addsimps [Join_assoc RS sym]) 1);
  14.147 -qed "Join_left_absorb";
  14.148 -
  14.149 -(*Join is an AC-operator*)
  14.150 -val Join_ac = [Join_assoc, Join_left_absorb, Join_commute, Join_left_commute];
  14.151 -
  14.152 -(** Eliminating programify form JN and OK expressions **)
  14.153 -
  14.154 -Goal "OK(I, %x. programify(F(x))) <-> OK(I, F)";
  14.155 -by (simp_tac (simpset() addsimps [OK_def]) 1);
  14.156 -qed "OK_programify";
  14.157 -
  14.158 -Goal "JOIN(I, %x. programify(F(x))) = JOIN(I, F)";
  14.159 -by (simp_tac (simpset() addsimps [JOIN_def]) 1);
  14.160 -qed "JN_programify";
  14.161 -
  14.162 -AddIffs [OK_programify, JN_programify];
  14.163 -
  14.164 -(* JN *)
  14.165 -
  14.166 -Goalw [JOIN_def] "JOIN(0, F) = SKIP";
  14.167 -by Auto_tac;
  14.168 -qed "JN_empty";
  14.169 -AddIffs [JN_empty];
  14.170 -Addsimps [Inter_0];
  14.171 -
  14.172 -Goal "Init(JN i:I. F(i)) = (if I=0 then state else (INT i:I. Init(F(i))))";
  14.173 -by (simp_tac (simpset() addsimps [JOIN_def]) 1);
  14.174 -by (auto_tac (claset() addSEs [not_emptyE],
  14.175 -               simpset() addsimps INT_extend_simps
  14.176 -                         delsimps INT_simps));
  14.177 -qed "Init_JN";
  14.178 -
  14.179 -Goalw [JOIN_def]
  14.180 -     "Acts(JOIN(I,F)) = cons(id(state), UN i:I.  Acts(F(i)))";
  14.181 -by (auto_tac (claset(), simpset() delsimps (INT_simps@UN_simps)));
  14.182 -by (rtac equalityI 1);
  14.183 -by (auto_tac (claset() addDs [Acts_type RS subsetD], simpset()));
  14.184 -qed "Acts_JN";
  14.185 -
  14.186 -Goalw [JOIN_def]
  14.187 -"AllowedActs(JN i:I. F(i)) = (if I=0 then Pow(state*state) else (INT i:I. AllowedActs(F(i))))";
  14.188 -by Auto_tac;
  14.189 -by (rtac equalityI 1);
  14.190 -by (auto_tac (claset()  addSEs [not_emptyE] addDs [AllowedActs_type RS subsetD], simpset()));
  14.191 -qed "AllowedActs_JN";
  14.192 -AddIffs [Init_JN, Acts_JN, AllowedActs_JN];
  14.193 -
  14.194 -Goal "(JN i:cons(a,I). F(i)) = F(a) Join (JN i:I. F(i))";
  14.195 -by (rtac program_equalityI 1);
  14.196 -by Auto_tac;
  14.197 -qed "JN_cons";
  14.198 -AddIffs[JN_cons];
  14.199 -
  14.200 -
  14.201 -val prems = Goalw [JOIN_def]
  14.202 -    "[| I=J;  !!i. i:J ==> F(i) = G(i) |] ==> \
  14.203 -\    (JN i:I. F(i)) = (JN i:J. G(i))";
  14.204 -by (asm_simp_tac (simpset() addsimps prems) 1);
  14.205 -qed "JN_cong";
  14.206 -
  14.207 -Addcongs [JN_cong];
  14.208 -
  14.209 -(*** JN laws ***)
  14.210 -Goal "k:I ==>F(k) Join (JN i:I. F(i)) = (JN i:I. F(i))";
  14.211 -by (stac (JN_cons RS sym) 1);
  14.212 -by (auto_tac (claset(), 
  14.213 -           simpset() addsimps [cons_absorb]));
  14.214 -qed "JN_absorb";
  14.215 -
  14.216 -Goal "(JN i: I Un J. F(i)) = ((JN i: I. F(i)) Join (JN i:J. F(i)))";
  14.217 -by (rtac program_equalityI 1);
  14.218 -by (ALLGOALS(asm_full_simp_tac (simpset() addsimps [UN_Un,INT_Un])));
  14.219 -by (ALLGOALS(asm_full_simp_tac (simpset() delsimps INT_simps
  14.220 -		                          addsimps INT_extend_simps)));
  14.221 -by (Blast_tac 1); 
  14.222 -qed "JN_Un";
  14.223 -
  14.224 -Goal "(JN i:I. c) = (if I=0 then SKIP else programify(c))";
  14.225 -by (rtac program_equalityI 1);
  14.226 -by Auto_tac;
  14.227 -qed "JN_constant";
  14.228 -
  14.229 -Goal "(JN i:I. F(i) Join G(i)) = (JN i:I. F(i))  Join  (JN i:I. G(i))";
  14.230 -by (rtac program_equalityI 1);
  14.231 -by (ALLGOALS(simp_tac (simpset() addsimps [Int_absorb])));
  14.232 -by (safe_tac (claset() addSEs [not_emptyE]));
  14.233 -by (ALLGOALS(asm_full_simp_tac (simpset() addsimps 
  14.234 -              [INT_Int_distrib, Int_absorb])));
  14.235 -by (Force_tac 1);
  14.236 -qed "JN_Join_distrib";
  14.237 -
  14.238 -Goal "(JN i:I. F(i) Join G) = ((JN i:I. F(i) Join G))";
  14.239 -by (asm_simp_tac (simpset() addsimps [JN_Join_distrib, JN_constant]) 1);
  14.240 -qed "JN_Join_miniscope";
  14.241 -
  14.242 -(*Used to prove guarantees_JN_I*)
  14.243 -
  14.244 -Goal "i:I==>F(i) Join JOIN(I - {i}, F) = JOIN(I, F)";
  14.245 -by (rtac program_equalityI 1);
  14.246 -by (auto_tac (claset() addSEs [not_emptyE], simpset()));
  14.247 -qed "JN_Join_diff";
  14.248 -
  14.249 -(*** Safety: co, stable, FP ***)
  14.250 -
  14.251 -
  14.252 -(*Fails if I=0 because it collapses to SKIP : A co B, i.e. to A<=B.  So an
  14.253 -  alternative precondition is A<=B, but most proofs using this rule require
  14.254 -  I to be nonempty for other reasons anyway.*)
  14.255 -
  14.256 -Goalw [constrains_def, JOIN_def,st_set_def]
  14.257 - "i:I==>(JN i:I. F(i)):A co B <-> (ALL i:I. programify(F(i)):A co B)";
  14.258 -by Auto_tac;
  14.259 -by (Blast_tac 2);
  14.260 -by (rename_tac "j act y z" 1);
  14.261 -by (cut_inst_tac [("F","F(j)")] Acts_type 1);
  14.262 -by (dres_inst_tac [("x", "act")] bspec 1);
  14.263 -by Auto_tac;
  14.264 -qed "JN_constrains";
  14.265 -
  14.266 -Goal "(F Join G : A co B) <-> (programify(F):A co B & programify(G):A co B)";
  14.267 -by (auto_tac (claset(), simpset() addsimps [constrains_def]));
  14.268 -qed "Join_constrains";
  14.269 -
  14.270 -Goal "(F Join G : A unless B) <-> \
  14.271 -\   (programify(F) : A unless B & programify(G):A unless B)";
  14.272 -by (asm_simp_tac (simpset() addsimps [Join_constrains, unless_def]) 1);
  14.273 -qed "Join_unless";
  14.274 -
  14.275 -AddIffs [Join_constrains, Join_unless];
  14.276 -
  14.277 -(*Analogous weak versions FAIL; see Misra [1994] 5.4.1, Substitution Axiom.
  14.278 -  reachable (F Join G) could be much bigger than reachable F, reachable G
  14.279 -*)
  14.280 -
  14.281 -Goal "[| F : A co A';  G:B co B' |] \
  14.282 -\     ==> F Join G : (A Int B) co (A' Un B')";
  14.283 -by (subgoal_tac "st_set(A) & st_set(B) & F:program & G:program" 1);
  14.284 -by (blast_tac (claset()  addDs [constrainsD2]) 2);
  14.285 -by (Asm_simp_tac 1);
  14.286 -by (blast_tac (claset() addIs [constrains_weaken]) 1);
  14.287 -qed "Join_constrains_weaken";
  14.288 -
  14.289 -(*If I=0, it degenerates to SKIP : state co 0, which is false.*)
  14.290 -val [major, minor] = Goal 
  14.291 -"[| (!!i. i:I ==> F(i) : A(i) co A'(i));  i: I |] \
  14.292 -\     ==> (JN i:I. F(i)) : (INT i:I. A(i)) co (UN i:I. A'(i))";
  14.293 -by (cut_facts_tac [minor] 1);
  14.294 -by (asm_simp_tac (simpset() addsimps [JN_constrains]) 1);
  14.295 -by (Clarify_tac 1);
  14.296 -by (rename_tac "j" 1);
  14.297 -by (forw_inst_tac [("i", "j")] major 1);
  14.298 -by (ftac constrainsD2 1);
  14.299 -by (Asm_full_simp_tac 1);
  14.300 -by (blast_tac (claset() addIs [constrains_weaken]) 1);
  14.301 -qed "JN_constrains_weaken";
  14.302 -
  14.303 -Goal "(JN i:I. F(i)): stable(A) <-> ((ALL i:I. programify(F(i)):stable(A)) & st_set(A))";
  14.304 -by (asm_simp_tac 
  14.305 -    (simpset() addsimps [stable_def, constrains_def, JOIN_def]) 1);
  14.306 -by Auto_tac;
  14.307 -by (cut_inst_tac [("F", "F(i)")] Acts_type 1);
  14.308 -by (dres_inst_tac [("x","act")] bspec 1);
  14.309 -by Auto_tac;
  14.310 -qed "JN_stable";
  14.311 -
  14.312 -val [major, minor] = Goalw [initially_def]
  14.313 - "[| (!!i. i:I ==>F(i):initially(A)); i:I |] ==> (JN i:I. F(i)):initially(A)";
  14.314 -by (cut_facts_tac [minor] 1);
  14.315 -by (auto_tac (claset() addSEs [not_emptyE], simpset() addsimps [Inter_iff]));
  14.316 -by (forw_inst_tac [("i", "x")] major 1);
  14.317 -by Auto_tac;
  14.318 -qed "initially_JN_I";
  14.319 -
  14.320 -val [major, minor] = Goal 
  14.321 -"[|(!!i. i:I ==> F(i) : invariant(A)); i:I|]==> (JN i:I. F(i)):invariant(A)";
  14.322 -by (cut_facts_tac [minor] 1);
  14.323 -by (auto_tac (claset() addSIs [initially_JN_I] addDs [major], 
  14.324 -              simpset() addsimps [invariant_def, JN_stable]));
  14.325 -by (thin_tac "i:I" 1);
  14.326 -by (ftac major 1);
  14.327 -by (dtac major 2);
  14.328 -by (auto_tac (claset(), simpset() addsimps [invariant_def]));
  14.329 -by (ALLGOALS(ftac stableD2 ));
  14.330 -by Auto_tac;
  14.331 -qed "invariant_JN_I";
  14.332 -
  14.333 -Goal " (F Join G : stable(A)) <->  \
  14.334 -\     (programify(F) : stable(A) & programify(G): stable(A))";
  14.335 -by (asm_simp_tac (simpset() addsimps [stable_def]) 1);
  14.336 -qed "Join_stable";
  14.337 -AddIffs [Join_stable];
  14.338 -
  14.339 -Goalw [initially_def] "[| F:initially(A); G:initially(A) |] ==> F Join G: initially(A)";
  14.340 -by Auto_tac;
  14.341 -qed "initially_JoinI";
  14.342 -AddSIs [initially_JoinI];
  14.343 -
  14.344 -Goal "[| F : invariant(A); G : invariant(A) |]  \
  14.345 -\     ==> F Join G : invariant(A)";
  14.346 -by (subgoal_tac "F:program&G:program" 1);
  14.347 -by (blast_tac (claset() addDs [invariantD2]) 2);
  14.348 -by (full_simp_tac (simpset() addsimps [invariant_def]) 1);
  14.349 -by (auto_tac (claset() addIs [Join_in_program], simpset()));
  14.350 -qed "invariant_JoinI";
  14.351 -
  14.352 -
  14.353 -(* Fails if I=0 because INT i:0. A(i) = 0 *)
  14.354 -Goal "i:I ==> FP(JN i:I. F(i)) = (INT i:I. FP (programify(F(i))))";
  14.355 -by (asm_simp_tac (simpset() addsimps [FP_def, Inter_def]) 1);
  14.356 -by (rtac equalityI 1);
  14.357 -by Safe_tac;
  14.358 -by (ALLGOALS(subgoal_tac "st_set({x})"));
  14.359 -by (rotate_tac ~1 3);
  14.360 -by (rotate_tac ~1 1);
  14.361 -by (ALLGOALS(asm_full_simp_tac (simpset() addsimps [JN_stable])));
  14.362 -by (rewtac st_set_def);
  14.363 -by (REPEAT(Blast_tac 1));
  14.364 -qed "FP_JN";
  14.365 -
  14.366 -(*** Progress: transient, ensures ***)
  14.367 -
  14.368 -Goal "i:I==>(JN i:I. F(i)) : transient(A) <-> \
  14.369 -\  (EX i:I. programify(F(i)) : transient(A))";
  14.370 -by (auto_tac (claset(),
  14.371 -              simpset() addsimps [transient_def, JOIN_def]));
  14.372 -by (rewtac st_set_def);
  14.373 -by (dres_inst_tac [("x", "act")] bspec 2);
  14.374 -by (auto_tac (claset() addDs [Acts_type RS subsetD], simpset()));
  14.375 -qed "JN_transient";
  14.376 -
  14.377 -Goal "F Join G : transient(A) <-> \
  14.378 -\     (programify(F) : transient(A) | programify(G):transient(A))";
  14.379 -by (auto_tac (claset(),
  14.380 -              simpset() addsimps [transient_def, Join_def, Int_Un_distrib2]));
  14.381 -qed "Join_transient";
  14.382 -
  14.383 -AddIffs [Join_transient];
  14.384 -
  14.385 -
  14.386 -Goal "F : transient(A) ==> F Join G : transient(A)";
  14.387 -by (asm_full_simp_tac (simpset() 
  14.388 -           addsimps [Join_transient, transientD2]) 1);
  14.389 -qed "Join_transient_I1";
  14.390 -
  14.391 -
  14.392 -Goal "G : transient(A) ==> F Join G : transient(A)";
  14.393 -by (asm_full_simp_tac (simpset() 
  14.394 -           addsimps [Join_transient, transientD2]) 1);
  14.395 -qed "Join_transient_I2";
  14.396 -
  14.397 -(*If I=0 it degenerates to (SKIP : A ensures B) = False, i.e. to ~(A<=B) *)
  14.398 -Goal "i : I ==> \
  14.399 -\     (JN i:I. F(i)) : A ensures B <-> \
  14.400 -\     ((ALL i:I. programify(F(i)) : (A-B) co (A Un B)) &  \
  14.401 -\     (EX i:I. programify(F(i)) : A ensures B))";
  14.402 -by (auto_tac (claset(),
  14.403 -              simpset() addsimps [ensures_def, JN_constrains, JN_transient]));
  14.404 -qed "JN_ensures";
  14.405 -
  14.406 -
  14.407 -Goalw [ensures_def]
  14.408 -     "F Join G : A ensures B  <->     \
  14.409 -\     (programify(F) : (A-B) co (A Un B) & programify(G) : (A-B) co (A Un B) & \
  14.410 -\      (programify(F): transient (A-B) | programify(G) : transient (A-B)))";
  14.411 -by (auto_tac (claset(), simpset() addsimps [Join_transient]));
  14.412 -qed "Join_ensures";
  14.413 -
  14.414 -Goalw [stable_def, constrains_def, Join_def, st_set_def]
  14.415 -    "[| F : stable(A);  G : A co A' |] \
  14.416 -\    ==> F Join G : A co A'";
  14.417 -by (cut_inst_tac [("F", "F")] Acts_type 1);
  14.418 -by (cut_inst_tac [("F", "G")] Acts_type 1);
  14.419 -by Auto_tac;
  14.420 -by (REPEAT(Blast_tac 1));
  14.421 -qed "stable_Join_constrains";
  14.422 -
  14.423 -(*Premise for G cannot use Always because  F: Stable A  is
  14.424 -   weaker than G : stable A *)
  14.425 -Goal "[| F : stable(A);  G : invariant(A) |] ==> F Join G : Always(A)";
  14.426 -by (subgoal_tac "F:program & G:program & st_set(A)" 1);
  14.427 -by (blast_tac (claset() addDs [invariantD2, stableD2]) 2);
  14.428 -by (asm_full_simp_tac (simpset() addsimps [Always_def, invariant_def,initially_def ,
  14.429 -                                       Stable_eq_stable]) 1);
  14.430 -by (force_tac(claset() addIs [stable_Int], simpset()) 1);
  14.431 -qed "stable_Join_Always1";
  14.432 -
  14.433 -(*As above, but exchanging the roles of F and G*)
  14.434 -Goal "[| F : invariant(A);  G : stable(A) |] ==> F Join G : Always(A)";
  14.435 -by (stac Join_commute 1);
  14.436 -by (blast_tac (claset() addIs [stable_Join_Always1]) 1);
  14.437 -qed "stable_Join_Always2";
  14.438 -
  14.439 -
  14.440 -
  14.441 -Goal "[| F : stable(A);  G : A ensures B |] ==> F Join G : A ensures B";
  14.442 -by (subgoal_tac "F:program & G:program & st_set(A)" 1);
  14.443 -by (blast_tac (claset() addDs [stableD2, ensures_type RS subsetD]) 2);
  14.444 -by (asm_simp_tac (simpset() addsimps [Join_ensures]) 1);
  14.445 -by (asm_full_simp_tac (simpset() addsimps [stable_def, ensures_def]) 1);
  14.446 -by (etac constrains_weaken 1);
  14.447 -by Auto_tac;
  14.448 -qed "stable_Join_ensures1";
  14.449 -
  14.450 -
  14.451 -(*As above, but exchanging the roles of F and G*)
  14.452 -Goal "[| F : A ensures B;  G : stable(A) |] ==> F Join G : A ensures B";
  14.453 -by (stac Join_commute 1);
  14.454 -by (blast_tac (claset() addIs [stable_Join_ensures1]) 1);
  14.455 -qed "stable_Join_ensures2";
  14.456 -
  14.457 -(*** The ok and OK relations ***)
  14.458 -
  14.459 -Goal "SKIP ok F";
  14.460 -by (auto_tac (claset() addDs [Acts_type RS subsetD], simpset() addsimps [ok_def]));
  14.461 -qed "ok_SKIP1";  
  14.462 -
  14.463 -Goal "F ok SKIP";
  14.464 -by (auto_tac (claset() addDs [Acts_type RS subsetD],
  14.465 -      simpset() addsimps [ok_def]));
  14.466 -qed "ok_SKIP2";
  14.467 -AddIffs [ok_SKIP1, ok_SKIP2];  
  14.468 -
  14.469 -Goal "(F ok G & (F Join G) ok H) <-> (G ok H & F ok (G Join H))";
  14.470 -by (auto_tac (claset(), simpset() addsimps [ok_def]));
  14.471 -qed "ok_Join_commute";
  14.472 -
  14.473 -Goal "(F ok G) <->(G ok F)";
  14.474 -by (auto_tac (claset(), simpset() addsimps [ok_def]));
  14.475 -qed "ok_commute";
  14.476 -
  14.477 -bind_thm ("ok_sym", ok_commute RS iffD1);
  14.478 -
  14.479 -Goal "OK({<0,F>,<1,G>,<2,H>}, snd) <-> (F ok G & (F Join G) ok H)";
  14.480 -by (asm_full_simp_tac
  14.481 -    (simpset() addsimps [ok_def, Join_def,  OK_def,
  14.482 -                        Int_assoc, cons_absorb, Int_Un_distrib2, Ball_def]) 1);
  14.483 -by (rtac iffI 1);
  14.484 -by Safe_tac; 
  14.485 -by (REPEAT(Force_tac 1));
  14.486 -qed "ok_iff_OK";
  14.487 -
  14.488 -Goal "F ok (G Join H) <-> (F ok G & F ok H)";
  14.489 -by (auto_tac (claset(), simpset() addsimps [ok_def]));
  14.490 -qed "ok_Join_iff1";
  14.491 -
  14.492 -
  14.493 -Goal "(G Join H) ok F <-> (G ok F & H ok F)";
  14.494 -by (auto_tac (claset(), simpset() addsimps [ok_def]));
  14.495 -qed "ok_Join_iff2";
  14.496 -AddIffs [ok_Join_iff1, ok_Join_iff2];
  14.497 -
  14.498 -(*useful?  Not with the previous two around*)
  14.499 -Goal "[| F ok G; (F Join G) ok H |] ==> F ok (G Join H)";
  14.500 -by (auto_tac (claset(), simpset() addsimps [ok_def]));
  14.501 -qed "ok_Join_commute_I";
  14.502 -
  14.503 -Goal "F ok JOIN(I,G) <-> (ALL i:I. F ok G(i))";
  14.504 -by (force_tac (claset() addDs [Acts_type RS subsetD] addSEs [not_emptyE],
  14.505 -               simpset() addsimps [ok_def]) 1);
  14.506 -qed "ok_JN_iff1";
  14.507 -
  14.508 -Goal "JOIN(I,G) ok F   <->  (ALL i:I. G(i) ok F)";
  14.509 -by (auto_tac (claset() addSEs [not_emptyE], simpset() addsimps [ok_def]));
  14.510 -by (blast_tac (claset() addDs [Acts_type RS subsetD]) 1);
  14.511 -qed "ok_JN_iff2";
  14.512 -AddIffs [ok_JN_iff1, ok_JN_iff2];
  14.513 -
  14.514 -Goal "OK(I,F) <-> (ALL i: I. ALL j: I-{i}. F(i) ok (F(j)))"; 
  14.515 -by (auto_tac (claset(), simpset() addsimps [ok_def, OK_def]));  
  14.516 -qed "OK_iff_ok";
  14.517 -
  14.518 -Goal "[| OK(I,F); i: I; j: I; i~=j|] ==> F(i) ok F(j)"; 
  14.519 -by (auto_tac (claset(), simpset() addsimps [OK_iff_ok]));  
  14.520 -qed "OK_imp_ok";
  14.521 -
  14.522 -
  14.523 -(*** Allowed ***)
  14.524 -
  14.525 -Goal "Allowed(SKIP) = program";
  14.526 -by (auto_tac (claset() addDs [Acts_type RS subsetD], 
  14.527 -               simpset() addsimps [Allowed_def]));  
  14.528 -qed "Allowed_SKIP";
  14.529 -
  14.530 -Goal "Allowed(F Join G) = \
  14.531 -\  Allowed(programify(F)) Int Allowed(programify(G))";
  14.532 -by (auto_tac (claset(), simpset() addsimps [Allowed_def]));
  14.533 -qed "Allowed_Join";
  14.534 -
  14.535 -Goal "i:I ==> \
  14.536 -\  Allowed(JOIN(I,F)) = (INT i:I. Allowed(programify(F(i))))";
  14.537 -by (auto_tac (claset(), simpset() addsimps [Allowed_def]));
  14.538 -by (Blast_tac 1); 
  14.539 -qed "Allowed_JN";
  14.540 -Addsimps [Allowed_SKIP, Allowed_Join, Allowed_JN];
  14.541 -
  14.542 -Goal "F ok G <-> (programify(F):Allowed(programify(G)) & \
  14.543 -\  programify(G):Allowed(programify(F)))";
  14.544 -by (asm_simp_tac (simpset() addsimps [ok_def, Allowed_def]) 1);
  14.545 -qed "ok_iff_Allowed";
  14.546 -
  14.547 -
  14.548 -Goal "OK(I,F) <-> \
  14.549 -\ (ALL i: I. ALL j: I-{i}. programify(F(i)) : Allowed(programify(F(j))))"; 
  14.550 -by (auto_tac (claset(), simpset() addsimps [OK_iff_ok, ok_iff_Allowed]));  
  14.551 -qed "OK_iff_Allowed";
  14.552 -
  14.553 -(*** safety_prop, for reasoning about given instances of "ok" ***)
  14.554 -
  14.555 -Goal "safety_prop(X) ==> (Acts(G) <= cons(id(state), (UN F:X. Acts(F)))) <-> (programify(G):X)";
  14.556 -by (full_simp_tac( simpset() addsimps [safety_prop_def]) 1);
  14.557 -by (Clarify_tac 1);
  14.558 -by (case_tac "G:program" 1);
  14.559 -by (ALLGOALS(Asm_full_simp_tac));
  14.560 -by (Blast_tac 1);
  14.561 -by Safe_tac;
  14.562 -by (Force_tac 2);
  14.563 -by (force_tac (claset(), simpset() 
  14.564 -          addsimps [programify_def]) 1);
  14.565 -qed "safety_prop_Acts_iff";
  14.566 -
  14.567 -Goal "safety_prop(X) ==> \
  14.568 -\ (UN G:X. Acts(G)) <= AllowedActs(F) <-> (X <= Allowed(programify(F)))";
  14.569 -by (asm_full_simp_tac (simpset() addsimps [Allowed_def, 
  14.570 -              safety_prop_Acts_iff RS iff_sym]) 1);
  14.571 -by Safe_tac;
  14.572 -by (REPEAT (Blast_tac 2)); 
  14.573 -by (rewtac safety_prop_def);
  14.574 -by (Blast_tac 1); 
  14.575 -qed "safety_prop_AllowedActs_iff_Allowed";
  14.576 -
  14.577 -
  14.578 -Goal "safety_prop(X) ==> Allowed(mk_program(init, acts, UN F:X. Acts(F))) = X";
  14.579 -by (subgoal_tac "cons(id(state), Union(RepFun(X, Acts)) Int Pow(state * state)) = \
  14.580 -\                   Union(RepFun(X, Acts))" 1);
  14.581 -by (rtac equalityI 2);
  14.582 -by (REPEAT(force_tac (claset() addDs [Acts_type RS subsetD],
  14.583 -               simpset() addsimps [safety_prop_def]) 2));
  14.584 -by (asm_full_simp_tac (simpset() delsimps UN_simps
  14.585 -                   addsimps [Allowed_def, safety_prop_Acts_iff]) 1);
  14.586 -by (rewtac safety_prop_def);
  14.587 -by Auto_tac;
  14.588 -qed "Allowed_eq";
  14.589 -
  14.590 -Goal "[| F == mk_program (init, acts, UN F:X. Acts(F)); safety_prop(X) |] \
  14.591 -\     ==> Allowed(F) = X";
  14.592 -by (asm_simp_tac (simpset() addsimps [Allowed_eq]) 1); 
  14.593 -qed "def_prg_Allowed";
  14.594 -
  14.595 -(*For safety_prop to hold, the property must be satisfiable!*)
  14.596 -Goal "safety_prop(A co B) <-> (A <= B & st_set(A))";
  14.597 -by (simp_tac (simpset() addsimps [safety_prop_def, constrains_def, st_set_def]) 1);
  14.598 -by (Blast_tac 1);
  14.599 -qed "safety_prop_constrains";
  14.600 -AddIffs [safety_prop_constrains];
  14.601 -
  14.602 -(* To be used with resolution *)
  14.603 -Goal "[| A<=B; st_set(A) |] ==>safety_prop(A co B)";
  14.604 -by Auto_tac;
  14.605 -qed "safety_prop_constrainsI";
  14.606 -
  14.607 -Goal "safety_prop(stable(A)) <-> st_set(A)";
  14.608 -by (asm_simp_tac (simpset() addsimps [stable_def]) 1);
  14.609 -qed "safety_prop_stable";
  14.610 -AddIffs [safety_prop_stable];
  14.611 -
  14.612 -Goal "st_set(A) ==> safety_prop(stable(A))";
  14.613 -by Auto_tac;
  14.614 -qed "safety_prop_stableI";
  14.615 -
  14.616 -Goal "[| safety_prop(X) ; safety_prop(Y) |] ==> safety_prop(X Int Y)";
  14.617 -by (asm_full_simp_tac (simpset() addsimps [safety_prop_def]) 1);
  14.618 -by Safe_tac;
  14.619 -by (Blast_tac 1); 
  14.620 -by (dres_inst_tac [("B", "Union(RepFun(X Int Y, Acts))"),
  14.621 -                   ("C", "Union(RepFun(Y, Acts))")] subset_trans 2);
  14.622 -by (dres_inst_tac [("B", "Union(RepFun(X Int Y, Acts))"),
  14.623 -                   ("C", "Union(RepFun(X, Acts))")] subset_trans 1);
  14.624 -by (REPEAT(Blast_tac 1));
  14.625 -qed "safety_prop_Int";
  14.626 -Addsimps [safety_prop_Int];
  14.627 -
  14.628 -(* If I=0 the conclusion becomes safety_prop(0) which is false *)
  14.629 -val [major, minor] = Goalw [safety_prop_def] 
  14.630 -"[| (!!i. i:I ==>safety_prop(X(i))); i:I |] ==> safety_prop(INT i:I. X(i))";
  14.631 -by (cut_facts_tac [minor] 1);
  14.632 -by Safe_tac;
  14.633 -by (full_simp_tac (simpset() addsimps [Inter_iff]) 1);
  14.634 -by (Clarify_tac 1);
  14.635 -by (ftac major 1);
  14.636 -by (dres_inst_tac [("i", "xa")] major 2);
  14.637 -by (forw_inst_tac [("i", "xa")] major 4);
  14.638 -by (ALLGOALS(Asm_full_simp_tac));
  14.639 -by Auto_tac;
  14.640 -by (dres_inst_tac [("B", "Union(RepFun(Inter(RepFun(I, X)), Acts))"),
  14.641 -                   ("C", "Union(RepFun(X(xa), Acts))")] subset_trans 1);
  14.642 -by (REPEAT(Blast_tac 1));
  14.643 -qed "safety_prop_Inter";
  14.644 -
  14.645 -Goalw [ok_def]
  14.646 -"[| F == mk_program(init,acts, UN G:X. Acts(G)); safety_prop(X) |] \
  14.647 -\     ==> F ok G <-> (programify(G):X & acts Int Pow(state*state) <= AllowedActs(G))";
  14.648 -by (dres_inst_tac [("G", "G")] safety_prop_Acts_iff 1);
  14.649 -by Safe_tac;
  14.650 -by (ALLGOALS(cut_inst_tac [("F", "G")] AllowedActs_type));
  14.651 -by (ALLGOALS(cut_inst_tac [("F", "G")] Acts_type));
  14.652 -by Auto_tac;
  14.653 -qed "def_UNION_ok_iff";
  14.654 -
  14.655 -
    15.1 --- a/src/ZF/UNITY/Union.thy	Mon Jul 07 17:58:21 2003 +0200
    15.2 +++ b/src/ZF/UNITY/Union.thy	Tue Jul 08 11:44:30 2003 +0200
    15.3 @@ -11,35 +11,37 @@
    15.4  
    15.5  *)
    15.6  
    15.7 -Union = SubstAx + FP +
    15.8 +theory Union = SubstAx + FP:
    15.9 +
   15.10 +declare Inter_0 [simp]
   15.11  
   15.12  constdefs
   15.13  
   15.14 -  (*FIXME: conjoin Init(F) Int Init(G) ~= 0 *) 
   15.15 -  ok :: [i, i] => o     (infixl 65)
   15.16 -    "F ok G == Acts(F) <= AllowedActs(G) &
   15.17 -               Acts(G) <= AllowedActs(F)"
   15.18 +  (*FIXME: conjoin Init(F) Int Init(G) \<noteq> 0 *) 
   15.19 +  ok :: "[i, i] => o"     (infixl "ok" 65)
   15.20 +    "F ok G == Acts(F) \<subseteq> AllowedActs(G) &
   15.21 +               Acts(G) \<subseteq> AllowedActs(F)"
   15.22  
   15.23 -  (*FIXME: conjoin (INT i:I. Init(F(i))) ~= 0 *) 
   15.24 -  OK  :: [i, i=>i] => o
   15.25 -    "OK(I,F) == (ALL i:I. ALL j: I-{i}. Acts(F(i)) <= AllowedActs(F(j)))"
   15.26 +  (*FIXME: conjoin (\<Inter>i \<in> I. Init(F(i))) \<noteq> 0 *) 
   15.27 +  OK  :: "[i, i=>i] => o"
   15.28 +    "OK(I,F) == (\<forall>i \<in> I. \<forall>j \<in> I-{i}. Acts(F(i)) \<subseteq> AllowedActs(F(j)))"
   15.29  
   15.30 -   JOIN  :: [i, i=>i] => i
   15.31 +   JOIN  :: "[i, i=>i] => i"
   15.32    "JOIN(I,F) == if I = 0 then SKIP else
   15.33 -                 mk_program(INT i:I. Init(F(i)), UN i:I. Acts(F(i)),
   15.34 -                 INT i:I. AllowedActs(F(i)))"
   15.35 +                 mk_program(\<Inter>i \<in> I. Init(F(i)), \<Union>i \<in> I. Acts(F(i)),
   15.36 +                 \<Inter>i \<in> I. AllowedActs(F(i)))"
   15.37  
   15.38 -  Join :: [i, i] => i    (infixl 65)
   15.39 +  Join :: "[i, i] => i"    (infixl "Join" 65)
   15.40    "F Join G == mk_program (Init(F) Int Init(G), Acts(F) Un Acts(G),
   15.41  				AllowedActs(F) Int AllowedActs(G))"
   15.42    (*Characterizes safety properties.  Used with specifying AllowedActs*)
   15.43    safety_prop :: "i => o"
   15.44 -  "safety_prop(X) == X<=program &
   15.45 -      SKIP:X & (ALL G:program. Acts(G) <= (UN F:X. Acts(F)) --> G:X)"
   15.46 +  "safety_prop(X) == X\<subseteq>program &
   15.47 +      SKIP \<in> X & (\<forall>G \<in> program. Acts(G) \<subseteq> (\<Union>F \<in> X. Acts(F)) --> G \<in> X)"
   15.48    
   15.49  syntax
   15.50 -  "@JOIN1"     :: [pttrns, i] => i         ("(3JN _./ _)" 10)
   15.51 -  "@JOIN"      :: [pttrn, i, i] => i       ("(3JN _:_./ _)" 10)
   15.52 +  "@JOIN1"     :: "[pttrns, i] => i"         ("(3JN _./ _)" 10)
   15.53 +  "@JOIN"      :: "[pttrn, i, i] => i"       ("(3JN _:_./ _)" 10)
   15.54  
   15.55  translations
   15.56    "JN x:A. B"   == "JOIN(A, (%x. B))"
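Review bot: The new `declare Inter_0 [simp]` at the top of the theory extends the default simpset for every theory that imports Union, and nothing in the hunk says why it is needed; a one-line comment would spare the next reader a search, e.g. `(*Inter_0 as a simp rule is needed by the JN lemmas below, which case-split on I = 0; note it is inherited by every theory importing Union*)` — the reason is inferred rather than visible here, so adjust it if a different lemma is the actual consumer. The two FIXMEs about conjoining a non-empty initial state are carried over unchanged, so `F ok G` still does not exclude `Init(F) Int Init(G) = 0` and `F Join G` can then have an empty `Init`; if that is intentional for now, stating the consequence next to the FIXME would make the limitation explicit to users of `ok` and `OK`. The `translations` section that closes this hunk continues in the unchanged lines outside it.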
   15.57 @@ -47,9 +49,624 @@
   15.58    "JN x. B"     == "JOIN(state,(%x. B))"
   15.59  
   15.60  syntax (symbols)
   15.61 -   SKIP     :: i                    ("\\<bottom>")
   15.62 -  "op Join" :: [i, i] => i   (infixl "\\<squnion>" 65)
   15.63 -  "@JOIN1"  :: [pttrns, i] => i     ("(3\\<Squnion> _./ _)" 10)
   15.64 -  "@JOIN"   :: [pttrn, i, i] => i   ("(3\\<Squnion> _:_./ _)" 10)
   15.65 +   SKIP     :: i                      ("\<bottom>")
   15.66 +  Join      :: "[i, i] => i"          (infixl "\<squnion>" 65)
   15.67 +  "@JOIN1"  :: "[pttrns, i] => i"     ("(3\<Squnion> _./ _)" 10)
   15.68 +  "@JOIN"   :: "[pttrn, i, i] => i"   ("(3\<Squnion> _ \<in> _./ _)" 10)
   15.69 +
   15.70 +
   15.71 +subsection{*SKIP*}
   15.72 +
   15.73 +lemma reachable_SKIP [simp]: "reachable(SKIP) = state"
   15.74 +by (force elim: reachable.induct intro: reachable.intros)
   15.75 +
   15.76 +text{*Elimination programify from ok and Join*}
   15.77 +
   15.78 +lemma ok_programify_left [iff]: "programify(F) ok G <-> F ok G"
   15.79 +by (simp add: ok_def)
   15.80 +
   15.81 +lemma ok_programify_right [iff]: "F ok programify(G) <-> F ok G"
   15.82 +by (simp add: ok_def)
   15.83 +
   15.84 +lemma Join_programify_left [simp]: "programify(F) Join G = F Join G"
   15.85 +by (simp add: Join_def)
   15.86 +
   15.87 +lemma Join_programify_right [simp]: "F Join programify(G) = F Join G"
   15.88 +by (simp add: Join_def)
   15.89 +
   15.90 +subsection{*SKIP and safety properties*}
   15.91 +
   15.92 +lemma SKIP_in_constrains_iff [iff]: "(SKIP \<in> A co B) <-> (A\<subseteq>B & st_set(A))"
   15.93 +by (unfold constrains_def st_set_def, auto)
   15.94 +
   15.95 +lemma SKIP_in_Constrains_iff [iff]: "(SKIP \<in> A Co B)<-> (state Int A\<subseteq>B)"
   15.96 +by (unfold Constrains_def, auto)
   15.97 +
   15.98 +lemma SKIP_in_stable [iff]: "SKIP \<in> stable(A) <-> st_set(A)"
   15.99 +by (auto simp add: stable_def)
  15.100 +
  15.101 +lemma SKIP_in_Stable [iff]: "SKIP \<in> Stable(A)"
  15.102 +by (unfold Stable_def, auto)
  15.103 +
  15.104 +subsection{*Join and JOIN types*}
  15.105 +
  15.106 +lemma Join_in_program [iff,TC]: "F Join G \<in> program"
  15.107 +by (unfold Join_def, auto)
  15.108 +
  15.109 +lemma JOIN_in_program [iff,TC]: "JOIN(I,F) \<in> program"
  15.110 +by (unfold JOIN_def, auto)
  15.111 +
  15.112 +subsection{*Init, Acts, and AllowedActs of Join and JOIN*}
  15.113 +lemma Init_Join [simp]: "Init(F Join G) = Init(F) Int Init(G)"
  15.114 +by (simp add: Int_assoc Join_def)
  15.115 +
  15.116 +lemma Acts_Join [simp]: "Acts(F Join G) = Acts(F) Un Acts(G)"
  15.117 +by (simp add: Int_Un_distrib2 cons_absorb Join_def)
  15.118 +
  15.119 +lemma AllowedActs_Join [simp]: "AllowedActs(F Join G) =  
  15.120 +  AllowedActs(F) Int AllowedActs(G)"
  15.121 +apply (simp add: Int_assoc cons_absorb Join_def)
  15.122 +done
  15.123 +
  15.124 +subsection{*Join's algebraic laws*}
  15.125 +
  15.126 +lemma Join_commute: "F Join G = G Join F"
  15.127 +by (simp add: Join_def Un_commute Int_commute)
  15.128 +
  15.129 +lemma Join_left_commute: "A Join (B Join C) = B Join (A Join C)"
  15.130 +apply (simp add: Join_def Int_Un_distrib2 cons_absorb)
  15.131 +apply (simp add: Un_ac Int_ac Int_Un_distrib2 cons_absorb)
  15.132 +done
  15.133 +
  15.134 +lemma Join_assoc: "(F Join G) Join H = F Join (G Join H)"
  15.135 +by (simp add: Un_ac Join_def cons_absorb Int_assoc Int_Un_distrib2)
  15.136 +
  15.137 +subsection{*Needed below*}
  15.138 +lemma cons_id [simp]: "cons(id(state), Pow(state * state)) = Pow(state*state)"
  15.139 +by auto
  15.140 +
  15.141 +lemma Join_SKIP_left [simp]: "SKIP Join F = programify(F)"
  15.142 +apply (unfold Join_def SKIP_def)
  15.143 +apply (auto simp add: Int_absorb cons_eq)
  15.144 +done
  15.145 +
  15.146 +lemma Join_SKIP_right [simp]: "F Join SKIP =  programify(F)"
  15.147 +apply (subst Join_commute)
  15.148 +apply (simp add: Join_SKIP_left)
  15.149 +done
  15.150 +
  15.151 +lemma Join_absorb [simp]: "F Join F = programify(F)"
  15.152 +by (rule program_equalityI, auto)
  15.153 +
  15.154 +lemma Join_left_absorb: "F Join (F Join G) = F Join G"
  15.155 +by (simp add: Join_assoc [symmetric])
  15.156 +
  15.157 +subsection{*Join is an AC-operator*}
  15.158 +lemmas Join_ac = Join_assoc Join_left_absorb Join_commute Join_left_commute
  15.159 +
  15.160 +subsection{*Eliminating programify form JN and OK expressions*}
  15.161 +
  15.162 +lemma OK_programify [iff]: "OK(I, %x. programify(F(x))) <-> OK(I, F)"
  15.163 +by (simp add: OK_def)
  15.164 +
  15.165 +lemma JN_programify [iff]: "JOIN(I, %x. programify(F(x))) = JOIN(I, F)"
  15.166 +by (simp add: JOIN_def)
  15.167 +
  15.168 +
  15.169 +subsection{*JN*}
  15.170 +
  15.171 +lemma JN_empty [simp]: "JOIN(0, F) = SKIP"
  15.172 +by (unfold JOIN_def, auto)
  15.173 +
  15.174 +lemma Init_JN [simp]:
  15.175 +     "Init(\<Squnion>i \<in> I. F(i)) = (if I=0 then state else (\<Inter>i \<in> I. Init(F(i))))"
  15.176 +apply (simp add: JOIN_def)
  15.177 +apply (auto elim!: not_emptyE simp add: INT_extend_simps simp del: INT_simps)
  15.178 +done
  15.179 +
  15.180 +lemma Acts_JN [simp]: 
  15.181 +     "Acts(JOIN(I,F)) = cons(id(state), \<Union>i \<in> I.  Acts(F(i)))"
  15.182 +apply (unfold JOIN_def)
  15.183 +apply (auto simp del: INT_simps UN_simps)
  15.184 +apply (rule equalityI)
  15.185 +apply (auto dest: Acts_type [THEN subsetD])
  15.186 +done
  15.187 +
  15.188 +lemma AllowedActs_JN [simp]: 
  15.189 +     "AllowedActs(\<Squnion>i \<in> I. F(i)) = 
  15.190 +      (if I=0 then Pow(state*state) else (\<Inter>i \<in> I. AllowedActs(F(i))))"
  15.191 +apply (unfold JOIN_def, auto)
  15.192 +apply (rule equalityI)
  15.193 +apply (auto elim!: not_emptyE dest: AllowedActs_type [THEN subsetD])
  15.194 +done
  15.195 +
  15.196 +lemma JN_cons [simp]: "(\<Squnion>i \<in> cons(a,I). F(i)) = F(a) Join (\<Squnion>i \<in> I. F(i))"
  15.197 +by (rule program_equalityI, auto)
  15.198 +
  15.199 +lemma JN_cong [cong]:
  15.200 +    "[| I=J;  !!i. i \<in> J ==> F(i) = G(i) |] ==>  
  15.201 +     (\<Squnion>i \<in> I. F(i)) = (\<Squnion>i \<in> J. G(i))"
  15.202 +by (simp add: JOIN_def)
  15.203 +
  15.204 +
  15.205 +
  15.206 +subsection{*JN laws*}
  15.207 +lemma JN_absorb: "k \<in> I ==>F(k) Join (\<Squnion>i \<in> I. F(i)) = (\<Squnion>i \<in> I. F(i))"
  15.208 +apply (subst JN_cons [symmetric])
  15.209 +apply (auto simp add: cons_absorb)
  15.210 +done
  15.211 +
  15.212 +lemma JN_Un: "(\<Squnion>i \<in> I Un J. F(i)) = ((\<Squnion>i \<in> I. F(i)) Join (\<Squnion>i \<in> J. F(i)))"
  15.213 +apply (rule program_equalityI)
  15.214 +apply (simp_all add: UN_Un INT_Un)
  15.215 +apply (simp_all del: INT_simps add: INT_extend_simps, blast)
  15.216 +done
  15.217 +
  15.218 +lemma JN_constant: "(\<Squnion>i \<in> I. c) = (if I=0 then SKIP else programify(c))"
  15.219 +by (rule program_equalityI, auto)
  15.220 +
  15.221 +lemma JN_Join_distrib:
  15.222 +     "(\<Squnion>i \<in> I. F(i) Join G(i)) = (\<Squnion>i \<in> I. F(i))  Join  (\<Squnion>i \<in> I. G(i))"
  15.223 +apply (rule program_equalityI)
  15.224 +apply (simp_all add: Int_absorb)
  15.225 +apply (safe elim!: not_emptyE)
  15.226 +apply (simp_all add: INT_Int_distrib Int_absorb, force)
  15.227 +done
  15.228 +
  15.229 +lemma JN_Join_miniscope: "(\<Squnion>i \<in> I. F(i) Join G) = ((\<Squnion>i \<in> I. F(i) Join G))"
  15.230 +by (simp add: JN_Join_distrib JN_constant)
  15.231 +
  15.232 +text{*Used to prove guarantees_JN_I*}
  15.233 +lemma JN_Join_diff: "i \<in> I==>F(i) Join JOIN(I - {i}, F) = JOIN(I, F)"
  15.234 +apply (rule program_equalityI)
  15.235 +apply (auto elim!: not_emptyE)
  15.236 +done
  15.237 +
  15.238 +subsection{*Safety: co, stable, FP*}
  15.239 +
  15.240 +
  15.241 +(*Fails if I=0 because it collapses to SKIP \<in> A co B, i.e. to A\<subseteq>B.  So an
  15.242 +  alternative precondition is A\<subseteq>B, but most proofs using this rule require
  15.243 +  I to be nonempty for other reasons anyway.*)
  15.244 +
  15.245 +lemma JN_constrains: 
  15.246 + "i \<in> I==>(\<Squnion>i \<in> I. F(i)) \<in> A co B <-> (\<forall>i \<in> I. programify(F(i)) \<in> A co B)"
  15.247 +
  15.248 +apply (unfold constrains_def JOIN_def st_set_def, auto)
  15.249 +prefer 2 apply blast
  15.250 +apply (rename_tac j act y z)
  15.251 +apply (cut_tac F = "F (j) " in Acts_type)
  15.252 +apply (drule_tac x = act in bspec, auto)
  15.253 +done
  15.254 +
  15.255 +lemma Join_constrains [iff]:
  15.256 +     "(F Join G \<in> A co B) <-> (programify(F) \<in> A co B & programify(G) \<in> A co B)"
  15.257 +by (auto simp add: constrains_def)
  15.258 +
  15.259 +lemma Join_unless [iff]:
  15.260 +     "(F Join G \<in> A unless B) <->  
  15.261 +    (programify(F) \<in> A unless B & programify(G) \<in> A unless B)"
  15.262 +by (simp add: Join_constrains unless_def)
  15.263 +
  15.264 +
  15.265 +(*Analogous weak versions FAIL; see Misra [1994] 5.4.1, Substitution Axiom.
  15.266 +  reachable (F Join G) could be much bigger than reachable F, reachable G
  15.267 +*)
  15.268 +
  15.269 +lemma Join_constrains_weaken:
  15.270 +     "[| F \<in> A co A';  G \<in> B co B' |]  
  15.271 +      ==> F Join G \<in> (A Int B) co (A' Un B')"
  15.272 +apply (subgoal_tac "st_set (A) & st_set (B) & F \<in> program & G \<in> program")
  15.273 +prefer 2 apply (blast dest: constrainsD2, simp)
  15.274 +apply (blast intro: constrains_weaken)
  15.275 +done
  15.276 +
  15.277 +(*If I=0, it degenerates to SKIP \<in> state co 0, which is false.*)
  15.278 +lemma JN_constrains_weaken:
  15.279 +  assumes major: "(!!i. i \<in> I ==> F(i) \<in> A(i) co A'(i))"
  15.280 +      and minor: "i \<in> I"
  15.281 +  shows "(\<Squnion>i \<in> I. F(i)) \<in> (\<Inter>i \<in> I. A(i)) co (\<Union>i \<in> I. A'(i))"
  15.282 +apply (cut_tac minor)
  15.283 +apply (simp (no_asm_simp) add: JN_constrains)
  15.284 +apply clarify
  15.285 +apply (rename_tac "j")
  15.286 +apply (frule_tac i = j in major)
  15.287 +apply (frule constrainsD2, simp)
  15.288 +apply (blast intro: constrains_weaken)
  15.289 +done
  15.290 +
  15.291 +lemma JN_stable:
  15.292 +     "(\<Squnion>i \<in> I. F(i)) \<in>  stable(A) <-> ((\<forall>i \<in> I. programify(F(i)) \<in> stable(A)) & st_set(A))"
  15.293 +apply (auto simp add: stable_def constrains_def JOIN_def)
  15.294 +apply (cut_tac F = "F (i) " in Acts_type)
  15.295 +apply (drule_tac x = act in bspec, auto)
  15.296 +done
  15.297 +
  15.298 +lemma initially_JN_I: 
  15.299 +  assumes major: "(!!i. i \<in> I ==>F(i) \<in> initially(A))"
  15.300 +      and minor: "i \<in> I"
  15.301 +  shows  "(\<Squnion>i \<in> I. F(i)) \<in> initially(A)"
  15.302 +apply (cut_tac minor)
  15.303 +apply (auto elim!: not_emptyE simp add: Inter_iff initially_def) 
  15.304 +apply (frule_tac i = x in major)
  15.305 +apply (auto simp add: initially_def) 
  15.306 +done
  15.307 +
  15.308 +lemma invariant_JN_I: 
  15.309 +  assumes major: "(!!i. i \<in> I ==> F(i) \<in> invariant(A))"
  15.310 +      and minor: "i \<in> I"
  15.311 +  shows "(\<Squnion>i \<in> I. F(i)) \<in> invariant(A)"
  15.312 +apply (cut_tac minor)
  15.313 +apply (auto intro!: initially_JN_I dest: major simp add: invariant_def JN_stable)
  15.314 +apply (erule_tac V = "i \<in> I" in thin_rl)
  15.315 +apply (frule major)
  15.316 +apply (drule_tac [2] major)
  15.317 +apply (auto simp add: invariant_def)
  15.318 +apply (frule stableD2, force)+
  15.319 +done
  15.320 +
  15.321 +lemma Join_stable [iff]:
  15.322 +     " (F Join G \<in> stable(A)) <->   
  15.323 +      (programify(F) \<in> stable(A) & programify(G) \<in>  stable(A))"
  15.324 +by (simp add: stable_def)
  15.325 +
  15.326 +lemma initially_JoinI [intro!]:
  15.327 +     "[| F \<in> initially(A); G \<in> initially(A) |] ==> F Join G \<in> initially(A)"
  15.328 +by (unfold initially_def, auto)
  15.329 +
  15.330 +lemma invariant_JoinI:
  15.331 +     "[| F \<in> invariant(A); G \<in> invariant(A) |]   
  15.332 +      ==> F Join G \<in> invariant(A)"
  15.333 +apply (subgoal_tac "F \<in> program&G \<in> program")
  15.334 +prefer 2 apply (blast dest: invariantD2)
  15.335 +apply (simp add: invariant_def)
  15.336 +apply (auto intro: Join_in_program)
  15.337 +done
  15.338 +
  15.339 +
  15.340 +(* Fails if I=0 because \<Inter>i \<in> 0. A(i) = 0 *)
  15.341 +lemma FP_JN: "i \<in> I ==> FP(\<Squnion>i \<in> I. F(i)) = (\<Inter>i \<in> I. FP (programify(F(i))))"
  15.342 +by (auto simp add: FP_def Inter_def st_set_def JN_stable)
  15.343 +
  15.344 +subsection{*Progress: transient, ensures*}
  15.345 +
  15.346 +lemma JN_transient:
  15.347 +     "i \<in> I ==> 
  15.348 +      (\<Squnion>i \<in> I. F(i)) \<in> transient(A) <-> (\<exists>i \<in> I. programify(F(i)) \<in> transient(A))"
  15.349 +apply (auto simp add: transient_def JOIN_def)
  15.350 +apply (unfold st_set_def)
  15.351 +apply (drule_tac [2] x = act in bspec)
  15.352 +apply (auto dest: Acts_type [THEN subsetD])
  15.353 +done
  15.354 +
  15.355 +lemma Join_transient [iff]:
  15.356 +     "F Join G \<in> transient(A) <->  
  15.357 +      (programify(F) \<in> transient(A) | programify(G) \<in> transient(A))"
  15.358 +apply (auto simp add: transient_def Join_def Int_Un_distrib2)
  15.359 +done
  15.360 +
  15.361 +lemma Join_transient_I1: "F \<in> transient(A) ==> F Join G \<in> transient(A)"
  15.362 +by (simp add: Join_transient transientD2)
  15.363 +
  15.364 +
  15.365 +lemma Join_transient_I2: "G \<in> transient(A) ==> F Join G \<in> transient(A)"
  15.366 +by (simp add: Join_transient transientD2)
  15.367 +
  15.368 +(*If I=0 it degenerates to (SKIP \<in> A ensures B) = False, i.e. to ~(A\<subseteq>B) *)
  15.369 +lemma JN_ensures:
  15.370 +     "i \<in> I ==>  
  15.371 +      (\<Squnion>i \<in> I. F(i)) \<in> A ensures B <->  
  15.372 +      ((\<forall>i \<in> I. programify(F(i)) \<in> (A-B) co (A Un B)) &   
  15.373 +      (\<exists>i \<in> I. programify(F(i)) \<in> A ensures B))"
  15.374 +by (auto simp add: ensures_def JN_constrains JN_transient)
  15.375 +
  15.376 +
  15.377 +lemma Join_ensures: 
  15.378 +     "F Join G \<in> A ensures B  <->      
  15.379 +      (programify(F) \<in> (A-B) co (A Un B) & programify(G) \<in> (A-B) co (A Un B) &  
  15.380 +       (programify(F) \<in>  transient (A-B) | programify(G) \<in> transient (A-B)))"
  15.381 +
  15.382 +apply (unfold ensures_def)
  15.383 +apply (auto simp add: Join_transient)
  15.384 +done
  15.385 +
  15.386 +lemma stable_Join_constrains: 
  15.387 +    "[| F \<in> stable(A);  G \<in> A co A' |]  
  15.388 +     ==> F Join G \<in> A co A'"
  15.389 +apply (unfold stable_def constrains_def Join_def st_set_def)
  15.390 +apply (cut_tac F = F in Acts_type)
  15.391 +apply (cut_tac F = G in Acts_type, force) 
  15.392 +done
  15.393 +
  15.394 +(*Premise for G cannot use Always because  F \<in> Stable A  is
  15.395 +   weaker than G \<in> stable A *)
  15.396 +lemma stable_Join_Always1:
  15.397 +     "[| F \<in> stable(A);  G \<in> invariant(A) |] ==> F Join G \<in> Always(A)"
  15.398 +apply (subgoal_tac "F \<in> program & G \<in> program & st_set (A) ")
  15.399 +prefer 2 apply (blast dest: invariantD2 stableD2)
  15.400 +apply (simp add: Always_def invariant_def initially_def Stable_eq_stable)
  15.401 +apply (force intro: stable_Int)
  15.402 +done
  15.403 +
  15.404 +(*As above, but exchanging the roles of F and G*)
  15.405 +lemma stable_Join_Always2:
  15.406 +     "[| F \<in> invariant(A);  G \<in> stable(A) |] ==> F Join G \<in> Always(A)"
  15.407 +apply (subst Join_commute)
  15.408 +apply (blast intro: stable_Join_Always1)
  15.409 +done
  15.410 +
  15.411 +
  15.412 +
  15.413 +lemma stable_Join_ensures1:
  15.414 +     "[| F \<in> stable(A);  G \<in> A ensures B |] ==> F Join G \<in> A ensures B"
  15.415 +apply (subgoal_tac "F \<in> program & G \<in> program & st_set (A) ")
  15.416 +prefer 2 apply (blast dest: stableD2 ensures_type [THEN subsetD])
  15.417 +apply (simp (no_asm_simp) add: Join_ensures)
  15.418 +apply (simp add: stable_def ensures_def)
  15.419 +apply (erule constrains_weaken, auto)
  15.420 +done
  15.421 +
  15.422 +
  15.423 +(*As above, but exchanging the roles of F and G*)
  15.424 +lemma stable_Join_ensures2:
  15.425 +     "[| F \<in> A ensures B;  G \<in> stable(A) |] ==> F Join G \<in> A ensures B"
  15.426 +apply (subst Join_commute)
  15.427 +apply (blast intro: stable_Join_ensures1)
  15.428 +done
  15.429 +
  15.430 +subsection{*The ok and OK relations*}
  15.431 +
  15.432 +lemma ok_SKIP1 [iff]: "SKIP ok F"
  15.433 +by (auto dest: Acts_type [THEN subsetD] simp add: ok_def)
  15.434 +
  15.435 +lemma ok_SKIP2 [iff]: "F ok SKIP"
  15.436 +by (auto dest: Acts_type [THEN subsetD] simp add: ok_def)
  15.437 +
  15.438 +lemma ok_Join_commute:
  15.439 +     "(F ok G & (F Join G) ok H) <-> (G ok H & F ok (G Join H))"
  15.440 +by (auto simp add: ok_def)
  15.441 +
  15.442 +lemma ok_commute: "(F ok G) <->(G ok F)"
  15.443 +by (auto simp add: ok_def)
  15.444 +
  15.445 +lemmas ok_sym = ok_commute [THEN iffD1, standard]
  15.446 +
  15.447 +lemma ok_iff_OK: "OK({<0,F>,<1,G>,<2,H>}, snd) <-> (F ok G & (F Join G) ok H)"
  15.448 +by (simp add: ok_def Join_def OK_def Int_assoc cons_absorb
  15.449 +                 Int_Un_distrib2 Ball_def,  safe, force+)
  15.450 +
  15.451 +lemma ok_Join_iff1 [iff]: "F ok (G Join H) <-> (F ok G & F ok H)"
  15.452 +by (auto simp add: ok_def)
  15.453 +
  15.454 +lemma ok_Join_iff2 [iff]: "(G Join H) ok F <-> (G ok F & H ok F)"
  15.455 +by (auto simp add: ok_def)
  15.456 +
  15.457 +(*useful?  Not with the previous two around*)
  15.458 +lemma ok_Join_commute_I: "[| F ok G; (F Join G) ok H |] ==> F ok (G Join H)"
  15.459 +by (auto simp add: ok_def)
  15.460 +
  15.461 +lemma ok_JN_iff1 [iff]: "F ok JOIN(I,G) <-> (\<forall>i \<in> I. F ok G(i))"
  15.462 +by (force dest: Acts_type [THEN subsetD] elim!: not_emptyE simp add: ok_def)
  15.463 +
  15.464 +lemma ok_JN_iff2 [iff]: "JOIN(I,G) ok F   <->  (\<forall>i \<in> I. G(i) ok F)"
  15.465 +apply (auto elim!: not_emptyE simp add: ok_def)
  15.466 +apply (blast dest: Acts_type [THEN subsetD])
  15.467 +done
  15.468 +
  15.469 +lemma OK_iff_ok: "OK(I,F) <-> (\<forall>i \<in> I. \<forall>j \<in> I-{i}. F(i) ok (F(j)))"
  15.470 +by (auto simp add: ok_def OK_def)
  15.471 +
  15.472 +lemma OK_imp_ok: "[| OK(I,F); i \<in> I; j \<in> I; i\<noteq>j|] ==> F(i) ok F(j)"
  15.473 +by (auto simp add: OK_iff_ok)
  15.474 +
  15.475 +
  15.476 +subsection{*Allowed*}
  15.477 +
  15.478 +lemma Allowed_SKIP [simp]: "Allowed(SKIP) = program"
  15.479 +by (auto dest: Acts_type [THEN subsetD] simp add: Allowed_def)
  15.480 +
  15.481 +lemma Allowed_Join [simp]:
  15.482 +     "Allowed(F Join G) =  
  15.483 +   Allowed(programify(F)) Int Allowed(programify(G))"
  15.484 +apply (auto simp add: Allowed_def)
  15.485 +done
  15.486 +
  15.487 +lemma Allowed_JN [simp]:
  15.488 +     "i \<in> I ==>  
  15.489 +   Allowed(JOIN(I,F)) = (\<Inter>i \<in> I. Allowed(programify(F(i))))"
  15.490 +apply (auto simp add: Allowed_def, blast)
  15.491 +done
  15.492 +
  15.493 +lemma ok_iff_Allowed:
  15.494 +     "F ok G <-> (programify(F) \<in> Allowed(programify(G)) &  
  15.495 +   programify(G) \<in> Allowed(programify(F)))"
  15.496 +by (simp add: ok_def Allowed_def)
  15.497 +
  15.498 +
  15.499 +lemma OK_iff_Allowed:
  15.500 +     "OK(I,F) <->  
  15.501 +  (\<forall>i \<in> I. \<forall>j \<in> I-{i}. programify(F(i)) \<in> Allowed(programify(F(j))))"
  15.502 +apply (auto simp add: OK_iff_ok ok_iff_Allowed)
  15.503 +done
  15.504 +
  15.505 +subsection{*safety_prop, for reasoning about given instances of "ok"*}
  15.506 +
  15.507 +lemma safety_prop_Acts_iff:
  15.508 +     "safety_prop(X) ==> (Acts(G) \<subseteq> cons(id(state), (\<Union>F \<in> X. Acts(F)))) <-> (programify(G) \<in> X)"
  15.509 +apply (simp (no_asm_use) add: safety_prop_def)
  15.510 +apply clarify
  15.511 +apply (case_tac "G \<in> program", simp_all, blast, safe)
  15.512 +prefer 2 apply force
  15.513 +apply (force simp add: programify_def)
  15.514 +done
  15.515 +
  15.516 +lemma safety_prop_AllowedActs_iff_Allowed:
  15.517 +     "safety_prop(X) ==>  
  15.518 +  (\<Union>G \<in> X. Acts(G)) \<subseteq> AllowedActs(F) <-> (X \<subseteq> Allowed(programify(F)))"
  15.519 +apply (simp add: Allowed_def safety_prop_Acts_iff [THEN iff_sym] 
  15.520 +                 safety_prop_def, blast) 
  15.521 +done
  15.522 +
  15.523 +
  15.524 +lemma Allowed_eq:
  15.525 +     "safety_prop(X) ==> Allowed(mk_program(init, acts, \<Union>F \<in> X. Acts(F))) = X"
  15.526 +apply (subgoal_tac "cons (id (state), Union (RepFun (X, Acts)) Int Pow (state * state)) = Union (RepFun (X, Acts))")
  15.527 +apply (rule_tac [2] equalityI)
  15.528 +  apply (simp del: UN_simps add: Allowed_def safety_prop_Acts_iff safety_prop_def, auto)
  15.529 +apply (force dest: Acts_type [THEN subsetD] simp add: safety_prop_def)+
  15.530 +done
  15.531 +
  15.532 +lemma def_prg_Allowed:
  15.533 +     "[| F == mk_program (init, acts, \<Union>F \<in> X. Acts(F)); safety_prop(X) |]  
  15.534 +      ==> Allowed(F) = X"
  15.535 +by (simp add: Allowed_eq)
  15.536 +
  15.537 +(*For safety_prop to hold, the property must be satisfiable!*)
  15.538 +lemma safety_prop_constrains [iff]:
  15.539 +     "safety_prop(A co B) <-> (A \<subseteq> B & st_set(A))"
  15.540 +by (simp add: safety_prop_def constrains_def st_set_def, blast)
  15.541 +
  15.542 +(* To be used with resolution *)
  15.543 +lemma safety_prop_constrainsI [iff]:
  15.544 +     "[| A\<subseteq>B; st_set(A) |] ==>safety_prop(A co B)"
  15.545 +by auto
  15.546 +
  15.547 +lemma safety_prop_stable [iff]: "safety_prop(stable(A)) <-> st_set(A)"
  15.548 +by (simp add: stable_def)
  15.549 +
  15.550 +lemma safety_prop_stableI: "st_set(A) ==> safety_prop(stable(A))"
  15.551 +by auto
  15.552 +
  15.553 +lemma safety_prop_Int [simp]:
  15.554 +     "[| safety_prop(X) ; safety_prop(Y) |] ==> safety_prop(X Int Y)"
  15.555 +apply (simp add: safety_prop_def, safe, blast)
  15.556 +apply (drule_tac [2] B = "Union (RepFun (X Int Y, Acts))" and C = "Union (RepFun (Y, Acts))" in subset_trans)
  15.557 +apply (drule_tac B = "Union (RepFun (X Int Y, Acts))" and C = "Union (RepFun (X, Acts))" in subset_trans)
  15.558 +apply blast+
  15.559 +done
  15.560 +
  15.561 +(* If I=0 the conclusion becomes safety_prop(0) which is false *)
  15.562 +lemma safety_prop_Inter:
  15.563 +  assumes major: "(!!i. i \<in> I ==>safety_prop(X(i)))"
  15.564 +      and minor: "i \<in> I"
  15.565 +  shows "safety_prop(\<Inter>i \<in> I. X(i))"
  15.566 +apply (simp add: safety_prop_def)
  15.567 +apply (cut_tac minor, safe)
  15.568 +apply (simp (no_asm_use) add: Inter_iff)
  15.569 +apply clarify
  15.570 +apply (frule major)
  15.571 +apply (drule_tac [2] i = xa in major)
  15.572 +apply (frule_tac [4] i = xa in major)
  15.573 +apply (auto simp add: safety_prop_def)
  15.574 +apply (drule_tac B = "Union (RepFun (Inter (RepFun (I, X)), Acts))" and C = "Union (RepFun (X (xa), Acts))" in subset_trans)
  15.575 +apply blast+
  15.576 +done
  15.577 +
  15.578 +lemma def_UNION_ok_iff: 
  15.579 +"[| F == mk_program(init,acts, \<Union>G \<in> X. Acts(G)); safety_prop(X) |]  
  15.580 +      ==> F ok G <-> (programify(G) \<in> X & acts Int Pow(state*state) \<subseteq> AllowedActs(G))"
  15.581 +apply (unfold ok_def)
  15.582 +apply (drule_tac G = G in safety_prop_Acts_iff)
  15.583 +apply (cut_tac F = G in AllowedActs_type)
  15.584 +apply (cut_tac F = G in Acts_type, auto)
  15.585 +done
  15.586 +
  15.587 +
  15.588 +ML
  15.589 +{*
  15.590 +val safety_prop_def = thm "safety_prop_def";
  15.591 +
  15.592 +val reachable_SKIP = thm "reachable_SKIP";
  15.593 +val ok_programify_left = thm "ok_programify_left";
  15.594 +val ok_programify_right = thm "ok_programify_right";
  15.595 +val Join_programify_left = thm "Join_programify_left";
  15.596 +val Join_programify_right = thm "Join_programify_right";
  15.597 +val SKIP_in_constrains_iff = thm "SKIP_in_constrains_iff";
  15.598 +val SKIP_in_Constrains_iff = thm "SKIP_in_Constrains_iff";
  15.599 +val SKIP_in_stable = thm "SKIP_in_stable";
  15.600 +val SKIP_in_Stable = thm "SKIP_in_Stable";
  15.601 +val Join_in_program = thm "Join_in_program";
  15.602 +val JOIN_in_program = thm "JOIN_in_program";
  15.603 +val Init_Join = thm "Init_Join";
  15.604 +val Acts_Join = thm "Acts_Join";
  15.605 +val AllowedActs_Join = thm "AllowedActs_Join";
  15.606 +val Join_commute = thm "Join_commute";
  15.607 +val Join_left_commute = thm "Join_left_commute";
  15.608 +val Join_assoc = thm "Join_assoc";
  15.609 +val cons_id = thm "cons_id";
  15.610 +val Join_SKIP_left = thm "Join_SKIP_left";
  15.611 +val Join_SKIP_right = thm "Join_SKIP_right";
  15.612 +val Join_absorb = thm "Join_absorb";
  15.613 +val Join_left_absorb = thm "Join_left_absorb";
  15.614 +val OK_programify = thm "OK_programify";
  15.615 +val JN_programify = thm "JN_programify";
  15.616 +val JN_empty = thm "JN_empty";
  15.617 +val Init_JN = thm "Init_JN";
  15.618 +val Acts_JN = thm "Acts_JN";
  15.619 +val AllowedActs_JN = thm "AllowedActs_JN";
  15.620 +val JN_cons = thm "JN_cons";
  15.621 +val JN_cong = thm "JN_cong";
  15.622 +val JN_absorb = thm "JN_absorb";
  15.623 +val JN_Un = thm "JN_Un";
  15.624 +val JN_constant = thm "JN_constant";
  15.625 +val JN_Join_distrib = thm "JN_Join_distrib";
  15.626 +val JN_Join_miniscope = thm "JN_Join_miniscope";
  15.627 +val JN_Join_diff = thm "JN_Join_diff";
  15.628 +val JN_constrains = thm "JN_constrains";
  15.629 +val Join_constrains = thm "Join_constrains";
  15.630 +val Join_unless = thm "Join_unless";
  15.631 +val Join_constrains_weaken = thm "Join_constrains_weaken";
  15.632 +val JN_constrains_weaken = thm "JN_constrains_weaken";
  15.633 +val JN_stable = thm "JN_stable";
  15.634 +val initially_JN_I = thm "initially_JN_I";
  15.635 +val invariant_JN_I = thm "invariant_JN_I";
  15.636 +val Join_stable = thm "Join_stable";
  15.637 +val initially_JoinI = thm "initially_JoinI";
  15.638 +val invariant_JoinI = thm "invariant_JoinI";
  15.639 +val FP_JN = thm "FP_JN";
  15.640 +val JN_transient = thm "JN_transient";
  15.641 +val Join_transient = thm "Join_transient";
  15.642 +val Join_transient_I1 = thm "Join_transient_I1";
  15.643 +val Join_transient_I2 = thm "Join_transient_I2";
  15.644 +val JN_ensures = thm "JN_ensures";
  15.645 +val Join_ensures = thm "Join_ensures";
  15.646 +val stable_Join_constrains = thm "stable_Join_constrains";
  15.647 +val stable_Join_Always1 = thm "stable_Join_Always1";
  15.648 +val stable_Join_Always2 = thm "stable_Join_Always2";
  15.649 +val stable_Join_ensures1 = thm "stable_Join_ensures1";
  15.650 +val stable_Join_ensures2 = thm "stable_Join_ensures2";
  15.651 +val ok_SKIP1 = thm "ok_SKIP1";
  15.652 +val ok_SKIP2 = thm "ok_SKIP2";
  15.653 +val ok_Join_commute = thm "ok_Join_commute";
  15.654 +val ok_commute = thm "ok_commute";
  15.655 +val ok_sym = thm "ok_sym";
  15.656 +val ok_iff_OK = thm "ok_iff_OK";
  15.657 +val ok_Join_iff1 = thm "ok_Join_iff1";
  15.658 +val ok_Join_iff2 = thm "ok_Join_iff2";
  15.659 +val ok_Join_commute_I = thm "ok_Join_commute_I";
  15.660 +val ok_JN_iff1 = thm "ok_JN_iff1";
  15.661 +val ok_JN_iff2 = thm "ok_JN_iff2";
  15.662 +val OK_iff_ok = thm "OK_iff_ok";
  15.663 +val OK_imp_ok = thm "OK_imp_ok";
  15.664 +val Allowed_SKIP = thm "Allowed_SKIP";
  15.665 +val Allowed_Join = thm "Allowed_Join";
  15.666 +val Allowed_JN = thm "Allowed_JN";
  15.667 +val ok_iff_Allowed = thm "ok_iff_Allowed";
  15.668 +val OK_iff_Allowed = thm "OK_iff_Allowed";
  15.669 +val safety_prop_Acts_iff = thm "safety_prop_Acts_iff";
  15.670 +val safety_prop_AllowedActs_iff_Allowed = thm "safety_prop_AllowedActs_iff_Allowed";
  15.671 +val Allowed_eq = thm "Allowed_eq";
  15.672 +val def_prg_Allowed = thm "def_prg_Allowed";
  15.673 +val safety_prop_constrains = thm "safety_prop_constrains";
  15.674 +val safety_prop_constrainsI = thm "safety_prop_constrainsI";
  15.675 +val safety_prop_stable = thm "safety_prop_stable";
  15.676 +val safety_prop_stableI = thm "safety_prop_stableI";
  15.677 +val safety_prop_Int = thm "safety_prop_Int";
  15.678 +val safety_prop_Inter = thm "safety_prop_Inter";
  15.679 +val def_UNION_ok_iff = thm "def_UNION_ok_iff";
  15.680 +
  15.681 +val Join_ac = thms "Join_ac";
  15.682 +*}
  15.683 +
  15.684  
  15.685  end
    16.1 --- a/src/ZF/UNITY/WFair.ML	Mon Jul 07 17:58:21 2003 +0200
    16.2 +++ b/src/ZF/UNITY/WFair.ML	Tue Jul 08 11:44:30 2003 +0200
    16.3 @@ -1,5 +1,5 @@
    16.4  (*  Title:      HOL/UNITY/WFair.ML
    16.5 -    ID:         $Id$
    16.6 +    ID:         $Id \\<in> WFair.ML,v 1.13 2003/06/30 16:15:52 paulson Exp $
    16.7      Author:     Sidi O Ehmety, Computer Laboratory
    16.8      Copyright   2001  University of Cambridge
    16.9  
   16.10 @@ -10,11 +10,11 @@
   16.11  
   16.12  (** Ad-hoc set-theory rules **)
   16.13  
   16.14 -Goal "Union(B) Int A = (UN b:B. b Int A)";
   16.15 +Goal "Union(B) Int A = (\\<Union>b \\<in> B. b Int A)";
   16.16  by Auto_tac;
   16.17  qed "Int_Union_Union";
   16.18  
   16.19 -Goal "A Int Union(B) = (UN b:B. A Int b)";
   16.20 +Goal "A Int Union(B) = (\\<Union>b \\<in> B. A Int b)";
   16.21  by Auto_tac;
   16.22  qed "Int_Union_Union2";
   16.23  
   16.24 @@ -25,16 +25,16 @@
   16.25  qed "transient_type";
   16.26  
   16.27  Goalw [transient_def] 
   16.28 -"F:transient(A) ==> F:program & st_set(A)";
   16.29 +"F \\<in> transient(A) ==> F \\<in> program & st_set(A)";
   16.30  by Auto_tac;
   16.31  qed "transientD2";
   16.32  
   16.33 -Goal "[| F : stable(A); F : transient(A) |] ==> A = 0";
   16.34 +Goal "[| F \\<in> stable(A); F \\<in> transient(A) |] ==> A = 0";
   16.35  by (asm_full_simp_tac (simpset() addsimps [stable_def, constrains_def, transient_def]) 1); 
   16.36  by (Fast_tac 1); 
   16.37  qed "stable_transient_empty";
   16.38  
   16.39 -Goalw [transient_def, st_set_def] "[|F:transient(A); B<=A|] ==> F:transient(B)";
   16.40 +Goalw [transient_def, st_set_def] "[|F \\<in> transient(A); B<=A|] ==> F \\<in> transient(B)";
   16.41  by Safe_tac;
   16.42  by (res_inst_tac [("x", "act")] bexI 1);
   16.43  by (ALLGOALS(Asm_full_simp_tac));
   16.44 @@ -43,14 +43,14 @@
   16.45  qed "transient_strengthen";
   16.46  
   16.47  Goalw [transient_def] 
   16.48 -"[|act:Acts(F); A <= domain(act); act``A <= state-A; \
   16.49 -\   F:program; st_set(A)|] ==> F:transient(A)";
   16.50 +"[|act \\<in> Acts(F); A <= domain(act); act``A <= state-A; \
   16.51 +\   F \\<in> program; st_set(A)|] ==> F \\<in> transient(A)";
   16.52  by (Blast_tac 1);
   16.53  qed "transientI";
   16.54  
   16.55  val major::prems = 
   16.56 -Goalw [transient_def] "[| F:transient(A); \
   16.57 -\  !!act. [| act:Acts(F);  A <= domain(act); act``A <= state-A|]==>P|]==>P";
   16.58 +Goalw [transient_def] "[| F \\<in> transient(A); \
   16.59 +\  !!act. [| act \\<in> Acts(F);  A <= domain(act); act``A <= state-A|]==>P|]==>P";
   16.60  by (rtac (major RS CollectE) 1);
   16.61  by (blast_tac (claset() addIs prems) 1);
   16.62  qed "transientE";
   16.63 @@ -86,29 +86,29 @@
   16.64  qed "ensures_type";
   16.65  
   16.66  Goalw [ensures_def]
   16.67 -"[|F:(A-B) co (A Un B); F:transient(A-B)|]==>F:A ensures B";
   16.68 +"[|F:(A-B) co (A Un B); F \\<in> transient(A-B)|]==>F \\<in> A ensures B";
   16.69  by (auto_tac (claset(), simpset() addsimps [transient_type RS subsetD]));
   16.70  qed "ensuresI";
   16.71  
   16.72  (* Added by Sidi, from Misra's notes, Progress chapter, exercise 4 *)
   16.73 -Goal "[| F:A co A Un B; F: transient(A) |] ==> F: A ensures B";
   16.74 +Goal "[| F \\<in> A co A Un B; F \\<in> transient(A) |] ==> F \\<in> A ensures B";
   16.75  by (dres_inst_tac [("B", "A-B")] constrains_weaken_L 1);
   16.76  by (dres_inst_tac [("B", "A-B")] transient_strengthen 2);
   16.77  by (auto_tac (claset(), simpset() addsimps [ensures_def, transient_type RS subsetD]));
   16.78  qed "ensuresI2";
   16.79  
   16.80 -Goalw [ensures_def] "F:A ensures B ==> F:(A-B) co (A Un B) & F:transient (A-B)";
   16.81 +Goalw [ensures_def] "F \\<in> A ensures B ==> F:(A-B) co (A Un B) & F \\<in> transient (A-B)";
   16.82  by Auto_tac;
   16.83  qed "ensuresD";
   16.84  
   16.85 -Goalw [ensures_def] "[|F:A ensures A'; A'<=B' |] ==> F:A ensures B'";
   16.86 +Goalw [ensures_def] "[|F \\<in> A ensures A'; A'<=B' |] ==> F \\<in> A ensures B'";
   16.87  by (blast_tac (claset()  
   16.88            addIs [transient_strengthen, constrains_weaken]) 1);
   16.89  qed "ensures_weaken_R";
   16.90  
   16.91  (*The L-version (precondition strengthening) fails, but we have this*) 
   16.92  Goalw [ensures_def]
   16.93 -     "[| F:stable(C);  F:A ensures B |] ==> F:(C Int A) ensures (C Int B)";
   16.94 +     "[| F \\<in> stable(C);  F \\<in> A ensures B |] ==> F:(C Int A) ensures (C Int B)";
   16.95  by (simp_tac (simpset() addsimps [Int_Un_distrib RS sym,
   16.96                                    Diff_Int_distrib RS sym]) 1);
   16.97  by (blast_tac (claset() 
   16.98 @@ -116,7 +116,7 @@
   16.99                 stable_constrains_Int, constrains_weaken]) 1); 
  16.100  qed "stable_ensures_Int"; 
  16.101  
  16.102 -Goal "[|F:stable(A);  F:transient(C); A<=B Un C|] ==> F : A ensures B";
  16.103 +Goal "[|F \\<in> stable(A);  F \\<in> transient(C); A<=B Un C|] ==> F \\<in> A ensures B";
  16.104  by (forward_tac [stable_type RS subsetD] 1);
  16.105  by (asm_full_simp_tac (simpset() addsimps [ensures_def, stable_def]) 1);
  16.106  by (Clarify_tac 1);
  16.107 @@ -128,7 +128,7 @@
  16.108  by (auto_tac (claset(), simpset() addsimps [ensures_def, unless_def]));
  16.109  qed "ensures_eq";
  16.110  
  16.111 -Goal "[| F:program; A<=B  |] ==> F : A ensures B";
  16.112 +Goal "[| F \\<in> program; A<=B  |] ==> F \\<in> A ensures B";
  16.113  by (rewrite_goal_tac [ensures_def,constrains_def,transient_def, st_set_def] 1);
  16.114  by Auto_tac;
  16.115  qed "subset_imp_ensures";
  16.116 @@ -142,27 +142,27 @@
  16.117  qed "leadsTo_type";
  16.118  
  16.119  Goalw [leadsTo_def, st_set_def] 
  16.120 -"F: A leadsTo B ==> F:program & st_set(A) & st_set(B)";
  16.121 +"F \\<in> A leadsTo B ==> F \\<in> program & st_set(A) & st_set(B)";
  16.122  by (blast_tac (claset() addDs [leads_left, leads_right]) 1);
  16.123  qed "leadsToD2";
  16.124  
  16.125  Goalw [leadsTo_def, st_set_def] 
  16.126 -    "[|F:A ensures B; st_set(A); st_set(B)|] ==> F:A leadsTo B";
  16.127 +    "[|F \\<in> A ensures B; st_set(A); st_set(B)|] ==> F \\<in> A leadsTo B";
  16.128  by (cut_facts_tac [ensures_type] 1);
  16.129  by (auto_tac (claset() addIs [leads.Basis], simpset()));
  16.130  qed "leadsTo_Basis";                       
  16.131  AddIs [leadsTo_Basis];
  16.132  
  16.133  (* Added by Sidi, from Misra's notes, Progress chapter, exercise number 4 *)
  16.134 -(* [| F:program; A<=B;  st_set(A); st_set(B) |] ==> A leadsTo B *)
  16.135 +(* [| F \\<in> program; A<=B;  st_set(A); st_set(B) |] ==> A leadsTo B *)
  16.136  bind_thm ("subset_imp_leadsTo", subset_imp_ensures RS leadsTo_Basis);
  16.137  
  16.138 -Goalw [leadsTo_def] "[|F: A leadsTo B;  F: B leadsTo C |]==>F: A leadsTo C";
  16.139 +Goalw [leadsTo_def] "[|F \\<in> A leadsTo B;  F \\<in> B leadsTo C |]==>F \\<in> A leadsTo C";
  16.140  by (auto_tac (claset() addIs [leads.Trans], simpset()));
  16.141  qed "leadsTo_Trans";
  16.142  
  16.143  (* Better when used in association with leadsTo_weaken_R *)
  16.144 -Goalw [transient_def] "F:transient(A) ==> F : A leadsTo (state-A )";
  16.145 +Goalw [transient_def] "F \\<in> transient(A) ==> F \\<in> A leadsTo (state-A )";
  16.146  by (rtac (ensuresI RS leadsTo_Basis) 1);
  16.147  by (ALLGOALS(Clarify_tac));
  16.148  by (blast_tac (claset() addIs [transientI]) 2);
  16.149 @@ -171,17 +171,17 @@
  16.150  qed "transient_imp_leadsTo";
  16.151  
  16.152  (*Useful with cancellation, disjunction*)
  16.153 -Goal "F : A leadsTo (A' Un A') ==> F : A leadsTo A'";
  16.154 +Goal "F \\<in> A leadsTo (A' Un A') ==> F \\<in> A leadsTo A'";
  16.155  by (Asm_full_simp_tac 1);
  16.156  qed "leadsTo_Un_duplicate";
  16.157  
  16.158 -Goal "F : A leadsTo (A' Un C Un C) ==> F : A leadsTo (A' Un C)";
  16.159 +Goal "F \\<in> A leadsTo (A' Un C Un C) ==> F \\<in> A leadsTo (A' Un C)";
  16.160  by (asm_full_simp_tac (simpset() addsimps Un_ac) 1);
  16.161  qed "leadsTo_Un_duplicate2";
  16.162  
  16.163  (*The Union introduction rule as we should have liked to state it*)
  16.164  val [major, program,B]= Goalw [leadsTo_def, st_set_def]
  16.165 -"[|(!!A. A:S ==> F:A leadsTo B); F:program; st_set(B)|]==>F:Union(S) leadsTo B";
  16.166 +"[|(!!A. A \\<in> S ==> F \\<in> A leadsTo B); F \\<in> program; st_set(B)|]==>F \\<in> Union(S) leadsTo B";
  16.167  by (cut_facts_tac [program, B] 1);
  16.168  by Auto_tac;
  16.169  by (rtac leads.Union 1);
  16.170 @@ -191,7 +191,7 @@
  16.171  qed "leadsTo_Union";
  16.172  
  16.173  val [major,program,B] = Goalw [leadsTo_def, st_set_def] 
  16.174 -"[|(!!A. A:S ==>F:(A Int C) leadsTo B); F:program; st_set(B)|] \
  16.175 +"[|(!!A. A \\<in> S ==>F:(A Int C) leadsTo B); F \\<in> program; st_set(B)|] \
  16.176  \  ==>F:(Union(S)Int C)leadsTo B";
  16.177  by (cut_facts_tac [program, B] 1);
  16.178  by (asm_simp_tac (simpset() delsimps UN_simps  addsimps [Int_Union_Union]) 1);
  16.179 @@ -202,7 +202,7 @@
  16.180  qed "leadsTo_Union_Int";
  16.181  
  16.182  val [major,program,B] = Goalw [leadsTo_def, st_set_def]
  16.183 -"[|(!!i. i:I ==> F : A(i) leadsTo B); F:program; st_set(B)|]==>F:(UN i:I. A(i)) leadsTo B";
  16.184 +"[|(!!i. i \\<in> I ==> F \\<in> A(i) leadsTo B); F \\<in> program; st_set(B)|]==>F:(\\<Union>i \\<in> I. A(i)) leadsTo B";
  16.185  by (cut_facts_tac [program, B] 1);
  16.186  by (asm_simp_tac (simpset()  addsimps [Int_Union_Union]) 1);
  16.187  by (rtac leads.Union 1);
  16.188 @@ -212,87 +212,87 @@
  16.189  qed "leadsTo_UN";
  16.190  
  16.191  (* Binary union introduction rule *)
  16.192 -Goal "[| F: A leadsTo C; F: B leadsTo C |] ==> F : (A Un B) leadsTo C";
  16.193 +Goal "[| F \\<in> A leadsTo C; F \\<in> B leadsTo C |] ==> F \\<in> (A Un B) leadsTo C";
  16.194  by (stac Un_eq_Union 1);
  16.195  by (blast_tac (claset() addIs [leadsTo_Union] addDs [leadsToD2]) 1);
  16.196  qed "leadsTo_Un";
  16.197  
  16.198  val [major, program, B] = Goal 
  16.199 -"[|(!!x. x:A==> F:{x} leadsTo B); F:program; st_set(B) |] ==> F:A leadsTo B";
  16.200 +"[|(!!x. x \\<in> A==> F:{x} leadsTo B); F \\<in> program; st_set(B) |] ==> F \\<in> A leadsTo B";
  16.201  by (res_inst_tac [("b", "A")] (UN_singleton RS subst) 1);
  16.202  by (rtac leadsTo_UN 1);
  16.203  by (auto_tac (claset() addDs prems, simpset() addsimps [major, program, B]));
  16.204  qed "single_leadsTo_I";
  16.205  
  16.206 -Goal "[| F:program; st_set(A) |] ==> F: A leadsTo A"; 
  16.207 +Goal "[| F \\<in> program; st_set(A) |] ==> F \\<in> A leadsTo A"; 
  16.208  by (blast_tac (claset() addIs [subset_imp_leadsTo]) 1);
  16.209  qed "leadsTo_refl";
  16.210  
  16.211 -Goal "F: A leadsTo A <-> F:program & st_set(A)";
  16.212 +Goal "F \\<in> A leadsTo A <-> F \\<in> program & st_set(A)";
  16.213  by (auto_tac (claset() addIs [leadsTo_refl]
  16.214                         addDs [leadsToD2], simpset()));
  16.215  qed "leadsTo_refl_iff";
  16.216  
  16.217 -Goal "F: 0 leadsTo B <-> (F:program & st_set(B))";
  16.218 +Goal "F \\<in> 0 leadsTo B <-> (F \\<in> program & st_set(B))";
  16.219  by (auto_tac (claset() addIs [subset_imp_leadsTo]
  16.220                         addDs [leadsToD2], simpset()));
  16.221  qed "empty_leadsTo";
  16.222  AddIffs [empty_leadsTo];
  16.223  
  16.224 -Goal  "F: A leadsTo state <-> (F:program & st_set(A))";
  16.225 +Goal  "F \\<in> A leadsTo state <-> (F \\<in> program & st_set(A))";
  16.226  by (auto_tac (claset() addIs [subset_imp_leadsTo]
  16.227                         addDs [leadsToD2, st_setD], simpset()));
  16.228  qed "leadsTo_state";
  16.229  AddIffs [leadsTo_state];
  16.230  
  16.231 -Goal "[| F:A leadsTo A'; A'<=B'; st_set(B') |] ==> F : A leadsTo B'";
  16.232 +Goal "[| F \\<in> A leadsTo A'; A'<=B'; st_set(B') |] ==> F \\<in> A leadsTo B'";
  16.233  by (blast_tac (claset() addDs [leadsToD2]
  16.234                          addIs [subset_imp_leadsTo,leadsTo_Trans]) 1);
  16.235  qed "leadsTo_weaken_R";
  16.236  
  16.237 -Goal "[| F:A leadsTo A'; B<=A |] ==> F : B leadsTo A'";
  16.238 +Goal "[| F \\<in> A leadsTo A'; B<=A |] ==> F \\<in> B leadsTo A'";
  16.239  by (ftac leadsToD2 1);
  16.240  by (blast_tac (claset() addIs [leadsTo_Trans,subset_imp_leadsTo, st_set_subset]) 1);
  16.241  qed_spec_mp "leadsTo_weaken_L";
  16.242  
  16.243 -Goal "[| F:A leadsTo A'; B<=A; A'<=B'; st_set(B')|]==> F:B leadsTo B'";
  16.244 +Goal "[| F \\<in> A leadsTo A'; B<=A; A'<=B'; st_set(B')|]==> F \\<in> B leadsTo B'";
  16.245  by (ftac leadsToD2 1);
  16.246  by (blast_tac (claset() addIs [leadsTo_weaken_R, leadsTo_weaken_L, 
  16.247                                 leadsTo_Trans, leadsTo_refl]) 1);
  16.248  qed "leadsTo_weaken";
  16.249  
  16.250  (* This rule has a nicer conclusion *)
  16.251 -Goal "[| F:transient(A); state-A<=B; st_set(B)|] ==> F:A leadsTo B";
  16.252 +Goal "[| F \\<in> transient(A); state-A<=B; st_set(B)|] ==> F \\<in> A leadsTo B";
  16.253  by (ftac transientD2 1);
  16.254  by (rtac leadsTo_weaken_R 1);
  16.255  by (auto_tac (claset(), simpset() addsimps [transient_imp_leadsTo]));
  16.256  qed "transient_imp_leadsTo2";
  16.257  
  16.258  (*Distributes over binary unions*)
  16.259 -Goal "F:(A Un B) leadsTo C  <->  (F:A leadsTo C & F : B leadsTo C)";
  16.260 +Goal "F:(A Un B) leadsTo C  <->  (F \\<in> A leadsTo C & F \\<in> B leadsTo C)";
  16.261  by (blast_tac (claset() addIs [leadsTo_Un, leadsTo_weaken_L]) 1);
  16.262  qed "leadsTo_Un_distrib";
  16.263  
  16.264  Goal 
  16.265 -"(F:(UN i:I. A(i)) leadsTo B)<-> ((ALL i : I. F: A(i) leadsTo B) & F:program & st_set(B))";
  16.266 +"(F:(\\<Union>i \\<in> I. A(i)) leadsTo B)<-> ((\\<forall>i \\<in> I. F \\<in> A(i) leadsTo B) & F \\<in> program & st_set(B))";
  16.267  by (blast_tac (claset() addDs [leadsToD2] 
  16.268                          addIs [leadsTo_UN, leadsTo_weaken_L]) 1);
  16.269  qed "leadsTo_UN_distrib";
  16.270  
  16.271 -Goal "(F: Union(S) leadsTo B) <->  (ALL A:S. F : A leadsTo B) & F:program & st_set(B)";
  16.272 +Goal "(F \\<in> Union(S) leadsTo B) <->  (\\<forall>A \\<in> S. F \\<in> A leadsTo B) & F \\<in> program & st_set(B)";
  16.273  by (blast_tac (claset() addDs [leadsToD2] 
  16.274                          addIs [leadsTo_Union, leadsTo_weaken_L]) 1);
  16.275  qed "leadsTo_Union_distrib";
  16.276  
  16.277 -(*Set difference: maybe combine with leadsTo_weaken_L?*)
  16.278 -Goal "[| F: (A-B) leadsTo C; F: B leadsTo C; st_set(C) |] ==> F: A leadsTo C";
  16.279 +(*Set difference \\<in> maybe combine with leadsTo_weaken_L?*)
  16.280 +Goal "[| F: (A-B) leadsTo C; F \\<in> B leadsTo C; st_set(C) |] ==> F \\<in> A leadsTo C";
  16.281  by (blast_tac (claset() addIs [leadsTo_Un, leadsTo_weaken]
  16.282                          addDs [leadsToD2]) 1);
  16.283  qed "leadsTo_Diff";
  16.284  
  16.285  val [major,minor] = Goal 
  16.286 -"[|(!!i. i:I ==> F: A(i) leadsTo A'(i)); F:program |] \
  16.287 -\  ==> F: (UN i:I. A(i)) leadsTo (UN i:I. A'(i))";
  16.288 +"[|(!!i. i \\<in> I ==> F \\<in> A(i) leadsTo A'(i)); F \\<in> program |] \
  16.289 +\  ==> F: (\\<Union>i \\<in> I. A(i)) leadsTo (\\<Union>i \\<in> I. A'(i))";
  16.290  by (rtac leadsTo_Union 1);
  16.291  by (ALLGOALS(Asm_simp_tac));
  16.292  by Safe_tac;
  16.293 @@ -302,32 +302,32 @@
  16.294  qed "leadsTo_UN_UN";
  16.295  
  16.296  (*Binary union version*)
  16.297 -Goal "[| F: A leadsTo A'; F:B leadsTo B' |] ==> F : (A Un B) leadsTo (A' Un B')";
  16.298 +Goal "[| F \\<in> A leadsTo A'; F \\<in> B leadsTo B' |] ==> F \\<in> (A Un B) leadsTo (A' Un B')";
  16.299  by (subgoal_tac "st_set(A) & st_set(A') & st_set(B) & st_set(B')" 1);
  16.300  by (blast_tac (claset() addDs [leadsToD2]) 2);
  16.301  by (blast_tac (claset() addIs [leadsTo_Un, leadsTo_weaken_R]) 1);
  16.302  qed "leadsTo_Un_Un";
  16.303  
  16.304  (** The cancellation law **)
  16.305 -Goal "[|F: A leadsTo (A' Un B); F: B leadsTo B'|] ==> F: A leadsTo (A' Un B')";
  16.306 -by (subgoal_tac "st_set(A) & st_set(A') & st_set(B) & st_set(B') &F:program" 1);
  16.307 +Goal "[|F \\<in> A leadsTo (A' Un B); F \\<in> B leadsTo B'|] ==> F \\<in> A leadsTo (A' Un B')";
  16.308 +by (subgoal_tac "st_set(A) & st_set(A') & st_set(B) & st_set(B') &F \\<in> program" 1);
  16.309  by (blast_tac (claset() addDs [leadsToD2]) 2);
  16.310  by (blast_tac (claset() addIs [leadsTo_Trans, leadsTo_Un_Un, leadsTo_refl]) 1);
  16.311  qed "leadsTo_cancel2";
  16.312  
  16.313 -Goal "[|F: A leadsTo (A' Un B); F : (B-A') leadsTo B'|]==> F: A leadsTo (A' Un B')";
  16.314 +Goal "[|F \\<in> A leadsTo (A' Un B); F \\<in> (B-A') leadsTo B'|]==> F \\<in> A leadsTo (A' Un B')";
  16.315  by (rtac leadsTo_cancel2 1);
  16.316  by (assume_tac 2);
  16.317  by (blast_tac (claset() addDs [leadsToD2] addIs [leadsTo_weaken_R]) 1);
  16.318  qed "leadsTo_cancel_Diff2";
  16.319  
  16.320  
  16.321 -Goal "[| F : A leadsTo (B Un A'); F : B leadsTo B' |] ==> F:A leadsTo (B' Un A')";
  16.322 +Goal "[| F \\<in> A leadsTo (B Un A'); F \\<in> B leadsTo B' |] ==> F \\<in> A leadsTo (B' Un A')";
  16.323  by (asm_full_simp_tac (simpset() addsimps [Un_commute]) 1);
  16.324  by (blast_tac (claset() addSIs [leadsTo_cancel2]) 1);
  16.325  qed "leadsTo_cancel1";
  16.326  
  16.327 -Goal "[|F: A leadsTo (B Un A'); F: (B-A') leadsTo B'|]==> F : A leadsTo (B' Un A')";
  16.328 +Goal "[|F \\<in> A leadsTo (B Un A'); F: (B-A') leadsTo B'|]==> F \\<in> A leadsTo (B' Un A')";
  16.329  by (rtac leadsTo_cancel1 1);
  16.330  by (assume_tac 2);
  16.331  by (blast_tac (claset() addIs [leadsTo_weaken_R] addDs [leadsToD2]) 1);
  16.332 @@ -335,12 +335,12 @@
  16.333  
  16.334  (*The INDUCTION rule as we should have liked to state it*)
  16.335  val [major, basis_prem, trans_prem, union_prem] = Goalw [leadsTo_def, st_set_def]
  16.336 -  "[| F: za leadsTo zb; \
  16.337 -\     !!A B. [| F: A ensures B; st_set(A); st_set(B) |] ==> P(A, B); \
  16.338 -\     !!A B C. [| F: A leadsTo B; P(A, B); \
  16.339 -\                 F: B leadsTo C; P(B, C) |] \
  16.340 +  "[| F \\<in> za leadsTo zb; \
  16.341 +\     !!A B. [| F \\<in> A ensures B; st_set(A); st_set(B) |] ==> P(A, B); \
  16.342 +\     !!A B C. [| F \\<in> A leadsTo B; P(A, B); \
  16.343 +\                 F \\<in> B leadsTo C; P(B, C) |] \
  16.344  \              ==> P(A, C); \
  16.345 -\     !!B S. [| ALL A:S. F:A leadsTo B; ALL A:S. P(A, B); st_set(B); ALL A:S. st_set(A)|] \
  16.346 +\     !!B S. [| \\<forall>A \\<in> S. F \\<in> A leadsTo B; \\<forall>A \\<in> S. P(A, B); st_set(B); \\<forall>A \\<in> S. st_set(A)|] \
  16.347  \        ==> P(Union(S), B) \
  16.348  \  |] ==> P(za, zb)";
  16.349  by (cut_facts_tac [major] 1);
  16.350 @@ -353,13 +353,13 @@
  16.351  
  16.352  (* Added by Sidi, an induction rule without ensures *)
  16.353  val [major,imp_prem,basis_prem,trans_prem,union_prem] = Goal
  16.354 -  "[| F: za leadsTo zb; \
  16.355 +  "[| F \\<in> za leadsTo zb; \
  16.356  \     !!A B. [| A<=B; st_set(B) |] ==> P(A, B); \
  16.357 -\     !!A B. [| F:A co A Un B; F:transient(A); st_set(B) |] ==> P(A, B); \
  16.358 -\     !!A B C. [| F: A leadsTo B; P(A, B); \
  16.359 -\                 F: B leadsTo C; P(B, C) |] \
  16.360 +\     !!A B. [| F \\<in> A co A Un B; F \\<in> transient(A); st_set(B) |] ==> P(A, B); \
  16.361 +\     !!A B C. [| F \\<in> A leadsTo B; P(A, B); \
  16.362 +\                 F \\<in> B leadsTo C; P(B, C) |] \
  16.363  \              ==> P(A, C); \
  16.364 -\     !!B S. [| ALL A:S. F:A leadsTo B; ALL A:S. P(A, B); st_set(B); ALL A:S. st_set(A) |] \
  16.365 +\     !!B S. [| \\<forall>A \\<in> S. F \\<in> A leadsTo B; \\<forall>A \\<in> S. P(A, B); st_set(B); \\<forall>A \\<in> S. st_set(A) |] \
  16.366  \        ==> P(Union(S), B) \
  16.367  \  |] ==> P(za, zb)";
  16.368  by (cut_facts_tac [major] 1);
  16.369 @@ -381,17 +381,17 @@
  16.370  by (auto_tac (claset() addIs [subset_imp_leadsTo], simpset()));
  16.371  qed "leadsTo_induct2";
  16.372  
  16.373 -(** Variant induction rule: on the preconditions for B **)
  16.374 -(*Lemma is the weak version: can't see how to do it in one step*)
  16.375 +(** Variant induction rule \\<in> on the preconditions for B **)
  16.376 +(*Lemma is the weak version \\<in> can't see how to do it in one step*)
  16.377  val major::prems = Goal
  16.378 -  "[| F : za leadsTo zb;  \
  16.379 +  "[| F \\<in> za leadsTo zb;  \
  16.380  \     P(zb); \
  16.381 -\     !!A B. [| F : A ensures B;  P(B); st_set(A); st_set(B) |] ==> P(A); \
  16.382 -\     !!S. [| ALL A:S. P(A); ALL A:S. st_set(A) |] ==> P(Union(S)) \
  16.383 +\     !!A B. [| F \\<in> A ensures B;  P(B); st_set(A); st_set(B) |] ==> P(A); \
  16.384 +\     !!S. [| \\<forall>A \\<in> S. P(A); \\<forall>A \\<in> S. st_set(A) |] ==> P(Union(S)) \
  16.385  \  |] ==> P(za)";
  16.386  (*by induction on this formula*)
  16.387  by (subgoal_tac "P(zb) --> P(za)" 1);
  16.388 -(*now solve first subgoal: this formula is sufficient*)
  16.389 +(*now solve first subgoal \\<in> this formula is sufficient*)
  16.390  by (blast_tac (claset() addIs leadsTo_refl::prems) 1);
  16.391  by (rtac (major RS leadsTo_induct) 1);
  16.392  by (REPEAT (blast_tac (claset() addIs prems) 1));
  16.393 @@ -399,13 +399,13 @@
  16.394  
  16.395  
  16.396  val [major, zb_prem, basis_prem, union_prem] = Goal
  16.397 -  "[| F : za leadsTo zb;  \
  16.398 +  "[| F \\<in> za leadsTo zb;  \
  16.399  \     P(zb); \
  16.400 -\     !!A B. [| F : A ensures B;  F : B leadsTo zb;  P(B); st_set(A) |] ==> P(A); \
  16.401 -\     !!S. ALL A:S. F : A leadsTo zb & P(A) & st_set(A) ==> P(Union(S)) \
  16.402 +\     !!A B. [| F \\<in> A ensures B;  F \\<in> B leadsTo zb;  P(B); st_set(A) |] ==> P(A); \
  16.403 +\     !!S. \\<forall>A \\<in> S. F \\<in> A leadsTo zb & P(A) & st_set(A) ==> P(Union(S)) \
  16.404  \  |] ==> P(za)";
  16.405  by (cut_facts_tac [major] 1);
  16.406 -by (subgoal_tac "(F : za leadsTo zb) & P(za)" 1);
  16.407 +by (subgoal_tac "(F \\<in> za leadsTo zb) & P(za)" 1);
  16.408  by (etac conjunct2 1);
  16.409  by (rtac (major RS leadsTo_induct_pre_aux) 1);
  16.410  by (blast_tac (claset() addDs [leadsToD2]
  16.411 @@ -417,7 +417,7 @@
  16.412  
  16.413  (** The impossibility law **)
  16.414  Goal
  16.415 -   "F : A leadsTo 0 ==> A=0";
  16.416 +   "F \\<in> A leadsTo 0 ==> A=0";
  16.417  by (etac leadsTo_induct_pre 1);
  16.418  by (auto_tac (claset(), simpset() addsimps
  16.419          [ensures_def, constrains_def, transient_def, st_set_def]));
  16.420 @@ -426,11 +426,11 @@
  16.421  qed "leadsTo_empty";
  16.422  Addsimps [leadsTo_empty];
  16.423  
  16.424 -(** PSP: Progress-Safety-Progress **)
  16.425 +(** PSP \\<in> Progress-Safety-Progress **)
  16.426  
  16.427 -(*Special case of PSP: Misra's "stable conjunction"*)
  16.428 +(*Special case of PSP \\<in> Misra's "stable conjunction"*)
  16.429  Goalw [stable_def]
  16.430 -   "[| F : A leadsTo A'; F : stable(B) |] ==> F:(A Int B) leadsTo (A' Int B)";
  16.431 +   "[| F \\<in> A leadsTo A'; F \\<in> stable(B) |] ==> F:(A Int B) leadsTo (A' Int B)";
  16.432  by (etac leadsTo_induct 1);
  16.433  by (rtac leadsTo_Union_Int 3);
  16.434  by (ALLGOALS(Asm_simp_tac));
  16.435 @@ -446,21 +446,21 @@
  16.436  qed "psp_stable";
  16.437  
  16.438  
  16.439 -Goal "[|F: A leadsTo A'; F : stable(B) |]==>F: (B Int A) leadsTo (B Int A')";
  16.440 +Goal "[|F \\<in> A leadsTo A'; F \\<in> stable(B) |]==>F: (B Int A) leadsTo (B Int A')";
  16.441  by (asm_simp_tac (simpset() 
  16.442               addsimps psp_stable::Int_ac) 1);
  16.443  qed "psp_stable2";
  16.444  
  16.445  Goalw [ensures_def, constrains_def, st_set_def]
  16.446 -"[| F: A ensures A'; F: B co B' |]==> F: (A Int B') ensures ((A' Int B) Un (B' - B))";
  16.447 +"[| F \\<in> A ensures A'; F \\<in> B co B' |]==> F: (A Int B') ensures ((A' Int B) Un (B' - B))";
  16.448  (*speeds up the proof*)
  16.449  by (Clarify_tac 1);  
  16.450  by (blast_tac (claset() addIs [transient_strengthen]) 1);
  16.451  qed "psp_ensures";
  16.452  
  16.453  Goal 
  16.454 -"[|F:A leadsTo A'; F: B co B'; st_set(B')|]==> F:(A Int B') leadsTo ((A' Int B) Un (B' - B))";
  16.455 -by (subgoal_tac "F:program & st_set(A) & st_set(A')& st_set(B)" 1);
  16.456 +"[|F \\<in> A leadsTo A'; F \\<in> B co B'; st_set(B')|]==> F:(A Int B') leadsTo ((A' Int B) Un (B' - B))";
  16.457 +by (subgoal_tac "F \\<in> program & st_set(A) & st_set(A')& st_set(B)" 1);
  16.458  by (blast_tac (claset() addSDs [constrainsD2, leadsToD2]) 2);
  16.459  by (etac leadsTo_induct 1);
  16.460  by (blast_tac (claset() addIs [leadsTo_Union_Int]) 3);
  16.461 @@ -475,14 +475,14 @@
  16.462  qed "psp";
  16.463  
  16.464  
  16.465 -Goal "[| F : A leadsTo A'; F : B co B'; st_set(B') |] \
  16.466 -\   ==> F : (B' Int A) leadsTo ((B Int A') Un (B' - B))";
  16.467 +Goal "[| F \\<in> A leadsTo A'; F \\<in> B co B'; st_set(B') |] \
  16.468 +\   ==> F \\<in> (B' Int A) leadsTo ((B Int A') Un (B' - B))";
  16.469  by (asm_simp_tac (simpset() addsimps psp::Int_ac) 1);
  16.470  qed "psp2";
  16.471  
  16.472  Goalw [unless_def]
  16.473 -   "[| F : A leadsTo A';  F : B unless B'; st_set(B); st_set(B') |] \
  16.474 -\   ==> F : (A Int B) leadsTo ((A' Int B) Un B')";
  16.475 +   "[| F \\<in> A leadsTo A';  F \\<in> B unless B'; st_set(B); st_set(B') |] \
  16.476 +\   ==> F \\<in> (A Int B) leadsTo ((A' Int B) Un B')";
  16.477  by (subgoal_tac "st_set(A)&st_set(A')" 1);
  16.478  by (blast_tac (claset() addDs [leadsToD2]) 2);
  16.479  by (dtac psp 1);
  16.480 @@ -492,17 +492,17 @@
  16.481  qed "psp_unless";
  16.482  
  16.483  (*** Proving the wf induction rules ***)
  16.484 -(** The most general rule: r is any wf relation; f is any variant function **)
  16.485 +(** The most general rule \\<in> r is any wf relation; f is any variant function **)
  16.486  Goal "[| wf(r); \
  16.487 -\        m:I; \
  16.488 +\        m \\<in> I; \
  16.489  \        field(r)<=I; \
  16.490 -\        F:program; st_set(B);\
  16.491 -\        ALL m:I. F : (A Int f-``{m}) leadsTo                     \
  16.492 +\        F \\<in> program; st_set(B);\
  16.493 +\        \\<forall>m \\<in> I. F \\<in> (A Int f-``{m}) leadsTo                     \
  16.494  \                   ((A Int f-``(converse(r)``{m})) Un B) |] \
  16.495 -\     ==> F : (A Int f-``{m}) leadsTo B";
  16.496 +\     ==> F \\<in> (A Int f-``{m}) leadsTo B";
  16.497  by (eres_inst_tac [("a","m")] wf_induct2 1);
  16.498  by (ALLGOALS(Asm_simp_tac));
  16.499 -by (subgoal_tac "F : (A Int (f-``(converse(r)``{x}))) leadsTo B" 1);
  16.500 +by (subgoal_tac "F \\<in> (A Int (f-``(converse(r)``{x}))) leadsTo B" 1);
  16.501  by (stac vimage_eq_UN 2);
  16.502  by (asm_simp_tac (simpset() delsimps UN_simps
  16.503  			    addsimps [Int_UN_distrib]) 2);
  16.504 @@ -515,10 +515,10 @@
  16.505  Goal "[| wf(r); \
  16.506  \        field(r)<=I; \
  16.507  \        A<=f-``I;\ 
  16.508 -\        F:program; st_set(A); st_set(B); \
  16.509 -\        ALL m:I. F : (A Int f-``{m}) leadsTo                     \
  16.510 +\        F \\<in> program; st_set(A); st_set(B); \
  16.511 +\        \\<forall>m \\<in> I. F \\<in> (A Int f-``{m}) leadsTo                     \
  16.512  \                   ((A Int f-``(converse(r)``{m})) Un B) |] \
  16.513 -\     ==> F : A leadsTo B";
  16.514 +\     ==> F \\<in> A leadsTo B";
  16.515  by (res_inst_tac [("b", "A")] subst 1);
  16.516  by (res_inst_tac [("I", "I")] leadsTo_UN 2);
  16.517  by (REPEAT (assume_tac 2));
  16.518 @@ -539,7 +539,7 @@
  16.519  by (rtac equalityI 1);
  16.520  by (force_tac (claset(), simpset()) 1);
  16.521  by (Clarify_tac 1);
  16.522 -by (thin_tac "x~:range(?y)" 1);
  16.523 +by (thin_tac "x\\<notin>range(?y)" 1);
  16.524  by (etac nat_induct 1);
  16.525  by (res_inst_tac [("b", "succ(succ(xa))")] domainI 2);
  16.526  by (res_inst_tac [("b","succ(0)")] domainI 1); 
  16.527 @@ -557,12 +557,12 @@
  16.528  by (blast_tac (claset() addIs [lt_trans]) 1); 
  16.529  qed "Image_inverse_lessThan";
  16.530  
  16.531 -(*Alternative proof is via the lemma F : (A Int f-`(lessThan m)) leadsTo B*)
  16.532 +(*Alternative proof is via the lemma F \\<in> (A Int f-`(lessThan m)) leadsTo B*)
  16.533  Goal
  16.534   "[| A<=f-``nat;\ 
  16.535 -\    F:program; st_set(A); st_set(B); \
  16.536 -\    ALL m:nat. F:(A Int f-``{m}) leadsTo ((A Int f -`` m) Un B) |] \
  16.537 -\     ==> F : A leadsTo B";
  16.538 +\    F \\<in> program; st_set(A); st_set(B); \
  16.539 +\    \\<forall>m \\<in> nat. F:(A Int f-``{m}) leadsTo ((A Int f -`` m) Un B) |] \
  16.540 +\     ==> F \\<in> A leadsTo B";
  16.541  by (res_inst_tac [("A1", "nat"),("f1", "%x. x")]
  16.542          (wf_measure RS leadsTo_wf_induct) 1);
  16.543  by (Clarify_tac 6);
  16.544 @@ -584,27 +584,27 @@
  16.545  qed "wlt_st_set";
  16.546  AddIffs [wlt_st_set];
  16.547  
  16.548 -Goalw [wlt_def] "F:wlt(F, B) leadsTo B <-> (F:program & st_set(B))";
  16.549 +Goalw [wlt_def] "F \\<in> wlt(F, B) leadsTo B <-> (F \\<in> program & st_set(B))";
  16.550  by (blast_tac (claset() addDs [leadsToD2] addSIs [leadsTo_Union]) 1);
  16.551  qed "wlt_leadsTo_iff";
  16.552  
  16.553 -(* [| F:program;  st_set(B) |] ==> F:wlt(F, B) leadsTo B  *)
  16.554 +(* [| F \\<in> program;  st_set(B) |] ==> F \\<in> wlt(F, B) leadsTo B  *)
  16.555  bind_thm("wlt_leadsTo", conjI RS (wlt_leadsTo_iff RS iffD2));
  16.556  
  16.557 -Goalw [wlt_def] "F : A leadsTo B ==> A <= wlt(F, B)";
  16.558 +Goalw [wlt_def] "F \\<in> A leadsTo B ==> A <= wlt(F, B)";
  16.559  by (ftac leadsToD2 1);
  16.560  by (auto_tac (claset(), simpset() addsimps [st_set_def]));
  16.561  qed "leadsTo_subset";
  16.562  
  16.563  (*Misra's property W2*)
  16.564 -Goal "F : A leadsTo B <-> (A <= wlt(F,B) & F:program & st_set(B))";
  16.565 +Goal "F \\<in> A leadsTo B <-> (A <= wlt(F,B) & F \\<in> program & st_set(B))";
  16.566  by Auto_tac;
  16.567  by (REPEAT(blast_tac (claset() addDs [leadsToD2,leadsTo_subset]
  16.568                                 addIs [leadsTo_weaken_L, wlt_leadsTo]) 1));
  16.569  qed "leadsTo_eq_subset_wlt";
  16.570  
  16.571  (*Misra's property W4*)
  16.572 -Goal "[| F:program; st_set(B) |] ==> B <= wlt(F,B)";
  16.573 +Goal "[| F \\<in> program; st_set(B) |] ==> B <= wlt(F,B)";
  16.574  by (rtac leadsTo_subset 1);
  16.575  by (asm_simp_tac (simpset() 
  16.576           addsimps [leadsTo_eq_subset_wlt RS iff_sym,
  16.577 @@ -614,16 +614,16 @@
  16.578  (*Used in the Trans case below*)
  16.579  Goalw [constrains_def, st_set_def]
  16.580     "[| B <= A2; \
  16.581 -\      F : (A1 - B) co (A1 Un B); \
  16.582 -\      F : (A2 - C) co (A2 Un C) |] \
  16.583 -\   ==> F : (A1 Un A2 - C) co (A1 Un A2 Un C)";
  16.584 +\      F \\<in> (A1 - B) co (A1 Un B); \
  16.585 +\      F \\<in> (A2 - C) co (A2 Un C) |] \
  16.586 +\   ==> F \\<in> (A1 Un A2 - C) co (A1 Un A2 Un C)";
  16.587  by (Blast_tac 1);
  16.588  qed "leadsTo_123_aux";
  16.589  
  16.590  (*Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress"*)
  16.591 -(* slightly different from the HOL one: B here is bounded *)
  16.592 -Goal "F : A leadsTo A' \
  16.593 -\     ==> EX B:Pow(state). A<=B & F:B leadsTo A' & F : (B-A') co (B Un A')";
  16.594 +(* slightly different from the HOL one \\<in> B here is bounded *)
  16.595 +Goal "F \\<in> A leadsTo A' \
  16.596 +\     ==> \\<exists>B \\<in> Pow(state). A<=B & F \\<in> B leadsTo A' & F \\<in> (B-A') co (B Un A')";
  16.597  by (ftac leadsToD2 1);
  16.598  by (etac leadsTo_induct 1);
  16.599  (*Basis*)
  16.600 @@ -636,14 +636,14 @@
  16.601  by (Blast_tac 1);
  16.602  (*Union*)
  16.603  by (clarify_tac (claset() addSDs [ball_conj_distrib RS iffD1]) 1);
  16.604 -by (subgoal_tac "EX y. y:Pi(S, %A. {Ba:Pow(state). A<=Ba & \
  16.605 -                          \         F:Ba leadsTo B & F:Ba - B co Ba Un B})" 1);
  16.606 +by (subgoal_tac "\\<exists>y. y \\<in> Pi(S, %A. {Ba \\<in> Pow(state). A<=Ba & \
  16.607 +                          \         F \\<in> Ba leadsTo B & F \\<in> Ba - B co Ba Un B})" 1);
  16.608  by (rtac AC_ball_Pi 2);
  16.609  by (ALLGOALS(Clarify_tac));
  16.610  by (rotate_tac 1 2);
  16.611  by (dres_inst_tac [("x", "x")] bspec 2);
  16.612  by (REPEAT(Blast_tac 2));
  16.613 -by (res_inst_tac [("x", "UN A:S. y`A")] bexI 1);
  16.614 +by (res_inst_tac [("x", "\\<Union>A \\<in> S. y`A")] bexI 1);
  16.615  by Safe_tac;
  16.616  by (res_inst_tac [("I1", "S")] (constrains_UN RS constrains_weaken) 3);
  16.617  by (rtac leadsTo_Union 2);
  16.618 @@ -654,7 +654,7 @@
  16.619  
  16.620  
  16.621  (*Misra's property W5*)
  16.622 -Goal "[| F:program; st_set(B) |] ==>F : (wlt(F, B) - B) co (wlt(F,B))";
  16.623 +Goal "[| F \\<in> program; st_set(B) |] ==>F \\<in> (wlt(F, B) - B) co (wlt(F,B))";
  16.624  by (cut_inst_tac [("F","F")] (wlt_leadsTo RS leadsTo_123) 1);
  16.625  by (assume_tac 1);
  16.626  by (Blast_tac 1);
  16.627 @@ -666,26 +666,26 @@
  16.628           addsimps [wlt_increasing RS (subset_Un_iff2 RS iffD1)]) 1);
  16.629  qed "wlt_constrains_wlt";
  16.630  
  16.631 -(*** Completion: Binary and General Finite versions ***)
  16.632 +(*** Completion \\<in> Binary and General Finite versions ***)
  16.633  
  16.634  Goal "[| W = wlt(F, (B' Un C));     \
  16.635 -\      F : A leadsTo (A' Un C);  F : A' co (A' Un C);   \
  16.636 -\      F : B leadsTo (B' Un C);  F : B' co (B' Un C) |] \
  16.637 -\   ==> F : (A Int B) leadsTo ((A' Int B') Un C)";
  16.638 +\      F \\<in> A leadsTo (A' Un C);  F \\<in> A' co (A' Un C);   \
  16.639 +\      F \\<in> B leadsTo (B' Un C);  F \\<in> B' co (B' Un C) |] \
  16.640 +\   ==> F \\<in> (A Int B) leadsTo ((A' Int B') Un C)";
  16.641  by (subgoal_tac "st_set(C)&st_set(W)&st_set(W-C)&st_set(A')&st_set(A)\
  16.642 -\                & st_set(B) & st_set(B') & F:program" 1);
  16.643 +\                & st_set(B) & st_set(B') & F \\<in> program" 1);
  16.644  by (Asm_simp_tac 2);
  16.645  by (blast_tac (claset() addSDs [leadsToD2]) 2);
  16.646 -by (subgoal_tac "F : (W-C) co (W Un B' Un C)" 1);
  16.647 +by (subgoal_tac "F \\<in> (W-C) co (W Un B' Un C)" 1);
  16.648  by (blast_tac (claset() addSIs [[asm_rl, wlt_constrains_wlt] 
  16.649                                 MRS constrains_Un RS constrains_weaken]) 2);
  16.650 -by (subgoal_tac "F : (W-C) co W" 1);
  16.651 +by (subgoal_tac "F \\<in> (W-C) co W" 1);
  16.652  by (asm_full_simp_tac (simpset() addsimps  [wlt_increasing RS 
  16.653                              (subset_Un_iff2 RS iffD1), Un_assoc]) 2);
  16.654 -by (subgoal_tac "F : (A Int W - C) leadsTo (A' Int W Un C)" 1);
  16.655 +by (subgoal_tac "F \\<in> (A Int W - C) leadsTo (A' Int W Un C)" 1);
  16.656  by (blast_tac (claset() addIs [wlt_leadsTo, psp RS leadsTo_weaken]) 2);
  16.657  (** LEVEL 9 **)
  16.658 -by (subgoal_tac "F : (A' Int W Un C) leadsTo (A' Int B' Un C)" 1);
  16.659 +by (subgoal_tac "F \\<in> (A' Int W Un C) leadsTo (A' Int B' Un C)" 1);
  16.660  by (rtac leadsTo_Un_duplicate2 2);
  16.661  by (rtac leadsTo_Un_Un 2);
  16.662  by (blast_tac (claset() addIs [leadsTo_refl]) 3);
  16.663 @@ -703,10 +703,10 @@
  16.664  qed "completion_aux";
  16.665  bind_thm("completion", refl RS completion_aux);
  16.666  
  16.667 -Goal "[| I:Fin(X); F:program; st_set(C) |] ==> \
  16.668 -\(ALL i:I. F : (A(i)) leadsTo (A'(i) Un C)) -->  \
  16.669 -\                  (ALL i:I. F : (A'(i)) co (A'(i) Un C)) --> \
  16.670 -\                  F : (INT i:I. A(i)) leadsTo ((INT i:I. A'(i)) Un C)";
  16.671 +Goal "[| I \\<in> Fin(X); F \\<in> program; st_set(C) |] ==> \
  16.672 +\(\\<forall>i \\<in> I. F \\<in> (A(i)) leadsTo (A'(i) Un C)) -->  \
  16.673 +\                  (\\<forall>i \\<in> I. F \\<in> (A'(i)) co (A'(i) Un C)) --> \
  16.674 +\                  F \\<in> (\\<Inter>i \\<in> I. A(i)) leadsTo ((\\<Inter>i \\<in> I. A'(i)) Un C)";
  16.675  by (etac Fin_induct 1); 
  16.676  by (auto_tac (claset(), simpset() addsimps [Inter_0]));
  16.677  by (rtac completion 1);
  16.678 @@ -717,19 +717,19 @@
  16.679  qed "lemma";
  16.680  
  16.681  val prems = Goal
  16.682 -     "[| I:Fin(X);  \
  16.683 -\        !!i. i:I ==> F : A(i) leadsTo (A'(i) Un C); \
  16.684 -\        !!i. i:I ==> F : A'(i) co (A'(i) Un C); F:program; st_set(C)|]   \
  16.685 -\     ==> F : (INT i:I. A(i)) leadsTo ((INT i:I. A'(i)) Un C)";
  16.686 +     "[| I \\<in> Fin(X);  \
  16.687 +\        !!i. i \\<in> I ==> F \\<in> A(i) leadsTo (A'(i) Un C); \
  16.688 +\        !!i. i \\<in> I ==> F \\<in> A'(i) co (A'(i) Un C); F \\<in> program; st_set(C)|]   \
  16.689 +\     ==> F \\<in> (\\<Inter>i \\<in> I. A(i)) leadsTo ((\\<Inter>i \\<in> I. A'(i)) Un C)";
  16.690  by (resolve_tac [lemma RS mp RS mp] 1);
  16.691  by (resolve_tac prems 3);
  16.692  by (REPEAT(blast_tac (claset() addIs prems) 1));
  16.693  qed "finite_completion";
  16.694  
  16.695  Goalw [stable_def]
  16.696 -     "[| F : A leadsTo A';  F : stable(A');   \
  16.697 -\        F : B leadsTo B';  F : stable(B') |] \
  16.698 -\   ==> F : (A Int B) leadsTo (A' Int B')";
  16.699 +     "[| F \\<in> A leadsTo A';  F \\<in> stable(A');   \
  16.700 +\        F \\<in> B leadsTo B';  F \\<in> stable(B') |] \
  16.701 +\   ==> F \\<in> (A Int B) leadsTo (A' Int B')";
  16.702  by (res_inst_tac [("C1", "0")] (completion RS leadsTo_weaken_R) 1);
  16.703  by (REPEAT(blast_tac (claset() addDs [leadsToD2, constrainsD2]) 5));
  16.704  by (ALLGOALS(Asm_full_simp_tac));
  16.705 @@ -737,12 +737,12 @@
  16.706  
  16.707  
  16.708  val major::prems = Goalw [stable_def]
  16.709 -     "[| I:Fin(X); \
  16.710 -\        (!!i. i:I ==> F : A(i) leadsTo A'(i)); \
  16.711 -\        (!!i. i:I ==> F: stable(A'(i)));  F:program |] \
  16.712 -\     ==> F : (INT i:I. A(i)) leadsTo (INT i:I. A'(i))";
  16.713 +     "[| I \\<in> Fin(X); \
  16.714 +\        (!!i. i \\<in> I ==> F \\<in> A(i) leadsTo A'(i)); \
  16.715 +\        (!!i. i \\<in> I ==> F \\<in> stable(A'(i)));  F \\<in> program |] \
  16.716 +\     ==> F \\<in> (\\<Inter>i \\<in> I. A(i)) leadsTo (\\<Inter>i \\<in> I. A'(i))";
  16.717  by (cut_facts_tac [major] 1);
  16.718 -by (subgoal_tac "st_set(INT i:I. A'(i))" 1);
  16.719 +by (subgoal_tac "st_set(\\<Inter>i \\<in> I. A'(i))" 1);
  16.720  by (blast_tac (claset() addDs [leadsToD2]@prems) 2);
  16.721  by (res_inst_tac [("C1", "0")] (finite_completion RS leadsTo_weaken_R) 1);
  16.722  by (Asm_simp_tac 1);