more symbols;
authorwenzelm
Fri Jun 26 14:53:15 2015 +0200 (2015-06-26)
changeset 60588750c533459b1
parent 60587 0318b43ee95c
child 60589 b5622eef7176
more symbols;
src/HOL/TLA/Action.thy
src/HOL/TLA/Buffer/Buffer.thy
src/HOL/TLA/Buffer/DBuffer.thy
src/HOL/TLA/Inc/Inc.thy
src/HOL/TLA/Init.thy
src/HOL/TLA/Intensional.thy
src/HOL/TLA/Memory/MemClerk.thy
src/HOL/TLA/Memory/MemClerkParameters.thy
src/HOL/TLA/Memory/Memory.thy
src/HOL/TLA/Memory/MemoryImplementation.thy
src/HOL/TLA/Memory/MemoryParameters.thy
src/HOL/TLA/Memory/ProcedureInterface.thy
src/HOL/TLA/Memory/RPC.thy
src/HOL/TLA/Memory/RPCParameters.thy
src/HOL/TLA/Stfun.thy
src/HOL/TLA/TLA.thy
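--- a/src/HOL/TLA/Action.thy
+++ b/src/HOL/TLA/Action.thy
@@ -12,40 +12,40 @@
 
 (** abstract syntax **)
 
-type_synonym 'a trfun = "(state * state) => 'a"
+type_synonym 'a trfun = "(state * state) \<Rightarrow> 'a"
 type_synonym action   = "bool trfun"
 
 instance prod :: (world, world) world ..
 
 consts
   (** abstract syntax **)
-  before        :: "'a stfun => 'a trfun"
-  after         :: "'a stfun => 'a trfun"
-  unch          :: "'a stfun => action"
+  before        :: "'a stfun \<Rightarrow> 'a trfun"
+  after         :: "'a stfun \<Rightarrow> 'a trfun"
+  unch          :: "'a stfun \<Rightarrow> action"
 
-  SqAct         :: "[action, 'a stfun] => action"
-  AnAct         :: "[action, 'a stfun] => action"
-  enabled       :: "action => stpred"
+  SqAct         :: "[action, 'a stfun] \<Rightarrow> action"
+  AnAct         :: "[action, 'a stfun] \<Rightarrow> action"
+  enabled       :: "action \<Rightarrow> stpred"
 
 (** concrete syntax **)
 
 syntax
   (* Syntax for writing action expressions in arbitrary contexts *)
-  "_ACT"        :: "lift => 'a"                      ("(ACT _)")
+  "_ACT"        :: "lift \<Rightarrow> 'a"                      ("(ACT _)")
 
-  "_before"     :: "lift => lift"                    ("($_)"  [100] 99)
-  "_after"      :: "lift => lift"                    ("(_$)"  [100] 99)
-  "_unchanged"  :: "lift => lift"                    ("(unchanged _)" [100] 99)
+  "_before"     :: "lift \<Rightarrow> lift"                    ("($_)"  [100] 99)
+  "_after"      :: "lift \<Rightarrow> lift"                    ("(_$)"  [100] 99)
+  "_unchanged"  :: "lift \<Rightarrow> lift"                    ("(unchanged _)" [100] 99)
 
   (*** Priming: same as "after" ***)
-  "_prime"      :: "lift => lift"                    ("(_`)" [100] 99)
+  "_prime"      :: "lift \<Rightarrow> lift"                    ("(_`)" [100] 99)
 
-  "_SqAct"      :: "[lift, lift] => lift"            ("([_]'_(_))" [0,1000] 99)
-  "_AnAct"      :: "[lift, lift] => lift"            ("(<_>'_(_))" [0,1000] 99)
-  "_Enabled"    :: "lift => lift"                    ("(Enabled _)" [100] 100)
+  "_SqAct"      :: "[lift, lift] \<Rightarrow> lift"            ("([_]'_(_))" [0,1000] 99)
+  "_AnAct"      :: "[lift, lift] \<Rightarrow> lift"            ("(<_>'_(_))" [0,1000] 99)
+  "_Enabled"    :: "lift \<Rightarrow> lift"                    ("(Enabled _)" [100] 100)
 
 translations
-  "ACT A"            =>   "(A::state*state => _)"
+  "ACT A"            =>   "(A::state*state \<Rightarrow> _)"
   "_before"          ==   "CONST before"
   "_after"           ==   "CONST after"
   "_prime"           =>   "_after"
@@ -59,16 +59,16 @@
   "w |= unchanged f" <=   "_unchanged f w"
 
 axiomatization where
-  unl_before:    "(ACT $v) (s,t) == v s" and
-  unl_after:     "(ACT v$) (s,t) == v t" and
+  unl_before:    "(ACT $v) (s,t) \<equiv> v s" and
+  unl_after:     "(ACT v$) (s,t) \<equiv> v t" and
 
-  unchanged_def: "(s,t) |= unchanged v == (v t = v s)"
+  unchanged_def: "(s,t) \<Turnstile> unchanged v \<equiv> (v t = v s)"
 
 defs
-  square_def:    "ACT [A]_v == ACT (A | unchanged v)"
-  angle_def:     "ACT <A>_v == ACT (A & \<not> unchanged v)"
+  square_def:    "ACT [A]_v \<equiv> ACT (A \<or> unchanged v)"
+  angle_def:     "ACT <A>_v \<equiv> ACT (A \<and> \<not> unchanged v)"
 
-  enabled_def:   "s |= Enabled A  ==  \<exists>u. (s,u) |= A"
+  enabled_def:   "s \<Turnstile> Enabled A  \<equiv>  \<exists>u. (s,u) \<Turnstile> A"
 
 
 (* The following assertion specializes "intI" for any world type
@@ -76,22 +76,22 @@
 *)
 
 lemma actionI [intro!]:
-  assumes "\<And>s t. (s,t) |= A"
-  shows "|- A"
+  assumes "\<And>s t. (s,t) \<Turnstile> A"
+  shows "\<turnstile> A"
   apply (rule assms intI prod.induct)+
   done
 
-lemma actionD [dest]: "|- A ==> (s,t) |= A"
+lemma actionD [dest]: "\<turnstile> A \<Longrightarrow> (s,t) \<Turnstile> A"
   apply (erule intD)
   done
 
 lemma pr_rews [int_rewrite]:
-  "|- (#c)` = #c"
-  "\<And>f. |- f<x>` = f<x` >"
-  "\<And>f. |- f<x,y>` = f<x`,y` >"
-  "\<And>f. |- f<x,y,z>` = f<x`,y`,z` >"
-  "|- (\<forall>x. P x)` = (\<forall>x. (P x)`)"
-  "|- (\<exists>x. P x)` = (\<exists>x. (P x)`)"
+  "\<turnstile> (#c)` = #c"
+  "\<And>f. \<turnstile> f<x>` = f<x` >"
+  "\<And>f. \<turnstile> f<x,y>` = f<x`,y` >"
+  "\<And>f. \<turnstile> f<x,y,z>` = f<x`,y`,z` >"
+  "\<turnstile> (\<forall>x. P x)` = (\<forall>x. (P x)`)"
+  "\<turnstile> (\<exists>x. P x)` = (\<exists>x. (P x)`)"
   by (rule actionI, unfold unl_after intensional_rews, rule refl)+
 
 
@@ -112,7 +112,7 @@
   (rewrite_rule ctxt @{thms action_rews} (th RS @{thm actionD}))
     handle THM _ => int_unlift ctxt th;
 
-(* Turn  |- A = B  into meta-level rewrite rule  A == B *)
+(* Turn  \<turnstile> A = B  into meta-level rewrite rule  A == B *)
 val action_rewrite = int_rewrite
 
 fun action_use ctxt th =
@@ -132,69 +132,69 @@
 
 (* =========================== square / angle brackets =========================== *)
 
-lemma idle_squareI: "(s,t) |= unchanged v ==> (s,t) |= [A]_v"
+lemma idle_squareI: "(s,t) \<Turnstile> unchanged v \<Longrightarrow> (s,t) \<Turnstile> [A]_v"
   by (simp add: square_def)
 
-lemma busy_squareI: "(s,t) |= A ==> (s,t) |= [A]_v"
+lemma busy_squareI: "(s,t) \<Turnstile> A \<Longrightarrow> (s,t) \<Turnstile> [A]_v"
   by (simp add: square_def)
 
 lemma squareE [elim]:
-  "[| (s,t) |= [A]_v; A (s,t) ==> B (s,t); v t = v s ==> B (s,t) |] ==> B (s,t)"
+  "\<lbrakk> (s,t) \<Turnstile> [A]_v; A (s,t) \<Longrightarrow> B (s,t); v t = v s \<Longrightarrow> B (s,t) \<rbrakk> \<Longrightarrow> B (s,t)"
   apply (unfold square_def action_rews)
   apply (erule disjE)
   apply simp_all
   done
 
-lemma squareCI [intro]: "[| v t \<noteq> v s ==> A (s,t) |] ==> (s,t) |= [A]_v"
+lemma squareCI [intro]: "\<lbrakk> v t \<noteq> v s \<Longrightarrow> A (s,t) \<rbrakk> \<Longrightarrow> (s,t) \<Turnstile> [A]_v"
   apply (unfold square_def action_rews)
   apply (rule disjCI)
   apply (erule (1) meta_mp)
   done
 
-lemma angleI [intro]: "\<And>s t. [| A (s,t); v t \<noteq> v s |] ==> (s,t) |= <A>_v"
+lemma angleI [intro]: "\<And>s t. \<lbrakk> A (s,t); v t \<noteq> v s \<rbrakk> \<Longrightarrow> (s,t) \<Turnstile> <A>_v"
   by (simp add: angle_def)
 
-lemma angleE [elim]: "[| (s,t) |= <A>_v; [| A (s,t); v t \<noteq> v s |] ==> R |] ==> R"
+lemma angleE [elim]: "\<lbrakk> (s,t) \<Turnstile> <A>_v; \<lbrakk> A (s,t); v t \<noteq> v s \<rbrakk> \<Longrightarrow> R \<rbrakk> \<Longrightarrow> R"
   apply (unfold angle_def action_rews)
   apply (erule conjE)
   apply simp
   done
 
 lemma square_simulation:
-   "\<And>f. [| |- unchanged f & \<not>B --> unchanged g;
-            |- A & \<not>unchanged g --> B
-         |] ==> |- [A]_f --> [B]_g"
+   "\<And>f. \<lbrakk> \<turnstile> unchanged f & \<not>B \<longrightarrow> unchanged g;
+            \<turnstile> A & \<not>unchanged g \<longrightarrow> B
+         \<rbrakk> \<Longrightarrow> \<turnstile> [A]_f \<longrightarrow> [B]_g"
   apply clarsimp
   apply (erule squareE)
   apply (auto simp add: square_def)
   done
 
-lemma not_square: "|- (\<not> [A]_v) = <\<not>A>_v"
+lemma not_square: "\<turnstile> (\<not> [A]_v) = <\<not>A>_v"
   by (auto simp: square_def angle_def)
 
-lemma not_angle: "|- (\<not> <A>_v) = [\<not>A]_v"
+lemma not_angle: "\<turnstile> (\<not> <A>_v) = [\<not>A]_v"
   by (auto simp: square_def angle_def)
 
 
 (* ============================== Facts about ENABLED ============================== *)
 
-lemma enabledI: "|- A --> $Enabled A"
+lemma enabledI: "\<turnstile> A \<longrightarrow> $Enabled A"
   by (auto simp add: enabled_def)
 
-lemma enabledE: "[| s |= Enabled A; \<And>u. A (s,u) ==> Q |] ==> Q"
+lemma enabledE: "\<lbrakk> s \<Turnstile> Enabled A; \<And>u. A (s,u) \<Longrightarrow> Q \<rbrakk> \<Longrightarrow> Q"
   apply (unfold enabled_def)
   apply (erule exE)
   apply simp
   done
 
-lemma notEnabledD: "|- \<not>$Enabled G --> \<not> G"
+lemma notEnabledD: "\<turnstile> \<not>$Enabled G \<longrightarrow> \<not> G"
   by (auto simp add: enabled_def)
 
 (* Monotonicity *)
 lemma enabled_mono:
-  assumes min: "s |= Enabled F"
-    and maj: "|- F --> G"
-  shows "s |= Enabled G"
+  assumes min: "s \<Turnstile> Enabled F"
+    and maj: "\<turnstile> F \<longrightarrow> G"
+  shows "s \<Turnstile> Enabled G"
   apply (rule min [THEN enabledE])
   apply (rule enabledI [action_use])
   apply (erule maj [action_use])
@@ -202,50 +202,50 @@
 
 (* stronger variant *)
 lemma enabled_mono2:
-  assumes min: "s |= Enabled F"
-    and maj: "\<And>t. F (s,t) ==> G (s,t)"
-  shows "s |= Enabled G"
+  assumes min: "s \<Turnstile> Enabled F"
+    and maj: "\<And>t. F (s,t) \<Longrightarrow> G (s,t)"
+  shows "s \<Turnstile> Enabled G"
   apply (rule min [THEN enabledE])
   apply (rule enabledI [action_use])
   apply (erule maj)
   done
 
-lemma enabled_disj1: "|- Enabled F --> Enabled (F | G)"
+lemma enabled_disj1: "\<turnstile> Enabled F \<longrightarrow> Enabled (F | G)"
   by (auto elim!: enabled_mono)
 
-lemma enabled_disj2: "|- Enabled G --> Enabled (F | G)"
+lemma enabled_disj2: "\<turnstile> Enabled G \<longrightarrow> Enabled (F | G)"
   by (auto elim!: enabled_mono)
 
-lemma enabled_conj1: "|- Enabled (F & G) --> Enabled F"
+lemma enabled_conj1: "\<turnstile> Enabled (F & G) \<longrightarrow> Enabled F"
   by (auto elim!: enabled_mono)
 
-lemma enabled_conj2: "|- Enabled (F & G) --> Enabled G"
+lemma enabled_conj2: "\<turnstile> Enabled (F & G) \<longrightarrow> Enabled G"
   by (auto elim!: enabled_mono)
 
 lemma enabled_conjE:
-    "[| s |= Enabled (F & G); [| s |= Enabled F; s |= Enabled G |] ==> Q |] ==> Q"
+    "\<lbrakk> s \<Turnstile> Enabled (F & G); \<lbrakk> s \<Turnstile> Enabled F; s \<Turnstile> Enabled G \<rbrakk> \<Longrightarrow> Q \<rbrakk> \<Longrightarrow> Q"
   apply (frule enabled_conj1 [action_use])
   apply (drule enabled_conj2 [action_use])
   apply simp
   done
 
-lemma enabled_disjD: "|- Enabled (F | G) --> Enabled F | Enabled G"
+lemma enabled_disjD: "\<turnstile> Enabled (F | G) \<longrightarrow> Enabled F | Enabled G"
   by (auto simp add: enabled_def)
 
-lemma enabled_disj: "|- Enabled (F | G) = (Enabled F | Enabled G)"
+lemma enabled_disj: "\<turnstile> Enabled (F | G) = (Enabled F | Enabled G)"
   apply clarsimp
   apply (rule iffI)
    apply (erule enabled_disjD [action_use])
   apply (erule disjE enabled_disj1 [action_use] enabled_disj2 [action_use])+
   done
 
-lemma enabled_ex: "|- Enabled (\<exists>x. F x) = (\<exists>x. Enabled (F x))"
+lemma enabled_ex: "\<turnstile> Enabled (\<exists>x. F x) = (\<exists>x. Enabled (F x))"
   by (force simp add: enabled_def)
 
 
 (* A rule that combines enabledI and baseE, but generates fewer instantiations *)
 lemma base_enabled:
-    "[| basevars vs; \<exists>c. \<forall>u. vs u = c --> A(s,u) |] ==> s |= Enabled A"
+    "\<lbrakk> basevars vs; \<exists>c. \<forall>u. vs u = c \<longrightarrow> A(s,u) \<rbrakk> \<Longrightarrow> s \<Turnstile> Enabled A"
   apply (erule exE)
   apply (erule baseE)
   apply (rule enabledI [action_use])
@@ -294,7 +294,7 @@
 
 lemma
   assumes "basevars (x,y,z)"
-  shows "|- x --> Enabled ($x & (y$ = #False))"
+  shows "\<turnstile> x \<longrightarrow> Enabled ($x & (y$ = #False))"
   apply (enabled assms)
   apply auto
   done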
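Review bot: The rewritten comment in the ML hunk (@@ -112,7), `(* Turn  \<turnstile> A = B  into meta-level rewrite rule  A == B *)`, converts only the object-level turnstile and keeps the meta-equality as ASCII `==`, whereas the `axiomatization`/`defs` hunk of the same file rewrites `==` to `\<equiv>`; for a uniform sweep it would read `(* Turn  \<turnstile> A = B  into meta-level rewrite rule  A \<equiv> B *)`. In the same spirit, `square_def`/`angle_def` now use `\<and>`/`\<or>`, but `square_simulation`, `enabled_conj1`..`enabled_disj` and the closing example still use ASCII `&` and `|`, so the file ends up mixing both notations; the Buffer.thy, DBuffer.thy and Inc.thy sections show the same mix. Since the ASCII and symbol spellings are alternative notations for the same constants, the proofs should be unaffected, but the mixed forms make a later grep-based pass harder to scope.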
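--- a/src/HOL/TLA/Buffer/Buffer.thy
+++ b/src/HOL/TLA/Buffer/Buffer.thy
@@ -10,14 +10,14 @@
 
 consts
   (* actions *)
-  BInit     :: "'a stfun => 'a list stfun => 'a stfun => stpred"
-  Enq       :: "'a stfun => 'a list stfun => 'a stfun => action"
-  Deq       :: "'a stfun => 'a list stfun => 'a stfun => action"
-  Next      :: "'a stfun => 'a list stfun => 'a stfun => action"
+  BInit     :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> stpred"
+  Enq       :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> action"
+  Deq       :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> action"
+  Next      :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> action"
 
   (* temporal formulas *)
-  IBuffer   :: "'a stfun => 'a list stfun => 'a stfun => temporal"
-  Buffer    :: "'a stfun => 'a stfun => temporal"
+  IBuffer   :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> temporal"
+  Buffer    :: "'a stfun \<Rightarrow> 'a stfun \<Rightarrow> temporal"
 
 defs
   BInit_def:   "BInit ic q oc    == PRED q = #[]"
@@ -38,28 +38,28 @@
 (* ---------------------------- Data lemmas ---------------------------- *)
 
 (*FIXME: move to theory List? Maybe as (tl xs = xs) = (xs = [])"?*)
-lemma tl_not_self [simp]: "xs \<noteq> [] ==> tl xs \<noteq> xs"
+lemma tl_not_self [simp]: "xs \<noteq> [] \<Longrightarrow> tl xs \<noteq> xs"
   by (auto simp: neq_Nil_conv)
 
 
 (* ---------------------------- Action lemmas ---------------------------- *)
 
 (* Dequeue is visible *)
-lemma Deq_visible: "|- <Deq ic q oc>_(ic,q,oc) = Deq ic q oc"
+lemma Deq_visible: "\<turnstile> <Deq ic q oc>_(ic,q,oc) = Deq ic q oc"
   apply (unfold angle_def Deq_def)
   apply (safe, simp (asm_lr))+
   done
 
 (* Enabling condition for dequeue -- NOT NEEDED *)
 lemma Deq_enabled: 
-    "\<And>q. basevars (ic,q,oc) ==> |- Enabled (<Deq ic q oc>_(ic,q,oc)) = (q \<noteq> #[])"
+    "\<And>q. basevars (ic,q,oc) \<Longrightarrow> \<turnstile> Enabled (<Deq ic q oc>_(ic,q,oc)) = (q \<noteq> #[])"
   apply (unfold Deq_visible [temp_rewrite])
   apply (force elim!: base_enabled [temp_use] enabledE [temp_use] simp: Deq_def)
   done
 
 (* For the left-to-right implication, we don't need the base variable stuff *)
 lemma Deq_enabledE: 
-    "|- Enabled (<Deq ic q oc>_(ic,q,oc)) --> (q \<noteq> #[])"
+    "\<turnstile> Enabled (<Deq ic q oc>_(ic,q,oc)) \<longrightarrow> (q \<noteq> #[])"
   apply (unfold Deq_visible [temp_rewrite])
   apply (auto elim!: enabledE simp add: Deq_def)
   done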
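Review bot: The `defs` entry visible as trailing context of the first hunk, `BInit_def:   "BInit ic q oc    == PRED q = #[]"`, still uses ASCII `==`, while the Action.thy section of this same changeset rewrites its `defs` to `\<equiv>`; if the sweep is meant to be uniform across the TLA session, this line (and presumably the sibling `*_def` entries below the hunk, which are not visible here) would become `BInit_def:   "BInit ic q oc    \<equiv> PRED q = #[]"`. The `consts` hunk above it is fully converted, so the boundary of the conversion currently falls in the middle of one declaration group.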
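--- a/src/HOL/TLA/Buffer/DBuffer.thy
+++ b/src/HOL/TLA/Buffer/DBuffer.thy
@@ -50,12 +50,12 @@
 
 
 (*** Proper initialization ***)
-lemma DBInit: "|- Init DBInit --> Init (BInit inp qc out)"
+lemma DBInit: "\<turnstile> Init DBInit \<longrightarrow> Init (BInit inp qc out)"
   by (auto simp: Init_def DBInit_def BInit_def)
 
 
 (*** Step simulation ***)
-lemma DB_step_simulation: "|- [DBNext]_(inp,mid,out,q1,q2) --> [Next inp qc out]_(inp,qc,out)"
+lemma DB_step_simulation: "\<turnstile> [DBNext]_(inp,mid,out,q1,q2) \<longrightarrow> [Next inp qc out]_(inp,qc,out)"
   apply (rule square_simulation)
    apply clarsimp
   apply (tactic
@@ -66,23 +66,23 @@
 (*** Simulation of fairness ***)
 
 (* Compute enabledness predicates for DBDeq and DBPass actions *)
-lemma DBDeq_visible: "|- <DBDeq>_(inp,mid,out,q1,q2) = DBDeq"
+lemma DBDeq_visible: "\<turnstile> <DBDeq>_(inp,mid,out,q1,q2) = DBDeq"
   apply (unfold angle_def DBDeq_def Deq_def)
   apply (safe, simp (asm_lr))+
   done
 
 lemma DBDeq_enabled: 
-    "|- Enabled (<DBDeq>_(inp,mid,out,q1,q2)) = (q2 \<noteq> #[])"
+    "\<turnstile> Enabled (<DBDeq>_(inp,mid,out,q1,q2)) = (q2 \<noteq> #[])"
   apply (unfold DBDeq_visible [action_rewrite])
   apply (force intro!: DB_base [THEN base_enabled, temp_use]
     elim!: enabledE simp: angle_def DBDeq_def Deq_def)
   done
 
-lemma DBPass_visible: "|- <DBPass>_(inp,mid,out,q1,q2) = DBPass"
+lemma DBPass_visible: "\<turnstile> <DBPass>_(inp,mid,out,q1,q2) = DBPass"
   by (auto simp: angle_def DBPass_def Deq_def)
 
 lemma DBPass_enabled: 
-    "|- Enabled (<DBPass>_(inp,mid,out,q1,q2)) = (q1 \<noteq> #[])"
+    "\<turnstile> Enabled (<DBPass>_(inp,mid,out,q1,q2)) = (q1 \<noteq> #[])"
   apply (unfold DBPass_visible [action_rewrite])
   apply (force intro!: DB_base [THEN base_enabled, temp_use]
     elim!: enabledE simp: angle_def DBPass_def Deq_def)
@@ -109,8 +109,8 @@
 *)
 
 (* Condition (1a) *)
-lemma DBFair_1a: "|- \<box>[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)  
-         --> (qc \<noteq> #[] & q2 = #[] \<leadsto> q2 \<noteq> #[])"
+lemma DBFair_1a: "\<turnstile> \<box>[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)  
+         \<longrightarrow> (qc \<noteq> #[] & q2 = #[] \<leadsto> q2 \<noteq> #[])"
   apply (rule WF1)
     apply (force simp: db_defs)
    apply (force simp: angle_def DBPass_def)
@@ -118,8 +118,8 @@
   done
 
 (* Condition (1) *)
-lemma DBFair_1: "|- \<box>[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)  
-         --> (Enabled (<Deq inp qc out>_(inp,qc,out)) \<leadsto> q2 \<noteq> #[])"
+lemma DBFair_1: "\<turnstile> \<box>[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)  
+         \<longrightarrow> (Enabled (<Deq inp qc out>_(inp,qc,out)) \<leadsto> q2 \<noteq> #[])"
   apply clarsimp
   apply (rule leadsto_classical [temp_use])
   apply (rule DBFair_1a [temp_use, THEN LatticeTransitivity [temp_use]])
@@ -130,8 +130,8 @@
   done
 
 (* Condition (2) *)
-lemma DBFair_2: "|- \<box>[DBNext]_(inp,mid,out,q1,q2) & WF(DBDeq)_(inp,mid,out,q1,q2)  
-         --> (q2 \<noteq> #[] \<leadsto> DBDeq)"
+lemma DBFair_2: "\<turnstile> \<box>[DBNext]_(inp,mid,out,q1,q2) & WF(DBDeq)_(inp,mid,out,q1,q2)  
+         \<longrightarrow> (q2 \<noteq> #[] \<leadsto> DBDeq)"
   apply (rule WF_leadsto)
     apply (force simp: DBDeq_enabled [temp_use])
    apply (force simp: angle_def)
@@ -139,9 +139,9 @@
   done
 
 (* High-level fairness *)
-lemma DBFair: "|- \<box>[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)  
+lemma DBFair: "\<turnstile> \<box>[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)  
                                         & WF(DBDeq)_(inp,mid,out,q1,q2)   
-         --> WF(Deq inp qc out)_(inp,qc,out)"
+         \<longrightarrow> WF(Deq inp qc out)_(inp,qc,out)"
   apply (auto simp del: qc_def intro!: leadsto_WF [temp_use]
     DBFair_1 [temp_use, THEN [2] LatticeTransitivity [temp_use]]
     DBFair_2 [temp_use, THEN [2] LatticeTransitivity [temp_use]])
@@ -150,7 +150,7 @@
   done
 
 (*** Main theorem ***)
-lemma DBuffer_impl_Buffer: "|- DBuffer --> Buffer inp out"
+lemma DBuffer_impl_Buffer: "\<turnstile> DBuffer \<longrightarrow> Buffer inp out"
   apply (unfold DBuffer_def Buffer_def IBuffer_def)
   apply (force intro!: eexI [temp_use] DBInit [temp_use]
     DB_step_simulation [THEN STL4, temp_use] DBFair [temp_use])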
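Review bot: The rewritten first lines of `DBFair_1a`, `DBFair_1`, `DBFair_2` and `DBFair` (hunks @@ -109, @@ -118, @@ -130, @@ -139) end in trailing whitespace after `WF(DBPass)_(inp,mid,out,q1,q2)` / `WF(DBDeq)_(inp,mid,out,q1,q2)`, carried over from the removed lines; since these lines are being rewritten anyway, trimming it now would avoid a separate whitespace-only commit, e.g. `lemma DBFair_1a: "\<turnstile> \<box>[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)`. The ASCII `&` in those same statements is left untouched while `\<turnstile>` and `\<longrightarrow>` on the same line are converted; whether `&` is deliberately deferred to a later pass is not visible from this changeset.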
     4.1 --- a/src/HOL/TLA/Inc/Inc.thy	Fri Jun 26 11:44:22 2015 +0200
     4.2 +++ b/src/HOL/TLA/Inc/Inc.thy	Fri Jun 26 14:53:15 2015 +0200
     4.3 @@ -86,31 +86,31 @@
     4.4  
     4.5  (*** Invariant proof for Psi: "manual" proof proves individual lemmas ***)
     4.6  
     4.7 -lemma PsiInv_Init: "|- InitPsi --> PsiInv"
     4.8 +lemma PsiInv_Init: "\<turnstile> InitPsi \<longrightarrow> PsiInv"
     4.9    by (auto simp: InitPsi_def PsiInv_defs)
    4.10  
    4.11 -lemma PsiInv_alpha1: "|- alpha1 & $PsiInv --> PsiInv$"
    4.12 +lemma PsiInv_alpha1: "\<turnstile> alpha1 & $PsiInv \<longrightarrow> PsiInv$"
    4.13    by (auto simp: alpha1_def PsiInv_defs)
    4.14  
    4.15 -lemma PsiInv_alpha2: "|- alpha2 & $PsiInv --> PsiInv$"
    4.16 +lemma PsiInv_alpha2: "\<turnstile> alpha2 & $PsiInv \<longrightarrow> PsiInv$"
    4.17    by (auto simp: alpha2_def PsiInv_defs)
    4.18  
    4.19 -lemma PsiInv_beta1: "|- beta1 & $PsiInv --> PsiInv$"
    4.20 +lemma PsiInv_beta1: "\<turnstile> beta1 & $PsiInv \<longrightarrow> PsiInv$"
    4.21    by (auto simp: beta1_def PsiInv_defs)
    4.22  
    4.23 -lemma PsiInv_beta2: "|- beta2 & $PsiInv --> PsiInv$"
    4.24 +lemma PsiInv_beta2: "\<turnstile> beta2 & $PsiInv \<longrightarrow> PsiInv$"
    4.25    by (auto simp: beta2_def PsiInv_defs)
    4.26  
    4.27 -lemma PsiInv_gamma1: "|- gamma1 & $PsiInv --> PsiInv$"
    4.28 +lemma PsiInv_gamma1: "\<turnstile> gamma1 & $PsiInv \<longrightarrow> PsiInv$"
    4.29    by (auto simp: gamma1_def PsiInv_defs)
    4.30  
    4.31 -lemma PsiInv_gamma2: "|- gamma2 & $PsiInv --> PsiInv$"
    4.32 +lemma PsiInv_gamma2: "\<turnstile> gamma2 & $PsiInv \<longrightarrow> PsiInv$"
    4.33    by (auto simp: gamma2_def PsiInv_defs)
    4.34  
    4.35 -lemma PsiInv_stutter: "|- unchanged (x,y,sem,pc1,pc2) & $PsiInv --> PsiInv$"
    4.36 +lemma PsiInv_stutter: "\<turnstile> unchanged (x,y,sem,pc1,pc2) & $PsiInv \<longrightarrow> PsiInv$"
    4.37    by (auto simp: PsiInv_defs)
    4.38  
    4.39 -lemma PsiInv: "|- Psi --> \<box>PsiInv"
    4.40 +lemma PsiInv: "\<turnstile> Psi \<longrightarrow> \<box>PsiInv"
    4.41    apply (invariant simp: Psi_def)
    4.42     apply (force simp: PsiInv_Init [try_rewrite] Init_def)
    4.43    apply (auto intro: PsiInv_alpha1 [try_rewrite] PsiInv_alpha2 [try_rewrite]
    4.44 @@ -123,16 +123,16 @@
    4.45     More realistic examples require user guidance anyway.
    4.46  *)
    4.47  
    4.48 -lemma "|- Psi --> \<box>PsiInv"
    4.49 +lemma "\<turnstile> Psi \<longrightarrow> \<box>PsiInv"
    4.50    by (auto_invariant simp: PsiInv_defs Psi_defs)
    4.51  
    4.52  
    4.53  (**** Step simulation ****)
    4.54  
    4.55 -lemma Init_sim: "|- Psi --> Init InitPhi"
    4.56 +lemma Init_sim: "\<turnstile> Psi \<longrightarrow> Init InitPhi"
    4.57    by (auto simp: InitPhi_def Psi_def InitPsi_def Init_def)
    4.58  
    4.59 -lemma Step_sim: "|- Psi --> \<box>[M1 | M2]_(x,y)"
    4.60 +lemma Step_sim: "\<turnstile> Psi \<longrightarrow> \<box>[M1 | M2]_(x,y)"
    4.61    by (auto simp: square_def M1_def M2_def Psi_defs elim!: STL4E [temp_use])
    4.62  
    4.63  
    4.64 @@ -140,7 +140,7 @@
    4.65  
    4.66  (*
    4.67     The goal is to prove Fair_M1 far below, which asserts
    4.68 -         |- Psi --> WF(M1)_(x,y)
    4.69 +         \<turnstile> Psi \<longrightarrow> WF(M1)_(x,y)
    4.70     (the other fairness condition is symmetrical).
    4.71  
    4.72     The strategy is to use WF2 (with beta1 as the helpful action). Proving its
    4.73 @@ -154,10 +154,10 @@
    4.74     the auxiliary lemmas are very similar.
    4.75  *)
    4.76  
    4.77 -lemma Stuck_at_b: "|- \<box>[(N1 | N2) & \<not> beta1]_(x,y,sem,pc1,pc2) --> stable(pc1 = #b)"
    4.78 +lemma Stuck_at_b: "\<turnstile> \<box>[(N1 | N2) & \<not> beta1]_(x,y,sem,pc1,pc2) \<longrightarrow> stable(pc1 = #b)"
    4.79    by (auto elim!: Stable squareE simp: Psi_defs)
    4.80  
    4.81 -lemma N1_enabled_at_g: "|- pc1 = #g --> Enabled (<N1>_(x,y,sem,pc1,pc2))"
    4.82 +lemma N1_enabled_at_g: "\<turnstile> pc1 = #g \<longrightarrow> Enabled (<N1>_(x,y,sem,pc1,pc2))"
    4.83    apply clarsimp
    4.84    apply (rule_tac F = gamma1 in enabled_mono)
    4.85     apply (enabled Inc_base)
    4.86 @@ -166,20 +166,20 @@
    4.87    done
    4.88  
    4.89  lemma g1_leadsto_a1:
    4.90 -  "|- \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N1)_(x,y,sem,pc1,pc2) & \<box>#True  
    4.91 -    --> (pc1 = #g \<leadsto> pc1 = #a)"
    4.92 +  "\<turnstile> \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N1)_(x,y,sem,pc1,pc2) & \<box>#True  
    4.93 +    \<longrightarrow> (pc1 = #g \<leadsto> pc1 = #a)"
    4.94    apply (rule SF1)
    4.95      apply (tactic
    4.96        {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *})
    4.97     apply (tactic
    4.98        {* action_simp_tac (@{context} addsimps @{thm angle_def} :: @{thms Psi_defs}) [] [] 1 *})
    4.99 -  (* reduce |- \<box>A --> \<diamond>Enabled B  to  |- A --> Enabled B *)
   4.100 +  (* reduce \<turnstile> \<box>A \<longrightarrow> \<diamond>Enabled B  to  \<turnstile> A \<longrightarrow> Enabled B *)
   4.101    apply (auto intro!: InitDmd_gen [temp_use] N1_enabled_at_g [temp_use]
   4.102      dest!: STL2_gen [temp_use] simp: Init_def)
   4.103    done
   4.104  
   4.105  (* symmetrical for N2, and similar for beta2 *)
   4.106 -lemma N2_enabled_at_g: "|- pc2 = #g --> Enabled (<N2>_(x,y,sem,pc1,pc2))"
   4.107 +lemma N2_enabled_at_g: "\<turnstile> pc2 = #g \<longrightarrow> Enabled (<N2>_(x,y,sem,pc1,pc2))"
   4.108    apply clarsimp
   4.109    apply (rule_tac F = gamma2 in enabled_mono)
   4.110    apply (enabled Inc_base)
   4.111 @@ -188,8 +188,8 @@
   4.112    done
   4.113  
   4.114  lemma g2_leadsto_a2:
   4.115 -  "|- \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & \<box>#True  
   4.116 -    --> (pc2 = #g \<leadsto> pc2 = #a)"
   4.117 +  "\<turnstile> \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & \<box>#True  
   4.118 +    \<longrightarrow> (pc2 = #g \<leadsto> pc2 = #a)"
   4.119    apply (rule SF1)
   4.120    apply (tactic {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *})
   4.121    apply (tactic {* action_simp_tac (@{context} addsimps @{thm angle_def} :: @{thms Psi_defs})
   4.122 @@ -198,7 +198,7 @@
   4.123      dest!: STL2_gen [temp_use] simp add: Init_def)
   4.124    done
   4.125  
   4.126 -lemma N2_enabled_at_b: "|- pc2 = #b --> Enabled (<N2>_(x,y,sem,pc1,pc2))"
   4.127 +lemma N2_enabled_at_b: "\<turnstile> pc2 = #b \<longrightarrow> Enabled (<N2>_(x,y,sem,pc1,pc2))"
   4.128    apply clarsimp
   4.129    apply (rule_tac F = beta2 in enabled_mono)
   4.130     apply (enabled Inc_base)
   4.131 @@ -207,8 +207,8 @@
   4.132    done
   4.133  
   4.134  lemma b2_leadsto_g2:
   4.135 -  "|- \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & \<box>#True  
   4.136 -    --> (pc2 = #b \<leadsto> pc2 = #g)"
   4.137 +  "\<turnstile> \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & \<box>#True  
   4.138 +    \<longrightarrow> (pc2 = #b \<leadsto> pc2 = #g)"
   4.139    apply (rule SF1)
   4.140      apply (tactic
   4.141        {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *})
   4.142 @@ -220,8 +220,8 @@
   4.143  
   4.144  (* Combine above lemmas: the second component will eventually reach pc2 = a *)
   4.145  lemma N2_leadsto_a:
   4.146 -  "|- \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & \<box>#True  
   4.147 -    --> (pc2 = #a | pc2 = #b | pc2 = #g \<leadsto> pc2 = #a)"
   4.148 +  "\<turnstile> \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & \<box>#True  
   4.149 +    \<longrightarrow> (pc2 = #a | pc2 = #b | pc2 = #g \<leadsto> pc2 = #a)"
   4.150    apply (auto intro!: LatticeDisjunctionIntro [temp_use])
   4.151      apply (rule LatticeReflexivity [temp_use])
   4.152     apply (rule LatticeTransitivity [temp_use])
   4.153 @@ -230,8 +230,8 @@
   4.154  
   4.155  (* Get rid of disjunction on the left-hand side of \<leadsto> above. *)
   4.156  lemma N2_live:
   4.157 -  "|- \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2)  
   4.158 -    --> \<diamond>(pc2 = #a)"
   4.159 +  "\<turnstile> \<box>[(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2)  
   4.160 +    \<longrightarrow> \<diamond>(pc2 = #a)"
   4.161    apply (auto simp: Init_defs intro!: N2_leadsto_a [temp_use, THEN [2] leadsto_init [temp_use]])
   4.162    apply (case_tac "pc2 (st1 sigma)")
   4.163      apply auto
   4.164 @@ -240,7 +240,7 @@
   4.165  (* Now prove that the first component will eventually reach pc1 = b from pc1 = a *)
   4.166  
   4.167  lemma N1_enabled_at_both_a:
   4.168 -  "|- pc2 = #a & (PsiInv & pc1 = #a) --> Enabled (<N1>_(x,y,sem,pc1,pc2))"
   4.169 +  "\<turnstile> pc2 = #a & (PsiInv & pc1 = #a) \<longrightarrow> Enabled (<N1>_(x,y,sem,pc1,pc2))"
   4.170    apply clarsimp
   4.171    apply (rule_tac F = alpha1 in enabled_mono)
   4.172    apply (enabled Inc_base)
   4.173 @@ -249,9 +249,9 @@
   4.174    done
   4.175  
   4.176  lemma a1_leadsto_b1:
   4.177 -  "|- \<box>($PsiInv & [(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2))       
   4.178 +  "\<turnstile> \<box>($PsiInv & [(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2))       
   4.179           & SF(N1)_(x,y,sem,pc1,pc2) & \<box> SF(N2)_(x,y,sem,pc1,pc2)   
   4.180 -         --> (pc1 = #a \<leadsto> pc1 = #b)"
   4.181 +         \<longrightarrow> (pc1 = #a \<leadsto> pc1 = #b)"
   4.182    apply (rule SF1)
   4.183    apply (tactic {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *})
   4.184    apply (tactic
   4.185 @@ -263,9 +263,9 @@
   4.186  
   4.187  (* Combine the leadsto properties for N1: it will arrive at pc1 = b *)
   4.188  
   4.189 -lemma N1_leadsto_b: "|- \<box>($PsiInv & [(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2))              
   4.190 +lemma N1_leadsto_b: "\<turnstile> \<box>($PsiInv & [(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2))              
   4.191           & SF(N1)_(x,y,sem,pc1,pc2) & \<box> SF(N2)_(x,y,sem,pc1,pc2)   
   4.192 -         --> (pc1 = #b | pc1 = #g | pc1 = #a \<leadsto> pc1 = #b)"
   4.193 +         \<longrightarrow> (pc1 = #b | pc1 = #g | pc1 = #a \<leadsto> pc1 = #b)"
   4.194    apply (auto intro!: LatticeDisjunctionIntro [temp_use])
   4.195      apply (rule LatticeReflexivity [temp_use])
   4.196     apply (rule LatticeTransitivity [temp_use])
   4.197 @@ -273,15 +273,15 @@
   4.198        simp: split_box_conj)
   4.199    done
   4.200  
   4.201 -lemma N1_live: "|- \<box>($PsiInv & [(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2))              
   4.202 +lemma N1_live: "\<turnstile> \<box>($PsiInv & [(N1 | N2) & \<not>beta1]_(x,y,sem,pc1,pc2))              
   4.203           & SF(N1)_(x,y,sem,pc1,pc2) & \<box> SF(N2)_(x,y,sem,pc1,pc2)   
   4.204 -         --> \<diamond>(pc1 = #b)"
   4.205 +         \<longrightarrow> \<diamond>(pc1 = #b)"
   4.206    apply (auto simp: Init_defs intro!: N1_leadsto_b [temp_use, THEN [2] leadsto_init [temp_use]])
   4.207    apply (case_tac "pc1 (st1 sigma)")
   4.208      apply auto
   4.209    done
   4.210  
   4.211 -lemma N1_enabled_at_b: "|- pc1 = #b --> Enabled (<N1>_(x,y,sem,pc1,pc2))"
   4.212 +lemma N1_enabled_at_b: "\<turnstile> pc1 = #b \<longrightarrow> Enabled (<N1>_(x,y,sem,pc1,pc2))"
   4.213    apply clarsimp
   4.214    apply (rule_tac F = beta1 in enabled_mono)
   4.215     apply (enabled Inc_base)
   4.216 @@ -291,9 +291,9 @@
   4.217  
   4.218  (* Now assemble the bits and pieces to prove that Psi is fair. *)
   4.219  
   4.220 -lemma Fair_M1_lemma: "|- \<box>($PsiInv & [(N1 | N2)]_(x,y,sem,pc1,pc2))    
   4.221 +lemma Fair_M1_lemma: "\<turnstile> \<box>($PsiInv & [(N1 | N2)]_(x,y,sem,pc1,pc2))    
   4.222           & SF(N1)_(x,y,sem,pc1,pc2) & \<box>SF(N2)_(x,y,sem,pc1,pc2)   
   4.223 -         --> SF(M1)_(x,y)"
   4.224 +         \<longrightarrow> SF(M1)_(x,y)"
   4.225    apply (rule_tac B = beta1 and P = "PRED pc1 = #b" in SF2)
   4.226     (* action premises *)
   4.227       apply (force simp: angle_def M1_def beta1_def)
   4.228 @@ -304,7 +304,7 @@
   4.229      elim: STL4E [temp_use] simp: square_def)
   4.230    done
   4.231  
   4.232 -lemma Fair_M1: "|- Psi --> WF(M1)_(x,y)"
   4.233 +lemma Fair_M1: "\<turnstile> Psi \<longrightarrow> WF(M1)_(x,y)"
   4.234    by (auto intro!: SFImplWF [temp_use] Fair_M1_lemma [temp_use] PsiInv [temp_use]
   4.235      simp: Psi_def split_box_conj [temp_use] more_temp_simps)
   4.236  
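--- a/src/HOL/TLA/Init.thy
+++ b/src/HOL/TLA/Init.thy
@@ -18,22 +18,22 @@
 
 
 consts
-  Initial     :: "('w::world => bool) => temporal"
-  first_world :: "behavior => ('w::world)"
-  st1         :: "behavior => state"
-  st2         :: "behavior => state"
+  Initial     :: "('w::world \<Rightarrow> bool) \<Rightarrow> temporal"
+  first_world :: "behavior \<Rightarrow> ('w::world)"
+  st1         :: "behavior \<Rightarrow> state"
+  st2         :: "behavior \<Rightarrow> state"
 
 syntax
-  "_TEMP"    :: "lift => 'a"                          ("(TEMP _)")
-  "_Init"    :: "lift => lift"                        ("(Init _)"[40] 50)
+  "_TEMP"    :: "lift \<Rightarrow> 'a"                          ("(TEMP _)")
+  "_Init"    :: "lift \<Rightarrow> lift"                        ("(Init _)"[40] 50)
 
 translations
-  "TEMP F"   => "(F::behavior => _)"
+  "TEMP F"   => "(F::behavior \<Rightarrow> _)"
   "_Init"    == "CONST Initial"
   "sigma |= Init F"  <= "_Init F sigma"
 
 defs
-  Init_def:    "sigma |= Init F  ==  (first_world sigma) |= F"
+  Init_def:    "sigma \<Turnstile> Init F  ==  (first_world sigma) \<Turnstile> F"
 
 defs (overloaded)
   fw_temp_def: "first_world == \<lambda>sigma. sigma"
@@ -41,37 +41,37 @@
   fw_act_def:  "first_world == \<lambda>sigma. (st1 sigma, st2 sigma)"
 
 lemma const_simps [int_rewrite, simp]:
-  "|- (Init #True) = #True"
-  "|- (Init #False) = #False"
+  "\<turnstile> (Init #True) = #True"
+  "\<turnstile> (Init #False) = #False"
   by (auto simp: Init_def)
 
 lemma Init_simps1 [int_rewrite]:
-  "\<And>F. |- (Init \<not>F) = (\<not> Init F)"
-  "|- (Init (P --> Q)) = (Init P --> Init Q)"
-  "|- (Init (P & Q)) = (Init P & Init Q)"
-  "|- (Init (P | Q)) = (Init P | Init Q)"
-  "|- (Init (P = Q)) = ((Init P) = (Init Q))"
-  "|- (Init (\<forall>x. F x)) = (\<forall>x. (Init F x))"
-  "|- (Init (\<exists>x. F x)) = (\<exists>x. (Init F x))"
-  "|- (Init (\<exists>!x. F x)) = (\<exists>!x. (Init F x))"
+  "\<And>F. \<turnstile> (Init \<not>F) = (\<not> Init F)"
+  "\<turnstile> (Init (P \<longrightarrow> Q)) = (Init P \<longrightarrow> Init Q)"
+  "\<turnstile> (Init (P & Q)) = (Init P & Init Q)"
+  "\<turnstile> (Init (P | Q)) = (Init P | Init Q)"
+  "\<turnstile> (Init (P = Q)) = ((Init P) = (Init Q))"
+  "\<turnstile> (Init (\<forall>x. F x)) = (\<forall>x. (Init F x))"
+  "\<turnstile> (Init (\<exists>x. F x)) = (\<exists>x. (Init F x))"
+  "\<turnstile> (Init (\<exists>!x. F x)) = (\<exists>!x. (Init F x))"
   by (auto simp: Init_def)
 
-lemma Init_stp_act: "|- (Init $P) = (Init P)"
+lemma Init_stp_act: "\<turnstile> (Init $P) = (Init P)"
   by (auto simp add: Init_def fw_act_def fw_stp_def)
 
 lemmas Init_simps2 = Init_stp_act [int_rewrite] Init_simps1
 lemmas Init_stp_act_rev = Init_stp_act [int_rewrite, symmetric]
 
-lemma Init_temp: "|- (Init F) = F"
+lemma Init_temp: "\<turnstile> (Init F) = F"
   by (auto simp add: Init_def fw_temp_def)
 
 lemmas Init_simps = Init_temp [int_rewrite] Init_simps2
 
 (* Trivial instances of the definitions that avoid introducing lambda expressions. *)
-lemma Init_stp: "(sigma |= Init P) = P (st1 sigma)"
+lemma Init_stp: "(sigma \<Turnstile> Init P) = P (st1 sigma)"
   by (simp add: Init_def fw_stp_def)
 
-lemma Init_act: "(sigma |= Init A) = A (st1 sigma, st2 sigma)"
+lemma Init_act: "(sigma \<Turnstile> Init A) = A (st1 sigma, st2 sigma)"
   by (simp add: Init_def fw_act_def)
 
 lemmas Init_defs = Init_stp Init_act Init_temp [int_use]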
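Review bot: The translation rule `"sigma |= Init F"  <= "_Init F sigma"` (line 5.26 of the first hunk) still spells the satisfaction relation as ASCII `|=` while `Init_def` directly below it now writes `\<Turnstile>`, so the new text mixes both spellings within a few lines of the same file. Both spellings are declared for `_holdsAt` in Intensional.thy, so `"sigma \<Turnstile> Init F"  <= "_Init F sigma"` should be accepted as-is and would finish the conversion here. The meta-equality `==` in `Init_def` and in the `fw_*_def` lines is likewise left in ASCII although the commit converts `==>` to `\<Longrightarrow>` elsewhere; whether `\<equiv>` is intended for those is a call for the author, but the choice is worth stating once rather than leaving it implicit.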
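--- a/src/HOL/TLA/Intensional.thy
+++ b/src/HOL/TLA/Intensional.thy
@@ -14,79 +14,79 @@
 
 (** abstract syntax **)
 
-type_synonym ('w,'a) expr = "'w => 'a"   (* intention: 'w::world, 'a::type *)
+type_synonym ('w,'a) expr = "'w \<Rightarrow> 'a"   (* intention: 'w::world, 'a::type *)
 type_synonym 'w form = "('w, bool) expr"
 
 consts
-  Valid    :: "('w::world) form => bool"
-  const    :: "'a => ('w::world, 'a) expr"
-  lift     :: "['a => 'b, ('w::world, 'a) expr] => ('w,'b) expr"
-  lift2    :: "['a => 'b => 'c, ('w::world,'a) expr, ('w,'b) expr] => ('w,'c) expr"
-  lift3    :: "['a => 'b => 'c => 'd, ('w::world,'a) expr, ('w,'b) expr, ('w,'c) expr] => ('w,'d) expr"
+  Valid    :: "('w::world) form \<Rightarrow> bool"
+  const    :: "'a \<Rightarrow> ('w::world, 'a) expr"
+  lift     :: "['a \<Rightarrow> 'b, ('w::world, 'a) expr] \<Rightarrow> ('w,'b) expr"
+  lift2    :: "['a \<Rightarrow> 'b \<Rightarrow> 'c, ('w::world,'a) expr, ('w,'b) expr] \<Rightarrow> ('w,'c) expr"
+  lift3    :: "['a \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'd, ('w::world,'a) expr, ('w,'b) expr, ('w,'c) expr] \<Rightarrow> ('w,'d) expr"
 
   (* "Rigid" quantification (logic level) *)
-  RAll     :: "('a => ('w::world) form) => 'w form"       (binder "Rall " 10)
-  REx      :: "('a => ('w::world) form) => 'w form"       (binder "Rex " 10)
-  REx1     :: "('a => ('w::world) form) => 'w form"       (binder "Rex! " 10)
+  RAll     :: "('a \<Rightarrow> ('w::world) form) \<Rightarrow> 'w form"       (binder "Rall " 10)
+  REx      :: "('a \<Rightarrow> ('w::world) form) \<Rightarrow> 'w form"       (binder "Rex " 10)
+  REx1     :: "('a \<Rightarrow> ('w::world) form) \<Rightarrow> 'w form"       (binder "Rex! " 10)
 
 (** concrete syntax **)
 
 nonterminal lift and liftargs
 
 syntax
-  ""            :: "id => lift"                          ("_")
-  ""            :: "longid => lift"                      ("_")
-  ""            :: "var => lift"                         ("_")
-  "_applC"      :: "[lift, cargs] => lift"               ("(1_/ _)" [1000, 1000] 999)
-  ""            :: "lift => lift"                        ("'(_')")
-  "_lambda"     :: "[idts, 'a] => lift"                  ("(3\<lambda>_./ _)" [0, 3] 3)
-  "_constrain"  :: "[lift, type] => lift"                ("(_::_)" [4, 0] 3)
-  ""            :: "lift => liftargs"                    ("_")
-  "_liftargs"   :: "[lift, liftargs] => liftargs"        ("_,/ _")
-  "_Valid"      :: "lift => bool"                        ("(|- _)" 5)
-  "_holdsAt"    :: "['a, lift] => bool"                  ("(_ |= _)" [100,10] 10)
+  ""            :: "id \<Rightarrow> lift"                          ("_")
+  ""            :: "longid \<Rightarrow> lift"                      ("_")
+  ""            :: "var \<Rightarrow> lift"                         ("_")
+  "_applC"      :: "[lift, cargs] \<Rightarrow> lift"               ("(1_/ _)" [1000, 1000] 999)
+  ""            :: "lift \<Rightarrow> lift"                        ("'(_')")
+  "_lambda"     :: "[idts, 'a] \<Rightarrow> lift"                  ("(3\<lambda>_./ _)" [0, 3] 3)
+  "_constrain"  :: "[lift, type] \<Rightarrow> lift"                ("(_::_)" [4, 0] 3)
+  ""            :: "lift \<Rightarrow> liftargs"                    ("_")
+  "_liftargs"   :: "[lift, liftargs] \<Rightarrow> liftargs"        ("_,/ _")
+  "_Valid"      :: "lift \<Rightarrow> bool"                        ("(|- _)" 5)
+  "_holdsAt"    :: "['a, lift] \<Rightarrow> bool"                  ("(_ |= _)" [100,10] 10)
 
-  (* Syntax for lifted expressions outside the scope of |- or |= *)
-  "_LIFT"       :: "lift => 'a"                          ("LIFT _")
+  (* Syntax for lifted expressions outside the scope of \<turnstile> or |= *)
+  "_LIFT"       :: "lift \<Rightarrow> 'a"                          ("LIFT _")
 
   (* generic syntax for lifted constants and functions *)
-  "_const"      :: "'a => lift"                          ("(#_)" [1000] 999)
-  "_lift"       :: "['a, lift] => lift"                  ("(_<_>)" [1000] 999)
-  "_lift2"      :: "['a, lift, lift] => lift"            ("(_<_,/ _>)" [1000] 999)
-  "_lift3"      :: "['a, lift, lift, lift] => lift"      ("(_<_,/ _,/ _>)" [1000] 999)
+  "_const"      :: "'a \<Rightarrow> lift"                          ("(#_)" [1000] 999)
+  "_lift"       :: "['a, lift] \<Rightarrow> lift"                  ("(_<_>)" [1000] 999)
+  "_lift2"      :: "['a, lift, lift] \<Rightarrow> lift"            ("(_<_,/ _>)" [1000] 999)
+  "_lift3"      :: "['a, lift, lift, lift] \<Rightarrow> lift"      ("(_<_,/ _,/ _>)" [1000] 999)
 
   (* concrete syntax for common infix functions: reuse same symbol *)
-  "_liftEqu"    :: "[lift, lift] => lift"                ("(_ =/ _)" [50,51] 50)
-  "_liftNeq"    :: "[lift, lift] => lift"                ("(_ ~=/ _)" [50,51] 50)
-  "_liftNot"    :: "lift => lift"                        ("(~ _)" [40] 40)
-  "_liftAnd"    :: "[lift, lift] => lift"                ("(_ &/ _)" [36,35] 35)
-  "_liftOr"     :: "[lift, lift] => lift"                ("(_ |/ _)" [31,30] 30)
-  "_liftImp"    :: "[lift, lift] => lift"                ("(_ -->/ _)" [26,25] 25)
-  "_liftIf"     :: "[lift, lift, lift] => lift"          ("(if (_)/ then (_)/ else (_))" 10)
-  "_liftPlus"   :: "[lift, lift] => lift"                ("(_ +/ _)" [66,65] 65)
-  "_liftMinus"  :: "[lift, lift] => lift"                ("(_ -/ _)" [66,65] 65)
-  "_liftTimes"  :: "[lift, lift] => lift"                ("(_ */ _)" [71,70] 70)
-  "_liftDiv"    :: "[lift, lift] => lift"                ("(_ div _)" [71,70] 70)
-  "_liftMod"    :: "[lift, lift] => lift"                ("(_ mod _)" [71,70] 70)
-  "_liftLess"   :: "[lift, lift] => lift"                ("(_/ < _)"  [50, 51] 50)
-  "_liftLeq"    :: "[lift, lift] => lift"                ("(_/ <= _)" [50, 51] 50)
-  "_liftMem"    :: "[lift, lift] => lift"                ("(_/ : _)" [50, 51] 50)
-  "_liftNotMem" :: "[lift, lift] => lift"                ("(_/ ~: _)" [50, 51] 50)
-  "_liftFinset" :: "liftargs => lift"                    ("{(_)}")
+  "_liftEqu"    :: "[lift, lift] \<Rightarrow> lift"                ("(_ =/ _)" [50,51] 50)
+  "_liftNeq"    :: "[lift, lift] \<Rightarrow> lift"                ("(_ ~=/ _)" [50,51] 50)
+  "_liftNot"    :: "lift \<Rightarrow> lift"                        ("(~ _)" [40] 40)
+  "_liftAnd"    :: "[lift, lift] \<Rightarrow> lift"                ("(_ &/ _)" [36,35] 35)
+  "_liftOr"     :: "[lift, lift] \<Rightarrow> lift"                ("(_ |/ _)" [31,30] 30)
+  "_liftImp"    :: "[lift, lift] \<Rightarrow> lift"                ("(_ -->/ _)" [26,25] 25)
+  "_liftIf"     :: "[lift, lift, lift] \<Rightarrow> lift"          ("(if (_)/ then (_)/ else (_))" 10)
+  "_liftPlus"   :: "[lift, lift] \<Rightarrow> lift"                ("(_ +/ _)" [66,65] 65)
+  "_liftMinus"  :: "[lift, lift] \<Rightarrow> lift"                ("(_ -/ _)" [66,65] 65)
+  "_liftTimes"  :: "[lift, lift] \<Rightarrow> lift"                ("(_ */ _)" [71,70] 70)
+  "_liftDiv"    :: "[lift, lift] \<Rightarrow> lift"                ("(_ div _)" [71,70] 70)
+  "_liftMod"    :: "[lift, lift] \<Rightarrow> lift"                ("(_ mod _)" [71,70] 70)
+  "_liftLess"   :: "[lift, lift] \<Rightarrow> lift"                ("(_/ < _)"  [50, 51] 50)
+  "_liftLeq"    :: "[lift, lift] \<Rightarrow> lift"                ("(_/ <= _)" [50, 51] 50)
+  "_liftMem"    :: "[lift, lift] \<Rightarrow> lift"                ("(_/ : _)" [50, 51] 50)
+  "_liftNotMem" :: "[lift, lift] \<Rightarrow> lift"                ("(_/ ~: _)" [50, 51] 50)
+  "_liftFinset" :: "liftargs \<Rightarrow> lift"                    ("{(_)}")
   (** TODO: syntax for lifted collection / comprehension **)
-  "_liftPair"   :: "[lift,liftargs] => lift"                   ("(1'(_,/ _'))")
+  "_liftPair"   :: "[lift,liftargs] \<Rightarrow> lift"                   ("(1'(_,/ _'))")
   (* infix syntax for list operations *)
-  "_liftCons" :: "[lift, lift] => lift"                  ("(_ #/ _)" [65,66] 65)
-  "_liftApp"  :: "[lift, lift] => lift"                  ("(_ @/ _)" [65,66] 65)
-  "_liftList" :: "liftargs => lift"                      ("[(_)]")
+  "_liftCons" :: "[lift, lift] \<Rightarrow> lift"                  ("(_ #/ _)" [65,66] 65)
+  "_liftApp"  :: "[lift, lift] \<Rightarrow> lift"                  ("(_ @/ _)" [65,66] 65)
+  "_liftList" :: "liftargs \<Rightarrow> lift"                      ("[(_)]")
 
   (* Rigid quantification (syntax level) *)
-  "_ARAll"  :: "[idts, lift] => lift"                    ("(3! _./ _)" [0, 10] 10)
-  "_AREx"   :: "[idts, lift] => lift"                    ("(3? _./ _)" [0, 10] 10)
-  "_AREx1"  :: "[idts, lift] => lift"                    ("(3?! _./ _)" [0, 10] 10)
-  "_RAll" :: "[idts, lift] => lift"                      ("(3ALL _./ _)" [0, 10] 10)
-  "_REx"  :: "[idts, lift] => lift"                      ("(3EX _./ _)" [0, 10] 10)
-  "_REx1" :: "[idts, lift] => lift"                      ("(3EX! _./ _)" [0, 10] 10)
+  "_ARAll"  :: "[idts, lift] \<Rightarrow> lift"                    ("(3! _./ _)" [0, 10] 10)
+  "_AREx"   :: "[idts, lift] \<Rightarrow> lift"                    ("(3? _./ _)" [0, 10] 10)
+  "_AREx1"  :: "[idts, lift] \<Rightarrow> lift"                    ("(3?! _./ _)" [0, 10] 10)
+  "_RAll" :: "[idts, lift] \<Rightarrow> lift"                      ("(3ALL _./ _)" [0, 10] 10)
+  "_REx"  :: "[idts, lift] \<Rightarrow> lift"                      ("(3EX _./ _)" [0, 10] 10)
+  "_REx1" :: "[idts, lift] \<Rightarrow> lift"                      ("(3EX! _./ _)" [0, 10] 10)
 
 translations
   "_const"        == "CONST const"
@@ -141,31 +141,31 @@
   "w |= EX! x. A"  <= "_REx1 x A w"
 
 syntax (xsymbols)
-  "_Valid"      :: "lift => bool"                        ("(\<turnstile> _)" 5)
-  "_holdsAt"    :: "['a, lift] => bool"                  ("(_ \<Turnstile> _)" [100,10] 10)
-  "_liftNeq"    :: "[lift, lift] => lift"                (infixl "\<noteq>" 50)
-  "_liftNot"    :: "lift => lift"                        ("\<not> _" [40] 40)
-  "_liftAnd"    :: "[lift, lift] => lift"                (infixr "\<and>" 35)
-  "_liftOr"     :: "[lift, lift] => lift"                (infixr "\<or>" 30)
-  "_liftImp"    :: "[lift, lift] => lift"                (infixr "\<longrightarrow>" 25)
-  "_RAll"       :: "[idts, lift] => lift"                ("(3\<forall>_./ _)" [0, 10] 10)
-  "_REx"        :: "[idts, lift] => lift"                ("(3\<exists>_./ _)" [0, 10] 10)
-  "_REx1"       :: "[idts, lift] => lift"                ("(3\<exists>!_./ _)" [0, 10] 10)
-  "_liftLeq"    :: "[lift, lift] => lift"                ("(_/ \<le> _)" [50, 51] 50)
-  "_liftMem"    :: "[lift, lift] => lift"                ("(_/ \<in> _)" [50, 51] 50)
-  "_liftNotMem" :: "[lift, lift] => lift"                ("(_/ \<notin> _)" [50, 51] 50)
+  "_Valid"      :: "lift \<Rightarrow> bool"                        ("(\<turnstile> _)" 5)
+  "_holdsAt"    :: "['a, lift] \<Rightarrow> bool"                  ("(_ \<Turnstile> _)" [100,10] 10)
+  "_liftNeq"    :: "[lift, lift] \<Rightarrow> lift"                (infixl "\<noteq>" 50)
+  "_liftNot"    :: "lift \<Rightarrow> lift"                        ("\<not> _" [40] 40)
+  "_liftAnd"    :: "[lift, lift] \<Rightarrow> lift"                (infixr "\<and>" 35)
+  "_liftOr"     :: "[lift, lift] \<Rightarrow> lift"                (infixr "\<or>" 30)
+  "_liftImp"    :: "[lift, lift] \<Rightarrow> lift"                (infixr "\<longrightarrow>" 25)
+  "_RAll"       :: "[idts, lift] \<Rightarrow> lift"                ("(3\<forall>_./ _)" [0, 10] 10)
+  "_REx"        :: "[idts, lift] \<Rightarrow> lift"                ("(3\<exists>_./ _)" [0, 10] 10)
+  "_REx1"       :: "[idts, lift] \<Rightarrow> lift"                ("(3\<exists>!_./ _)" [0, 10] 10)
+  "_liftLeq"    :: "[lift, lift] \<Rightarrow> lift"                ("(_/ \<le> _)" [50, 51] 50)
+  "_liftMem"    :: "[lift, lift] \<Rightarrow> lift"                ("(_/ \<in> _)" [50, 51] 50)
+  "_liftNotMem" :: "[lift, lift] \<Rightarrow> lift"                ("(_/ \<notin> _)" [50, 51] 50)
 
 defs
-  Valid_def:   "|- A    ==  \<forall>w. w |= A"
+  Valid_def:   "\<turnstile> A    ==  \<forall>w. w \<Turnstile> A"
 
   unl_con:     "LIFT #c w  ==  c"
   unl_lift:    "lift f x w == f (x w)"
   unl_lift2:   "LIFT f<x, y> w == f (x w) (y w)"
   unl_lift3:   "LIFT f<x, y, z> w == f (x w) (y w) (z w)"
 
-  unl_Rall:    "w |= \<forall>x. A x  ==  \<forall>x. (w |= A x)"
-  unl_Rex:     "w |= \<exists>x. A x   ==  \<exists> x. (w |= A x)"
-  unl_Rex1:    "w |= \<exists>!x. A x  ==  \<exists>!x. (w |= A x)"
+  unl_Rall:    "w \<Turnstile> \<forall>x. A x  ==  \<forall>x. (w \<Turnstile> A x)"
+  unl_Rex:     "w \<Turnstile> \<exists>x. A x   ==  \<exists> x. (w \<Turnstile> A x)"
+  unl_Rex1:    "w \<Turnstile> \<exists>!x. A x  ==  \<exists>!x. (w \<Turnstile> A x)"
 
 
 subsection {* Lemmas and tactics for "intensional" logics. *}
@@ -173,20 +173,20 @@
 lemmas intensional_rews [simp] =
   unl_con unl_lift unl_lift2 unl_lift3 unl_Rall unl_Rex unl_Rex1
 
-lemma inteq_reflection: "|- x=y  ==>  (x==y)"
+lemma inteq_reflection: "\<turnstile> x=y  \<Longrightarrow>  (x==y)"
   apply (unfold Valid_def unl_lift2)
   apply (rule eq_reflection)
   apply (rule ext)
   apply (erule spec)
   done
 
-lemma intI [intro!]: "(\<And>w. w |= A) ==> |- A"
+lemma intI [intro!]: "(\<And>w. w \<Turnstile> A) \<Longrightarrow> \<turnstile> A"
   apply (unfold Valid_def)
   apply (rule allI)
   apply (erule meta_spec)
   done
 
-lemma intD [dest]: "|- A ==> w |= A"
+lemma intD [dest]: "\<turnstile> A \<Longrightarrow> w \<Turnstile> A"
   apply (unfold Valid_def)
   apply (erule spec)
   done
@@ -194,30 +194,30 @@
 (** Lift usual HOL simplifications to "intensional" level. **)
 
 lemma int_simps:
-  "|- (x=x) = #True"
-  "|- (\<not>#True) = #False"  "|- (\<not>#False) = #True"  "|- (\<not>\<not> P) = P"
-  "|- ((\<not>P) = P) = #False"  "|- (P = (\<not>P)) = #False"
-  "|- (P \<noteq> Q) = (P = (\<not>Q))"
-  "|- (#True=P) = P"  "|- (P=#True) = P"
-  "|- (#True --> P) = P"  "|- (#False --> P) = #True"
-  "|- (P --> #True) = #True"  "|- (P --> P) = #True"
-  "|- (P --> #False) = (\<not>P)"  "|- (P --> \<not>P) = (\<not>P)"
-  "|- (P & #True) = P"  "|- (#True & P) = P"
-  "|- (P & #False) = #False"  "|- (#False & P) = #False"
-  "|- (P & P) = P"  "|- (P & \<not>P) = #False"  "|- (\<not>P & P) = #False"
-  "|- (P | #True) = #True"  "|- (#True | P) = #True"
-  "|- (P | #False) = P"  "|- (#False | P) = P"
-  "|- (P | P) = P"  "|- (P | \<not>P) = #True"  "|- (\<not>P | P) = #True"
-  "|- (\<forall>x. P) = P"  "|- (\<exists>x. P) = P"
-  "|- (\<not>Q --> \<not>P) = (P --> Q)"
-  "|- (P|Q --> R) = ((P-->R)&(Q-->R))"
+  "\<turnstile> (x=x) = #True"
+  "\<turnstile> (\<not>#True) = #False"  "\<turnstile> (\<not>#False) = #True"  "\<turnstile> (\<not>\<not> P) = P"
+  "\<turnstile> ((\<not>P) = P) = #False"  "\<turnstile> (P = (\<not>P)) = #False"
+  "\<turnstile> (P \<noteq> Q) = (P = (\<not>Q))"
+  "\<turnstile> (#True=P) = P"  "\<turnstile> (P=#True) = P"
+  "\<turnstile> (#True \<longrightarrow> P) = P"  "\<turnstile> (#False \<longrightarrow> P) = #True"
+  "\<turnstile> (P \<longrightarrow> #True) = #True"  "\<turnstile> (P \<longrightarrow> P) = #True"
+  "\<turnstile> (P \<longrightarrow> #False) = (\<not>P)"  "\<turnstile> (P \<longrightarrow> \<not>P) = (\<not>P)"
+  "\<turnstile> (P & #True) = P"  "\<turnstile> (#True & P) = P"
+  "\<turnstile> (P & #False) = #False"  "\<turnstile> (#False & P) = #False"
+  "\<turnstile> (P & P) = P"  "\<turnstile> (P & \<not>P) = #False"  "\<turnstile> (\<not>P & P) = #False"
+  "\<turnstile> (P | #True) = #True"  "\<turnstile> (#True | P) = #True"
+  "\<turnstile> (P | #False) = P"  "\<turnstile> (#False | P) = P"
+  "\<turnstile> (P | P) = P"  "\<turnstile> (P | \<not>P) = #True"  "\<turnstile> (\<not>P | P) = #True"
+  "\<turnstile> (\<forall>x. P) = P"  "\<turnstile> (\<exists>x. P) = P"
+  "\<turnstile> (\<not>Q \<longrightarrow> \<not>P) = (P \<longrightarrow> Q)"
+  "\<turnstile> (P|Q \<longrightarrow> R) = ((P\<longrightarrow>R)&(Q\<longrightarrow>R))"
   apply (unfold Valid_def intensional_rews)
   apply blast+
   done
 
 declare int_simps [THEN inteq_reflection, simp]
 
-lemma TrueW [simp]: "|- #True"
+lemma TrueW [simp]: "\<turnstile> #True"
   by (simp add: Valid_def unl_con)
 
 
@@ -226,21 +226,21 @@
 
 ML {*
 (* Basic unlifting introduces a parameter "w" and applies basic rewrites, e.g.
-   |- F = G    becomes   F w = G w
-   |- F --> G  becomes   F w --> G w
+   \<turnstile> F = G    becomes   F w = G w
+   \<turnstile> F \<longrightarrow> G  becomes   F w \<longrightarrow> G w
 *)
 
 fun int_unlift ctxt th =
   rewrite_rule ctxt @{thms intensional_rews} (th RS @{thm intD} handle THM _ => th);
 
-(* Turn  |- F = G  into meta-level rewrite rule  F == G *)
+(* Turn  \<turnstile> F = G  into meta-level rewrite rule  F == G *)
 fun int_rewrite ctxt th =
   zero_var_indexes (rewrite_rule ctxt @{thms intensional_rews} (th RS @{thm inteq_reflection}))
 
-(* flattening turns "-->" into "==>" and eliminates conjunctions in the
+(* flattening turns "\<longrightarrow>" into "\<Longrightarrow>" and eliminates conjunctions in the
    antecedent. For example,
 
-         P & Q --> (R | S --> T)    becomes   [| P; Q; R | S |] ==> T
+         P & Q \<longrightarrow> (R | S \<longrightarrow> T)    becomes   \<lbrakk> P; Q; R | S \<rbrakk> \<Longrightarrow> T
 
    Flattening can be useful with "intensional" lemmas (after unlifting).
    Naive resolution with mp and conjI may run away because of higher-order
@@ -284,10 +284,10 @@
 attribute_setup int_use =
   {* Scan.succeed (Thm.rule_attribute (int_use o Context.proof_of)) *}
 
-lemma Not_Rall: "|- (\<not>(\<forall>x. F x)) = (\<exists>x. \<not>F x)"
+lemma Not_Rall: "\<turnstile> (\<not>(\<forall>x. F x)) = (\<exists>x. \<not>F x)"
   by (simp add: Valid_def)
 
-lemma Not_Rex: "|- (\<not> (\<exists>x. F x)) = (\<forall>x. \<not> F x)"
+lemma Not_Rex: "\<turnstile> (\<not> (\<exists>x. F x)) = (\<forall>x. \<not> F x)"
   by (simp add: Valid_def)
 
 end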
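Review bot: The comment on line 6.61 of the first hunk is only half-converted: it now reads `(* Syntax for lifted expressions outside the scope of \<turnstile> or |= *)`, pairing the new symbol with the ASCII spelling of the satisfaction relation that `Valid_def` in the same file now writes as `\<Turnstile>`; `(* Syntax for lifted expressions outside the scope of \<turnstile> or \<Turnstile> *)` would match the rest of the commit. The same partial conversion appears in `inteq_reflection`, where `==>` became `\<Longrightarrow>` but the meta-equality stays as `(x==y)`, and in the `int_rewrite` comment, which still says `F == G`. If ASCII `==` is meant to stay (the `unl_*` definitions keep it too), a one-line remark near `Valid_def` stating which notation the file standardises on would spare the next reader from guessing whether the mix is deliberate.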
     7.1 --- a/src/HOL/TLA/Memory/MemClerk.thy	Fri Jun 26 11:44:22 2015 +0200
     7.2 +++ b/src/HOL/TLA/Memory/MemClerk.thy	Fri Jun 26 14:53:15 2015 +0200
     7.3 @@ -11,16 +11,16 @@
     7.4  (* The clerk takes the same arguments as the memory and sends requests to the RPC *)
     7.5  type_synonym mClkSndChType = "memChType"
     7.6  type_synonym mClkRcvChType = "rpcSndChType"
     7.7 -type_synonym mClkStType = "(PrIds => mClkState) stfun"
     7.8 +type_synonym mClkStType = "(PrIds \<Rightarrow> mClkState) stfun"
     7.9  
    7.10  definition
    7.11    (* state predicates *)
    7.12 -  MClkInit      :: "mClkRcvChType => mClkStType => PrIds => stpred"
    7.13 +  MClkInit      :: "mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> stpred"
    7.14    where "MClkInit rcv cst p = PRED (cst!p = #clkA  &  \<not>Calling rcv p)"
    7.15  
    7.16  definition
    7.17    (* actions *)
    7.18 -  MClkFwd       :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => action"
    7.19 +  MClkFwd       :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> action"
    7.20    where "MClkFwd send rcv cst p = ACT
    7.21                             $Calling send p
    7.22                           & $(cst!p) = #clkA
    7.23 @@ -29,7 +29,7 @@
    7.24                           & unchanged (rtrner send!p)"
    7.25  
    7.26  definition
    7.27 -  MClkRetry     :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => action"
    7.28 +  MClkRetry     :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> action"
    7.29    where "MClkRetry send rcv cst p = ACT
    7.30                             $(cst!p) = #clkB
    7.31                           & res<$(rcv!p)> = #RPCFailure
    7.32 @@ -37,7 +37,7 @@
    7.33                           & unchanged (cst!p, rtrner send!p)"
    7.34  
    7.35  definition
    7.36 -  MClkReply     :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => action"
    7.37 +  MClkReply     :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> action"
    7.38    where "MClkReply send rcv cst p = ACT
    7.39                             \<not>$Calling rcv p
    7.40                           & $(cst!p) = #clkB
    7.41 @@ -46,7 +46,7 @@
    7.42                           & unchanged (caller rcv!p)"
    7.43  
    7.44  definition
    7.45 -  MClkNext      :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => action"
    7.46 +  MClkNext      :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> action"
    7.47    where "MClkNext send rcv cst p = ACT
    7.48                          (  MClkFwd send rcv cst p
    7.49                           | MClkRetry send rcv cst p
    7.50 @@ -54,7 +54,7 @@
    7.51  
    7.52  definition
    7.53    (* temporal *)
    7.54 -  MClkIPSpec    :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => temporal"
    7.55 +  MClkIPSpec    :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> temporal"
    7.56    where "MClkIPSpec send rcv cst p = TEMP
    7.57                             Init MClkInit rcv cst p
    7.58                           & \<box>[ MClkNext send rcv cst p ]_(cst!p, rtrner send!p, caller rcv!p)
    7.59 @@ -62,7 +62,7 @@
    7.60                           & SF(MClkReply send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p)"
    7.61  
    7.62  definition
    7.63 -  MClkISpec     :: "mClkSndChType => mClkRcvChType => mClkStType => temporal"
    7.64 +  MClkISpec     :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> temporal"
    7.65    where "MClkISpec send rcv cst = TEMP (\<forall>p. MClkIPSpec send rcv cst p)"
    7.66  
    7.67  lemmas MC_action_defs =
    7.68 @@ -73,33 +73,33 @@
    7.69  (* The Clerk engages in an action for process p only if there is an outstanding,
    7.70     unanswered call for that process.
    7.71  *)
    7.72 -lemma MClkidle: "|- \<not>$Calling send p & $(cst!p) = #clkA --> \<not>MClkNext send rcv cst p"
    7.73 +lemma MClkidle: "\<turnstile> \<not>$Calling send p & $(cst!p) = #clkA \<longrightarrow> \<not>MClkNext send rcv cst p"
    7.74    by (auto simp: Return_def MC_action_defs)
    7.75  
    7.76 -lemma MClkbusy: "|- $Calling rcv p --> \<not>MClkNext send rcv cst p"
    7.77 +lemma MClkbusy: "\<turnstile> $Calling rcv p \<longrightarrow> \<not>MClkNext send rcv cst p"
    7.78    by (auto simp: Call_def MC_action_defs)
    7.79  
    7.80  
    7.81  (* Enabledness of actions *)
    7.82  
    7.83 -lemma MClkFwd_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, cst!p) ==>  
    7.84 -      |- Calling send p & \<not>Calling rcv p & cst!p = #clkA   
    7.85 -         --> Enabled (MClkFwd send rcv cst p)"
    7.86 +lemma MClkFwd_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, cst!p) \<Longrightarrow>  
    7.87 +      \<turnstile> Calling send p & \<not>Calling rcv p & cst!p = #clkA   
    7.88 +         \<longrightarrow> Enabled (MClkFwd send rcv cst p)"
    7.89    by (tactic {* action_simp_tac (@{context} addsimps [@{thm MClkFwd_def},
    7.90      @{thm Call_def}, @{thm caller_def}, @{thm rtrner_def}]) [exI]
    7.91      [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
    7.92  
    7.93 -lemma MClkFwd_ch_enabled: "|- Enabled (MClkFwd send rcv cst p)  -->   
    7.94 +lemma MClkFwd_ch_enabled: "\<turnstile> Enabled (MClkFwd send rcv cst p)  \<longrightarrow>   
    7.95           Enabled (<MClkFwd send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))"
    7.96    by (auto elim!: enabled_mono simp: angle_def MClkFwd_def)
    7.97  
    7.98 -lemma MClkReply_change: "|- MClkReply send rcv cst p -->  
    7.99 +lemma MClkReply_change: "\<turnstile> MClkReply send rcv cst p \<longrightarrow>  
   7.100           <MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p)"
   7.101    by (auto simp: angle_def MClkReply_def elim: Return_changed [temp_use])
   7.102  
   7.103 -lemma MClkReply_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, cst!p) ==>  
   7.104 -      |- Calling send p & \<not>Calling rcv p & cst!p = #clkB   
   7.105 -         --> Enabled (<MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))"
   7.106 +lemma MClkReply_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, cst!p) \<Longrightarrow>  
   7.107 +      \<turnstile> Calling send p & \<not>Calling rcv p & cst!p = #clkB   
   7.108 +         \<longrightarrow> Enabled (<MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))"
   7.109    apply (tactic {* action_simp_tac @{context}
   7.110      [@{thm MClkReply_change} RSN (2, @{thm enabled_mono})] [] 1 *})
   7.111    apply (tactic {* action_simp_tac (@{context} addsimps
   7.112 @@ -107,7 +107,7 @@
   7.113      [exI] [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
   7.114    done
   7.115  
   7.116 -lemma MClkReplyNotRetry: "|- MClkReply send rcv cst p --> \<not>MClkRetry send rcv cst p"
   7.117 +lemma MClkReplyNotRetry: "\<turnstile> MClkReply send rcv cst p \<longrightarrow> \<not>MClkRetry send rcv cst p"
   7.118    by (auto simp: MClkReply_def MClkRetry_def)
   7.119  
   7.120  end
     8.1 --- a/src/HOL/TLA/Memory/MemClerkParameters.thy	Fri Jun 26 11:44:22 2015 +0200
     8.2 +++ b/src/HOL/TLA/Memory/MemClerkParameters.thy	Fri Jun 26 14:53:15 2015 +0200
     8.3 @@ -17,12 +17,12 @@
     8.4  
     8.5  definition
     8.6    (* translate a memory call to an RPC call *)
     8.7 -  MClkRelayArg     :: "memOp => rpcOp"
     8.8 +  MClkRelayArg     :: "memOp \<Rightarrow> rpcOp"
     8.9    where "MClkRelayArg marg = memcall marg"
    8.10  
    8.11  definition
    8.12    (* translate RPC failures to memory failures *)
    8.13 -  MClkReplyVal     :: "Vals => Vals"
    8.14 +  MClkReplyVal     :: "Vals \<Rightarrow> Vals"
    8.15    where "MClkReplyVal v = (if v = RPCFailure then MemFailure else v)"
    8.16  
    8.17  end
     9.1 --- a/src/HOL/TLA/Memory/Memory.thy	Fri Jun 26 11:44:22 2015 +0200
     9.2 +++ b/src/HOL/TLA/Memory/Memory.thy	Fri Jun 26 14:53:15 2015 +0200
     9.3 @@ -9,46 +9,46 @@
     9.4  begin
     9.5  
     9.6  type_synonym memChType = "(memOp, Vals) channel"
     9.7 -type_synonym memType = "(Locs => Vals) stfun"  (* intention: MemLocs => MemVals *)
     9.8 -type_synonym resType = "(PrIds => Vals) stfun"
     9.9 +type_synonym memType = "(Locs \<Rightarrow> Vals) stfun"  (* intention: MemLocs \<Rightarrow> MemVals *)
    9.10 +type_synonym resType = "(PrIds \<Rightarrow> Vals) stfun"
    9.11  
    9.12  consts
    9.13    (* state predicates *)
    9.14 -  MInit      :: "memType => Locs => stpred"
    9.15 -  PInit      :: "resType => PrIds => stpred"
    9.16 +  MInit      :: "memType \<Rightarrow> Locs \<Rightarrow> stpred"
    9.17 +  PInit      :: "resType \<Rightarrow> PrIds \<Rightarrow> stpred"
    9.18    (* auxiliary predicates: is there a pending read/write request for
    9.19       some process id and location/value? *)
    9.20 -  RdRequest  :: "memChType => PrIds => Locs => stpred"
    9.21 -  WrRequest  :: "memChType => PrIds => Locs => Vals => stpred"
    9.22 +  RdRequest  :: "memChType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> stpred"
    9.23 +  WrRequest  :: "memChType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> Vals \<Rightarrow> stpred"
    9.24  
    9.25    (* actions *)
    9.26 -  GoodRead   :: "memType => resType => PrIds => Locs => action"
    9.27 -  BadRead    :: "memType => resType => PrIds => Locs => action"
    9.28 -  ReadInner  :: "memChType => memType => resType => PrIds => Locs => action"
    9.29 -  Read       :: "memChType => memType => resType => PrIds => action"
    9.30 -  GoodWrite  :: "memType => resType => PrIds => Locs => Vals => action"
    9.31 -  BadWrite   :: "memType => resType => PrIds => Locs => Vals => action"
    9.32 -  WriteInner :: "memChType => memType => resType => PrIds => Locs => Vals => action"
    9.33 -  Write      :: "memChType => memType => resType => PrIds => Locs => action"
    9.34 -  MemReturn  :: "memChType => resType => PrIds => action"
    9.35 -  MemFail    :: "memChType => resType => PrIds => action"
    9.36 -  RNext      :: "memChType => memType => resType => PrIds => action"
    9.37 -  UNext      :: "memChType => memType => resType => PrIds => action"
    9.38 +  GoodRead   :: "memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> action"
    9.39 +  BadRead    :: "memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> action"
    9.40 +  ReadInner  :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> action"
    9.41 +  Read       :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
    9.42 +  GoodWrite  :: "memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> Vals \<Rightarrow> action"
    9.43 +  BadWrite   :: "memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> Vals \<Rightarrow> action"
    9.44 +  WriteInner :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> Vals \<Rightarrow> action"
    9.45 +  Write      :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> action"
    9.46 +  MemReturn  :: "memChType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
    9.47 +  MemFail    :: "memChType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
    9.48 +  RNext      :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
    9.49 +  UNext      :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
    9.50  
    9.51    (* temporal formulas *)
    9.52 -  RPSpec     :: "memChType => memType => resType => PrIds => temporal"
    9.53 -  UPSpec     :: "memChType => memType => resType => PrIds => temporal"
    9.54 -  MSpec      :: "memChType => memType => resType => Locs => temporal"
    9.55 -  IRSpec     :: "memChType => memType => resType => temporal"
    9.56 -  IUSpec     :: "memChType => memType => resType => temporal"
    9.57 +  RPSpec     :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> temporal"
    9.58 +  UPSpec     :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> temporal"
    9.59 +  MSpec      :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> Locs \<Rightarrow> temporal"
    9.60 +  IRSpec     :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> temporal"
    9.61 +  IUSpec     :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> temporal"
    9.62  
    9.63 -  RSpec      :: "memChType => resType => temporal"
    9.64 -  USpec      :: "memChType => temporal"
    9.65 +  RSpec      :: "memChType \<Rightarrow> resType \<Rightarrow> temporal"
    9.66 +  USpec      :: "memChType \<Rightarrow> temporal"
    9.67  
    9.68    (* memory invariant: in the paper, the invariant is hidden in the definition of
    9.69       the predicate S used in the implementation proof, but it is easier to verify
    9.70       at this level. *)
    9.71 -  MemInv    :: "memType => Locs => stpred"
    9.72 +  MemInv    :: "memType \<Rightarrow> Locs \<Rightarrow> stpred"
    9.73  
    9.74  defs
    9.75    MInit_def:         "MInit mm l == PRED mm!l = #InitVal"
    9.76 @@ -119,15 +119,15 @@
    9.77                          & \<box>[ \<exists>p. Write ch mm rs p l ]_(mm!l)"
    9.78    IRSpec_def:        "IRSpec ch mm rs == TEMP
    9.79                          (\<forall>p. RPSpec ch mm rs p)
    9.80 -                        & (\<forall>l. #l : #MemLoc --> MSpec ch mm rs l)"
    9.81 +                        & (\<forall>l. #l : #MemLoc \<longrightarrow> MSpec ch mm rs l)"
    9.82    IUSpec_def:        "IUSpec ch mm rs == TEMP
    9.83                          (\<forall>p. UPSpec ch mm rs p)
    9.84 -                        & (\<forall>l. #l : #MemLoc --> MSpec ch mm rs l)"
    9.85 +                        & (\<forall>l. #l : #MemLoc \<longrightarrow> MSpec ch mm rs l)"
    9.86  
    9.87    RSpec_def:         "RSpec ch rs == TEMP (\<exists>\<exists>mm. IRSpec ch mm rs)"
    9.88    USpec_def:         "USpec ch == TEMP (\<exists>\<exists>mm rs. IUSpec ch mm rs)"
    9.89  
    9.90 -  MemInv_def:        "MemInv mm l == PRED  #l : #MemLoc --> mm!l : #MemVal"
    9.91 +  MemInv_def:        "MemInv mm l == PRED  #l : #MemLoc \<longrightarrow> mm!l : #MemVal"
    9.92  
    9.93  lemmas RM_action_defs =
    9.94    MInit_def PInit_def RdRequest_def WrRequest_def MemInv_def
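Review bot: The sweep converts `-->` on the MemInv_def line but leaves the meta-equality `==` of the same `defs` entries in ASCII (`"MemInv mm l == PRED ...`, likewise IRSpec_def and IUSpec_def above it), so the new lines mix both notations; `\<equiv>` is the symbol form if the intent is a complete conversion, e.g. `MemInv_def: "MemInv mm l \<equiv> PRED #l : #MemLoc \<longrightarrow> mm!l : #MemVal"`. The same partial conversion appears in two later hunks of this changeset: RWRNext_enabled in Memory.thy keeps the ASCII quantifier `(!l. MemInv mm l)` while the neighbouring RNext_enabled uses `(\<forall>l. MemInv mm l)`, and the MVOKBARF/MVOKBA/MVNROKBA definitions in MemoryImplementation.thy keep `<->` on their `where` lines although their signatures were converted (`\<longleftrightarrow>` is the symbol). Presumably these are left for a follow-up; if so, a remark in the commit description would make the scope of this sweep clear. The `defs` block begins outside this hunk.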
    9.95 @@ -142,19 +142,19 @@
    9.96  
    9.97  
    9.98  (* The reliable memory is an implementation of the unreliable one *)
    9.99 -lemma ReliableImplementsUnReliable: "|- IRSpec ch mm rs --> IUSpec ch mm rs"
   9.100 +lemma ReliableImplementsUnReliable: "\<turnstile> IRSpec ch mm rs \<longrightarrow> IUSpec ch mm rs"
   9.101    by (force simp: UNext_def UPSpec_def IUSpec_def RM_temp_defs elim!: STL4E [temp_use] squareE)
   9.102  
   9.103  (* The memory spec implies the memory invariant *)
   9.104 -lemma MemoryInvariant: "|- MSpec ch mm rs l --> \<box>(MemInv mm l)"
   9.105 +lemma MemoryInvariant: "\<turnstile> MSpec ch mm rs l \<longrightarrow> \<box>(MemInv mm l)"
   9.106    by (auto_invariant simp: RM_temp_defs RM_action_defs)
   9.107  
   9.108  (* The invariant is trivial for non-locations *)
   9.109 -lemma NonMemLocInvariant: "|- #l \<notin> #MemLoc --> \<box>(MemInv mm l)"
   9.110 +lemma NonMemLocInvariant: "\<turnstile> #l \<notin> #MemLoc \<longrightarrow> \<box>(MemInv mm l)"
   9.111    by (auto simp: MemInv_def intro!: necT [temp_use])
   9.112  
   9.113  lemma MemoryInvariantAll:
   9.114 -    "|- (\<forall>l. #l : #MemLoc --> MSpec ch mm rs l) --> (\<forall>l. \<box>(MemInv mm l))"
   9.115 +    "\<turnstile> (\<forall>l. #l : #MemLoc \<longrightarrow> MSpec ch mm rs l) \<longrightarrow> (\<forall>l. \<box>(MemInv mm l))"
   9.116    apply clarify
   9.117    apply (auto elim!: MemoryInvariant [temp_use] NonMemLocInvariant [temp_use])
   9.118    done
   9.119 @@ -164,17 +164,17 @@
   9.120     We need this only for the reliable memory.
   9.121  *)
   9.122  
   9.123 -lemma Memoryidle: "|- \<not>$(Calling ch p) --> \<not> RNext ch mm rs p"
   9.124 +lemma Memoryidle: "\<turnstile> \<not>$(Calling ch p) \<longrightarrow> \<not> RNext ch mm rs p"
   9.125    by (auto simp: Return_def RM_action_defs)
   9.126  
   9.127  (* Enabledness conditions *)
   9.128  
   9.129 -lemma MemReturn_change: "|- MemReturn ch rs p --> <MemReturn ch rs p>_(rtrner ch ! p, rs!p)"
   9.130 +lemma MemReturn_change: "\<turnstile> MemReturn ch rs p \<longrightarrow> <MemReturn ch rs p>_(rtrner ch ! p, rs!p)"
   9.131    by (force simp: MemReturn_def angle_def)
   9.132  
   9.133 -lemma MemReturn_enabled: "\<And>p. basevars (rtrner ch ! p, rs!p) ==>
   9.134 -      |- Calling ch p & (rs!p \<noteq> #NotAResult)
   9.135 -         --> Enabled (<MemReturn ch rs p>_(rtrner ch ! p, rs!p))"
   9.136 +lemma MemReturn_enabled: "\<And>p. basevars (rtrner ch ! p, rs!p) \<Longrightarrow>
   9.137 +      \<turnstile> Calling ch p & (rs!p \<noteq> #NotAResult)
   9.138 +         \<longrightarrow> Enabled (<MemReturn ch rs p>_(rtrner ch ! p, rs!p))"
   9.139    apply (tactic
   9.140      {* action_simp_tac @{context} [@{thm MemReturn_change} RSN (2, @{thm enabled_mono}) ] [] 1 *})
   9.141    apply (tactic
   9.142 @@ -182,34 +182,34 @@
   9.143        @{thm rtrner_def}]) [exI] [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
   9.144    done
   9.145  
   9.146 -lemma ReadInner_enabled: "\<And>p. basevars (rtrner ch ! p, rs!p) ==>
   9.147 -      |- Calling ch p & (arg<ch!p> = #(read l)) --> Enabled (ReadInner ch mm rs p l)"
   9.148 +lemma ReadInner_enabled: "\<And>p. basevars (rtrner ch ! p, rs!p) \<Longrightarrow>
   9.149 +      \<turnstile> Calling ch p & (arg<ch!p> = #(read l)) \<longrightarrow> Enabled (ReadInner ch mm rs p l)"
   9.150    apply (case_tac "l : MemLoc")
   9.151    apply (force simp: ReadInner_def GoodRead_def BadRead_def RdRequest_def
   9.152      intro!: exI elim!: base_enabled [temp_use])+
   9.153    done
   9.154  
   9.155 -lemma WriteInner_enabled: "\<And>p. basevars (mm!l, rtrner ch ! p, rs!p) ==>
   9.156 -      |- Calling ch p & (arg<ch!p> = #(write l v))
   9.157 -         --> Enabled (WriteInner ch mm rs p l v)"
   9.158 +lemma WriteInner_enabled: "\<And>p. basevars (mm!l, rtrner ch ! p, rs!p) \<Longrightarrow>
   9.159 +      \<turnstile> Calling ch p & (arg<ch!p> = #(write l v))
   9.160 +         \<longrightarrow> Enabled (WriteInner ch mm rs p l v)"
   9.161    apply (case_tac "l:MemLoc & v:MemVal")
   9.162    apply (force simp: WriteInner_def GoodWrite_def BadWrite_def WrRequest_def
   9.163      intro!: exI elim!: base_enabled [temp_use])+
   9.164    done
   9.165  
   9.166 -lemma ReadResult: "|- Read ch mm rs p & (\<forall>l. $(MemInv mm l)) --> (rs!p)` \<noteq> #NotAResult"
   9.167 +lemma ReadResult: "\<turnstile> Read ch mm rs p & (\<forall>l. $(MemInv mm l)) \<longrightarrow> (rs!p)` \<noteq> #NotAResult"
   9.168    by (force simp: Read_def ReadInner_def GoodRead_def BadRead_def MemInv_def)
   9.169  
   9.170 -lemma WriteResult: "|- Write ch mm rs p l --> (rs!p)` \<noteq> #NotAResult"
   9.171 +lemma WriteResult: "\<turnstile> Write ch mm rs p l \<longrightarrow> (rs!p)` \<noteq> #NotAResult"
   9.172    by (auto simp: Write_def WriteInner_def GoodWrite_def BadWrite_def)
   9.173  
   9.174 -lemma ReturnNotReadWrite: "|- (\<forall>l. $MemInv mm l) & MemReturn ch rs p
   9.175 -         --> \<not> Read ch mm rs p & (\<forall>l. \<not> Write ch mm rs p l)"
   9.176 +lemma ReturnNotReadWrite: "\<turnstile> (\<forall>l. $MemInv mm l) & MemReturn ch rs p
   9.177 +         \<longrightarrow> \<not> Read ch mm rs p & (\<forall>l. \<not> Write ch mm rs p l)"
   9.178    by (auto simp: MemReturn_def dest!: WriteResult [temp_use] ReadResult [temp_use])
   9.179  
   9.180 -lemma RWRNext_enabled: "|- (rs!p = #NotAResult) & (!l. MemInv mm l)
   9.181 +lemma RWRNext_enabled: "\<turnstile> (rs!p = #NotAResult) & (!l. MemInv mm l)
   9.182           & Enabled (Read ch mm rs p | (\<exists>l. Write ch mm rs p l))
   9.183 -         --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"
   9.184 +         \<longrightarrow> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"
   9.185    by (force simp: RNext_def angle_def elim!: enabled_mono2
   9.186      dest: ReadResult [temp_use] WriteResult [temp_use])
   9.187  
   9.188 @@ -217,9 +217,9 @@
   9.189  (* Combine previous lemmas: the memory can make a visible step if there is an
   9.190     outstanding call for which no result has been produced.
   9.191  *)
   9.192 -lemma RNext_enabled: "\<And>p. \<forall>l. basevars (mm!l, rtrner ch!p, rs!p) ==>
   9.193 -      |- (rs!p = #NotAResult) & Calling ch p & (\<forall>l. MemInv mm l)
   9.194 -         --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"
   9.195 +lemma RNext_enabled: "\<And>p. \<forall>l. basevars (mm!l, rtrner ch!p, rs!p) \<Longrightarrow>
   9.196 +      \<turnstile> (rs!p = #NotAResult) & Calling ch p & (\<forall>l. MemInv mm l)
   9.197 +         \<longrightarrow> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"
   9.198    apply (auto simp: enabled_disj [try_rewrite] intro!: RWRNext_enabled [temp_use])
   9.199    apply (case_tac "arg (ch w p)")
   9.200     apply (tactic {* action_simp_tac (@{context} addsimps [@{thm Read_def},
    10.1 --- a/src/HOL/TLA/Memory/MemoryImplementation.thy	Fri Jun 26 11:44:22 2015 +0200
    10.2 +++ b/src/HOL/TLA/Memory/MemoryImplementation.thy	Fri Jun 26 14:53:15 2015 +0200
    10.3 @@ -10,7 +10,7 @@
    10.4  
    10.5  datatype histState = histA | histB
    10.6  
    10.7 -type_synonym histType = "(PrIds => histState) stfun"  (* the type of the history variable *)
    10.8 +type_synonym histType = "(PrIds \<Rightarrow> histState) stfun"  (* the type of the history variable *)
    10.9  
   10.10  consts
   10.11    (* the specification *)
   10.12 @@ -32,15 +32,15 @@
   10.13  
   10.14  definition
   10.15    (* auxiliary predicates *)
   10.16 -  MVOKBARF      :: "Vals => bool"
   10.17 +  MVOKBARF      :: "Vals \<Rightarrow> bool"
   10.18    where "MVOKBARF v <-> (v : MemVal) | (v = OK) | (v = BadArg) | (v = RPCFailure)"
   10.19  
   10.20  definition
   10.21 -  MVOKBA        :: "Vals => bool"
   10.22 +  MVOKBA        :: "Vals \<Rightarrow> bool"
   10.23    where "MVOKBA v <-> (v : MemVal) | (v = OK) | (v = BadArg)"
   10.24  
   10.25  definition
   10.26 -  MVNROKBA      :: "Vals => bool"
   10.27 +  MVNROKBA      :: "Vals \<Rightarrow> bool"
   10.28    where "MVNROKBA v <-> (v : MemVal) | (v = NotAResult) | (v = OK) | (v = BadArg)"
   10.29  
   10.30  definition
   10.31 @@ -49,30 +49,30 @@
   10.32    where "e p = PRED (caller memCh!p)"
   10.33  
   10.34  definition
   10.35 -  c             :: "PrIds => (mClkState * (bit * Vals) * (bit * rpcOp)) stfun"
   10.36 +  c             :: "PrIds \<Rightarrow> (mClkState * (bit * Vals) * (bit * rpcOp)) stfun"
   10.37    where "c p = PRED (cst!p, rtrner memCh!p, caller crCh!p)"
   10.38  
   10.39  definition
   10.40 -  r             :: "PrIds => (rpcState * (bit * Vals) * (bit * memOp)) stfun"
   10.41 +  r             :: "PrIds \<Rightarrow> (rpcState * (bit * Vals) * (bit * memOp)) stfun"
   10.42    where "r p = PRED (rst!p, rtrner crCh!p, caller rmCh!p)"
   10.43  
   10.44  definition
   10.45 -  m             :: "PrIds => ((bit * Vals) * Vals) stfun"
   10.46 +  m             :: "PrIds \<Rightarrow> ((bit * Vals) * Vals) stfun"
   10.47    where "m p = PRED (rtrner rmCh!p, ires!p)"
   10.48  
   10.49  definition
   10.50    (* the environment action *)
   10.51 -  ENext         :: "PrIds => action"
   10.52 +  ENext         :: "PrIds \<Rightarrow> action"
   10.53    where "ENext p = ACT (\<exists>l. #l : #MemLoc & Call memCh p #(read l))"
   10.54  
   10.55  
   10.56  definition
   10.57    (* specification of the history variable *)
   10.58 -  HInit         :: "histType => PrIds => stpred"
   10.59 +  HInit         :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
   10.60    where "HInit rmhist p = PRED rmhist!p = #histA"
   10.61  
   10.62  definition
   10.63 -  HNext         :: "histType => PrIds => action"
   10.64 +  HNext         :: "histType \<Rightarrow> PrIds \<Rightarrow> action"
   10.65    where "HNext rmhist p = ACT (rmhist!p)$ =
   10.66                       (if (MemReturn rmCh ires p | RPCFail crCh rmCh rst p)
   10.67                        then #histB
   10.68 @@ -81,39 +81,39 @@
   10.69                             else $(rmhist!p))"
   10.70  
   10.71  definition
   10.72 -  HistP         :: "histType => PrIds => temporal"
   10.73 +  HistP         :: "histType \<Rightarrow> PrIds \<Rightarrow> temporal"
   10.74    where "HistP rmhist p = (TEMP Init HInit rmhist p
   10.75                             & \<box>[HNext rmhist p]_(c p,r p,m p, rmhist!p))"
   10.76  
   10.77  definition
   10.78 -  Hist          :: "histType => temporal"
   10.79 +  Hist          :: "histType \<Rightarrow> temporal"
   10.80    where "Hist rmhist = TEMP (\<forall>p. HistP rmhist p)"
   10.81  
   10.82  definition
   10.83    (* the implementation *)
   10.84 -  IPImp          :: "PrIds => temporal"
   10.85 +  IPImp          :: "PrIds \<Rightarrow> temporal"
   10.86    where "IPImp p = (TEMP (  Init \<not>Calling memCh p & \<box>[ENext p]_(e p)
   10.87                         & MClkIPSpec memCh crCh cst p
   10.88                         & RPCIPSpec crCh rmCh rst p
   10.89                         & RPSpec rmCh mm ires p
   10.90 -                       & (\<forall>l. #l : #MemLoc --> MSpec rmCh mm ires l)))"
   10.91 +                       & (\<forall>l. #l : #MemLoc \<longrightarrow> MSpec rmCh mm ires l)))"
   10.92  
   10.93  definition
   10.94 -  ImpInit        :: "PrIds => stpred"
   10.95 +  ImpInit        :: "PrIds \<Rightarrow> stpred"
   10.96    where "ImpInit p = PRED (  \<not>Calling memCh p
   10.97                            & MClkInit crCh cst p
   10.98                            & RPCInit rmCh rst p
   10.99                            & PInit ires p)"
  10.100  
  10.101  definition
  10.102 -  ImpNext        :: "PrIds => action"
  10.103 +  ImpNext        :: "PrIds \<Rightarrow> action"
  10.104    where "ImpNext p = (ACT  [ENext p]_(e p)
  10.105                         & [MClkNext memCh crCh cst p]_(c p)
  10.106                         & [RPCNext crCh rmCh rst p]_(r p)
  10.107                         & [RNext rmCh mm ires p]_(m p))"
  10.108  
  10.109  definition
  10.110 -  ImpLive        :: "PrIds => temporal"
  10.111 +  ImpLive        :: "PrIds \<Rightarrow> temporal"
  10.112    where "ImpLive p = (TEMP  WF(MClkFwd memCh crCh cst p)_(c p)
  10.113                          & SF(MClkReply memCh crCh cst p)_(c p)
  10.114                          & WF(RPCNext crCh rmCh rst p)_(r p)
  10.115 @@ -134,16 +134,16 @@
  10.116       NB: The second conjunct of the definition in the paper is taken care of by
  10.117       the type definitions. The last conjunct is asserted separately as the memory
  10.118       invariant MemInv, proved in Memory.thy. *)
  10.119 -  S :: "histType => bool => bool => bool => mClkState => rpcState => histState => histState => PrIds => stpred"
  10.120 +  S :: "histType \<Rightarrow> bool \<Rightarrow> bool \<Rightarrow> bool \<Rightarrow> mClkState \<Rightarrow> rpcState \<Rightarrow> histState \<Rightarrow> histState \<Rightarrow> PrIds \<Rightarrow> stpred"
  10.121    where "S rmhist ecalling ccalling rcalling cs rs hs1 hs2 p = (PRED
  10.122                  Calling memCh p = #ecalling
  10.123                & Calling crCh p  = #ccalling
  10.124 -              & (#ccalling --> arg<crCh!p> = MClkRelayArg<arg<memCh!p>>)
  10.125 -              & (\<not> #ccalling & cst!p = #clkB --> MVOKBARF<res<crCh!p>>)
  10.126 +              & (#ccalling \<longrightarrow> arg<crCh!p> = MClkRelayArg<arg<memCh!p>>)
  10.127 +              & (\<not> #ccalling & cst!p = #clkB \<longrightarrow> MVOKBARF<res<crCh!p>>)
  10.128                & Calling rmCh p  = #rcalling
  10.129 -              & (#rcalling --> arg<rmCh!p> = RPCRelayArg<arg<crCh!p>>)
  10.130 -              & (\<not> #rcalling --> ires!p = #NotAResult)
  10.131 -              & (\<not> #rcalling & rst!p = #rpcB --> MVOKBA<res<rmCh!p>>)
  10.132 +              & (#rcalling \<longrightarrow> arg<rmCh!p> = RPCRelayArg<arg<crCh!p>>)
  10.133 +              & (\<not> #rcalling \<longrightarrow> ires!p = #NotAResult)
  10.134 +              & (\<not> #rcalling & rst!p = #rpcB \<longrightarrow> MVOKBA<res<rmCh!p>>)
  10.135                & cst!p = #cs
  10.136                & rst!p = #rs
  10.137                & (rmhist!p = #hs1 | rmhist!p = #hs2)
  10.138 @@ -151,37 +151,37 @@
  10.139  
  10.140  definition
  10.141    (* predicates S1 -- S6 define special instances of S *)
  10.142 -  S1            :: "histType => PrIds => stpred"
  10.143 +  S1            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  10.144    where "S1 rmhist p = S rmhist False False False clkA rpcA histA histA p"
  10.145  
  10.146  definition
  10.147 -  S2            :: "histType => PrIds => stpred"
  10.148 +  S2            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  10.149    where "S2 rmhist p = S rmhist True False False clkA rpcA histA histA p"
  10.150  
  10.151  definition
  10.152 -  S3            :: "histType => PrIds => stpred"
  10.153 +  S3            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  10.154    where "S3 rmhist p = S rmhist True True False clkB rpcA histA histB p"
  10.155  
  10.156  definition
  10.157 -  S4            :: "histType => PrIds => stpred"
  10.158 +  S4            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  10.159    where "S4 rmhist p = S rmhist True True True clkB rpcB histA histB p"
  10.160  
  10.161  definition
  10.162 -  S5            :: "histType => PrIds => stpred"
  10.163 +  S5            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  10.164    where "S5 rmhist p = S rmhist True True False clkB rpcB histB histB p"
  10.165  
  10.166  definition
  10.167 -  S6            :: "histType => PrIds => stpred"
  10.168 +  S6            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  10.169    where "S6 rmhist p = S rmhist True False False clkB rpcA histB histB p"
  10.170  
  10.171  definition
  10.172    (* The invariant asserts that the system is always in one of S1 - S6, for every p *)
  10.173 -  ImpInv         :: "histType => PrIds => stpred"
  10.174 +  ImpInv         :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  10.175    where "ImpInv rmhist p = (PRED (S1 rmhist p | S2 rmhist p | S3 rmhist p
  10.176                                  | S4 rmhist p | S5 rmhist p | S6 rmhist p))"
  10.177  
  10.178  definition
  10.179 -  resbar        :: "histType => resType"        (* refinement mapping *)
  10.180 +  resbar        :: "histType \<Rightarrow> resType"        (* refinement mapping *)
  10.181    where"resbar rmhist s p =
  10.182                    (if (S1 rmhist p s | S2 rmhist p s)
  10.183                     then ires s p
  10.184 @@ -241,8 +241,8 @@
  10.185  
  10.186  section "History variable"
  10.187  
  10.188 -lemma HistoryLemma: "|- Init(\<forall>p. ImpInit p) & \<box>(\<forall>p. ImpNext p)
  10.189 -         --> (\<exists>\<exists>rmhist. Init(\<forall>p. HInit rmhist p)
  10.190 +lemma HistoryLemma: "\<turnstile> Init(\<forall>p. ImpInit p) & \<box>(\<forall>p. ImpNext p)
  10.191 +         \<longrightarrow> (\<exists>\<exists>rmhist. Init(\<forall>p. HInit rmhist p)
  10.192                            & \<box>(\<forall>p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)))"
  10.193    apply clarsimp
  10.194    apply (rule historyI)
  10.195 @@ -255,7 +255,7 @@
  10.196    apply (erule fun_cong)
  10.197    done
  10.198  
  10.199 -lemma History: "|- Implementation --> (\<exists>\<exists>rmhist. Hist rmhist)"
  10.200 +lemma History: "\<turnstile> Implementation \<longrightarrow> (\<exists>\<exists>rmhist. Hist rmhist)"
  10.201    apply clarsimp
  10.202    apply (rule HistoryLemma [temp_use, THEN eex_mono])
  10.203      prefer 3
  10.204 @@ -274,14 +274,14 @@
  10.205  
  10.206  (* RPCFailure notin MemVals U {OK,BadArg} *)
  10.207  
  10.208 -lemma MVOKBAnotRF: "MVOKBA x ==> x \<noteq> RPCFailure"
  10.209 +lemma MVOKBAnotRF: "MVOKBA x \<Longrightarrow> x \<noteq> RPCFailure"
  10.210    apply (unfold MVOKBA_def)
  10.211    apply auto
  10.212    done
  10.213  
  10.214  (* NotAResult notin MemVals U {OK,BadArg,RPCFailure} *)
  10.215  
  10.216 -lemma MVOKBARFnotNR: "MVOKBARF x ==> x \<noteq> NotAResult"
  10.217 +lemma MVOKBARFnotNR: "MVOKBARF x \<Longrightarrow> x \<noteq> NotAResult"
  10.218    apply (unfold MVOKBARF_def)
  10.219    apply auto
  10.220    done
  10.221 @@ -294,32 +294,32 @@
  10.222  *)
  10.223  
  10.224  (* --- not used ---
  10.225 -lemma S1_excl: "|- S1 rmhist p --> S1 rmhist p & \<not>S2 rmhist p & \<not>S3 rmhist p &
  10.226 +lemma S1_excl: "\<turnstile> S1 rmhist p \<longrightarrow> S1 rmhist p & \<not>S2 rmhist p & \<not>S3 rmhist p &
  10.227      \<not>S4 rmhist p & \<not>S5 rmhist p & \<not>S6 rmhist p"
  10.228    by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def S6_def)
  10.229  *)
  10.230  
  10.231 -lemma S2_excl: "|- S2 rmhist p --> S2 rmhist p & \<not>S1 rmhist p"
  10.232 +lemma S2_excl: "\<turnstile> S2 rmhist p \<longrightarrow> S2 rmhist p & \<not>S1 rmhist p"
  10.233    by (auto simp: S_def S1_def S2_def)
  10.234  
  10.235 -lemma S3_excl: "|- S3 rmhist p --> S3 rmhist p & \<not>S1 rmhist p & \<not>S2 rmhist p"
  10.236 +lemma S3_excl: "\<turnstile> S3 rmhist p \<longrightarrow> S3 rmhist p & \<not>S1 rmhist p & \<not>S2 rmhist p"
  10.237    by (auto simp: S_def S1_def S2_def S3_def)
  10.238  
  10.239 -lemma S4_excl: "|- S4 rmhist p --> S4 rmhist p & \<not>S1 rmhist p & \<not>S2 rmhist p & \<not>S3 rmhist p"
  10.240 +lemma S4_excl: "\<turnstile> S4 rmhist p \<longrightarrow> S4 rmhist p & \<not>S1 rmhist p & \<not>S2 rmhist p & \<not>S3 rmhist p"
  10.241    by (auto simp: S_def S1_def S2_def S3_def S4_def)
  10.242  
  10.243 -lemma S5_excl: "|- S5 rmhist p --> S5 rmhist p & \<not>S1 rmhist p & \<not>S2 rmhist p
  10.244 +lemma S5_excl: "\<turnstile> S5 rmhist p \<longrightarrow> S5 rmhist p & \<not>S1 rmhist p & \<not>S2 rmhist p
  10.245                           & \<not>S3 rmhist p & \<not>S4 rmhist p"
  10.246    by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def)
  10.247  
  10.248 -lemma S6_excl: "|- S6 rmhist p --> S6 rmhist p & \<not>S1 rmhist p & \<not>S2 rmhist p
  10.249 +lemma S6_excl: "\<turnstile> S6 rmhist p \<longrightarrow> S6 rmhist p & \<not>S1 rmhist p & \<not>S2 rmhist p
  10.250                           & \<not>S3 rmhist p & \<not>S4 rmhist p & \<not>S5 rmhist p"
  10.251    by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def S6_def)
  10.252  
  10.253  
  10.254  (* ==================== Lemmas about the environment ============================== *)
  10.255  
  10.256 -lemma Envbusy: "|- $(Calling memCh p) --> \<not>ENext p"
  10.257 +lemma Envbusy: "\<turnstile> $(Calling memCh p) \<longrightarrow> \<not>ENext p"
  10.258    by (auto simp: ENext_def Call_def)
  10.259  
  10.260  (* ==================== Lemmas about the implementation's states ==================== *)
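Review bot: The symbol migration in this hunk is only half done: `\<turnstile>` and `\<longrightarrow>` become Isabelle symbols while the conjunctions on the same lines stay ASCII `&`, e.g. S2_excl at `\<turnstile> S2 rmhist p \<longrightarrow> S2 rmhist p & \<not>S1 rmhist p`. If the Intensional syntax accepts `\<and>` for the lifted conjunction (it already takes `\<not>`), finishing the line as `\<turnstile> S2 rmhist p \<longrightarrow> S2 rmhist p \<and> \<not>S1 rmhist p` would keep each statement in one notation instead of two. The same edit was also applied to the commented-out S1_excl, which is marked "not used"; either drop that dead lemma or leave a one-line comment saying why it is kept in sync with the live ones.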
  10.261 @@ -331,25 +331,25 @@
  10.262  
  10.263  (* ------------------------------ State S1 ---------------------------------------- *)
  10.264  
  10.265 -lemma S1Env: "|- ENext p & $(S1 rmhist p) & unchanged (c p, r p, m p, rmhist!p)
  10.266 -         --> (S2 rmhist p)$"
  10.267 +lemma S1Env: "\<turnstile> ENext p & $(S1 rmhist p) & unchanged (c p, r p, m p, rmhist!p)
  10.268 +         \<longrightarrow> (S2 rmhist p)$"
  10.269    by (force simp: ENext_def Call_def c_def r_def m_def
  10.270      caller_def rtrner_def MVNROKBA_def S_def S1_def S2_def Calling_def)
  10.271  
  10.272 -lemma S1ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S1 rmhist p) --> unchanged (c p)"
  10.273 +lemma S1ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) & $(S1 rmhist p) \<longrightarrow> unchanged (c p)"
  10.274    using [[fast_solver]]
  10.275    by (auto elim!: squareE [temp_use] dest!: MClkidle [temp_use] simp: S_def S1_def)
  10.276  
  10.277 -lemma S1RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $(S1 rmhist p) --> unchanged (r p)"
  10.278 +lemma S1RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) & $(S1 rmhist p) \<longrightarrow> unchanged (r p)"
  10.279    using [[fast_solver]]
  10.280    by (auto elim!: squareE [temp_use] dest!: RPCidle [temp_use] simp: S_def S1_def)
  10.281  
  10.282 -lemma S1MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S1 rmhist p) --> unchanged (m p)"
  10.283 +lemma S1MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) & $(S1 rmhist p) \<longrightarrow> unchanged (m p)"
  10.284    using [[fast_solver]]
  10.285    by (auto elim!: squareE [temp_use] dest!: Memoryidle [temp_use] simp: S_def S1_def)
  10.286  
  10.287 -lemma S1Hist: "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S1 rmhist p)
  10.288 -         --> unchanged (rmhist!p)"
  10.289 +lemma S1Hist: "\<turnstile> [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S1 rmhist p)
  10.290 +         \<longrightarrow> unchanged (rmhist!p)"
  10.291    by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def}, @{thm S_def},
  10.292      @{thm S1_def}, @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm MClkReply_def},
  10.293      @{thm Return_def}]) [] [temp_use @{context} @{thm squareE}] 1 *})
  10.294 @@ -357,88 +357,88 @@
  10.295  
  10.296  (* ------------------------------ State S2 ---------------------------------------- *)
  10.297  
  10.298 -lemma S2EnvUnch: "|- [ENext p]_(e p) & $(S2 rmhist p) --> unchanged (e p)"
  10.299 +lemma S2EnvUnch: "\<turnstile> [ENext p]_(e p) & $(S2 rmhist p) \<longrightarrow> unchanged (e p)"
  10.300    by (auto dest!: Envbusy [temp_use] simp: S_def S2_def)
  10.301  
  10.302 -lemma S2Clerk: "|- MClkNext memCh crCh cst p & $(S2 rmhist p) --> MClkFwd memCh crCh cst p"
  10.303 +lemma S2Clerk: "\<turnstile> MClkNext memCh crCh cst p & $(S2 rmhist p) \<longrightarrow> MClkFwd memCh crCh cst p"
  10.304    by (auto simp: MClkNext_def MClkRetry_def MClkReply_def S_def S2_def)
  10.305  
  10.306 -lemma S2Forward: "|- $(S2 rmhist p) & MClkFwd memCh crCh cst p
  10.307 +lemma S2Forward: "\<turnstile> $(S2 rmhist p) & MClkFwd memCh crCh cst p
  10.308           & unchanged (e p, r p, m p, rmhist!p)
  10.309 -         --> (S3 rmhist p)$"
  10.310 +         \<longrightarrow> (S3 rmhist p)$"
  10.311    by (tactic {* action_simp_tac (@{context} addsimps [@{thm MClkFwd_def},
  10.312      @{thm Call_def}, @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def},
  10.313      @{thm rtrner_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1 *})
  10.314  
  10.315 -lemma S2RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $(S2 rmhist p) --> unchanged (r p)"
  10.316 +lemma S2RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) & $(S2 rmhist p) \<longrightarrow> unchanged (r p)"
  10.317    by (auto simp: S_def S2_def dest!: RPCidle [temp_use])
  10.318  
  10.319 -lemma S2MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S2 rmhist p) --> unchanged (m p)"
  10.320 +lemma S2MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) & $(S2 rmhist p) \<longrightarrow> unchanged (m p)"
  10.321    by (auto simp: S_def S2_def dest!: Memoryidle [temp_use])
  10.322  
  10.323 -lemma S2Hist: "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S2 rmhist p)
  10.324 -         --> unchanged (rmhist!p)"
  10.325 +lemma S2Hist: "\<turnstile> [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S2 rmhist p)
  10.326 +         \<longrightarrow> unchanged (rmhist!p)"
  10.327    using [[fast_solver]]
  10.328    by (auto elim!: squareE [temp_use] simp: HNext_def MemReturn_def RPCFail_def
  10.329      MClkReply_def Return_def S_def S2_def)
  10.330  
  10.331  (* ------------------------------ State S3 ---------------------------------------- *)
  10.332  
  10.333 -lemma S3EnvUnch: "|- [ENext p]_(e p) & $(S3 rmhist p) --> unchanged (e p)"
  10.334 +lemma S3EnvUnch: "\<turnstile> [ENext p]_(e p) & $(S3 rmhist p) \<longrightarrow> unchanged (e p)"
  10.335    by (auto dest!: Envbusy [temp_use] simp: S_def S3_def)
  10.336  
  10.337 -lemma S3ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S3 rmhist p) --> unchanged (c p)"
  10.338 +lemma S3ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) & $(S3 rmhist p) \<longrightarrow> unchanged (c p)"
  10.339    by (auto dest!: MClkbusy [temp_use] simp: square_def S_def S3_def)
  10.340  
  10.341 -lemma S3LegalRcvArg: "|- S3 rmhist p --> IsLegalRcvArg<arg<crCh!p>>"
  10.342 +lemma S3LegalRcvArg: "\<turnstile> S3 rmhist p \<longrightarrow> IsLegalRcvArg<arg<crCh!p>>"
  10.343    by (auto simp: IsLegalRcvArg_def MClkRelayArg_def S_def S3_def)
  10.344  
  10.345 -lemma S3RPC: "|- RPCNext crCh rmCh rst p & $(S3 rmhist p)
  10.346 -         --> RPCFwd crCh rmCh rst p | RPCFail crCh rmCh rst p"
  10.347 +lemma S3RPC: "\<turnstile> RPCNext crCh rmCh rst p & $(S3 rmhist p)
  10.348 +         \<longrightarrow> RPCFwd crCh rmCh rst p | RPCFail crCh rmCh rst p"
  10.349    apply clarsimp
  10.350    apply (frule S3LegalRcvArg [action_use])
  10.351    apply (auto simp: RPCNext_def RPCReject_def RPCReply_def S_def S3_def)
  10.352    done
  10.353  
  10.354 -lemma S3Forward: "|- RPCFwd crCh rmCh rst p & HNext rmhist p & $(S3 rmhist p)
  10.355 +lemma S3Forward: "\<turnstile> RPCFwd crCh rmCh rst p & HNext rmhist p & $(S3 rmhist p)
  10.356           & unchanged (e p, c p, m p)
  10.357 -         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.358 +         \<longrightarrow> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.359    by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCFwd_def},
  10.360      @{thm HNext_def}, @{thm MemReturn_def}, @{thm RPCFail_def},
  10.361      @{thm MClkReply_def}, @{thm Return_def}, @{thm Call_def}, @{thm e_def},
  10.362      @{thm c_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def},
  10.363      @{thm S3_def}, @{thm S4_def}, @{thm Calling_def}]) [] [] 1 *})
  10.364  
  10.365 -lemma S3Fail: "|- RPCFail crCh rmCh rst p & $(S3 rmhist p) & HNext rmhist p
  10.366 +lemma S3Fail: "\<turnstile> RPCFail crCh rmCh rst p & $(S3 rmhist p) & HNext rmhist p
  10.367           & unchanged (e p, c p, m p)
  10.368 -         --> (S6 rmhist p)$"
  10.369 +         \<longrightarrow> (S6 rmhist p)$"
  10.370    by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def},
  10.371      @{thm RPCFail_def}, @{thm Return_def}, @{thm e_def}, @{thm c_def},
  10.372      @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm MVOKBARF_def},
  10.373      @{thm S_def}, @{thm S3_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *})
  10.374  
  10.375 -lemma S3MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S3 rmhist p) --> unchanged (m p)"
  10.376 +lemma S3MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) & $(S3 rmhist p) \<longrightarrow> unchanged (m p)"
  10.377    by (auto simp: S_def S3_def dest!: Memoryidle [temp_use])
  10.378  
  10.379 -lemma S3Hist: "|- HNext rmhist p & $(S3 rmhist p) & unchanged (r p) --> unchanged (rmhist!p)"
  10.380 +lemma S3Hist: "\<turnstile> HNext rmhist p & $(S3 rmhist p) & unchanged (r p) \<longrightarrow> unchanged (rmhist!p)"
  10.381    by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def
  10.382      Return_def r_def rtrner_def S_def S3_def Calling_def)
  10.383  
  10.384  (* ------------------------------ State S4 ---------------------------------------- *)
  10.385  
  10.386 -lemma S4EnvUnch: "|- [ENext p]_(e p) & $(S4 rmhist p) --> unchanged (e p)"
  10.387 +lemma S4EnvUnch: "\<turnstile> [ENext p]_(e p) & $(S4 rmhist p) \<longrightarrow> unchanged (e p)"
  10.388    by (auto simp: S_def S4_def dest!: Envbusy [temp_use])
  10.389  
  10.390 -lemma S4ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S4 rmhist p) --> unchanged (c p)"
  10.391 +lemma S4ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) & $(S4 rmhist p) \<longrightarrow> unchanged (c p)"
  10.392    by (auto simp: S_def S4_def dest!: MClkbusy [temp_use])
  10.393  
  10.394 -lemma S4RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $(S4 rmhist p) --> unchanged (r p)"
  10.395 +lemma S4RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) & $(S4 rmhist p) \<longrightarrow> unchanged (r p)"
  10.396    using [[fast_solver]]
  10.397    by (auto elim!: squareE [temp_use] dest!: RPCbusy [temp_use] simp: S_def S4_def)
  10.398  
  10.399 -lemma S4ReadInner: "|- ReadInner rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p)
  10.400 +lemma S4ReadInner: "\<turnstile> ReadInner rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p)
  10.401           & HNext rmhist p & $(MemInv mm l)
  10.402 -         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.403 +         \<longrightarrow> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.404    by (tactic {* action_simp_tac (@{context} addsimps [@{thm ReadInner_def},
  10.405      @{thm GoodRead_def}, @{thm BadRead_def}, @{thm HNext_def}, @{thm MemReturn_def},
  10.406      @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm e_def},
  10.407 @@ -446,105 +446,105 @@
  10.408      @{thm MVNROKBA_def}, @{thm S_def}, @{thm S4_def}, @{thm RdRequest_def},
  10.409      @{thm Calling_def}, @{thm MemInv_def}]) [] [] 1 *})
  10.410  
  10.411 -lemma S4Read: "|- Read rmCh mm ires p & $(S4 rmhist p) & unchanged (e p, c p, r p)
  10.412 +lemma S4Read: "\<turnstile> Read rmCh mm ires p & $(S4 rmhist p) & unchanged (e p, c p, r p)
  10.413           & HNext rmhist p & (\<forall>l. $MemInv mm l)
  10.414 -         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.415 +         \<longrightarrow> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.416    by (auto simp: Read_def dest!: S4ReadInner [temp_use])
  10.417  
  10.418 -lemma S4WriteInner: "|- WriteInner rmCh mm ires p l v & $(S4 rmhist p) & unchanged (e p, c p, r p)           & HNext rmhist p
  10.419 -         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.420 +lemma S4WriteInner: "\<turnstile> WriteInner rmCh mm ires p l v & $(S4 rmhist p) & unchanged (e p, c p, r p)           & HNext rmhist p
  10.421 +         \<longrightarrow> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.422    by (tactic {* action_simp_tac (@{context} addsimps [@{thm WriteInner_def},
  10.423      @{thm GoodWrite_def}, @{thm BadWrite_def}, @{thm HNext_def}, @{thm MemReturn_def},
  10.424      @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm e_def},
  10.425      @{thm c_def}, @{thm r_def}, @{thm rtrner_def}, @{thm caller_def}, @{thm MVNROKBA_def},
  10.426      @{thm S_def}, @{thm S4_def}, @{thm WrRequest_def}, @{thm Calling_def}]) [] [] 1 *})
  10.427  
  10.428 -lemma S4Write: "|- Write rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p)
  10.429 +lemma S4Write: "\<turnstile> Write rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p)
  10.430           & (HNext rmhist p)
  10.431 -         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.432 +         \<longrightarrow> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.433    by (auto simp: Write_def dest!: S4WriteInner [temp_use])
  10.434  
  10.435 -lemma WriteS4: "|- $ImpInv rmhist p & Write rmCh mm ires p l --> $S4 rmhist p"
  10.436 +lemma WriteS4: "\<turnstile> $ImpInv rmhist p & Write rmCh mm ires p l \<longrightarrow> $S4 rmhist p"
  10.437    by (auto simp: Write_def WriteInner_def ImpInv_def
  10.438      WrRequest_def S_def S1_def S2_def S3_def S4_def S5_def S6_def)
  10.439  
  10.440 -lemma S4Return: "|- MemReturn rmCh ires p & $S4 rmhist p & unchanged (e p, c p, r p)
  10.441 +lemma S4Return: "\<turnstile> MemReturn rmCh ires p & $S4 rmhist p & unchanged (e p, c p, r p)
  10.442           & HNext rmhist p
  10.443 -         --> (S5 rmhist p)$"
  10.444 +         \<longrightarrow> (S5 rmhist p)$"
  10.445    by (auto simp: HNext_def MemReturn_def Return_def e_def c_def r_def
  10.446      rtrner_def caller_def MVNROKBA_def MVOKBA_def S_def S4_def S5_def Calling_def)
  10.447  
  10.448 -lemma S4Hist: "|- HNext rmhist p & $S4 rmhist p & (m p)$ = $(m p) --> (rmhist!p)$ = $(rmhist!p)"
  10.449 +lemma S4Hist: "\<turnstile> HNext rmhist p & $S4 rmhist p & (m p)$ = $(m p) \<longrightarrow> (rmhist!p)$ = $(rmhist!p)"
  10.450    by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def
  10.451      Return_def m_def rtrner_def S_def S4_def Calling_def)
  10.452  
  10.453  (* ------------------------------ State S5 ---------------------------------------- *)
  10.454  
  10.455 -lemma S5EnvUnch: "|- [ENext p]_(e p) & $(S5 rmhist p) --> unchanged (e p)"
  10.456 +lemma S5EnvUnch: "\<turnstile> [ENext p]_(e p) & $(S5 rmhist p) \<longrightarrow> unchanged (e p)"
  10.457    by (auto simp: S_def S5_def dest!: Envbusy [temp_use])
  10.458  
  10.459 -lemma S5ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S5 rmhist p) --> unchanged (c p)"
  10.460 +lemma S5ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) & $(S5 rmhist p) \<longrightarrow> unchanged (c p)"
  10.461    by (auto simp: S_def S5_def dest!: MClkbusy [temp_use])
  10.462  
  10.463 -lemma S5RPC: "|- RPCNext crCh rmCh rst p & $(S5 rmhist p)
  10.464 -         --> RPCReply crCh rmCh rst p | RPCFail crCh rmCh rst p"
  10.465 +lemma S5RPC: "\<turnstile> RPCNext crCh rmCh rst p & $(S5 rmhist p)
  10.466 +         \<longrightarrow> RPCReply crCh rmCh rst p | RPCFail crCh rmCh rst p"
  10.467    by (auto simp: RPCNext_def RPCReject_def RPCFwd_def S_def S5_def)
  10.468  
  10.469 -lemma S5Reply: "|- RPCReply crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p)
  10.470 -       --> (S6 rmhist p)$"
  10.471 +lemma S5Reply: "\<turnstile> RPCReply crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p)
  10.472 +       \<longrightarrow> (S6 rmhist p)$"
  10.473    by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCReply_def},
  10.474      @{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}, @{thm MVOKBA_def},
  10.475      @{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def},
  10.476      @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *})
  10.477  
  10.478 -lemma S5Fail: "|- RPCFail crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p)
  10.479 -         --> (S6 rmhist p)$"
  10.480 +lemma S5Fail: "\<turnstile> RPCFail crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p)
  10.481 +         \<longrightarrow> (S6 rmhist p)$"
  10.482    by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCFail_def},
  10.483      @{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm m_def},
  10.484      @{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def},
  10.485      @{thm S_def}, @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *})
  10.486  
  10.487 -lemma S5MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S5 rmhist p) --> unchanged (m p)"
  10.488 +lemma S5MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) & $(S5 rmhist p) \<longrightarrow> unchanged (m p)"
  10.489    by (auto simp: S_def S5_def dest!: Memoryidle [temp_use])
  10.490  
  10.491 -lemma S5Hist: "|- [HNext rmhist p]_(c p, r p, m p, rmhist!p) & $(S5 rmhist p)
  10.492 -         --> (rmhist!p)$ = $(rmhist!p)"
  10.493 +lemma S5Hist: "\<turnstile> [HNext rmhist p]_(c p, r p, m p, rmhist!p) & $(S5 rmhist p)
  10.494 +         \<longrightarrow> (rmhist!p)$ = $(rmhist!p)"
  10.495    using [[fast_solver]]
  10.496    by (auto elim!: squareE [temp_use] simp: HNext_def MemReturn_def RPCFail_def
  10.497      MClkReply_def Return_def S_def S5_def)
  10.498  
  10.499  (* ------------------------------ State S6 ---------------------------------------- *)
  10.500  
  10.501 -lemma S6EnvUnch: "|- [ENext p]_(e p) & $(S6 rmhist p) --> unchanged (e p)"
  10.502 +lemma S6EnvUnch: "\<turnstile> [ENext p]_(e p) & $(S6 rmhist p) \<longrightarrow> unchanged (e p)"
  10.503    by (auto simp: S_def S6_def dest!: Envbusy [temp_use])
  10.504  
  10.505 -lemma S6Clerk: "|- MClkNext memCh crCh cst p & $(S6 rmhist p)
  10.506 -         --> MClkRetry memCh crCh cst p | MClkReply memCh crCh cst p"
  10.507 +lemma S6Clerk: "\<turnstile> MClkNext memCh crCh cst p & $(S6 rmhist p)
  10.508 +         \<longrightarrow> MClkRetry memCh crCh cst p | MClkReply memCh crCh cst p"
  10.509    by (auto simp: MClkNext_def MClkFwd_def S_def S6_def)
  10.510  
  10.511 -lemma S6Retry: "|- MClkRetry memCh crCh cst p & HNext rmhist p & $S6 rmhist p
  10.512 +lemma S6Retry: "\<turnstile> MClkRetry memCh crCh cst p & HNext rmhist p & $S6 rmhist p
  10.513           & unchanged (e p,r p,m p)
  10.514 -         --> (S3 rmhist p)$ & unchanged (rmhist!p)"
  10.515 +         \<longrightarrow> (S3 rmhist p)$ & unchanged (rmhist!p)"
  10.516    by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def},
  10.517      @{thm MClkReply_def}, @{thm MClkRetry_def}, @{thm Call_def}, @{thm Return_def},
  10.518      @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def},
  10.519      @{thm S_def}, @{thm S6_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1 *})
  10.520  
  10.521 -lemma S6Reply: "|- MClkReply memCh crCh cst p & HNext rmhist p & $S6 rmhist p
  10.522 +lemma S6Reply: "\<turnstile> MClkReply memCh crCh cst p & HNext rmhist p & $S6 rmhist p
  10.523           & unchanged (e p,r p,m p)
  10.524 -         --> (S1 rmhist p)$"
  10.525 +         \<longrightarrow> (S1 rmhist p)$"
  10.526    by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def},
  10.527      @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm Return_def}, @{thm MClkReply_def},
  10.528      @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def},
  10.529      @{thm S_def}, @{thm S6_def}, @{thm S1_def}, @{thm Calling_def}]) [] [] 1 *})
  10.530  
  10.531 -lemma S6RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $S6 rmhist p --> unchanged (r p)"
  10.532 +lemma S6RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) & $S6 rmhist p \<longrightarrow> unchanged (r p)"
  10.533    by (auto simp: S_def S6_def dest!: RPCidle [temp_use])
  10.534  
  10.535 -lemma S6MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S6 rmhist p) --> unchanged (m p)"
  10.536 +lemma S6MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) & $(S6 rmhist p) \<longrightarrow> unchanged (m p)"
  10.537    by (auto simp: S_def S6_def dest!: Memoryidle [temp_use])
  10.538  
  10.539 -lemma S6Hist: "|- HNext rmhist p & $S6 rmhist p & (c p)$ = $(c p) --> (rmhist!p)$ = $(rmhist!p)"
  10.540 +lemma S6Hist: "\<turnstile> HNext rmhist p & $S6 rmhist p & (c p)$ = $(c p) \<longrightarrow> (rmhist!p)$ = $(rmhist!p)"
  10.541    by (auto simp: HNext_def MClkReply_def Return_def c_def rtrner_def S_def S6_def Calling_def)
  10.542  
  10.543  
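Review bot: S4WriteInner's statement still carries a collapsed line break at `unchanged (e p, c p, r p)           & HNext rmhist p` even though the line was rewritten in this hunk; the sibling S4ReadInner puts `& HNext rmhist p` on its own continuation line, and doing the same here would be cleaner than preserving the run of spaces. Separately, S4Hist, S5Hist and S6Hist phrase their hypotheses and conclusions as `(m p)$ = $(m p)` and `(rmhist!p)$ = $(rmhist!p)`, whereas S3Hist and the S4Return/S5Reply family write `unchanged (...)` for what appears to be the same condition; if `unchanged` is literally shorthand for the primed equality, normalising to one form would make the per-state lemmas easier to read side by side. Both are wording changes to the statements; the proofs would need re-checking only if the two forms are not syntactically interchangeable.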
  10.544 @@ -554,7 +554,7 @@
  10.545  (* ========== Step 1.1 ================================================= *)
  10.546  (* The implementation's initial condition implies the state predicate S1 *)
  10.547  
  10.548 -lemma Step1_1: "|- ImpInit p & HInit rmhist p --> S1 rmhist p"
  10.549 +lemma Step1_1: "\<turnstile> ImpInit p & HInit rmhist p \<longrightarrow> S1 rmhist p"
  10.550    using [[fast_solver]]
  10.551    by (auto elim!: squareE [temp_use] simp: MVNROKBA_def
  10.552      MClkInit_def RPCInit_def PInit_def HInit_def ImpInit_def S_def S1_def)
  10.553 @@ -562,9 +562,9 @@
  10.554  (* ========== Step 1.2 ================================================== *)
  10.555  (* Figure 16 is a predicate-action diagram for the implementation. *)
  10.556  
  10.557 -lemma Step1_2_1: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.558 +lemma Step1_2_1: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.559           & \<not>unchanged (e p, c p, r p, m p, rmhist!p)  & $S1 rmhist p
  10.560 -         --> (S2 rmhist p)$ & ENext p & unchanged (c p, r p, m p)"
  10.561 +         \<longrightarrow> (S2 rmhist p)$ & ENext p & unchanged (c p, r p, m p)"
  10.562    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
  10.563        (map (temp_elim @{context})
  10.564          [@{thm S1ClerkUnch}, @{thm S1RPCUnch}, @{thm S1MemUnch}, @{thm S1Hist}]) 1 *})
  10.565 @@ -572,9 +572,9 @@
  10.566     apply (auto elim!: squareE [temp_use] intro!: S1Env [temp_use])
  10.567    done
  10.568  
  10.569 -lemma Step1_2_2: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.570 +lemma Step1_2_2: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.571           & \<not>unchanged (e p, c p, r p, m p, rmhist!p) & $S2 rmhist p
  10.572 -         --> (S3 rmhist p)$ & MClkFwd memCh crCh cst p
  10.573 +         \<longrightarrow> (S3 rmhist p)$ & MClkFwd memCh crCh cst p
  10.574               & unchanged (e p, r p, m p, rmhist!p)"
  10.575    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
  10.576      (map (temp_elim @{context})
  10.577 @@ -583,9 +583,9 @@
  10.578     apply (auto elim!: squareE [temp_use] intro!: S2Clerk [temp_use] S2Forward [temp_use])
  10.579    done
  10.580  
  10.581 -lemma Step1_2_3: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.582 +lemma Step1_2_3: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.583           & \<not>unchanged (e p, c p, r p, m p, rmhist!p) & $S3 rmhist p
  10.584 -         --> ((S4 rmhist p)$ & RPCFwd crCh rmCh rst p & unchanged (e p, c p, m p, rmhist!p))
  10.585 +         \<longrightarrow> ((S4 rmhist p)$ & RPCFwd crCh rmCh rst p & unchanged (e p, c p, m p, rmhist!p))
  10.586               | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))"
  10.587    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
  10.588      (map (temp_elim @{context}) [@{thm S3EnvUnch}, @{thm S3ClerkUnch}, @{thm S3MemUnch}]) 1 *})
  10.589 @@ -595,10 +595,10 @@
  10.590     apply (auto dest!: S3Hist [temp_use])
  10.591    done
  10.592  
  10.593 -lemma Step1_2_4: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.594 +lemma Step1_2_4: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.595                & \<not>unchanged (e p, c p, r p, m p, rmhist!p)
  10.596                & $S4 rmhist p & (\<forall>l. $(MemInv mm l))
  10.597 -         --> ((S4 rmhist p)$ & Read rmCh mm ires p & unchanged (e p, c p, r p, rmhist!p))
  10.598 +         \<longrightarrow> ((S4 rmhist p)$ & Read rmCh mm ires p & unchanged (e p, c p, r p, rmhist!p))
  10.599               | ((S4 rmhist p)$ & (\<exists>l. Write rmCh mm ires p l) & unchanged (e p, c p, r p, rmhist!p))
  10.600               | ((S5 rmhist p)$ & MemReturn rmCh ires p & unchanged (e p, c p, r p))"
  10.601    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
  10.602 @@ -609,9 +609,9 @@
  10.603    apply (auto dest!: S4Hist [temp_use])
  10.604    done
  10.605  
  10.606 -lemma Step1_2_5: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.607 +lemma Step1_2_5: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.608                & \<not>unchanged (e p, c p, r p, m p, rmhist!p) & $S5 rmhist p
  10.609 -         --> ((S6 rmhist p)$ & RPCReply crCh rmCh rst p & unchanged (e p, c p, m p))
  10.610 +         \<longrightarrow> ((S6 rmhist p)$ & RPCReply crCh rmCh rst p & unchanged (e p, c p, m p))
  10.611               | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))"
  10.612    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
  10.613      (map (temp_elim @{context}) [@{thm S5EnvUnch}, @{thm S5ClerkUnch}, @{thm S5MemUnch}, @{thm S5Hist}]) 1 *})
  10.614 @@ -620,9 +620,9 @@
  10.615     apply (auto elim!: squareE [temp_use] dest!: S5Reply [temp_use] S5Fail [temp_use])
  10.616    done
  10.617  
  10.618 -lemma Step1_2_6: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.619 +lemma Step1_2_6: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
  10.620                & \<not>unchanged (e p, c p, r p, m p, rmhist!p) & $S6 rmhist p
  10.621 -         --> ((S1 rmhist p)$ & MClkReply memCh crCh cst p & unchanged (e p, r p, m p))
  10.622 +         \<longrightarrow> ((S1 rmhist p)$ & MClkReply memCh crCh cst p & unchanged (e p, r p, m p))
  10.623               | ((S3 rmhist p)$ & MClkRetry memCh crCh cst p & unchanged (e p,r p,m p,rmhist!p))"
  10.624    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
  10.625      (map (temp_elim @{context}) [@{thm S6EnvUnch}, @{thm S6RPCUnch}, @{thm S6MemUnch}]) 1 *})
  10.626 @@ -637,7 +637,7 @@
  10.627  
  10.628  section "Initialization (Step 1.3)"
  10.629  
  10.630 -lemma Step1_3: "|- S1 rmhist p --> PInit (resbar rmhist) p"
  10.631 +lemma Step1_3: "\<turnstile> S1 rmhist p \<longrightarrow> PInit (resbar rmhist) p"
  10.632    by (tactic {* action_simp_tac (@{context} addsimps [@{thm resbar_def},
  10.633      @{thm PInit_def}, @{thm S_def}, @{thm S1_def}]) [] [] 1 *})
  10.634  
  10.635 @@ -648,30 +648,30 @@
  10.636  
  10.637  section "Step simulation (Step 1.4)"
  10.638  
  10.639 -lemma Step1_4_1: "|- ENext p & $S1 rmhist p & (S2 rmhist p)$ & unchanged (c p, r p, m p)
  10.640 -         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.641 +lemma Step1_4_1: "\<turnstile> ENext p & $S1 rmhist p & (S2 rmhist p)$ & unchanged (c p, r p, m p)
  10.642 +         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.643    using [[fast_solver]]
  10.644    by (auto elim!: squareE [temp_use] simp: c_def r_def m_def resbar_def)
  10.645  
  10.646 -lemma Step1_4_2: "|- MClkFwd memCh crCh cst p & $S2 rmhist p & (S3 rmhist p)$
  10.647 +lemma Step1_4_2: "\<turnstile> MClkFwd memCh crCh cst p & $S2 rmhist p & (S3 rmhist p)$
  10.648           & unchanged (e p, r p, m p, rmhist!p)
  10.649 -         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.650 +         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.651    by (tactic {* action_simp_tac
  10.652      (@{context} addsimps [@{thm MClkFwd_def}, @{thm e_def}, @{thm r_def}, @{thm m_def},
  10.653      @{thm resbar_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}]) [] [] 1 *})
  10.654  
  10.655 -lemma Step1_4_3a: "|- RPCFwd crCh rmCh rst p & $S3 rmhist p & (S4 rmhist p)$
  10.656 +lemma Step1_4_3a: "\<turnstile> RPCFwd crCh rmCh rst p & $S3 rmhist p & (S4 rmhist p)$
  10.657           & unchanged (e p, c p, m p, rmhist!p)
  10.658 -         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.659 +         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.660    apply clarsimp
  10.661    apply (drule S3_excl [temp_use] S4_excl [temp_use])+
  10.662    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm e_def},
  10.663      @{thm c_def}, @{thm m_def}, @{thm resbar_def}, @{thm S_def}, @{thm S3_def}]) [] [] 1 *})
  10.664    done
  10.665  
  10.666 -lemma Step1_4_3b: "|- RPCFail crCh rmCh rst p & $S3 rmhist p & (S6 rmhist p)$
  10.667 +lemma Step1_4_3b: "\<turnstile> RPCFail crCh rmCh rst p & $S3 rmhist p & (S6 rmhist p)$
  10.668           & unchanged (e p, c p, m p)
  10.669 -         --> MemFail memCh (resbar rmhist) p"
  10.670 +         \<longrightarrow> MemFail memCh (resbar rmhist) p"
  10.671    apply clarsimp
  10.672    apply (drule S6_excl [temp_use])
  10.673    apply (auto simp: RPCFail_def MemFail_def e_def c_def m_def resbar_def)
  10.674 @@ -679,9 +679,9 @@
  10.675     apply (auto simp: Return_def)
  10.676    done
  10.677  
  10.678 -lemma Step1_4_4a1: "|- $S4 rmhist p & (S4 rmhist p)$ & ReadInner rmCh mm ires p l
  10.679 +lemma Step1_4_4a1: "\<turnstile> $S4 rmhist p & (S4 rmhist p)$ & ReadInner rmCh mm ires p l
  10.680           & unchanged (e p, c p, r p, rmhist!p) & $MemInv mm l
  10.681 -         --> ReadInner memCh mm (resbar rmhist) p l"
  10.682 +         \<longrightarrow> ReadInner memCh mm (resbar rmhist) p l"
  10.683    apply clarsimp
  10.684    apply (drule S4_excl [temp_use])+
  10.685    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ReadInner_def},
  10.686 @@ -693,14 +693,14 @@
  10.687                  [] [@{thm impE}, @{thm MemValNotAResultE}]) *})
  10.688    done
  10.689  
  10.690 -lemma Step1_4_4a: "|- Read rmCh mm ires p & $S4 rmhist p & (S4 rmhist p)$
  10.691 +lemma Step1_4_4a: "\<turnstile> Read rmCh mm ires p & $S4 rmhist p & (S4 rmhist p)$
  10.692           & unchanged (e p, c p, r p, rmhist!p) & (\<forall>l. $(MemInv mm l))
  10.693 -         --> Read memCh mm (resbar rmhist) p"
  10.694 +         \<longrightarrow> Read memCh mm (resbar rmhist) p"
  10.695    by (force simp: Read_def elim!: Step1_4_4a1 [temp_use])
  10.696  
  10.697 -lemma Step1_4_4b1: "|- $S4 rmhist p & (S4 rmhist p)$ & WriteInner rmCh mm ires p l v
  10.698 +lemma Step1_4_4b1: "\<turnstile> $S4 rmhist p & (S4 rmhist p)$ & WriteInner rmCh mm ires p l v
  10.699           & unchanged (e p, c p, r p, rmhist!p)
  10.700 -         --> WriteInner memCh mm (resbar rmhist) p l v"
  10.701 +         \<longrightarrow> WriteInner memCh mm (resbar rmhist) p l v"
  10.702    apply clarsimp
  10.703    apply (drule S4_excl [temp_use])+
  10.704    apply (tactic {* action_simp_tac (@{context} addsimps
  10.705 @@ -712,14 +712,14 @@
  10.706        @{thm S4_def}, @{thm WrRequest_def}]) [] []) *})
  10.707    done
  10.708  
  10.709 -lemma Step1_4_4b: "|- Write rmCh mm ires p l & $S4 rmhist p & (S4 rmhist p)$
  10.710 +lemma Step1_4_4b: "\<turnstile> Write rmCh mm ires p l & $S4 rmhist p & (S4 rmhist p)$
  10.711           & unchanged (e p, c p, r p, rmhist!p)
  10.712 -         --> Write memCh mm (resbar rmhist) p l"
  10.713 +         \<longrightarrow> Write memCh mm (resbar rmhist) p l"
  10.714    by (force simp: Write_def elim!: Step1_4_4b1 [temp_use])
  10.715  
  10.716 -lemma Step1_4_4c: "|- MemReturn rmCh ires p & $S4 rmhist p & (S5 rmhist p)$
  10.717 +lemma Step1_4_4c: "\<turnstile> MemReturn rmCh ires p & $S4 rmhist p & (S5 rmhist p)$
  10.718           & unchanged (e p, c p, r p)
  10.719 -         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.720 +         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.721    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm e_def},
  10.722      @{thm c_def}, @{thm r_def}, @{thm resbar_def}]) [] [] 1 *})
  10.723    apply (drule S4_excl [temp_use] S5_excl [temp_use])+
  10.724 @@ -727,27 +727,27 @@
  10.725    apply (auto elim!: squareE [temp_use] simp: MemReturn_def Return_def)
  10.726    done
  10.727  
  10.728 -lemma Step1_4_5a: "|- RPCReply crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$
  10.729 +lemma Step1_4_5a: "\<turnstile> RPCReply crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$
  10.730           & unchanged (e p, c p, m p)
  10.731 -         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.732 +         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  10.733    apply clarsimp
  10.734    apply (drule S5_excl [temp_use] S6_excl [temp_use])+
  10.735    apply (auto simp: e_def c_def m_def resbar_def)
  10.736     apply (auto simp: RPCReply_def Return_def S5_def S_def dest!: MVOKBAnotRF [temp_use])
  10.737    done
  10.738  
  10.739 -lemma Step1_4_5b: "|- RPCFail crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$
  10.740 +lemma Step1_4_5b: "\<turnstile> RPCFail crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$
  10.741           & unchanged (e p, c p, m p)
  10.742 -         --> MemFail memCh (resbar rmhist) p"
  10.743 +         \<longrightarrow> MemFail memCh (resbar rmhist) p"
  10.744    apply clarsimp
  10.745    apply (drule S6_excl [temp_use])
  10.746    apply (auto simp: e_def c_def m_def RPCFail_def Return_def MemFail_def resbar_def)
  10.747     apply (auto simp: S5_def S_def)
  10.748    done
  10.749  
  10.750 -lemma Step1_4_6a: "|- MClkReply memCh crCh cst p & $S6 rmhist p & (S1 rmhist p)$
  10.751 +lemma Step1_4_6a: "\<turnstile> MClkReply memCh crCh cst p & $S6 rmhist p & (S1 rmhist p)$
  10.752           & unchanged (e p, r p, m p)
  10.753 -         --> MemReturn memCh (resbar rmhist) p"
  10.754 +         \<longrightarrow> MemReturn memCh (resbar rmhist) p"
  10.755    apply clarsimp
  10.756    apply (drule S6_excl [temp_use])+
  10.757    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm e_def},
  10.758 @@ -758,9 +758,9 @@
  10.759        [@{thm MClkReplyVal_def}, @{thm S6_def}, @{thm S_def}]) [] [@{thm MVOKBARFnotNR}]) *})
  10.760    done
  10.761  
  10.762 -lemma Step1_4_6b: "|- MClkRetry memCh crCh cst p & $S6 rmhist p & (S3 rmhist p)$
  10.763 +lemma Step1_4_6b: "\<turnstile> MClkRetry memCh crCh cst p & $S6 rmhist p & (S3 rmhist p)$
  10.764           & unchanged (e p, r p, m p, rmhist!p)
  10.765 -         --> MemFail memCh (resbar rmhist) p"
  10.766 +         \<longrightarrow> MemFail memCh (resbar rmhist) p"
  10.767    apply clarsimp
  10.768    apply (drule S3_excl [temp_use])+
  10.769    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm e_def}, @{thm r_def},
  10.770 @@ -768,12 +768,12 @@
  10.771     apply (auto simp: S6_def S_def)
  10.772    done
  10.773  
  10.774 -lemma S_lemma: "|- unchanged (e p, c p, r p, m p, rmhist!p)
  10.775 -         --> unchanged (S rmhist ec cc rc cs rs hs1 hs2 p)"
  10.776 +lemma S_lemma: "\<turnstile> unchanged (e p, c p, r p, m p, rmhist!p)
  10.777 +         \<longrightarrow> unchanged (S rmhist ec cc rc cs rs hs1 hs2 p)"
  10.778    by (auto simp: e_def c_def r_def m_def caller_def rtrner_def S_def Calling_def)
  10.779  
  10.780 -lemma Step1_4_7H: "|- unchanged (e p, c p, r p, m p, rmhist!p)
  10.781 -         --> unchanged (rtrner memCh!p, S1 rmhist p, S2 rmhist p, S3 rmhist p,
  10.782 +lemma Step1_4_7H: "\<turnstile> unchanged (e p, c p, r p, m p, rmhist!p)
  10.783 +         \<longrightarrow> unchanged (rtrner memCh!p, S1 rmhist p, S2 rmhist p, S3 rmhist p,
  10.784                          S4 rmhist p, S5 rmhist p, S6 rmhist p)"
  10.785    apply clarsimp
  10.786    apply (rule conjI)
  10.787 @@ -781,8 +781,8 @@
  10.788    apply (force simp: S1_def S2_def S3_def S4_def S5_def S6_def intro!: S_lemma [temp_use])
  10.789    done
  10.790  
  10.791 -lemma Step1_4_7: "|- unchanged (e p, c p, r p, m p, rmhist!p)
  10.792 -         --> unchanged (rtrner memCh!p, resbar rmhist!p, S1 rmhist p, S2 rmhist p,
  10.793 +lemma Step1_4_7: "\<turnstile> unchanged (e p, c p, r p, m p, rmhist!p)
  10.794 +         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p, S1 rmhist p, S2 rmhist p,
  10.795                          S3 rmhist p, S4 rmhist p, S5 rmhist p, S6 rmhist p)"
  10.796    apply (rule actionI)
  10.797    apply (unfold action_rews)
  10.798 @@ -798,7 +798,7 @@
  10.799  fun split_idle_tac ctxt =
  10.800    SELECT_GOAL
  10.801     (TRY (rtac @{thm actionI} 1) THEN
  10.802 -    Induct_Tacs.case_tac ctxt "(s,t) |= unchanged (e p, c p, r p, m p, rmhist!p)" [] NONE 1 THEN
  10.803 +    Induct_Tacs.case_tac ctxt "(s,t) \<Turnstile> unchanged (e p, c p, r p, m p, rmhist!p)" [] NONE 1 THEN
  10.804      rewrite_goals_tac ctxt @{thms action_rews} THEN
  10.805      forward_tac ctxt [temp_use ctxt @{thm Step1_4_7}] 1 THEN
  10.806      asm_full_simp_tac ctxt 1);
  10.807 @@ -816,42 +816,42 @@
  10.808  
  10.809  (* Steps that leave all variables unchanged are safe, so I may assume
  10.810     that some variable changes in the proof that a step is safe. *)
  10.811 -lemma unchanged_safe: "|- (\<not>unchanged (e p, c p, r p, m p, rmhist!p)
  10.812 -             --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p))
  10.813 -         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.814 +lemma unchanged_safe: "\<turnstile> (\<not>unchanged (e p, c p, r p, m p, rmhist!p)
  10.815 +             \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p))
  10.816 +         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.817    apply (split_idle simp: square_def)
  10.818    apply force
  10.819    done
  10.820  (* turn into (unsafe, looping!) introduction rule *)
  10.821  lemmas unchanged_safeI = impI [THEN unchanged_safe [action_use]]
  10.822  
  10.823 -lemma S1safe: "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.824 -         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.825 +lemma S1safe: "\<turnstile> $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.826 +         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.827    apply clarsimp
  10.828    apply (rule unchanged_safeI)
  10.829    apply (rule idle_squareI)
  10.830    apply (auto dest!: Step1_2_1 [temp_use] Step1_4_1 [temp_use])
  10.831    done
  10.832  
  10.833 -lemma S2safe: "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.834 -         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.835 +lemma S2safe: "\<turnstile> $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.836 +         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.837    apply clarsimp
  10.838    apply (rule unchanged_safeI)
  10.839    apply (rule idle_squareI)
  10.840    apply (auto dest!: Step1_2_2 [temp_use] Step1_4_2 [temp_use])
  10.841    done
  10.842  
  10.843 -lemma S3safe: "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.844 -         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.845 +lemma S3safe: "\<turnstile> $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.846 +         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.847    apply clarsimp
  10.848    apply (rule unchanged_safeI)
  10.849    apply (auto dest!: Step1_2_3 [temp_use])
  10.850    apply (auto simp: square_def UNext_def dest!: Step1_4_3a [temp_use] Step1_4_3b [temp_use])
  10.851    done
  10.852  
  10.853 -lemma S4safe: "|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.854 +lemma S4safe: "\<turnstile> $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.855           & (\<forall>l. $(MemInv mm l))
  10.856 -         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.857 +         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.858    apply clarsimp
  10.859    apply (rule unchanged_safeI)
  10.860    apply (auto dest!: Step1_2_4 [temp_use])
  10.861 @@ -859,16 +859,16 @@
  10.862         dest!: Step1_4_4a [temp_use] Step1_4_4b [temp_use] Step1_4_4c [temp_use])
  10.863    done
  10.864  
  10.865 -lemma S5safe: "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.866 -         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.867 +lemma S5safe: "\<turnstile> $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.868 +         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.869    apply clarsimp
  10.870    apply (rule unchanged_safeI)
  10.871    apply (auto dest!: Step1_2_5 [temp_use])
  10.872    apply (auto simp: square_def UNext_def dest!: Step1_4_5a [temp_use] Step1_4_5b [temp_use])
  10.873    done
  10.874  
  10.875 -lemma S6safe: "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.876 -         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.877 +lemma S6safe: "\<turnstile> $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.878 +         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  10.879    apply clarsimp
  10.880    apply (rule unchanged_safeI)
  10.881    apply (auto dest!: Step1_2_6 [temp_use])
  10.882 @@ -889,8 +889,8 @@
  10.883  
  10.884  (* ------------------------------ State S1 ------------------------------ *)
  10.885  
  10.886 -lemma S1_successors: "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.887 -         --> (S1 rmhist p)$ | (S2 rmhist p)$"
  10.888 +lemma S1_successors: "\<turnstile> $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.889 +         \<longrightarrow> (S1 rmhist p)$ | (S2 rmhist p)$"
  10.890    apply split_idle
  10.891    apply (auto dest!: Step1_2_1 [temp_use])
  10.892    done
  10.893 @@ -899,199 +899,199 @@
  10.894     by entering the state S1 infinitely often.
  10.895  *)
  10.896  
  10.897 -lemma S1_RNextdisabled: "|- S1 rmhist p -->
  10.898 +lemma S1_RNextdisabled: "\<turnstile> S1 rmhist p \<longrightarrow>
  10.899           \<not>Enabled (<RNext memCh mm (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
  10.900    apply (tactic {* action_simp_tac (@{context} addsimps [@{thm angle_def},
  10.901      @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}, temp_elim @{context} @{thm Memoryidle}] 1 *})
  10.902    apply force
  10.903    done
  10.904  
  10.905 -lemma S1_Returndisabled: "|- S1 rmhist p -->
  10.906 +lemma S1_Returndisabled: "\<turnstile> S1 rmhist p \<longrightarrow>
  10.907           \<not>Enabled (<MemReturn memCh (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
  10.908    by (tactic {* action_simp_tac (@{context} addsimps [@{thm angle_def}, @{thm MemReturn_def},
  10.909      @{thm Return_def}, @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}] 1 *})
  10.910  
  10.911 -lemma RNext_fair: "|- \<box>\<diamond>S1 rmhist p
  10.912 -         --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  10.913 +lemma RNext_fair: "\<turnstile> \<box>\<diamond>S1 rmhist p
  10.914 +         \<longrightarrow> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  10.915    by (auto simp: WF_alt [try_rewrite] intro!: S1_RNextdisabled [temp_use]
  10.916      elim!: STL4E [temp_use] DmdImplE [temp_use])
  10.917  
  10.918 -lemma Return_fair: "|- \<box>\<diamond>S1 rmhist p
  10.919 -         --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  10.920 +lemma Return_fair: "\<turnstile> \<box>\<diamond>S1 rmhist p
  10.921 +         \<longrightarrow> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  10.922    by (auto simp: WF_alt [try_rewrite]
  10.923      intro!: S1_Returndisabled [temp_use] elim!: STL4E [temp_use] DmdImplE [temp_use])
  10.924  
  10.925  (* ------------------------------ State S2 ------------------------------ *)
  10.926  
  10.927 -lemma S2_successors: "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.928 -         --> (S2 rmhist p)$ | (S3 rmhist p)$"
  10.929 +lemma S2_successors: "\<turnstile> $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.930 +         \<longrightarrow> (S2 rmhist p)$ | (S3 rmhist p)$"
  10.931    apply split_idle
  10.932    apply (auto dest!: Step1_2_2 [temp_use])
  10.933    done
  10.934  
  10.935 -lemma S2MClkFwd_successors: "|- ($S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
  10.936 +lemma S2MClkFwd_successors: "\<turnstile> ($S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
  10.937           & <MClkFwd memCh crCh cst p>_(c p)
  10.938 -         --> (S3 rmhist p)$"
  10.939 +         \<longrightarrow> (S3 rmhist p)$"
  10.940    by (auto simp: angle_def dest!: Step1_2_2 [temp_use])
  10.941  
  10.942 -lemma S2MClkFwd_enabled: "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.943 -         --> $Enabled (<MClkFwd memCh crCh cst p>_(c p))"
  10.944 +lemma S2MClkFwd_enabled: "\<turnstile> $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.945 +         \<longrightarrow> $Enabled (<MClkFwd memCh crCh cst p>_(c p))"
  10.946    apply (auto simp: c_def intro!: MClkFwd_ch_enabled [temp_use] MClkFwd_enabled [temp_use])
  10.947       apply (cut_tac MI_base)
  10.948       apply (blast dest: base_pair)
  10.949      apply (simp_all add: S_def S2_def)
  10.950    done
  10.951  
  10.952 -lemma S2_live: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
  10.953 +lemma S2_live: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
  10.954           & WF(MClkFwd memCh crCh cst p)_(c p)
  10.955 -         --> (S2 rmhist p \<leadsto> S3 rmhist p)"
  10.956 +         \<longrightarrow> (S2 rmhist p \<leadsto> S3 rmhist p)"
  10.957    by (rule WF1 S2_successors S2MClkFwd_successors S2MClkFwd_enabled)+
  10.958  
  10.959  (* ------------------------------ State S3 ------------------------------ *)
  10.960  
  10.961 -lemma S3_successors: "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.962 -         --> (S3 rmhist p)$ | (S4 rmhist p | S6 rmhist p)$"
  10.963 +lemma S3_successors: "\<turnstile> $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.964 +         \<longrightarrow> (S3 rmhist p)$ | (S4 rmhist p | S6 rmhist p)$"
  10.965    apply split_idle
  10.966    apply (auto dest!: Step1_2_3 [temp_use])
  10.967    done
  10.968  
  10.969 -lemma S3RPC_successors: "|- ($S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
  10.970 +lemma S3RPC_successors: "\<turnstile> ($S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
  10.971           & <RPCNext crCh rmCh rst p>_(r p)
  10.972 -         --> (S4 rmhist p | S6 rmhist p)$"
  10.973 +         \<longrightarrow> (S4 rmhist p | S6 rmhist p)$"
  10.974    apply (auto simp: angle_def dest!: Step1_2_3 [temp_use])
  10.975    done
  10.976  
  10.977 -lemma S3RPC_enabled: "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.978 -         --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
  10.979 +lemma S3RPC_enabled: "\<turnstile> $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.980 +         \<longrightarrow> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
  10.981    apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use])
  10.982      apply (cut_tac MI_base)
  10.983      apply (blast dest: base_pair)
  10.984     apply (simp_all add: S_def S3_def)
  10.985    done
  10.986  
  10.987 -lemma S3_live: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
  10.988 +lemma S3_live: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
  10.989           & WF(RPCNext crCh rmCh rst p)_(r p)
  10.990 -         --> (S3 rmhist p \<leadsto> S4 rmhist p | S6 rmhist p)"
  10.991 +         \<longrightarrow> (S3 rmhist p \<leadsto> S4 rmhist p | S6 rmhist p)"
  10.992    by (rule WF1 S3_successors S3RPC_successors S3RPC_enabled)+
  10.993  
  10.994  (* ------------- State S4 -------------------------------------------------- *)
  10.995  
  10.996 -lemma S4_successors: "|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.997 +lemma S4_successors: "\<turnstile> $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
  10.998          & (\<forall>l. $MemInv mm l)
  10.999 -        --> (S4 rmhist p)$ | (S5 rmhist p)$"
 10.1000 +        \<longrightarrow> (S4 rmhist p)$ | (S5 rmhist p)$"
 10.1001    apply split_idle
 10.1002    apply (auto dest!: Step1_2_4 [temp_use])
 10.1003    done
 10.1004  
 10.1005  (* --------- State S4a: S4 /\ (ires p = NotAResult) ------------------------ *)
 10.1006  
 10.1007 -lemma S4a_successors: "|- $(S4 rmhist p & ires!p = #NotAResult)
 10.1008 +lemma S4a_successors: "\<turnstile> $(S4 rmhist p & ires!p = #NotAResult)
 10.1009           & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (\<forall>l. $MemInv mm l)
 10.1010 -         --> (S4 rmhist p & ires!p = #NotAResult)$
 10.1011 +         \<longrightarrow> (S4 rmhist p & ires!p = #NotAResult)$
 10.1012               | ((S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p)$"
 10.1013    apply split_idle
 10.1014    apply (auto dest!: Step1_2_4 [temp_use])
 10.1015    done
 10.1016  
 10.1017 -lemma S4aRNext_successors: "|- ($(S4 rmhist p & ires!p = #NotAResult)
 10.1018 +lemma S4aRNext_successors: "\<turnstile> ($(S4 rmhist p & ires!p = #NotAResult)
 10.1019           & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (\<forall>l. $MemInv mm l))
 10.1020           & <RNext rmCh mm ires p>_(m p)
 10.1021 -         --> ((S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p)$"
 10.1022 +         \<longrightarrow> ((S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p)$"
 10.1023    by (auto simp: angle_def
 10.1024      dest!: Step1_2_4 [temp_use] ReadResult [temp_use] WriteResult [temp_use])
 10.1025  
 10.1026 -lemma S4aRNext_enabled: "|- $(S4 rmhist p & ires!p = #NotAResult)
 10.1027 +lemma S4aRNext_enabled: "\<turnstile> $(S4 rmhist p & ires!p = #NotAResult)
 10.1028           & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (\<forall>l. $MemInv mm l)
 10.1029 -         --> $Enabled (<RNext rmCh mm ires p>_(m p))"
 10.1030 +         \<longrightarrow> $Enabled (<RNext rmCh mm ires p>_(m p))"
 10.1031    apply (auto simp: m_def intro!: RNext_enabled [temp_use])
 10.1032     apply (cut_tac MI_base)
 10.1033     apply (blast dest: base_pair)
 10.1034    apply (simp add: S_def S4_def)
 10.1035    done
 10.1036  
 10.1037 -lemma S4a_live: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1038 +lemma S4a_live: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1039           & (\<forall>l. $MemInv mm l)) & WF(RNext rmCh mm ires p)_(m p)
 10.1040 -         --> (S4 rmhist p & ires!p = #NotAResult
 10.1041 +         \<longrightarrow> (S4 rmhist p & ires!p = #NotAResult
 10.1042                \<leadsto> (S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p)"
 10.1043    by (rule WF1 S4a_successors S4aRNext_successors S4aRNext_enabled)+
 10.1044  
 10.1045  (* ---------- State S4b: S4 /\ (ires p # NotAResult) --------------------------- *)
 10.1046  
 10.1047 -lemma S4b_successors: "|- $(S4 rmhist p & ires!p \<noteq> #NotAResult)
 10.1048 +lemma S4b_successors: "\<turnstile> $(S4 rmhist p & ires!p \<noteq> #NotAResult)
 10.1049           & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (\<forall>l. $MemInv mm l)
 10.1050 -         --> (S4 rmhist p & ires!p \<noteq> #NotAResult)$ | (S5 rmhist p)$"
 10.1051 +         \<longrightarrow> (S4 rmhist p & ires!p \<noteq> #NotAResult)$ | (S5 rmhist p)$"
 10.1052    apply (split_idle simp: m_def)
 10.1053    apply (auto dest!: WriteResult [temp_use] Step1_2_4 [temp_use] ReadResult [temp_use])
 10.1054    done
 10.1055  
 10.1056 -lemma S4bReturn_successors: "|- ($(S4 rmhist p & ires!p \<noteq> #NotAResult)
 10.1057 +lemma S4bReturn_successors: "\<turnstile> ($(S4 rmhist p & ires!p \<noteq> #NotAResult)
 10.1058           & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1059           & (\<forall>l. $MemInv mm l)) & <MemReturn rmCh ires p>_(m p)
 10.1060 -         --> (S5 rmhist p)$"
 10.1061 +         \<longrightarrow> (S5 rmhist p)$"
 10.1062    by (force simp: angle_def dest!: Step1_2_4 [temp_use] dest: ReturnNotReadWrite [temp_use])
 10.1063  
 10.1064 -lemma S4bReturn_enabled: "|- $(S4 rmhist p & ires!p \<noteq> #NotAResult)
 10.1065 +lemma S4bReturn_enabled: "\<turnstile> $(S4 rmhist p & ires!p \<noteq> #NotAResult)
 10.1066           & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1067           & (\<forall>l. $MemInv mm l)
 10.1068 -         --> $Enabled (<MemReturn rmCh ires p>_(m p))"
 10.1069 +         \<longrightarrow> $Enabled (<MemReturn rmCh ires p>_(m p))"
 10.1070    apply (auto simp: m_def intro!: MemReturn_enabled [temp_use])
 10.1071     apply (cut_tac MI_base)
 10.1072     apply (blast dest: base_pair)
 10.1073    apply (simp add: S_def S4_def)
 10.1074    done
 10.1075  
 10.1076 -lemma S4b_live: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (\<forall>l. $MemInv mm l))
 10.1077 +lemma S4b_live: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (\<forall>l. $MemInv mm l))
 10.1078           & WF(MemReturn rmCh ires p)_(m p)
 10.1079 -         --> (S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p)"
 10.1080 +         \<longrightarrow> (S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p)"
 10.1081    by (rule WF1 S4b_successors S4bReturn_successors S4bReturn_enabled)+
 10.1082  
 10.1083  (* ------------------------------ State S5 ------------------------------ *)
 10.1084  
 10.1085 -lemma S5_successors: "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1086 -         --> (S5 rmhist p)$ | (S6 rmhist p)$"
 10.1087 +lemma S5_successors: "\<turnstile> $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1088 +         \<longrightarrow> (S5 rmhist p)$ | (S6 rmhist p)$"
 10.1089    apply split_idle
 10.1090    apply (auto dest!: Step1_2_5 [temp_use])
 10.1091    done
 10.1092  
 10.1093 -lemma S5RPC_successors: "|- ($S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
 10.1094 +lemma S5RPC_successors: "\<turnstile> ($S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
 10.1095           & <RPCNext crCh rmCh rst p>_(r p)
 10.1096 -         --> (S6 rmhist p)$"
 10.1097 +         \<longrightarrow> (S6 rmhist p)$"
 10.1098    by (auto simp: angle_def dest!: Step1_2_5 [temp_use])
 10.1099  
 10.1100 -lemma S5RPC_enabled: "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1101 -         --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
 10.1102 +lemma S5RPC_enabled: "\<turnstile> $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1103 +         \<longrightarrow> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
 10.1104    apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use])
 10.1105      apply (cut_tac MI_base)
 10.1106      apply (blast dest: base_pair)
 10.1107     apply (simp_all add: S_def S5_def)
 10.1108    done
 10.1109  
 10.1110 -lemma S5_live: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
 10.1111 +lemma S5_live: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
 10.1112           & WF(RPCNext crCh rmCh rst p)_(r p)
 10.1113 -         --> (S5 rmhist p \<leadsto> S6 rmhist p)"
 10.1114 +         \<longrightarrow> (S5 rmhist p \<leadsto> S6 rmhist p)"
 10.1115    by (rule WF1 S5_successors S5RPC_successors S5RPC_enabled)+
 10.1116  
 10.1117  (* ------------------------------ State S6 ------------------------------ *)
 10.1118  
 10.1119 -lemma S6_successors: "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1120 -         --> (S1 rmhist p)$ | (S3 rmhist p)$ | (S6 rmhist p)$"
 10.1121 +lemma S6_successors: "\<turnstile> $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
 10.1122 +         \<longrightarrow> (S1 rmhist p)$ | (S3 rmhist p)$ | (S6 rmhist p)$"
 10.1123    apply split_idle
 10.1124    apply (auto dest!: Step1_2_6 [temp_use])
 10.1125    done
 10.1126  
 10.1127  lemma S6MClkReply_successors:
 10.1128 -  "|- ($S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
 10.1129 +  "\<turnstile> ($S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
 10.1130           & <MClkReply memCh crCh cst p>_(c p)
 10.1131 -         --> (S1 rmhist p)$"
 10.1132 +         \<longrightarrow> (S1 rmhist p)$"
 10.1133    by (auto simp: angle_def dest!: Step1_2_6 [temp_use] MClkReplyNotRetry [temp_use])
 10.1134  
 10.1135  lemma MClkReplyS6:
 10.1136 -  "|- $ImpInv rmhist p & <MClkReply memCh crCh cst p>_(c p) --> $S6 rmhist p"
 10.1137 +  "\<turnstile> $ImpInv rmhist p & <MClkReply memCh crCh cst p>_(c p) \<longrightarrow> $S6 rmhist p"
 10.1138    by (tactic {* action_simp_tac (@{context} addsimps [@{thm angle_def},
 10.1139      @{thm MClkReply_def}, @{thm Return_def}, @{thm ImpInv_def}, @{thm S_def},
 10.1140      @{thm S1_def}, @{thm S2_def}, @{thm S3_def}, @{thm S4_def}, @{thm S5_def}]) [] [] 1 *})
 10.1141  
 10.1142 -lemma S6MClkReply_enabled: "|- S6 rmhist p --> Enabled (<MClkReply memCh crCh cst p>_(c p))"
 10.1143 +lemma S6MClkReply_enabled: "\<turnstile> S6 rmhist p \<longrightarrow> Enabled (<MClkReply memCh crCh cst p>_(c p))"
 10.1144    apply (auto simp: c_def intro!: MClkReply_enabled [temp_use])
 10.1145       apply (cut_tac MI_base)
 10.1146       apply (blast dest: base_pair)
 10.1147 @@ -1099,11 +1099,11 @@
 10.1148        addsimps [@{thm S_def}, @{thm S6_def}]) [] []) *})
 10.1149    done
 10.1150  
 10.1151 -lemma S6_live: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & $(ImpInv rmhist p))
 10.1152 +lemma S6_live: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & $(ImpInv rmhist p))
 10.1153           & SF(MClkReply memCh crCh cst p)_(c p) & \<box>\<diamond>(S6 rmhist p)
 10.1154 -         --> \<box>\<diamond>(S1 rmhist p)"
 10.1155 +         \<longrightarrow> \<box>\<diamond>(S1 rmhist p)"
 10.1156    apply clarsimp
 10.1157 -  apply (subgoal_tac "sigma |= \<box>\<diamond> (<MClkReply memCh crCh cst p>_ (c p))")
 10.1158 +  apply (subgoal_tac "sigma \<Turnstile> \<box>\<diamond> (<MClkReply memCh crCh cst p>_ (c p))")
 10.1159     apply (erule InfiniteEnsures)
 10.1160      apply assumption
 10.1161     apply (tactic {* action_simp_tac @{context} []
 10.1162 @@ -1115,23 +1115,23 @@
 10.1163  
 10.1164  (* --------------- aggregate leadsto properties----------------------------- *)
 10.1165  
 10.1166 -lemma S5S6LeadstoS6: "sigma |= S5 rmhist p \<leadsto> S6 rmhist p
 10.1167 -      ==> sigma |= (S5 rmhist p | S6 rmhist p) \<leadsto> S6 rmhist p"
 10.1168 +lemma S5S6LeadstoS6: "sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p
 10.1169 +      \<Longrightarrow> sigma \<Turnstile> (S5 rmhist p | S6 rmhist p) \<leadsto> S6 rmhist p"
 10.1170    by (auto intro!: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use])
 10.1171  
 10.1172 -lemma S4bS5S6LeadstoS6: "[| sigma |= S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1173 -         sigma |= S5 rmhist p \<leadsto> S6 rmhist p |]
 10.1174 -      ==> sigma |= (S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p | S6 rmhist p
 10.1175 +lemma S4bS5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1176 +         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
 10.1177 +      \<Longrightarrow> sigma \<Turnstile> (S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p | S6 rmhist p
 10.1178                      \<leadsto> S6 rmhist p"
 10.1179    by (auto intro!: LatticeDisjunctionIntro [temp_use]
 10.1180      S5S6LeadstoS6 [temp_use] intro: LatticeTransitivity [temp_use])
 10.1181  
 10.1182 -lemma S4S5S6LeadstoS6: "[| sigma |= S4 rmhist p & ires!p = #NotAResult
 10.1183 +lemma S4S5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S4 rmhist p & ires!p = #NotAResult
 10.1184                    \<leadsto> (S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p;
 10.1185 -         sigma |= S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1186 -         sigma |= S5 rmhist p \<leadsto> S6 rmhist p |]
 10.1187 -      ==> sigma |= S4 rmhist p | S5 rmhist p | S6 rmhist p \<leadsto> S6 rmhist p"
 10.1188 -  apply (subgoal_tac "sigma |= (S4 rmhist p & ires!p = #NotAResult) |
 10.1189 +         sigma \<Turnstile> S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1190 +         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
 10.1191 +      \<Longrightarrow> sigma \<Turnstile> S4 rmhist p | S5 rmhist p | S6 rmhist p \<leadsto> S6 rmhist p"
 10.1192 +  apply (subgoal_tac "sigma \<Turnstile> (S4 rmhist p & ires!p = #NotAResult) |
 10.1193      (S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p | S6 rmhist p \<leadsto> S6 rmhist p")
 10.1194     apply (erule_tac G = "PRED ((S4 rmhist p & ires!p = #NotAResult) |
 10.1195       (S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p | S6 rmhist p)" in
 10.1196 @@ -1144,12 +1144,12 @@
 10.1197    apply (auto intro!: S4bS5S6LeadstoS6 [temp_use])
 10.1198    done
 10.1199  
 10.1200 -lemma S3S4S5S6LeadstoS6: "[| sigma |= S3 rmhist p \<leadsto> S4 rmhist p | S6 rmhist p;
 10.1201 -         sigma |= S4 rmhist p & ires!p = #NotAResult
 10.1202 +lemma S3S4S5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S3 rmhist p \<leadsto> S4 rmhist p | S6 rmhist p;
 10.1203 +         sigma \<Turnstile> S4 rmhist p & ires!p = #NotAResult
 10.1204                    \<leadsto> (S4 rmhist p & ires!p \<noteq> #NotAResult) | S5 rmhist p;
 10.1205 -         sigma |= S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1206 -         sigma |= S5 rmhist p \<leadsto> S6 rmhist p |]
 10.1207 -      ==> sigma |= S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p \<leadsto> S6 rmhist p"
 10.1208 +         sigma \<Turnstile> S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1209 +         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
 10.1210 +      \<Longrightarrow> sigma \<Turnstile> S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p \<leadsto> S6 rmhist p"
 10.1211    apply (rule LatticeDisjunctionIntro [temp_use])
 10.1212     apply (erule LatticeTriangle2 [temp_use])
 10.1213     apply (rule S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
 10.1214 @@ -1157,13 +1157,13 @@
 10.1215          intro: ImplLeadsto_gen [temp_use] simp: Init_defs)
 10.1216    done
 10.1217  
 10.1218 -lemma S2S3S4S5S6LeadstoS6: "[| sigma |= S2 rmhist p \<leadsto> S3 rmhist p;
 10.1219 -         sigma |= S3 rmhist p \<leadsto> S4 rmhist p | S6 rmhist p;
 10.1220 -         sigma |= S4 rmhist p & ires!p = #NotAResult
 10.1221 +lemma S2S3S4S5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S2 rmhist p \<leadsto> S3 rmhist p;
 10.1222 +         sigma \<Turnstile> S3 rmhist p \<leadsto> S4 rmhist p | S6 rmhist p;
 10.1223 +         sigma \<Turnstile> S4 rmhist p & ires!p = #NotAResult
 10.1224                    \<leadsto> S4 rmhist p & ires!p \<noteq> #NotAResult | S5 rmhist p;
 10.1225 -         sigma |= S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1226 -         sigma |= S5 rmhist p \<leadsto> S6 rmhist p |]
 10.1227 -      ==> sigma |= S2 rmhist p | S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p
 10.1228 +         sigma \<Turnstile> S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1229 +         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
 10.1230 +      \<Longrightarrow> sigma \<Turnstile> S2 rmhist p | S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p
 10.1231                     \<leadsto> S6 rmhist p"
 10.1232    apply (rule LatticeDisjunctionIntro [temp_use])
 10.1233     apply (rule LatticeTransitivity [temp_use])
 10.1234 @@ -1173,14 +1173,14 @@
 10.1235           intro: ImplLeadsto_gen [temp_use] simp: Init_defs)
 10.1236    done
 10.1237  
 10.1238 -lemma NotS1LeadstoS6: "[| sigma |= \<box>ImpInv rmhist p;
 10.1239 -         sigma |= S2 rmhist p \<leadsto> S3 rmhist p;
 10.1240 -         sigma |= S3 rmhist p \<leadsto> S4 rmhist p | S6 rmhist p;
 10.1241 -         sigma |= S4 rmhist p & ires!p = #NotAResult
 10.1242 +lemma NotS1LeadstoS6: "\<lbrakk> sigma \<Turnstile> \<box>ImpInv rmhist p;
 10.1243 +         sigma \<Turnstile> S2 rmhist p \<leadsto> S3 rmhist p;
 10.1244 +         sigma \<Turnstile> S3 rmhist p \<leadsto> S4 rmhist p | S6 rmhist p;
 10.1245 +         sigma \<Turnstile> S4 rmhist p & ires!p = #NotAResult
 10.1246                    \<leadsto> S4 rmhist p & ires!p \<noteq> #NotAResult | S5 rmhist p;
 10.1247 -         sigma |= S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1248 -         sigma |= S5 rmhist p \<leadsto> S6 rmhist p |]
 10.1249 -      ==> sigma |= \<not>S1 rmhist p \<leadsto> S6 rmhist p"
 10.1250 +         sigma \<Turnstile> S4 rmhist p & ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
 10.1251 +         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
 10.1252 +      \<Longrightarrow> sigma \<Turnstile> \<not>S1 rmhist p \<leadsto> S6 rmhist p"
 10.1253    apply (rule S2S3S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
 10.1254         apply assumption+
 10.1255    apply (erule INV_leadsto [temp_use])
 10.1256 @@ -1189,9 +1189,9 @@
 10.1257    apply (auto simp: ImpInv_def Init_defs intro!: necT [temp_use])
 10.1258    done
 10.1259  
 10.1260 -lemma S1Infinite: "[| sigma |= \<not>S1 rmhist p \<leadsto> S6 rmhist p;
 10.1261 -         sigma |= \<box>\<diamond>S6 rmhist p --> \<box>\<diamond>S1 rmhist p |]
 10.1262 -      ==> sigma |= \<box>\<diamond>S1 rmhist p"
 10.1263 +lemma S1Infinite: "\<lbrakk> sigma \<Turnstile> \<not>S1 rmhist p \<leadsto> S6 rmhist p;
 10.1264 +         sigma \<Turnstile> \<box>\<diamond>S6 rmhist p \<longrightarrow> \<box>\<diamond>S1 rmhist p \<rbrakk>
 10.1265 +      \<Longrightarrow> sigma \<Turnstile> \<box>\<diamond>S1 rmhist p"
 10.1266    apply (rule classical)
 10.1267    apply (tactic {* asm_lr_simp_tac (@{context} addsimps
 10.1268      [temp_use @{context} @{thm NotBox}, temp_rewrite @{context} @{thm NotDmd}]) 1 *})
 10.1269 @@ -1204,12 +1204,12 @@
 10.1270     a. memory invariant
 10.1271     b. "implementation invariant": always in states S1,...,S6
 10.1272  *)
 10.1273 -lemma Step1_5_1a: "|- IPImp p --> (\<forall>l. \<box>$MemInv mm l)"
 10.1274 +lemma Step1_5_1a: "\<turnstile> IPImp p \<longrightarrow> (\<forall>l. \<box>$MemInv mm l)"
 10.1275    by (auto simp: IPImp_def box_stp_act [temp_use] intro!: MemoryInvariantAll [temp_use])
 10.1276  
 10.1277 -lemma Step1_5_1b: "|- Init(ImpInit p & HInit rmhist p) & \<box>(ImpNext p)
 10.1278 +lemma Step1_5_1b: "\<turnstile> Init(ImpInit p & HInit rmhist p) & \<box>(ImpNext p)
 10.1279           & \<box>[HNext rmhist p]_(c p, r p, m p, rmhist!p) & \<box>(\<forall>l. $MemInv mm l)
 10.1280 -         --> \<box>ImpInv rmhist p"
 10.1281 +         \<longrightarrow> \<box>ImpInv rmhist p"
 10.1282    apply invariant
 10.1283     apply (auto simp: Init_def ImpInv_def box_stp_act [temp_use]
 10.1284       dest!: Step1_1 [temp_use] dest: S1_successors [temp_use] S2_successors [temp_use]
 10.1285 @@ -1218,25 +1218,25 @@
 10.1286    done
 10.1287  
 10.1288  (*** Initialization ***)
 10.1289 -lemma Step1_5_2a: "|- Init(ImpInit p & HInit rmhist p) --> Init(PInit (resbar rmhist) p)"
 10.1290 +lemma Step1_5_2a: "\<turnstile> Init(ImpInit p & HInit rmhist p) \<longrightarrow> Init(PInit (resbar rmhist) p)"
 10.1291    by (auto simp: Init_def intro!: Step1_1 [temp_use] Step1_3  [temp_use])
 10.1292  
 10.1293  (*** step simulation ***)
 10.1294 -lemma Step1_5_2b: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)
 10.1295 +lemma Step1_5_2b: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)
 10.1296           & $ImpInv rmhist p & (\<forall>l. $MemInv mm l))
 10.1297 -         --> \<box>[UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
 10.1298 +         \<longrightarrow> \<box>[UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
 10.1299    by (auto simp: ImpInv_def elim!: STL4E [temp_use]
 10.1300      dest!: S1safe [temp_use] S2safe [temp_use] S3safe [temp_use] S4safe [temp_use]
 10.1301      S5safe [temp_use] S6safe [temp_use])
 10.1302  
 10.1303  (*** Liveness ***)
 10.1304 -lemma GoodImpl: "|- IPImp p & HistP rmhist p
 10.1305 -         -->   Init(ImpInit p & HInit rmhist p)
 10.1306 +lemma GoodImpl: "\<turnstile> IPImp p & HistP rmhist p
 10.1307 +         \<longrightarrow>   Init(ImpInit p & HInit rmhist p)
 10.1308               & \<box>(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
 10.1309               & \<box>(\<forall>l. $MemInv mm l) & \<box>($ImpInv rmhist p)
 10.1310               & ImpLive p"
 10.1311    apply clarsimp
 10.1312 -    apply (subgoal_tac "sigma |= Init (ImpInit p & HInit rmhist p) & \<box> (ImpNext p) &
 10.1313 +    apply (subgoal_tac "sigma \<Turnstile> Init (ImpInit p & HInit rmhist p) & \<box> (ImpNext p) &
 10.1314        \<box>[HNext rmhist p]_ (c p, r p, m p, rmhist!p) & \<box> (\<forall>l. $MemInv mm l)")
 10.1315     apply (auto simp: split_box_conj [try_rewrite] box_stp_act [try_rewrite]
 10.1316         dest!: Step1_5_1b [temp_use])
 10.1317 @@ -1251,10 +1251,10 @@
 10.1318    done
 10.1319  
 10.1320  (* The implementation is infinitely often in state S1... *)
 10.1321 -lemma Step1_5_3a: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
 10.1322 +lemma Step1_5_3a: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
 10.1323           & \<box>(\<forall>l. $MemInv mm l)
 10.1324           & \<box>($ImpInv rmhist p) & ImpLive p
 10.1325 -         --> \<box>\<diamond>S1 rmhist p"
 10.1326 +         \<longrightarrow> \<box>\<diamond>S1 rmhist p"
 10.1327    apply (clarsimp simp: ImpLive_def)
 10.1328    apply (rule S1Infinite)
 10.1329     apply (force simp: split_box_conj [try_rewrite] box_stp_act [try_rewrite]
 10.1330 @@ -1264,18 +1264,18 @@
 10.1331    done
 10.1332  
 10.1333  (* ... and therefore satisfies the fairness requirements of the specification *)
 10.1334 -lemma Step1_5_3b: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
 10.1335 +lemma Step1_5_3b: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
 10.1336           & \<box>(\<forall>l. $MemInv mm l) & \<box>($ImpInv rmhist p) & ImpLive p
 10.1337 -         --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
 10.1338 +         \<longrightarrow> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
 10.1339    by (auto intro!: RNext_fair [temp_use] Step1_5_3a [temp_use])
 10.1340  
 10.1341 -lemma Step1_5_3c: "|- \<box>(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
 10.1342 +lemma Step1_5_3c: "\<turnstile> \<box>(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
 10.1343           & \<box>(\<forall>l. $MemInv mm l) & \<box>($ImpInv rmhist p) & ImpLive p
 10.1344 -         --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
 10.1345 +         \<longrightarrow> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
 10.1346    by (auto intro!: Return_fair [temp_use] Step1_5_3a [temp_use])
 10.1347  
 10.1348  (* QED step of step 1 *)
 10.1349 -lemma Step1: "|- IPImp p & HistP rmhist p --> UPSpec memCh mm (resbar rmhist) p"
 10.1350 +lemma Step1: "\<turnstile> IPImp p & HistP rmhist p --> UPSpec memCh mm (resbar rmhist) p"
 10.1351    by (auto simp: UPSpec_def split_box_conj [temp_use]
 10.1352      dest!: GoodImpl [temp_use] intro!: Step1_5_2a [temp_use] Step1_5_2b [temp_use]
 10.1353      Step1_5_3b [temp_use] Step1_5_3c [temp_use])
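Review bot: The new `Step1` statement still carries the ASCII implication, `lemma Step1: "\<turnstile> IPImp p & HistP rmhist p --> UPSpec memCh mm (resbar rmhist) p"`, while the turnstile on the same line and every other lemma in this hunk (Step1_5_3b, Step1_5_3c) and the neighbouring hunks were switched to `\<longrightarrow>`. The commit treats the two spellings as interchangeable everywhere else, so this looks like an oversight in the sweep rather than a logical change, but it leaves the summary theorem of step 1 in a mixed notation. Suggest `lemma Step1: "\<turnstile> IPImp p & HistP rmhist p \<longrightarrow> UPSpec memCh mm (resbar rmhist) p"` for consistency with the rest of the file.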
 10.1354 @@ -1283,10 +1283,10 @@
 10.1355  (* ------------------------------ Step 2 ------------------------------ *)
 10.1356  section "Step 2"
 10.1357  
 10.1358 -lemma Step2_2a: "|- Write rmCh mm ires p l & ImpNext p
 10.1359 +lemma Step2_2a: "\<turnstile> Write rmCh mm ires p l & ImpNext p
 10.1360           & [HNext rmhist p]_(c p, r p, m p, rmhist!p)
 10.1361           & $ImpInv rmhist p
 10.1362 -         --> (S4 rmhist p)$ & unchanged (e p, c p, r p, rmhist!p)"
 10.1363 +         \<longrightarrow> (S4 rmhist p)$ & unchanged (e p, c p, r p, rmhist!p)"
 10.1364    apply clarsimp
 10.1365    apply (drule WriteS4 [action_use])
 10.1366     apply assumption
 10.1367 @@ -1296,26 +1296,26 @@
 10.1368       apply (auto simp: square_def dest: S4Write [temp_use])
 10.1369    done
 10.1370  
 10.1371 -lemma Step2_2: "|-   (\<forall>p. ImpNext p)
 10.1372 +lemma Step2_2: "\<turnstile>   (\<forall>p. ImpNext p)
 10.1373           & (\<forall>p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
 10.1374           & (\<forall>p. $ImpInv rmhist p)
 10.1375           & [\<exists>q. Write rmCh mm ires q l]_(mm!l)
 10.1376 -         --> [\<exists>q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
 10.1377 +         \<longrightarrow> [\<exists>q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
 10.1378    apply (auto intro!: squareCI elim!: squareE)
 10.1379    apply (assumption | rule exI Step1_4_4b [action_use])+
 10.1380      apply (force intro!: WriteS4 [temp_use])
 10.1381     apply (auto dest!: Step2_2a [temp_use])
 10.1382    done
 10.1383  
 10.1384 -lemma Step2_lemma: "|- \<box>(  (\<forall>p. ImpNext p)
 10.1385 +lemma Step2_lemma: "\<turnstile> \<box>(  (\<forall>p. ImpNext p)
 10.1386              & (\<forall>p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
 10.1387              & (\<forall>p. $ImpInv rmhist p)
 10.1388              & [\<exists>q. Write rmCh mm ires q l]_(mm!l))
 10.1389 -         --> \<box>[\<exists>q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
 10.1390 +         \<longrightarrow> \<box>[\<exists>q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
 10.1391    by (force elim!: STL4E [temp_use] dest!: Step2_2 [temp_use])
 10.1392  
 10.1393 -lemma Step2: "|- #l : #MemLoc & (\<forall>p. IPImp p & HistP rmhist p)
 10.1394 -         --> MSpec memCh mm (resbar rmhist) l"
 10.1395 +lemma Step2: "\<turnstile> #l : #MemLoc & (\<forall>p. IPImp p & HistP rmhist p)
 10.1396 +         \<longrightarrow> MSpec memCh mm (resbar rmhist) l"
 10.1397    apply (auto simp: MSpec_def)
 10.1398     apply (force simp: IPImp_def MSpec_def)
 10.1399    apply (auto intro!: Step2_lemma [temp_use] simp: split_box_conj [temp_use] all_box [temp_use])
 10.1400 @@ -1334,12 +1334,12 @@
 10.1401  (* Implementation of internal specification by combination of implementation
 10.1402     and history variable with explicit refinement mapping
 10.1403  *)
 10.1404 -lemma Impl_IUSpec: "|- Implementation & Hist rmhist --> IUSpec memCh mm (resbar rmhist)"
 10.1405 +lemma Impl_IUSpec: "\<turnstile> Implementation & Hist rmhist \<longrightarrow> IUSpec memCh mm (resbar rmhist)"
 10.1406    by (auto simp: IUSpec_def Implementation_def IPImp_def MClkISpec_def
 10.1407      RPCISpec_def IRSpec_def Hist_def intro!: Step1 [temp_use] Step2 [temp_use])
 10.1408  
 10.1409  (* The main theorem: introduce hiding and eliminate history variable. *)
 10.1410 -lemma Implementation: "|- Implementation --> USpec memCh"
 10.1411 +lemma Implementation: "\<turnstile> Implementation \<longrightarrow> USpec memCh"
 10.1412    apply clarsimp
 10.1413    apply (frule History [temp_use])
 10.1414    apply (auto simp: USpec_def intro: eexI [temp_use] Impl_IUSpec [temp_use]
    11.1 --- a/src/HOL/TLA/Memory/MemoryParameters.thy	Fri Jun 26 11:44:22 2015 +0200
    11.2 +++ b/src/HOL/TLA/Memory/MemoryParameters.thy	Fri Jun 26 14:53:15 2015 +0200
    11.3 @@ -40,7 +40,7 @@
    11.4    NotAResultNotOK NotAResultNotBA NotAResultNotMF
    11.5    NotAResultNotOK [symmetric] NotAResultNotBA [symmetric] NotAResultNotMF [symmetric]
    11.6  
    11.7 -lemma MemValNotAResultE: "[| x : MemVal; (x \<noteq> NotAResult ==> P) |] ==> P"
    11.8 +lemma MemValNotAResultE: "\<lbrakk> x \<in> MemVal; (x \<noteq> NotAResult \<Longrightarrow> P) \<rbrakk> \<Longrightarrow> P"
    11.9    using NotAResultNotVal by blast
   11.10  
   11.11  end
    12.1 --- a/src/HOL/TLA/Memory/ProcedureInterface.thy	Fri Jun 26 11:44:22 2015 +0200
    12.2 +++ b/src/HOL/TLA/Memory/ProcedureInterface.thy	Fri Jun 26 14:53:15 2015 +0200
    12.3 @@ -14,40 +14,40 @@
    12.4       rather than a single array-valued variable because the
    12.5       notation gets a little simpler.
    12.6    *)
    12.7 -type_synonym ('a,'r) channel =" (PrIds => ('a,'r) chan) stfun"
    12.8 +type_synonym ('a,'r) channel =" (PrIds \<Rightarrow> ('a,'r) chan) stfun"
    12.9  
   12.10  consts
   12.11    (* data-level functions *)
   12.12 -  cbit          :: "('a,'r) chan => bit"
   12.13 -  rbit          :: "('a,'r) chan => bit"
   12.14 -  arg           :: "('a,'r) chan => 'a"
   12.15 -  res           :: "('a,'r) chan => 'r"
   12.16 +  cbit          :: "('a,'r) chan \<Rightarrow> bit"
   12.17 +  rbit          :: "('a,'r) chan \<Rightarrow> bit"
   12.18 +  arg           :: "('a,'r) chan \<Rightarrow> 'a"
   12.19 +  res           :: "('a,'r) chan \<Rightarrow> 'r"
   12.20  
   12.21    (* state functions *)
   12.22 -  caller        :: "('a,'r) channel => (PrIds => (bit * 'a)) stfun"
   12.23 -  rtrner        :: "('a,'r) channel => (PrIds => (bit * 'r)) stfun"
   12.24 +  caller        :: "('a,'r) channel \<Rightarrow> (PrIds \<Rightarrow> (bit * 'a)) stfun"
   12.25 +  rtrner        :: "('a,'r) channel \<Rightarrow> (PrIds \<Rightarrow> (bit * 'r)) stfun"
   12.26  
   12.27    (* state predicates *)
   12.28 -  Calling   :: "('a,'r) channel => PrIds => stpred"
   12.29 +  Calling   :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> stpred"
   12.30  
   12.31    (* actions *)
   12.32 -  ACall      :: "('a,'r) channel => PrIds => 'a stfun => action"
   12.33 -  AReturn    :: "('a,'r) channel => PrIds => 'r stfun => action"
   12.34 +  ACall      :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> 'a stfun \<Rightarrow> action"
   12.35 +  AReturn    :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> 'r stfun \<Rightarrow> action"
   12.36  
   12.37    (* temporal formulas *)
   12.38 -  PLegalCaller      :: "('a,'r) channel => PrIds => temporal"
   12.39 -  LegalCaller       :: "('a,'r) channel => temporal"
   12.40 -  PLegalReturner    :: "('a,'r) channel => PrIds => temporal"
   12.41 -  LegalReturner     :: "('a,'r) channel => temporal"
   12.42 +  PLegalCaller      :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> temporal"
   12.43 +  LegalCaller       :: "('a,'r) channel \<Rightarrow> temporal"
   12.44 +  PLegalReturner    :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> temporal"
   12.45 +  LegalReturner     :: "('a,'r) channel \<Rightarrow> temporal"
   12.46  
   12.47    (* slice through array-valued state function *)
   12.48 -  slice        :: "('a => 'b) stfun => 'a => 'b stfun"
   12.49 +  slice        :: "('a \<Rightarrow> 'b) stfun \<Rightarrow> 'a \<Rightarrow> 'b stfun"
   12.50  
   12.51  syntax
   12.52 -  "_slice"    :: "[lift, 'a] => lift"      ("(_!_)" [70,70] 70)
   12.53 +  "_slice"    :: "[lift, 'a] \<Rightarrow> lift"      ("(_!_)" [70,70] 70)
   12.54  
   12.55 -  "_Call"     :: "['a, 'b, lift] => lift"    ("(Call _ _ _)" [90,90,90] 90)
   12.56 -  "_Return"   :: "['a, 'b, lift] => lift"    ("(Return _ _ _)" [90,90,90] 90)
   12.57 +  "_Call"     :: "['a, 'b, lift] \<Rightarrow> lift"    ("(Call _ _ _)" [90,90,90] 90)
   12.58 +  "_Return"   :: "['a, 'b, lift] \<Rightarrow> lift"    ("(Return _ _ _)" [90,90,90] 90)
   12.59  
   12.60  translations
   12.61    "_slice"  ==  "CONST slice"
   12.62 @@ -82,10 +82,10 @@
   12.63    PLegalCaller_def LegalCaller_def PLegalReturner_def LegalReturner_def
   12.64  
   12.65  (* Calls and returns change their subchannel *)
   12.66 -lemma Call_changed: "|- Call ch p v --> <Call ch p v>_((caller ch)!p)"
   12.67 +lemma Call_changed: "\<turnstile> Call ch p v \<longrightarrow> <Call ch p v>_((caller ch)!p)"
   12.68    by (auto simp: angle_def Call_def caller_def Calling_def)
   12.69  
   12.70 -lemma Return_changed: "|- Return ch p v --> <Return ch p v>_((rtrner ch)!p)"
   12.71 +lemma Return_changed: "\<turnstile> Return ch p v \<longrightarrow> <Return ch p v>_((rtrner ch)!p)"
   12.72    by (auto simp: angle_def Return_def rtrner_def Calling_def)
   12.73  
   12.74  end
    13.1 --- a/src/HOL/TLA/Memory/RPC.thy	Fri Jun 26 11:44:22 2015 +0200
    13.2 +++ b/src/HOL/TLA/Memory/RPC.thy	Fri Jun 26 14:53:15 2015 +0200
    13.3 @@ -10,22 +10,22 @@
    13.4  
    13.5  type_synonym rpcSndChType = "(rpcOp,Vals) channel"
    13.6  type_synonym rpcRcvChType = "memChType"
    13.7 -type_synonym rpcStType = "(PrIds => rpcState) stfun"
    13.8 +type_synonym rpcStType = "(PrIds \<Rightarrow> rpcState) stfun"
    13.9  
   13.10  consts
   13.11    (* state predicates *)
   13.12 -  RPCInit      :: "rpcRcvChType => rpcStType => PrIds => stpred"
   13.13 +  RPCInit      :: "rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> stpred"
   13.14  
   13.15    (* actions *)
   13.16 -  RPCFwd     :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
   13.17 -  RPCReject  :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
   13.18 -  RPCFail    :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
   13.19 -  RPCReply   :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
   13.20 -  RPCNext    :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
   13.21 +  RPCFwd     :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
   13.22 +  RPCReject  :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
   13.23 +  RPCFail    :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
   13.24 +  RPCReply   :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
   13.25 +  RPCNext    :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
   13.26  
   13.27    (* temporal *)
   13.28 -  RPCIPSpec   :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => temporal"
   13.29 -  RPCISpec   :: "rpcSndChType => rpcRcvChType => rpcStType => temporal"
   13.30 +  RPCIPSpec   :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> temporal"
   13.31 +  RPCISpec   :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> temporal"
   13.32  
   13.33  defs
   13.34    RPCInit_def:       "RPCInit rcv rst p == PRED ((rst!p = #rpcA) & \<not>Calling rcv p)"
   13.35 @@ -81,31 +81,31 @@
   13.36     unanswered call for that process.
   13.37  *)
   13.38  
   13.39 -lemma RPCidle: "|- \<not>$(Calling send p) --> \<not>RPCNext send rcv rst p"
   13.40 +lemma RPCidle: "\<turnstile> \<not>$(Calling send p) \<longrightarrow> \<not>RPCNext send rcv rst p"
   13.41    by (auto simp: Return_def RPC_action_defs)
   13.42  
   13.43 -lemma RPCbusy: "|- $(Calling rcv p) & $(rst!p) = #rpcB --> \<not>RPCNext send rcv rst p"
   13.44 +lemma RPCbusy: "\<turnstile> $(Calling rcv p) & $(rst!p) = #rpcB \<longrightarrow> \<not>RPCNext send rcv rst p"
   13.45    by (auto simp: RPC_action_defs)
   13.46  
   13.47  (* RPC failure actions are visible. *)
   13.48 -lemma RPCFail_vis: "|- RPCFail send rcv rst p -->  
   13.49 +lemma RPCFail_vis: "\<turnstile> RPCFail send rcv rst p \<longrightarrow>  
   13.50      <RPCNext send rcv rst p>_(rst!p, rtrner send!p, caller rcv!p)"
   13.51    by (auto dest!: Return_changed [temp_use] simp: angle_def RPCNext_def RPCFail_def)
   13.52  
   13.53 -lemma RPCFail_Next_enabled: "|- Enabled (RPCFail send rcv rst p) -->  
   13.54 +lemma RPCFail_Next_enabled: "\<turnstile> Enabled (RPCFail send rcv rst p) \<longrightarrow>  
   13.55      Enabled (<RPCNext send rcv rst p>_(rst!p, rtrner send!p, caller rcv!p))"
   13.56    by (force elim!: enabled_mono [temp_use] RPCFail_vis [temp_use])
   13.57  
   13.58  (* Enabledness of some actions *)
   13.59 -lemma RPCFail_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, rst!p) ==>  
   13.60 -    |- \<not>Calling rcv p & Calling send p --> Enabled (RPCFail send rcv rst p)"
   13.61 +lemma RPCFail_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, rst!p) \<Longrightarrow>  
   13.62 +    \<turnstile> \<not>Calling rcv p & Calling send p \<longrightarrow> Enabled (RPCFail send rcv rst p)"
   13.63    by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCFail_def},
   13.64      @{thm Return_def}, @{thm caller_def}, @{thm rtrner_def}]) [exI]
   13.65      [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
   13.66  
   13.67 -lemma RPCReply_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, rst!p) ==>  
   13.68 -      |- \<not>Calling rcv p & Calling send p & rst!p = #rpcB  
   13.69 -         --> Enabled (RPCReply send rcv rst p)"
   13.70 +lemma RPCReply_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, rst!p) \<Longrightarrow>  
   13.71 +      \<turnstile> \<not>Calling rcv p & Calling send p & rst!p = #rpcB  
   13.72 +         \<longrightarrow> Enabled (RPCReply send rcv rst p)"
   13.73    by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCReply_def},
   13.74      @{thm Return_def}, @{thm caller_def}, @{thm rtrner_def}]) [exI]
   13.75      [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
    14.1 --- a/src/HOL/TLA/Memory/RPCParameters.thy	Fri Jun 26 11:44:22 2015 +0200
    14.2 +++ b/src/HOL/TLA/Memory/RPCParameters.thy	Fri Jun 26 14:53:15 2015 +0200
    14.3 @@ -25,8 +25,8 @@
    14.4       is legal for the receiver (i.e., the memory). This can now be a little
    14.5       simpler than for the generic RPC component. RelayArg returns an arbitrary
    14.6       memory call for illegal arguments. *)
    14.7 -  IsLegalRcvArg  :: "rpcOp => bool"
    14.8 -  RPCRelayArg    :: "rpcOp => memOp"
    14.9 +  IsLegalRcvArg  :: "rpcOp \<Rightarrow> bool"
   14.10 +  RPCRelayArg    :: "rpcOp \<Rightarrow> memOp"
   14.11  
   14.12  axiomatization where
   14.13    (* RPCFailure is different from MemVals and exceptions *)
   14.14 @@ -37,11 +37,11 @@
   14.15  
   14.16  defs
   14.17    IsLegalRcvArg_def: "IsLegalRcvArg ra ==
   14.18 -                         case ra of (memcall m) => True
   14.19 -                                  | (othercall v) => False"
   14.20 +                         case ra of (memcall m) \<Rightarrow> True
   14.21 +                                  | (othercall v) \<Rightarrow> False"
   14.22    RPCRelayArg_def:   "RPCRelayArg ra ==
   14.23 -                         case ra of (memcall m) => m
   14.24 -                                  | (othercall v) => undefined"
   14.25 +                         case ra of (memcall m) \<Rightarrow> m
   14.26 +                                  | (othercall v) \<Rightarrow> undefined"
   14.27  
   14.28  lemmas [simp] = RFNoMemVal NotAResultNotRF OKNotRF BANotRF
   14.29    NotAResultNotRF [symmetric] OKNotRF [symmetric] BANotRF [symmetric]
    15.1 --- a/src/HOL/TLA/Stfun.thy	Fri Jun 26 11:44:22 2015 +0200
    15.2 +++ b/src/HOL/TLA/Stfun.thy	Fri Jun 26 14:53:15 2015 +0200
    15.3 @@ -12,7 +12,7 @@
    15.4  typedecl state
    15.5  instance state :: world ..
    15.6  
    15.7 -type_synonym 'a stfun = "state => 'a"
    15.8 +type_synonym 'a stfun = "state \<Rightarrow> 'a"
    15.9  type_synonym stpred  = "bool stfun"
   15.10  
   15.11  
   15.12 @@ -30,14 +30,14 @@
   15.13       identifies (tuples of) "base" state variables in a specification via the
   15.14       "meta predicate" basevars, which is defined here.
   15.15    *)
   15.16 -  stvars    :: "'a stfun => bool"
   15.17 +  stvars    :: "'a stfun \<Rightarrow> bool"
   15.18  
   15.19  syntax
   15.20 -  "_PRED"   :: "lift => 'a"                          ("PRED _")
   15.21 -  "_stvars" :: "lift => bool"                        ("basevars _")
   15.22 +  "_PRED"   :: "lift \<Rightarrow> 'a"                          ("PRED _")
   15.23 +  "_stvars" :: "lift \<Rightarrow> bool"                        ("basevars _")
   15.24  
   15.25  translations
   15.26 -  "PRED P"   =>  "(P::state => _)"
   15.27 +  "PRED P"   =>  "(P::state \<Rightarrow> _)"
   15.28    "_stvars"  ==  "CONST stvars"
   15.29  
   15.30  defs
   15.31 @@ -50,13 +50,13 @@
   15.32    basevars_def:  "stvars vs == range vs = UNIV"
   15.33  
   15.34  
   15.35 -lemma basevars: "\<And>vs. basevars vs ==> \<exists>u. vs u = c"
   15.36 +lemma basevars: "\<And>vs. basevars vs \<Longrightarrow> \<exists>u. vs u = c"
   15.37    apply (unfold basevars_def)
   15.38    apply (rule_tac b = c and f = vs in rangeE)
   15.39     apply auto
   15.40    done
   15.41  
   15.42 -lemma base_pair1: "\<And>x y. basevars (x,y) ==> basevars x"
   15.43 +lemma base_pair1: "\<And>x y. basevars (x,y) \<Longrightarrow> basevars x"
   15.44    apply (simp (no_asm) add: basevars_def)
   15.45    apply (rule equalityI)
   15.46     apply (rule subset_UNIV)
   15.47 @@ -65,7 +65,7 @@
   15.48    apply auto
   15.49    done
   15.50  
   15.51 -lemma base_pair2: "\<And>x y. basevars (x,y) ==> basevars y"
   15.52 +lemma base_pair2: "\<And>x y. basevars (x,y) \<Longrightarrow> basevars y"
   15.53    apply (simp (no_asm) add: basevars_def)
   15.54    apply (rule equalityI)
   15.55     apply (rule subset_UNIV)
   15.56 @@ -74,7 +74,7 @@
   15.57    apply auto
   15.58    done
   15.59  
   15.60 -lemma base_pair: "\<And>x y. basevars (x,y) ==> basevars x & basevars y"
   15.61 +lemma base_pair: "\<And>x y. basevars (x,y) \<Longrightarrow> basevars x & basevars y"
   15.62    apply (rule conjI)
   15.63    apply (erule base_pair1)
   15.64    apply (erule base_pair2)
   15.65 @@ -89,7 +89,7 @@
   15.66    apply auto
   15.67    done
   15.68  
   15.69 -lemma baseE: "[| basevars v; \<And>x. v x = c ==> Q |] ==> Q"
   15.70 +lemma baseE: "\<lbrakk> basevars v; \<And>x. v x = c \<Longrightarrow> Q \<rbrakk> \<Longrightarrow> Q"
   15.71    apply (erule basevars [THEN exE])
   15.72    apply blast
   15.73    done
   15.74 @@ -99,7 +99,7 @@
   15.75     The following shows that there should not be duplicates in a "stvars" tuple:
   15.76  *)
   15.77  
   15.78 -lemma "\<And>v. basevars (v::bool stfun, v) ==> False"
   15.79 +lemma "\<And>v. basevars (v::bool stfun, v) \<Longrightarrow> False"
   15.80    apply (erule baseE)
   15.81    apply (subgoal_tac "(LIFT (v,v)) x = (True, False)")
   15.82     prefer 2
    16.1 --- a/src/HOL/TLA/TLA.thy	Fri Jun 26 11:44:22 2015 +0200
    16.2 +++ b/src/HOL/TLA/TLA.thy	Fri Jun 26 14:53:15 2015 +0200
    16.3 @@ -11,28 +11,28 @@
    16.4  
    16.5  consts
    16.6    (** abstract syntax **)
    16.7 -  Box        :: "('w::world) form => temporal"
    16.8 -  Dmd        :: "('w::world) form => temporal"
    16.9 -  leadsto    :: "['w::world form, 'v::world form] => temporal"
   16.10 -  Stable     :: "stpred => temporal"
   16.11 -  WF         :: "[action, 'a stfun] => temporal"
   16.12 -  SF         :: "[action, 'a stfun] => temporal"
   16.13 +  Box        :: "('w::world) form \<Rightarrow> temporal"
   16.14 +  Dmd        :: "('w::world) form \<Rightarrow> temporal"
   16.15 +  leadsto    :: "['w::world form, 'v::world form] \<Rightarrow> temporal"
   16.16 +  Stable     :: "stpred \<Rightarrow> temporal"
   16.17 +  WF         :: "[action, 'a stfun] \<Rightarrow> temporal"
   16.18 +  SF         :: "[action, 'a stfun] \<Rightarrow> temporal"
   16.19  
   16.20    (* Quantification over (flexible) state variables *)
   16.21 -  EEx        :: "('a stfun => temporal) => temporal"       (binder "Eex " 10)
   16.22 -  AAll       :: "('a stfun => temporal) => temporal"       (binder "Aall " 10)
   16.23 +  EEx        :: "('a stfun \<Rightarrow> temporal) \<Rightarrow> temporal"       (binder "Eex " 10)
   16.24 +  AAll       :: "('a stfun \<Rightarrow> temporal) \<Rightarrow> temporal"       (binder "Aall " 10)
   16.25  
   16.26    (** concrete syntax **)
   16.27  syntax
   16.28 -  "_Box"     :: "lift => lift"                        ("([]_)" [40] 40)
   16.29 -  "_Dmd"     :: "lift => lift"                        ("(<>_)" [40] 40)
   16.30 -  "_leadsto" :: "[lift,lift] => lift"                 ("(_ ~> _)" [23,22] 22)
   16.31 -  "_stable"  :: "lift => lift"                        ("(stable/ _)")
   16.32 -  "_WF"      :: "[lift,lift] => lift"                 ("(WF'(_')'_(_))" [0,60] 55)
   16.33 -  "_SF"      :: "[lift,lift] => lift"                 ("(SF'(_')'_(_))" [0,60] 55)
   16.34 +  "_Box"     :: "lift \<Rightarrow> lift"                        ("([]_)" [40] 40)
   16.35 +  "_Dmd"     :: "lift \<Rightarrow> lift"                        ("(<>_)" [40] 40)
   16.36 +  "_leadsto" :: "[lift,lift] \<Rightarrow> lift"                 ("(_ ~> _)" [23,22] 22)
   16.37 +  "_stable"  :: "lift \<Rightarrow> lift"                        ("(stable/ _)")
   16.38 +  "_WF"      :: "[lift,lift] \<Rightarrow> lift"                 ("(WF'(_')'_(_))" [0,60] 55)
   16.39 +  "_SF"      :: "[lift,lift] \<Rightarrow> lift"                 ("(SF'(_')'_(_))" [0,60] 55)
   16.40  
   16.41 -  "_EEx"     :: "[idts, lift] => lift"                ("(3EEX _./ _)" [0,10] 10)
   16.42 -  "_AAll"    :: "[idts, lift] => lift"                ("(3AALL _./ _)" [0,10] 10)
   16.43 +  "_EEx"     :: "[idts, lift] \<Rightarrow> lift"                ("(3EEX _./ _)" [0,10] 10)
   16.44 +  "_AAll"    :: "[idts, lift] \<Rightarrow> lift"                ("(3AALL _./ _)" [0,10] 10)
   16.45  
   16.46  translations
   16.47    "_Box"      ==   "CONST Box"
   16.48 @@ -54,11 +54,11 @@
   16.49    "sigma |= AALL x. F"    <= "_AAll x F sigma"
   16.50  
   16.51  syntax (xsymbols)
   16.52 -  "_Box"     :: "lift => lift"                        ("(\<box>_)" [40] 40)
   16.53 -  "_Dmd"     :: "lift => lift"                        ("(\<diamond>_)" [40] 40)
   16.54 -  "_leadsto" :: "[lift,lift] => lift"                 ("(_ \<leadsto> _)" [23,22] 22)
   16.55 -  "_EEx"     :: "[idts, lift] => lift"                ("(3\<exists>\<exists> _./ _)" [0,10] 10)
   16.56 -  "_AAll"    :: "[idts, lift] => lift"                ("(3\<forall>\<forall> _./ _)" [0,10] 10)
   16.57 +  "_Box"     :: "lift \<Rightarrow> lift"                        ("(\<box>_)" [40] 40)
   16.58 +  "_Dmd"     :: "lift \<Rightarrow> lift"                        ("(\<diamond>_)" [40] 40)
   16.59 +  "_leadsto" :: "[lift,lift] \<Rightarrow> lift"                 ("(_ \<leadsto> _)" [23,22] 22)
   16.60 +  "_EEx"     :: "[idts, lift] \<Rightarrow> lift"                ("(3\<exists>\<exists> _./ _)" [0,10] 10)
   16.61 +  "_AAll"    :: "[idts, lift] \<Rightarrow> lift"                ("(3\<forall>\<forall> _./ _)" [0,10] 10)
   16.62  
   16.63  axiomatization where
   16.64    (* Definitions of derived operators *)
   16.65 @@ -66,44 +66,44 @@
   16.66  
   16.67  axiomatization where
   16.68    boxInit:      "\<And>F. TEMP \<box>F  ==  TEMP \<box>Init F" and
   16.69 -  leadsto_def:  "\<And>F G. TEMP F \<leadsto> G  ==  TEMP \<box>(Init F --> \<diamond>G)" and
   16.70 -  stable_def:   "\<And>P. TEMP stable P  ==  TEMP \<box>($P --> P$)" and
   16.71 -  WF_def:       "TEMP WF(A)_v  ==  TEMP \<diamond>\<box> Enabled(<A>_v) --> \<box>\<diamond><A>_v" and
   16.72 -  SF_def:       "TEMP SF(A)_v  ==  TEMP \<box>\<diamond> Enabled(<A>_v) --> \<box>\<diamond><A>_v" and
   16.73 +  leadsto_def:  "\<And>F G. TEMP F \<leadsto> G  ==  TEMP \<box>(Init F \<longrightarrow> \<diamond>G)" and
   16.74 +  stable_def:   "\<And>P. TEMP stable P  ==  TEMP \<box>($P \<longrightarrow> P$)" and
   16.75 +  WF_def:       "TEMP WF(A)_v  ==  TEMP \<diamond>\<box> Enabled(<A>_v) \<longrightarrow> \<box>\<diamond><A>_v" and
   16.76 +  SF_def:       "TEMP SF(A)_v  ==  TEMP \<box>\<diamond> Enabled(<A>_v) \<longrightarrow> \<box>\<diamond><A>_v" and
   16.77    aall_def:     "TEMP (\<forall>\<forall>x. F x)  ==  TEMP \<not> (\<exists>\<exists>x. \<not> F x)"
   16.78  
   16.79  axiomatization where
   16.80  (* Base axioms for raw TLA. *)
   16.81 -  normalT:    "\<And>F G. |- \<box>(F --> G) --> (\<box>F --> \<box>G)" and    (* polymorphic *)
   16.82 -  reflT:      "\<And>F. |- \<box>F --> F" and         (* F::temporal *)
   16.83 -  transT:     "\<And>F. |- \<box>F --> \<box>\<box>F" and     (* polymorphic *)
   16.84 -  linT:       "\<And>F G. |- \<diamond>F & \<diamond>G --> (\<diamond>(F & \<diamond>G)) | (\<diamond>(G & \<diamond>F))" and
   16.85 -  discT:      "\<And>F. |- \<box>(F --> \<diamond>(\<not>F & \<diamond>F)) --> (F --> \<box>\<diamond>F)" and
   16.86 -  primeI:     "\<And>P. |- \<box>P --> Init P`" and
   16.87 -  primeE:     "\<And>P F. |- \<box>(Init P --> \<box>F) --> Init P` --> (F --> \<box>F)" and
   16.88 -  indT:       "\<And>P F. |- \<box>(Init P & \<not>\<box>F --> Init P` & F) --> Init P --> \<box>F" and
   16.89 -  allT:       "\<And>F. |- (\<forall>x. \<box>(F x)) = (\<box>(\<forall> x. F x))"
   16.90 +  normalT:    "\<And>F G. \<turnstile> \<box>(F \<longrightarrow> G) \<longrightarrow> (\<box>F \<longrightarrow> \<box>G)" and    (* polymorphic *)
   16.91 +  reflT:      "\<And>F. \<turnstile> \<box>F \<longrightarrow> F" and         (* F::temporal *)
   16.92 +  transT:     "\<And>F. \<turnstile> \<box>F \<longrightarrow> \<box>\<box>F" and     (* polymorphic *)
   16.93 +  linT:       "\<And>F G. \<turnstile> \<diamond>F & \<diamond>G \<longrightarrow> (\<diamond>(F & \<diamond>G)) | (\<diamond>(G & \<diamond>F))" and
   16.94 +  discT:      "\<And>F. \<turnstile> \<box>(F \<longrightarrow> \<diamond>(\<not>F & \<diamond>F)) \<longrightarrow> (F \<longrightarrow> \<box>\<diamond>F)" and
   16.95 +  primeI:     "\<And>P. \<turnstile> \<box>P \<longrightarrow> Init P`" and
   16.96 +  primeE:     "\<And>P F. \<turnstile> \<box>(Init P \<longrightarrow> \<box>F) \<longrightarrow> Init P` \<longrightarrow> (F \<longrightarrow> \<box>F)" and
   16.97 +  indT:       "\<And>P F. \<turnstile> \<box>(Init P & \<not>\<box>F \<longrightarrow> Init P` & F) \<longrightarrow> Init P \<longrightarrow> \<box>F" and
   16.98 +  allT:       "\<And>F. \<turnstile> (\<forall>x. \<box>(F x)) = (\<box>(\<forall> x. F x))"
   16.99  
  16.100  axiomatization where
  16.101 -  necT:       "\<And>F. |- F ==> |- \<box>F"      (* polymorphic *)
  16.102 +  necT:       "\<And>F. \<turnstile> F \<Longrightarrow> \<turnstile> \<box>F"      (* polymorphic *)
  16.103  
  16.104  axiomatization where
  16.105  (* Flexible quantification: refinement mappings, history variables *)
  16.106 -  eexI:       "|- F x --> (\<exists>\<exists>x. F x)" and
  16.107 -  eexE:       "[| sigma |= (\<exists>\<exists>x. F x); basevars vs;
  16.108 -                 (\<And>x. [| basevars (x, vs); sigma |= F x |] ==> (G sigma)::bool)
  16.109 -              |] ==> G sigma" and
  16.110 -  history:    "|- \<exists>\<exists>h. Init(h = ha) & \<box>(\<forall>x. $h = #x --> h` = hb x)"
  16.111 +  eexI:       "\<turnstile> F x \<longrightarrow> (\<exists>\<exists>x. F x)" and
  16.112 +  eexE:       "\<lbrakk> sigma \<Turnstile> (\<exists>\<exists>x. F x); basevars vs;
  16.113 +                 (\<And>x. \<lbrakk> basevars (x, vs); sigma \<Turnstile> F x \<rbrakk> \<Longrightarrow> (G sigma)::bool)
  16.114 +              \<rbrakk> \<Longrightarrow> G sigma" and
  16.115 +  history:    "\<turnstile> \<exists>\<exists>h. Init(h = ha) & \<box>(\<forall>x. $h = #x \<longrightarrow> h` = hb x)"
  16.116  
  16.117  
  16.118  (* Specialize intensional introduction/elimination rules for temporal formulas *)
  16.119  
  16.120 -lemma tempI [intro!]: "(\<And>sigma. sigma |= (F::temporal)) ==> |- F"
  16.121 +lemma tempI [intro!]: "(\<And>sigma. sigma \<Turnstile> (F::temporal)) \<Longrightarrow> \<turnstile> F"
  16.122    apply (rule intI)
  16.123    apply (erule meta_spec)
  16.124    done
  16.125  
  16.126 -lemma tempD [dest]: "|- (F::temporal) ==> sigma |= F"
  16.127 +lemma tempD [dest]: "\<turnstile> (F::temporal) \<Longrightarrow> sigma \<Turnstile> F"
  16.128    by (erule intD)
  16.129  
  16.130  
  16.131 @@ -118,7 +118,7 @@
  16.132    (rewrite_rule ctxt @{thms action_rews} (th RS @{thm tempD}))
  16.133      handle THM _ => action_unlift ctxt th;
  16.134  
  16.135 -(* Turn  |- F = G  into meta-level rewrite rule  F == G *)
  16.136 +(* Turn  \<turnstile> F = G  into meta-level rewrite rule  F == G *)
  16.137  val temp_rewrite = int_rewrite
  16.138  
  16.139  fun temp_use ctxt th =
  16.140 @@ -176,21 +176,21 @@
  16.141  lemmas STL2 = reflT
  16.142  
  16.143  (* The "polymorphic" (generic) variant *)
  16.144 -lemma STL2_gen: "|- \<box>F --> Init F"
  16.145 +lemma STL2_gen: "\<turnstile> \<box>F \<longrightarrow> Init F"
  16.146    apply (unfold boxInit [of F])
  16.147    apply (rule STL2)
  16.148    done
  16.149  
  16.150 -(* see also STL2_pr below: "|- \<box>P --> Init P & Init (P`)" *)
  16.151 +(* see also STL2_pr below: "\<turnstile> \<box>P \<longrightarrow> Init P & Init (P`)" *)
  16.152  
  16.153  
  16.154  (* Dual versions for \<diamond> *)
  16.155 -lemma InitDmd: "|- F --> \<diamond> F"
  16.156 +lemma InitDmd: "\<turnstile> F \<longrightarrow> \<diamond> F"
  16.157    apply (unfold dmd_def)
  16.158    apply (auto dest!: STL2 [temp_use])
  16.159    done
  16.160  
  16.161 -lemma InitDmd_gen: "|- Init F --> \<diamond>F"
  16.162 +lemma InitDmd_gen: "\<turnstile> Init F \<longrightarrow> \<diamond>F"
  16.163    apply clarsimp
  16.164    apply (drule InitDmd [temp_use])
  16.165    apply (simp add: dmdInitD)
  16.166 @@ -198,17 +198,17 @@
  16.167  
  16.168  
  16.169  (* ------------------------ STL3 ------------------------------------------- *)
  16.170 -lemma STL3: "|- (\<box>\<box>F) = (\<box>F)"
  16.171 +lemma STL3: "\<turnstile> (\<box>\<box>F) = (\<box>F)"
  16.172    by (auto elim: transT [temp_use] STL2 [temp_use])
  16.173  
  16.174  (* corresponding elimination rule introduces double boxes:
  16.175 -   [| (sigma |= \<box>F); (sigma |= \<box>\<box>F) ==> PROP W |] ==> PROP W
  16.176 +   \<lbrakk> (sigma \<Turnstile> \<box>F); (sigma \<Turnstile> \<box>\<box>F) \<Longrightarrow> PROP W \<rbrakk> \<Longrightarrow> PROP W
  16.177  *)
  16.178  lemmas dup_boxE = STL3 [temp_unlift, THEN iffD2, elim_format]
  16.179  lemmas dup_boxD = STL3 [temp_unlift, THEN iffD1]
  16.180  
  16.181  (* dual versions for \<diamond> *)
  16.182 -lemma DmdDmd: "|- (\<diamond>\<diamond>F) = (\<diamond>F)"
  16.183 +lemma DmdDmd: "\<turnstile> (\<diamond>\<diamond>F) = (\<diamond>F)"
  16.184    by (auto simp add: dmd_def [try_rewrite] STL3 [try_rewrite])
  16.185  
  16.186  lemmas dup_dmdE = DmdDmd [temp_unlift, THEN iffD2, elim_format]
  16.187 @@ -217,8 +217,8 @@
  16.188  
  16.189  (* ------------------------ STL4 ------------------------------------------- *)
  16.190  lemma STL4:
  16.191 -  assumes "|- F --> G"
  16.192 -  shows "|- \<box>F --> \<box>G"
  16.193 +  assumes "\<turnstile> F \<longrightarrow> G"
  16.194 +  shows "\<turnstile> \<box>F \<longrightarrow> \<box>G"
  16.195    apply clarsimp
  16.196    apply (rule normalT [temp_use])
  16.197     apply (rule assms [THEN necT, temp_use])
  16.198 @@ -226,15 +226,15 @@
  16.199    done
  16.200  
  16.201  (* Unlifted version as an elimination rule *)
  16.202 -lemma STL4E: "[| sigma |= \<box>F; |- F --> G |] ==> sigma |= \<box>G"
  16.203 +lemma STL4E: "\<lbrakk> sigma \<Turnstile> \<box>F; \<turnstile> F \<longrightarrow> G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>G"
  16.204    by (erule (1) STL4 [temp_use])
  16.205  
  16.206 -lemma STL4_gen: "|- Init F --> Init G ==> |- \<box>F --> \<box>G"
  16.207 +lemma STL4_gen: "\<turnstile> Init F \<longrightarrow> Init G \<Longrightarrow> \<turnstile> \<box>F \<longrightarrow> \<box>G"
  16.208    apply (drule STL4)
  16.209    apply (simp add: boxInitD)
  16.210    done
  16.211  
  16.212 -lemma STL4E_gen: "[| sigma |= \<box>F; |- Init F --> Init G |] ==> sigma |= \<box>G"
  16.213 +lemma STL4E_gen: "\<lbrakk> sigma \<Turnstile> \<box>F; \<turnstile> Init F \<longrightarrow> Init G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>G"
  16.214    by (erule (1) STL4_gen [temp_use])
  16.215  
  16.216  (* see also STL4Edup below, which allows an auxiliary boxed formula:
  16.217 @@ -245,19 +245,19 @@
  16.218  
  16.219  (* The dual versions for \<diamond> *)
  16.220  lemma DmdImpl:
  16.221 -  assumes prem: "|- F --> G"
  16.222 -  shows "|- \<diamond>F --> \<diamond>G"
  16.223 +  assumes prem: "\<turnstile> F \<longrightarrow> G"
  16.224 +  shows "\<turnstile> \<diamond>F \<longrightarrow> \<diamond>G"
  16.225    apply (unfold dmd_def)
  16.226    apply (fastforce intro!: prem [temp_use] elim!: STL4E [temp_use])
  16.227    done
  16.228  
  16.229 -lemma DmdImplE: "[| sigma |= \<diamond>F; |- F --> G |] ==> sigma |= \<diamond>G"
  16.230 +lemma DmdImplE: "\<lbrakk> sigma \<Turnstile> \<diamond>F; \<turnstile> F \<longrightarrow> G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<diamond>G"
  16.231    by (erule (1) DmdImpl [temp_use])
  16.232  
  16.233  (* ------------------------ STL5 ------------------------------------------- *)
  16.234 -lemma STL5: "|- (\<box>F & \<box>G) = (\<box>(F & G))"
  16.235 +lemma STL5: "\<turnstile> (\<box>F & \<box>G) = (\<box>(F & G))"
  16.236    apply auto
  16.237 -  apply (subgoal_tac "sigma |= \<box> (G --> (F & G))")
  16.238 +  apply (subgoal_tac "sigma \<Turnstile> \<box> (G \<longrightarrow> (F & G))")
  16.239       apply (erule normalT [temp_use])
  16.240       apply (fastforce elim!: STL4E [temp_use])+
  16.241    done
  16.242 @@ -271,9 +271,9 @@
  16.243     Use "addSE2" etc. if you want to add this to a claset, otherwise it will loop!
  16.244  *)
  16.245  lemma box_conjE:
  16.246 -  assumes "sigma |= \<box>F"
  16.247 -     and "sigma |= \<box>G"
  16.248 -  and "sigma |= \<box>(F&G) ==> PROP R"
  16.249 +  assumes "sigma \<Turnstile> \<box>F"
  16.250 +     and "sigma \<Turnstile> \<box>G"
  16.251 +  and "sigma \<Turnstile> \<box>(F&G) \<Longrightarrow> PROP R"
  16.252    shows "PROP R"
  16.253    by (rule assms STL5 [temp_unlift, THEN iffD1] conjI)+
  16.254  
  16.255 @@ -288,7 +288,7 @@
  16.256     a bit kludgy in order to simulate "double elim-resolution".
  16.257  *)
  16.258  
  16.259 -lemma box_thin: "[| sigma |= \<box>F; PROP W |] ==> PROP W" .
  16.260 +lemma box_thin: "\<lbrakk> sigma \<Turnstile> \<box>F; PROP W \<rbrakk> \<Longrightarrow> PROP W" .
  16.261  
  16.262  ML {*
  16.263  fun merge_box_tac i =
  16.264 @@ -313,21 +313,21 @@
  16.265  method_setup merge_act_box = {* Scan.succeed (SIMPLE_METHOD' o merge_act_box_tac) *}
  16.266  
  16.267  (* rewrite rule to push universal quantification through box:
  16.268 -      (sigma |= \<box>(\<forall>x. F x)) = (\<forall>x. (sigma |= \<box>F x))
  16.269 +      (sigma \<Turnstile> \<box>(\<forall>x. F x)) = (\<forall>x. (sigma \<Turnstile> \<box>F x))
  16.270  *)
  16.271  lemmas all_box = allT [temp_unlift, symmetric]
  16.272  
  16.273 -lemma DmdOr: "|- (\<diamond>(F | G)) = (\<diamond>F | \<diamond>G)"
  16.274 +lemma DmdOr: "\<turnstile> (\<diamond>(F | G)) = (\<diamond>F | \<diamond>G)"
  16.275    apply (auto simp add: dmd_def split_box_conj [try_rewrite])
  16.276    apply (erule contrapos_np, merge_box, fastforce elim!: STL4E [temp_use])+
  16.277    done
  16.278  
  16.279 -lemma exT: "|- (\<exists>x. \<diamond>(F x)) = (\<diamond>(\<exists>x. F x))"
  16.280 +lemma exT: "\<turnstile> (\<exists>x. \<diamond>(F x)) = (\<diamond>(\<exists>x. F x))"
  16.281    by (auto simp: dmd_def Not_Rex [try_rewrite] all_box [try_rewrite])
  16.282  
  16.283  lemmas ex_dmd = exT [temp_unlift, symmetric]
  16.284  
  16.285 -lemma STL4Edup: "\<And>sigma. [| sigma |= \<box>A; sigma |= \<box>F; |- F & \<box>A --> G |] ==> sigma |= \<box>G"
  16.286 +lemma STL4Edup: "\<And>sigma. \<lbrakk> sigma \<Turnstile> \<box>A; sigma \<Turnstile> \<box>F; \<turnstile> F & \<box>A \<longrightarrow> G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>G"
  16.287    apply (erule dup_boxE)
  16.288    apply merge_box
  16.289    apply (erule STL4E)
  16.290 @@ -335,7 +335,7 @@
  16.291    done
  16.292  
  16.293  lemma DmdImpl2:
  16.294 -    "\<And>sigma. [| sigma |= \<diamond>F; sigma |= \<box>(F --> G) |] ==> sigma |= \<diamond>G"
  16.295 +    "\<And>sigma. \<lbrakk> sigma \<Turnstile> \<diamond>F; sigma \<Turnstile> \<box>(F \<longrightarrow> G) \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<diamond>G"
  16.296    apply (unfold dmd_def)
  16.297    apply auto
  16.298    apply (erule notE)
  16.299 @@ -344,10 +344,10 @@
  16.300    done
  16.301  
  16.302  lemma InfImpl:
  16.303 -  assumes 1: "sigma |= \<box>\<diamond>F"
  16.304 -    and 2: "sigma |= \<box>G"
  16.305 -    and 3: "|- F & G --> H"
  16.306 -  shows "sigma |= \<box>\<diamond>H"
  16.307 +  assumes 1: "sigma \<Turnstile> \<box>\<diamond>F"
  16.308 +    and 2: "sigma \<Turnstile> \<box>G"
  16.309 +    and 3: "\<turnstile> F & G \<longrightarrow> H"
  16.310 +  shows "sigma \<Turnstile> \<box>\<diamond>H"
  16.311    apply (insert 1 2)
  16.312    apply (erule_tac F = G in dup_boxE)
  16.313    apply merge_box
  16.314 @@ -356,7 +356,7 @@
  16.315  
  16.316  (* ------------------------ STL6 ------------------------------------------- *)
  16.317  (* Used in the proof of STL6, but useful in itself. *)
  16.318 -lemma BoxDmd: "|- \<box>F & \<diamond>G --> \<diamond>(\<box>F & G)"
  16.319 +lemma BoxDmd: "\<turnstile> \<box>F & \<diamond>G \<longrightarrow> \<diamond>(\<box>F & G)"
  16.320    apply (unfold dmd_def)
  16.321    apply clarsimp
  16.322    apply (erule dup_boxE)
  16.323 @@ -366,14 +366,14 @@
  16.324    done
  16.325  
  16.326  (* weaker than BoxDmd, but more polymorphic (and often just right) *)
  16.327 -lemma BoxDmd_simple: "|- \<box>F & \<diamond>G --> \<diamond>(F & G)"
  16.328 +lemma BoxDmd_simple: "\<turnstile> \<box>F & \<diamond>G \<longrightarrow> \<diamond>(F & G)"
  16.329    apply (unfold dmd_def)
  16.330    apply clarsimp
  16.331    apply merge_box
  16.332    apply (fastforce elim!: notE STL4E [temp_use])
  16.333    done
  16.334  
  16.335 -lemma BoxDmd2_simple: "|- \<box>F & \<diamond>G --> \<diamond>(G & F)"
  16.336 +lemma BoxDmd2_simple: "\<turnstile> \<box>F & \<diamond>G \<longrightarrow> \<diamond>(G & F)"
  16.337    apply (unfold dmd_def)
  16.338    apply clarsimp
  16.339    apply merge_box
  16.340 @@ -381,15 +381,15 @@
  16.341    done
  16.342  
  16.343  lemma DmdImpldup:
  16.344 -  assumes 1: "sigma |= \<box>A"
  16.345 -    and 2: "sigma |= \<diamond>F"
  16.346 -    and 3: "|- \<box>A & F --> G"
  16.347 -  shows "sigma |= \<diamond>G"
  16.348 +  assumes 1: "sigma \<Turnstile> \<box>A"
  16.349 +    and 2: "sigma \<Turnstile> \<diamond>F"
  16.350 +    and 3: "\<turnstile> \<box>A & F \<longrightarrow> G"
  16.351 +  shows "sigma \<Turnstile> \<diamond>G"
  16.352    apply (rule 2 [THEN 1 [THEN BoxDmd [temp_use]], THEN DmdImplE])
  16.353    apply (rule 3)
  16.354    done
  16.355  
  16.356 -lemma STL6: "|- \<diamond>\<box>F & \<diamond>\<box>G --> \<diamond>\<box>(F & G)"
  16.357 +lemma STL6: "\<turnstile> \<diamond>\<box>F & \<diamond>\<box>G \<longrightarrow> \<diamond>\<box>(F & G)"
  16.358    apply (auto simp: STL5 [temp_rewrite, symmetric])
  16.359    apply (drule linT [temp_use])
  16.360     apply assumption
  16.361 @@ -410,13 +410,13 @@
  16.362  (* ------------------------ True / False ----------------------------------------- *)
  16.363  section "Simplification of constants"
  16.364  
  16.365 -lemma BoxConst: "|- (\<box>#P) = #P"
  16.366 +lemma BoxConst: "\<turnstile> (\<box>#P) = #P"
  16.367    apply (rule tempI)
  16.368    apply (cases P)
  16.369     apply (auto intro!: necT [temp_use] dest: STL2_gen [temp_use] simp: Init_simps)
  16.370    done
  16.371  
  16.372 -lemma DmdConst: "|- (\<diamond>#P) = #P"
  16.373 +lemma DmdConst: "\<turnstile> (\<diamond>#P) = #P"
  16.374    apply (unfold dmd_def)
  16.375    apply (cases P)
  16.376    apply (simp_all add: BoxConst [try_rewrite])
  16.377 @@ -428,10 +428,10 @@
  16.378  (* ------------------------ Further rewrites ----------------------------------------- *)
  16.379  section "Further rewrites"
  16.380  
  16.381 -lemma NotBox: "|- (\<not>\<box>F) = (\<diamond>\<not>F)"
  16.382 +lemma NotBox: "\<turnstile> (\<not>\<box>F) = (\<diamond>\<not>F)"
  16.383    by (simp add: dmd_def)
  16.384  
  16.385 -lemma NotDmd: "|- (\<not>\<diamond>F) = (\<box>\<not>F)"
  16.386 +lemma NotDmd: "\<turnstile> (\<not>\<diamond>F) = (\<box>\<not>F)"
  16.387    by (simp add: dmd_def)
  16.388  
  16.389  (* These are not declared by default, because they could be harmful,
  16.390 @@ -441,10 +441,10 @@
  16.391    NotBox [temp_unlift, THEN eq_reflection]
  16.392    NotDmd [temp_unlift, THEN eq_reflection]
  16.393  
  16.394 -lemma BoxDmdBox: "|- (\<box>\<diamond>\<box>F) = (\<diamond>\<box>F)"
  16.395 +lemma BoxDmdBox: "\<turnstile> (\<box>\<diamond>\<box>F) = (\<diamond>\<box>F)"
  16.396    apply (auto dest!: STL2 [temp_use])
  16.397    apply (rule ccontr)
  16.398 -  apply (subgoal_tac "sigma |= \<diamond>\<box>\<box>F & \<diamond>\<box>\<not>\<box>F")
  16.399 +  apply (subgoal_tac "sigma \<Turnstile> \<diamond>\<box>\<box>F & \<diamond>\<box>\<not>\<box>F")
  16.400     apply (erule thin_rl)
  16.401     apply auto
  16.402      apply (drule STL6 [temp_use])
  16.403 @@ -453,7 +453,7 @@
  16.404     apply (simp_all add: more_temp_simps1)
  16.405    done
  16.406  
  16.407 -lemma DmdBoxDmd: "|- (\<diamond>\<box>\<diamond>F) = (\<box>\<diamond>F)"
  16.408 +lemma DmdBoxDmd: "\<turnstile> (\<diamond>\<box>\<diamond>F) = (\<box>\<diamond>F)"
  16.409    apply (unfold dmd_def)
  16.410    apply (auto simp: BoxDmdBox [unfolded dmd_def, try_rewrite])
  16.411    done
  16.412 @@ -463,11 +463,11 @@
  16.413  
  16.414  (* ------------------------ Miscellaneous ----------------------------------- *)
  16.415  
  16.416 -lemma BoxOr: "\<And>sigma. [| sigma |= \<box>F | \<box>G |] ==> sigma |= \<box>(F | G)"
  16.417 +lemma BoxOr: "\<And>sigma. \<lbrakk> sigma \<Turnstile> \<box>F | \<box>G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>(F | G)"
  16.418    by (fastforce elim!: STL4E [temp_use])
  16.419  
  16.420  (* "persistently implies infinitely often" *)
  16.421 -lemma DBImplBD: "|- \<diamond>\<box>F --> \<box>\<diamond>F"
  16.422 +lemma DBImplBD: "\<turnstile> \<diamond>\<box>F \<longrightarrow> \<box>\<diamond>F"
  16.423    apply clarsimp
  16.424    apply (rule ccontr)
  16.425    apply (simp add: more_temp_simps2)
  16.426 @@ -476,13 +476,13 @@
  16.427    apply simp
  16.428    done
  16.429  
  16.430 -lemma BoxDmdDmdBox: "|- \<box>\<diamond>F & \<diamond>\<box>G --> \<box>\<diamond>(F & G)"
  16.431 +lemma BoxDmdDmdBox: "\<turnstile> \<box>\<diamond>F & \<diamond>\<box>G \<longrightarrow> \<box>\<diamond>(F & G)"
  16.432    apply clarsimp
  16.433    apply (rule ccontr)
  16.434    apply (unfold more_temp_simps2)
  16.435    apply (drule STL6 [temp_use])
  16.436     apply assumption
  16.437 -  apply (subgoal_tac "sigma |= \<diamond>\<box>\<not>F")
  16.438 +  apply (subgoal_tac "sigma \<Turnstile> \<diamond>\<box>\<not>F")
  16.439     apply (force simp: dmd_def)
  16.440    apply (fastforce elim: DmdImplE [temp_use] STL4E [temp_use])
  16.441    done
  16.442 @@ -494,11 +494,11 @@
  16.443  section "priming"
  16.444  
  16.445  (* ------------------------ TLA2 ------------------------------------------- *)
  16.446 -lemma STL2_pr: "|- \<box>P --> Init P & Init P`"
  16.447 +lemma STL2_pr: "\<turnstile> \<box>P \<longrightarrow> Init P & Init P`"
  16.448    by (fastforce intro!: STL2_gen [temp_use] primeI [temp_use])
  16.449  
  16.450  (* Auxiliary lemma allows priming of boxed actions *)
  16.451 -lemma BoxPrime: "|- \<box>P --> \<box>($P & P$)"
  16.452 +lemma BoxPrime: "\<turnstile> \<box>P \<longrightarrow> \<box>($P & P$)"
  16.453    apply clarsimp
  16.454    apply (erule dup_boxE)
  16.455    apply (unfold boxInit_act)
  16.456 @@ -507,18 +507,18 @@
  16.457    done
  16.458  
  16.459  lemma TLA2:
  16.460 -  assumes "|- $P & P$ --> A"
  16.461 -  shows "|- \<box>P --> \<box>A"
  16.462 +  assumes "\<turnstile> $P & P$ \<longrightarrow> A"
  16.463 +  shows "\<turnstile> \<box>P \<longrightarrow> \<box>A"
  16.464    apply clarsimp
  16.465    apply (drule BoxPrime [temp_use])
  16.466    apply (auto simp: Init_stp_act_rev [try_rewrite] intro!: assms [temp_use]
  16.467      elim!: STL4E [temp_use])
  16.468    done
  16.469  
  16.470 -lemma TLA2E: "[| sigma |= \<box>P; |- $P & P$ --> A |] ==> sigma |= \<box>A"
  16.471 +lemma TLA2E: "\<lbrakk> sigma \<Turnstile> \<box>P; \<turnstile> $P & P$ \<longrightarrow> A \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>A"
  16.472    by (erule (1) TLA2 [temp_use])
  16.473  
  16.474 -lemma DmdPrime: "|- (\<diamond>P`) --> (\<diamond>P)"
  16.475 +lemma DmdPrime: "\<turnstile> (\<diamond>P`) \<longrightarrow> (\<diamond>P)"
  16.476    apply (unfold dmd_def)
  16.477    apply (fastforce elim!: TLA2E [temp_use])
  16.478    done
  16.479 @@ -529,13 +529,13 @@
  16.480  section "stable, invariant"
  16.481  
  16.482  lemma ind_rule:
  16.483 -   "[| sigma |= \<box>H; sigma |= Init P; |- H --> (Init P & \<not>\<box>F --> Init(P`) & F) |]
  16.484 -    ==> sigma |= \<box>F"
  16.485 +   "\<lbrakk> sigma \<Turnstile> \<box>H; sigma \<Turnstile> Init P; \<turnstile> H \<longrightarrow> (Init P & \<not>\<box>F \<longrightarrow> Init(P`) & F) \<rbrakk>
  16.486 +    \<Longrightarrow> sigma \<Turnstile> \<box>F"
  16.487    apply (rule indT [temp_use])
  16.488     apply (erule (2) STL4E)
  16.489    done
  16.490  
  16.491 -lemma box_stp_act: "|- (\<box>$P) = (\<box>P)"
  16.492 +lemma box_stp_act: "\<turnstile> (\<box>$P) = (\<box>P)"
  16.493    by (simp add: boxInit_act Init_simps)
  16.494  
  16.495  lemmas box_stp_actI = box_stp_act [temp_use, THEN iffD2]
  16.496 @@ -544,7 +544,7 @@
  16.497  lemmas more_temp_simps3 = box_stp_act [temp_rewrite] more_temp_simps2
  16.498  
  16.499  lemma INV1:
  16.500 -  "|- (Init P) --> (stable P) --> \<box>P"
  16.501 +  "\<turnstile> (Init P) \<longrightarrow> (stable P) \<longrightarrow> \<box>P"
  16.502    apply (unfold stable_def boxInit_stp boxInit_act)
  16.503    apply clarsimp
  16.504    apply (erule ind_rule)
  16.505 @@ -552,23 +552,23 @@
  16.506    done
  16.507  
  16.508  lemma StableT:
  16.509 -    "\<And>P. |- $P & A --> P` ==> |- \<box>A --> stable P"
  16.510 +    "\<And>P. \<turnstile> $P & A \<longrightarrow> P` \<Longrightarrow> \<turnstile> \<box>A \<longrightarrow> stable P"
  16.511    apply (unfold stable_def)
  16.512    apply (fastforce elim!: STL4E [temp_use])
  16.513    done
  16.514  
  16.515 -lemma Stable: "[| sigma |= \<box>A; |- $P & A --> P` |] ==> sigma |= stable P"
  16.516 +lemma Stable: "\<lbrakk> sigma \<Turnstile> \<box>A; \<turnstile> $P & A --> P` \<rbrakk> \<Longrightarrow> sigma \<Turnstile> stable P"
  16.517    by (erule (1) StableT [temp_use])
  16.518  
  16.519  (* Generalization of INV1 *)
  16.520 -lemma StableBox: "|- (stable P) --> \<box>(Init P --> \<box>P)"
  16.521 +lemma StableBox: "\<turnstile> (stable P) \<longrightarrow> \<box>(Init P \<longrightarrow> \<box>P)"
  16.522    apply (unfold stable_def)
  16.523    apply clarsimp
  16.524    apply (erule dup_boxE)
  16.525    apply (force simp: stable_def elim: STL4E [temp_use] INV1 [temp_use])
  16.526    done
  16.527  
  16.528 -lemma DmdStable: "|- (stable P) & \<diamond>P --> \<diamond>\<box>P"
  16.529 +lemma DmdStable: "\<turnstile> (stable P) & \<diamond>P \<longrightarrow> \<diamond>\<box>P"
  16.530    apply clarsimp
  16.531    apply (rule DmdImpl2)
  16.532     prefer 2
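Review bot: The premise of `Stable` still uses the ASCII `-->` (`\<turnstile> $P & A --> P` \<rbrakk>`) while every other implication in this hunk, including the identical premise of `StableT` two lines earlier, was rewritten to `\<longrightarrow>`. Both spellings denote the same HOL connective, so nothing breaks, but it is the one line in this hunk the symbol conversion missed and it will stand out in the Prover IDE next to its neighbours. The consistent line would be ``lemma Stable: "\<lbrakk> sigma \<Turnstile> \<box>A; \<turnstile> $P & A \<longrightarrow> P` \<rbrakk> \<Longrightarrow> sigma \<Turnstile> stable P"``. It may be worth grepping the other converted theories in this changeset for leftover `-->` inside `\<turnstile>` statements before the ASCII form is deprecated.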
  16.533 @@ -579,7 +579,7 @@
  16.534  (* ---------------- (Semi-)automatic invariant tactics ---------------------- *)
  16.535  
  16.536  ML {*
  16.537 -(* inv_tac reduces goals of the form ... ==> sigma |= \<box>P *)
  16.538 +(* inv_tac reduces goals of the form ... \<Longrightarrow> sigma \<Turnstile> \<box>P *)
  16.539  fun inv_tac ctxt =
  16.540    SELECT_GOAL
  16.541      (EVERY
  16.542 @@ -589,7 +589,7 @@
  16.543        TRYALL (etac @{thm Stable})]);
  16.544  
  16.545  (* auto_inv_tac applies inv_tac and then tries to attack the subgoals
  16.546 -   in simple cases it may be able to handle goals like |- MyProg --> \<box>Inv.
  16.547 +   in simple cases it may be able to handle goals like \<turnstile> MyProg \<longrightarrow> \<box>Inv.
  16.548     In these simple cases the simplifier seems to be more useful than the
  16.549     auto-tactic, which applies too much propositional logic and simplifies
  16.550     too late.
  16.551 @@ -609,7 +609,7 @@
  16.552    Method.sections Clasimp.clasimp_modifiers >> (K (SIMPLE_METHOD' o auto_inv_tac))
  16.553  *}
  16.554  
  16.555 -lemma unless: "|- \<box>($P --> P` | Q`) --> (stable P) | \<diamond>Q"
  16.556 +lemma unless: "\<turnstile> \<box>($P \<longrightarrow> P` | Q`) \<longrightarrow> (stable P) | \<diamond>Q"
  16.557    apply (unfold dmd_def)
  16.558    apply (clarsimp dest!: BoxPrime [temp_use])
  16.559    apply merge_box
  16.560 @@ -622,28 +622,28 @@
  16.561  section "recursive expansions"
  16.562  
  16.563  (* Recursive expansions of \<box> and \<diamond> for state predicates *)
  16.564 -lemma BoxRec: "|- (\<box>P) = (Init P & \<box>P`)"
  16.565 +lemma BoxRec: "\<turnstile> (\<box>P) = (Init P & \<box>P`)"
  16.566    apply (auto intro!: STL2_gen [temp_use])
  16.567     apply (fastforce elim!: TLA2E [temp_use])
  16.568    apply (auto simp: stable_def elim!: INV1 [temp_use] STL4E [temp_use])
  16.569    done
  16.570  
  16.571 -lemma DmdRec: "|- (\<diamond>P) = (Init P | \<diamond>P`)"
  16.572 +lemma DmdRec: "\<turnstile> (\<diamond>P) = (Init P | \<diamond>P`)"
  16.573    apply (unfold dmd_def BoxRec [temp_rewrite])
  16.574    apply (auto simp: Init_simps)
  16.575    done
  16.576  
  16.577 -lemma DmdRec2: "\<And>sigma. [| sigma |= \<diamond>P; sigma |= \<box>\<not>P` |] ==> sigma |= Init P"
  16.578 +lemma DmdRec2: "\<And>sigma. \<lbrakk> sigma \<Turnstile> \<diamond>P; sigma \<Turnstile> \<box>\<not>P` \<rbrakk> \<Longrightarrow> sigma \<Turnstile> Init P"
  16.579    apply (force simp: DmdRec [temp_rewrite] dmd_def)
  16.580    done
  16.581  
  16.582 -lemma InfinitePrime: "|- (\<box>\<diamond>P) = (\<box>\<diamond>P`)"
  16.583 +lemma InfinitePrime: "\<turnstile> (\<box>\<diamond>P) = (\<box>\<diamond>P`)"
  16.584    apply auto
  16.585     apply (rule classical)
  16.586     apply (rule DBImplBD [temp_use])
  16.587 -   apply (subgoal_tac "sigma |= \<diamond>\<box>P")
  16.588 +   apply (subgoal_tac "sigma \<Turnstile> \<diamond>\<box>P")
  16.589      apply (fastforce elim!: DmdImplE [temp_use] TLA2E [temp_use])
  16.590 -   apply (subgoal_tac "sigma |= \<diamond>\<box> (\<diamond>P & \<box>\<not>P`)")
  16.591 +   apply (subgoal_tac "sigma \<Turnstile> \<diamond>\<box> (\<diamond>P & \<box>\<not>P`)")
  16.592      apply (force simp: boxInit_stp [temp_use]
  16.593        elim!: DmdImplE [temp_use] STL4E [temp_use] DmdRec2 [temp_use])
  16.594     apply (force intro!: STL6 [temp_use] simp: more_temp_simps3)
  16.595 @@ -651,7 +651,7 @@
  16.596    done
  16.597  
  16.598  lemma InfiniteEnsures:
  16.599 -  "[| sigma |= \<box>N; sigma |= \<box>\<diamond>A; |- A & N --> P` |] ==> sigma |= \<box>\<diamond>P"
  16.600 +  "\<lbrakk> sigma \<Turnstile> \<box>N; sigma \<Turnstile> \<box>\<diamond>A; \<turnstile> A & N \<longrightarrow> P` \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>\<diamond>P"
  16.601    apply (unfold InfinitePrime [temp_rewrite])
  16.602    apply (rule InfImpl)
  16.603      apply assumption+
  16.604 @@ -661,32 +661,32 @@
  16.605  section "fairness"
  16.606  
  16.607  (* alternative definitions of fairness *)
  16.608 -lemma WF_alt: "|- WF(A)_v = (\<box>\<diamond>\<not>Enabled(<A>_v) | \<box>\<diamond><A>_v)"
  16.609 +lemma WF_alt: "\<turnstile> WF(A)_v = (\<box>\<diamond>\<not>Enabled(<A>_v) | \<box>\<diamond><A>_v)"
  16.610    apply (unfold WF_def dmd_def)
  16.611    apply fastforce
  16.612    done
  16.613  
  16.614 -lemma SF_alt: "|- SF(A)_v = (\<diamond>\<box>\<not>Enabled(<A>_v) | \<box>\<diamond><A>_v)"
  16.615 +lemma SF_alt: "\<turnstile> SF(A)_v = (\<diamond>\<box>\<not>Enabled(<A>_v) | \<box>\<diamond><A>_v)"
  16.616    apply (unfold SF_def dmd_def)
  16.617    apply fastforce
  16.618    done
  16.619  
  16.620  (* theorems to "box" fairness conditions *)
  16.621 -lemma BoxWFI: "|- WF(A)_v --> \<box>WF(A)_v"
  16.622 +lemma BoxWFI: "\<turnstile> WF(A)_v \<longrightarrow> \<box>WF(A)_v"
  16.623    by (auto simp: WF_alt [try_rewrite] more_temp_simps3 intro!: BoxOr [temp_use])
  16.624  
  16.625 -lemma WF_Box: "|- (\<box>WF(A)_v) = WF(A)_v"
  16.626 +lemma WF_Box: "\<turnstile> (\<box>WF(A)_v) = WF(A)_v"
  16.627    by (fastforce intro!: BoxWFI [temp_use] dest!: STL2 [temp_use])
  16.628  
  16.629 -lemma BoxSFI: "|- SF(A)_v --> \<box>SF(A)_v"
  16.630 +lemma BoxSFI: "\<turnstile> SF(A)_v \<longrightarrow> \<box>SF(A)_v"
  16.631    by (auto simp: SF_alt [try_rewrite] more_temp_simps3 intro!: BoxOr [temp_use])
  16.632  
  16.633 -lemma SF_Box: "|- (\<box>SF(A)_v) = SF(A)_v"
  16.634 +lemma SF_Box: "\<turnstile> (\<box>SF(A)_v) = SF(A)_v"
  16.635    by (fastforce intro!: BoxSFI [temp_use] dest!: STL2 [temp_use])
  16.636  
  16.637  lemmas more_temp_simps = more_temp_simps3 WF_Box [temp_rewrite] SF_Box [temp_rewrite]
  16.638  
  16.639 -lemma SFImplWF: "|- SF(A)_v --> WF(A)_v"
  16.640 +lemma SFImplWF: "\<turnstile> SF(A)_v \<longrightarrow> WF(A)_v"
  16.641    apply (unfold SF_def WF_def)
  16.642    apply (fastforce dest!: DBImplBD [temp_use])
  16.643    done
  16.644 @@ -702,28 +702,28 @@
  16.645  
  16.646  section "\<leadsto>"
  16.647  
  16.648 -lemma leadsto_init: "|- (Init F) & (F \<leadsto> G) --> \<diamond>G"
  16.649 +lemma leadsto_init: "\<turnstile> (Init F) & (F \<leadsto> G) \<longrightarrow> \<diamond>G"
  16.650    apply (unfold leadsto_def)
  16.651    apply (auto dest!: STL2 [temp_use])
  16.652    done
  16.653  
  16.654 -(* |- F & (F \<leadsto> G) --> \<diamond>G *)
  16.655 +(* \<turnstile> F & (F \<leadsto> G) \<longrightarrow> \<diamond>G *)
  16.656  lemmas leadsto_init_temp = leadsto_init [where 'a = behavior, unfolded Init_simps]
  16.657  
  16.658 -lemma streett_leadsto: "|- (\<box>\<diamond>Init F --> \<box>\<diamond>G) = (\<diamond>(F \<leadsto> G))"
  16.659 +lemma streett_leadsto: "\<turnstile> (\<box>\<diamond>Init F \<longrightarrow> \<box>\<diamond>G) = (\<diamond>(F \<leadsto> G))"
  16.660    apply (unfold leadsto_def)
  16.661    apply auto
  16.662      apply (simp add: more_temp_simps)
  16.663      apply (fastforce elim!: DmdImplE [temp_use] STL4E [temp_use])
  16.664     apply (fastforce intro!: InitDmd [temp_use] elim!: STL4E [temp_use])
  16.665 -  apply (subgoal_tac "sigma |= \<box>\<diamond>\<diamond>G")
  16.666 +  apply (subgoal_tac "sigma \<Turnstile> \<box>\<diamond>\<diamond>G")
  16.667     apply (simp add: more_temp_simps)
  16.668    apply (drule BoxDmdDmdBox [temp_use])
  16.669     apply assumption
  16.670    apply (fastforce elim!: DmdImplE [temp_use] STL4E [temp_use])
  16.671    done
  16.672  
  16.673 -lemma leadsto_infinite: "|- \<box>\<diamond>F & (F \<leadsto> G) --> \<box>\<diamond>G"
  16.674 +lemma leadsto_infinite: "\<turnstile> \<box>\<diamond>F & (F \<leadsto> G) \<longrightarrow> \<box>\<diamond>G"
  16.675    apply clarsimp
  16.676    apply (erule InitDmd [temp_use, THEN streett_leadsto [temp_unlift, THEN iffD2, THEN mp]])
  16.677    apply (simp add: dmdInitD)
  16.678 @@ -732,18 +732,18 @@
  16.679  (* In particular, strong fairness is a Streett condition. The following
  16.680     rules are sometimes easier to use than WF2 or SF2 below.
  16.681  *)
  16.682 -lemma leadsto_SF: "|- (Enabled(<A>_v) \<leadsto> <A>_v) --> SF(A)_v"
  16.683 +lemma leadsto_SF: "\<turnstile> (Enabled(<A>_v) \<leadsto> <A>_v) \<longrightarrow> SF(A)_v"
  16.684    apply (unfold SF_def)
  16.685    apply (clarsimp elim!: leadsto_infinite [temp_use])
  16.686    done
  16.687  
  16.688 -lemma leadsto_WF: "|- (Enabled(<A>_v) \<leadsto> <A>_v) --> WF(A)_v"
  16.689 +lemma leadsto_WF: "\<turnstile> (Enabled(<A>_v) \<leadsto> <A>_v) \<longrightarrow> WF(A)_v"
  16.690    by (clarsimp intro!: SFImplWF [temp_use] leadsto_SF [temp_use])
  16.691  
  16.692  (* introduce an invariant into the proof of a leadsto assertion.
  16.693 -   \<box>I --> ((P \<leadsto> Q)  =  (P /\ I \<leadsto> Q))
  16.694 +   \<box>I \<longrightarrow> ((P \<leadsto> Q)  =  (P /\ I \<leadsto> Q))
  16.695  *)
  16.696 -lemma INV_leadsto: "|- \<box>I & (P & I \<leadsto> Q) --> (P \<leadsto> Q)"
  16.697 +lemma INV_leadsto: "\<turnstile> \<box>I & (P & I \<leadsto> Q) \<longrightarrow> (P \<leadsto> Q)"
  16.698    apply (unfold leadsto_def)
  16.699    apply clarsimp
  16.700    apply (erule STL4Edup)
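Review bot: The comment on the new line `\<box>I \<longrightarrow> ((P \<leadsto> Q)  =  (P /\ I \<leadsto> Q))` still states an equivalence, while INV_leadsto directly below proves only the implication `\<box>I & (P & I \<leadsto> Q) \<longrightarrow> (P \<leadsto> Q)`; a reader looking for the converse direction in this theory will not find it stated here. The comment also keeps the ASCII `/\` for conjunction although the lemma itself is written with `&`, which sits oddly in a commit whose purpose is symbol normalisation. I would reword the comment to match what is proved, e.g. `(* introduce an invariant into the proof of a leadsto assertion: \<box>I & (P & I \<leadsto> Q) \<longrightarrow> (P \<leadsto> Q) *)`, or keep the equivalence but mark it as the informal principle rather than the statement of INV_leadsto. The proof of INV_leadsto continues past the end of this hunk.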
  16.701 @@ -751,24 +751,24 @@
  16.702    apply (auto simp: Init_simps dest!: STL2_gen [temp_use])
  16.703    done
  16.704  
  16.705 -lemma leadsto_classical: "|- (Init F & \<box>\<not>G \<leadsto> G) --> (F \<leadsto> G)"
  16.706 +lemma leadsto_classical: "\<turnstile> (Init F & \<box>\<not>G \<leadsto> G) \<longrightarrow> (F \<leadsto> G)"
  16.707    apply (unfold leadsto_def dmd_def)
  16.708    apply (force simp: Init_simps elim!: STL4E [temp_use])
  16.709    done
  16.710  
  16.711 -lemma leadsto_false: "|- (F \<leadsto> #False) = (\<box>~F)"
  16.712 +lemma leadsto_false: "\<turnstile> (F \<leadsto> #False) = (\<box>~F)"
  16.713    apply (unfold leadsto_def)
  16.714    apply (simp add: boxNotInitD)
  16.715    done
  16.716  
  16.717 -lemma leadsto_exists: "|- ((\<exists>x. F x) \<leadsto> G) = (\<forall>x. (F x \<leadsto> G))"
  16.718 +lemma leadsto_exists: "\<turnstile> ((\<exists>x. F x) \<leadsto> G) = (\<forall>x. (F x \<leadsto> G))"
  16.719    apply (unfold leadsto_def)
  16.720    apply (auto simp: allT [try_rewrite] Init_simps elim!: STL4E [temp_use])
  16.721    done
  16.722  
  16.723  (* basic leadsto properties, cf. Unity *)
  16.724  
  16.725 -lemma ImplLeadsto_gen: "|- \<box>(Init F --> Init G) --> (F \<leadsto> G)"
  16.726 +lemma ImplLeadsto_gen: "\<turnstile> \<box>(Init F \<longrightarrow> Init G) \<longrightarrow> (F \<leadsto> G)"
  16.727    apply (unfold leadsto_def)
  16.728    apply (auto intro!: InitDmd_gen [temp_use]
  16.729      elim!: STL4E_gen [temp_use] simp: Init_simps)
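Review bot: Negation is spelled two ways within this hunk after the rewrite: leadsto_classical uses `\<not>G` while the new line of leadsto_false keeps `\<box>~F`, so the same theory now renders the same connective with different glyphs. Since the commit is converting ASCII notation to symbols, I would make leadsto_false consistent in the same pass, `lemma leadsto_false: "\<turnstile> (F \<leadsto> #False) = (\<box>\<not>F)"`, unless the `~` form is being deliberately left for a later sweep. The surrounding `&` and `|` connectives are presumably on that later list as well; if so, a one-line note in the commit description saying which operators are intentionally unconverted would help the next reviewer tell an oversight from a deferred change.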
  16.730 @@ -777,19 +777,19 @@
  16.731  lemmas ImplLeadsto =
  16.732    ImplLeadsto_gen [where 'a = behavior and 'b = behavior, unfolded Init_simps]
  16.733  
  16.734 -lemma ImplLeadsto_simple: "\<And>F G. |- F --> G ==> |- F \<leadsto> G"
  16.735 +lemma ImplLeadsto_simple: "\<And>F G. \<turnstile> F \<longrightarrow> G \<Longrightarrow> \<turnstile> F \<leadsto> G"
  16.736    by (auto simp: Init_def intro!: ImplLeadsto_gen [temp_use] necT [temp_use])
  16.737  
  16.738  lemma EnsuresLeadsto:
  16.739 -  assumes "|- A & $P --> Q`"
  16.740 -  shows "|- \<box>A --> (P \<leadsto> Q)"
  16.741 +  assumes "\<turnstile> A & $P \<longrightarrow> Q`"
  16.742 +  shows "\<turnstile> \<box>A \<longrightarrow> (P \<leadsto> Q)"
  16.743    apply (unfold leadsto_def)
  16.744    apply (clarsimp elim!: INV_leadsto [temp_use])
  16.745    apply (erule STL4E_gen)
  16.746    apply (auto simp: Init_defs intro!: PrimeDmd [temp_use] assms [temp_use])
  16.747    done
  16.748  
  16.749 -lemma EnsuresLeadsto2: "|- \<box>($P --> Q`) --> (P \<leadsto> Q)"
  16.750 +lemma EnsuresLeadsto2: "\<turnstile> \<box>($P \<longrightarrow> Q`) \<longrightarrow> (P \<leadsto> Q)"
  16.751    apply (unfold leadsto_def)
  16.752    apply clarsimp
  16.753    apply (erule STL4E_gen)
  16.754 @@ -797,15 +797,15 @@
  16.755    done
  16.756  
  16.757  lemma ensures:
  16.758 -  assumes 1: "|- $P & N --> P` | Q`"
  16.759 -    and 2: "|- ($P & N) & A --> Q`"
  16.760 -  shows "|- \<box>N & \<box>(\<box>P --> \<diamond>A) --> (P \<leadsto> Q)"
  16.761 +  assumes 1: "\<turnstile> $P & N \<longrightarrow> P` | Q`"
  16.762 +    and 2: "\<turnstile> ($P & N) & A \<longrightarrow> Q`"
  16.763 +  shows "\<turnstile> \<box>N & \<box>(\<box>P \<longrightarrow> \<diamond>A) \<longrightarrow> (P \<leadsto> Q)"
  16.764    apply (unfold leadsto_def)
  16.765    apply clarsimp
  16.766    apply (erule STL4Edup)
  16.767     apply assumption
  16.768    apply clarsimp
  16.769 -  apply (subgoal_tac "sigmaa |= \<box>($P --> P` | Q`) ")
  16.770 +  apply (subgoal_tac "sigmaa \<Turnstile> \<box>($P \<longrightarrow> P` | Q`) ")
  16.771     apply (drule unless [temp_use])
  16.772     apply (clarsimp dest!: INV1 [temp_use])
  16.773    apply (rule 2 [THEN DmdImpl, temp_use, THEN DmdPrime [temp_use]])
  16.774 @@ -815,16 +815,16 @@
  16.775    done
  16.776  
  16.777  lemma ensures_simple:
  16.778 -  "[| |- $P & N --> P` | Q`;
  16.779 -      |- ($P & N) & A --> Q`
  16.780 -   |] ==> |- \<box>N & \<box>\<diamond>A --> (P \<leadsto> Q)"
  16.781 +  "\<lbrakk> \<turnstile> $P & N \<longrightarrow> P` | Q`;
  16.782 +      \<turnstile> ($P & N) & A \<longrightarrow> Q`
  16.783 +   \<rbrakk> \<Longrightarrow> \<turnstile> \<box>N & \<box>\<diamond>A \<longrightarrow> (P \<leadsto> Q)"
  16.784    apply clarsimp
  16.785    apply (erule (2) ensures [temp_use])
  16.786    apply (force elim!: STL4E [temp_use])
  16.787    done
  16.788  
  16.789  lemma EnsuresInfinite:
  16.790 -    "[| sigma |= \<box>\<diamond>P; sigma |= \<box>A; |- A & $P --> Q` |] ==> sigma |= \<box>\<diamond>Q"
  16.791 +    "\<lbrakk> sigma \<Turnstile> \<box>\<diamond>P; sigma \<Turnstile> \<box>A; \<turnstile> A & $P \<longrightarrow> Q` \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>\<diamond>Q"
  16.792    apply (erule leadsto_infinite [temp_use])
  16.793    apply (erule EnsuresLeadsto [temp_use])
  16.794    apply assumption
  16.795 @@ -834,64 +834,64 @@
  16.796  (*** Gronning's lattice rules (taken from TLP) ***)
  16.797  section "Lattice rules"
  16.798  
  16.799 -lemma LatticeReflexivity: "|- F \<leadsto> F"
  16.800 +lemma LatticeReflexivity: "\<turnstile> F \<leadsto> F"
  16.801    apply (unfold leadsto_def)
  16.802    apply (rule necT InitDmd_gen)+
  16.803    done
  16.804  
  16.805 -lemma LatticeTransitivity: "|- (G \<leadsto> H) & (F \<leadsto> G) --> (F \<leadsto> H)"
  16.806 +lemma LatticeTransitivity: "\<turnstile> (G \<leadsto> H) & (F \<leadsto> G) \<longrightarrow> (F \<leadsto> H)"
  16.807    apply (unfold leadsto_def)
  16.808    apply clarsimp
  16.809 -  apply (erule dup_boxE) (* \<box>\<box>(Init G --> H) *)
  16.810 +  apply (erule dup_boxE) (* \<box>\<box>(Init G \<longrightarrow> H) *)
  16.811    apply merge_box
  16.812    apply (clarsimp elim!: STL4E [temp_use])
  16.813    apply (rule dup_dmdD)
  16.814 -  apply (subgoal_tac "sigmaa |= \<diamond>Init G")
  16.815 +  apply (subgoal_tac "sigmaa \<Turnstile> \<diamond>Init G")
  16.816     apply (erule DmdImpl2)
  16.817     apply assumption
  16.818    apply (simp add: dmdInitD)
  16.819    done
  16.820  
  16.821 -lemma LatticeDisjunctionElim1: "|- (F | G \<leadsto> H) --> (F \<leadsto> H)"
  16.822 +lemma LatticeDisjunctionElim1: "\<turnstile> (F | G \<leadsto> H) \<longrightarrow> (F \<leadsto> H)"
  16.823    apply (unfold leadsto_def)
  16.824    apply (auto simp: Init_simps elim!: STL4E [temp_use])
  16.825    done
  16.826  
  16.827 -lemma LatticeDisjunctionElim2: "|- (F | G \<leadsto> H) --> (G \<leadsto> H)"
  16.828 +lemma LatticeDisjunctionElim2: "\<turnstile> (F | G \<leadsto> H) \<longrightarrow> (G \<leadsto> H)"
  16.829    apply (unfold leadsto_def)
  16.830    apply (auto simp: Init_simps elim!: STL4E [temp_use])
  16.831    done
  16.832  
  16.833 -lemma LatticeDisjunctionIntro: "|- (F \<leadsto> H) & (G \<leadsto> H) --> (F | G \<leadsto> H)"
  16.834 +lemma LatticeDisjunctionIntro: "\<turnstile> (F \<leadsto> H) & (G \<leadsto> H) \<longrightarrow> (F | G \<leadsto> H)"
  16.835    apply (unfold leadsto_def)
  16.836    apply clarsimp
  16.837    apply merge_box
  16.838    apply (auto simp: Init_simps elim!: STL4E [temp_use])
  16.839    done
  16.840  
  16.841 -lemma LatticeDisjunction: "|- (F | G \<leadsto> H) = ((F \<leadsto> H) & (G \<leadsto> H))"
  16.842 +lemma LatticeDisjunction: "\<turnstile> (F | G \<leadsto> H) = ((F \<leadsto> H) & (G \<leadsto> H))"
  16.843    by (auto intro: LatticeDisjunctionIntro [temp_use]
  16.844      LatticeDisjunctionElim1 [temp_use]
  16.845      LatticeDisjunctionElim2 [temp_use])
  16.846  
  16.847 -lemma LatticeDiamond: "|- (A \<leadsto> B | C) & (B \<leadsto> D) & (C \<leadsto> D) --> (A \<leadsto> D)"
  16.848 +lemma LatticeDiamond: "\<turnstile> (A \<leadsto> B | C) & (B \<leadsto> D) & (C \<leadsto> D) \<longrightarrow> (A \<leadsto> D)"
  16.849    apply clarsimp
  16.850 -  apply (subgoal_tac "sigma |= (B | C) \<leadsto> D")
  16.851 +  apply (subgoal_tac "sigma \<Turnstile> (B | C) \<leadsto> D")
  16.852    apply (erule_tac G = "LIFT (B | C)" in LatticeTransitivity [temp_use])
  16.853     apply (fastforce intro!: LatticeDisjunctionIntro [temp_use])+
  16.854    done
  16.855  
  16.856 -lemma LatticeTriangle: "|- (A \<leadsto> D | B) & (B \<leadsto> D) --> (A \<leadsto> D)"
  16.857 +lemma LatticeTriangle: "\<turnstile> (A \<leadsto> D | B) & (B \<leadsto> D) \<longrightarrow> (A \<leadsto> D)"
  16.858    apply clarsimp
  16.859 -  apply (subgoal_tac "sigma |= (D | B) \<leadsto> D")
  16.860 +  apply (subgoal_tac "sigma \<Turnstile> (D | B) \<leadsto> D")
  16.861     apply (erule_tac G = "LIFT (D | B)" in LatticeTransitivity [temp_use])
  16.862    apply assumption
  16.863    apply (auto intro: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use])
  16.864    done
  16.865  
  16.866 -lemma LatticeTriangle2: "|- (A \<leadsto> B | D) & (B \<leadsto> D) --> (A \<leadsto> D)"
  16.867 +lemma LatticeTriangle2: "\<turnstile> (A \<leadsto> B | D) & (B \<leadsto> D) \<longrightarrow> (A \<leadsto> D)"
  16.868    apply clarsimp
  16.869 -  apply (subgoal_tac "sigma |= B | D \<leadsto> D")
  16.870 +  apply (subgoal_tac "sigma \<Turnstile> B | D \<leadsto> D")
  16.871     apply (erule_tac G = "LIFT (B | D)" in LatticeTransitivity [temp_use])
  16.872     apply assumption
  16.873    apply (auto intro: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use])
  16.874 @@ -901,10 +901,10 @@
  16.875  section "Fairness rules"
  16.876  
  16.877  lemma WF1:
  16.878 -  "[| |- $P & N  --> P` | Q`;
  16.879 -      |- ($P & N) & <A>_v --> Q`;
  16.880 -      |- $P & N --> $(Enabled(<A>_v)) |]
  16.881 -  ==> |- \<box>N & WF(A)_v --> (P \<leadsto> Q)"
  16.882 +  "\<lbrakk> \<turnstile> $P & N  \<longrightarrow> P` | Q`;
  16.883 +      \<turnstile> ($P & N) & <A>_v \<longrightarrow> Q`;
  16.884 +      \<turnstile> $P & N \<longrightarrow> $(Enabled(<A>_v)) \<rbrakk>
  16.885 +  \<Longrightarrow> \<turnstile> \<box>N & WF(A)_v \<longrightarrow> (P \<leadsto> Q)"
  16.886    apply (clarsimp dest!: BoxWFI [temp_use])
  16.887    apply (erule (2) ensures [temp_use])
  16.888    apply (erule (1) STL4Edup)
  16.889 @@ -917,10 +917,10 @@
  16.890  
  16.891  (* Sometimes easier to use; designed for action B rather than state predicate Q *)
  16.892  lemma WF_leadsto:
  16.893 -  assumes 1: "|- N & $P --> $Enabled (<A>_v)"
  16.894 -    and 2: "|- N & <A>_v --> B"
  16.895 -    and 3: "|- \<box>(N & [~A]_v) --> stable P"
  16.896 -  shows "|- \<box>N & WF(A)_v --> (P \<leadsto> B)"
  16.897 +  assumes 1: "\<turnstile> N & $P \<longrightarrow> $Enabled (<A>_v)"
  16.898 +    and 2: "\<turnstile> N & <A>_v \<longrightarrow> B"
  16.899 +    and 3: "\<turnstile> \<box>(N & [~A]_v) \<longrightarrow> stable P"
  16.900 +  shows "\<turnstile> \<box>N & WF(A)_v \<longrightarrow> (P \<leadsto> B)"
  16.901    apply (unfold leadsto_def)
  16.902    apply (clarsimp dest!: BoxWFI [temp_use])
  16.903    apply (erule (1) STL4Edup)
  16.904 @@ -939,10 +939,10 @@
  16.905    done
  16.906  
  16.907  lemma SF1:
  16.908 -  "[| |- $P & N  --> P` | Q`;
  16.909 -      |- ($P & N) & <A>_v --> Q`;
  16.910 -      |- \<box>P & \<box>N & \<box>F --> \<diamond>Enabled(<A>_v) |]
  16.911 -  ==> |- \<box>N & SF(A)_v & \<box>F --> (P \<leadsto> Q)"
  16.912 +  "\<lbrakk> \<turnstile> $P & N  \<longrightarrow> P` | Q`;
  16.913 +      \<turnstile> ($P & N) & <A>_v \<longrightarrow> Q`;
  16.914 +      \<turnstile> \<box>P & \<box>N & \<box>F \<longrightarrow> \<diamond>Enabled(<A>_v) \<rbrakk>
  16.915 +  \<Longrightarrow> \<turnstile> \<box>N & SF(A)_v & \<box>F \<longrightarrow> (P \<leadsto> Q)"
  16.916    apply (clarsimp dest!: BoxSFI [temp_use])
  16.917    apply (erule (2) ensures [temp_use])
  16.918    apply (erule_tac F = F in dup_boxE)
  16.919 @@ -957,11 +957,11 @@
  16.920    done
  16.921  
  16.922  lemma WF2:
  16.923 -  assumes 1: "|- N & <B>_f --> <M>_g"
  16.924 -    and 2: "|- $P & P` & <N & A>_f --> B"
  16.925 -    and 3: "|- P & Enabled(<M>_g) --> Enabled(<A>_f)"
  16.926 -    and 4: "|- \<box>(N & [~B]_f) & WF(A)_f & \<box>F & \<diamond>\<box>Enabled(<M>_g) --> \<diamond>\<box>P"
  16.927 -  shows "|- \<box>N & WF(A)_f & \<box>F --> WF(M)_g"
  16.928 +  assumes 1: "\<turnstile> N & <B>_f \<longrightarrow> <M>_g"
  16.929 +    and 2: "\<turnstile> $P & P` & <N & A>_f \<longrightarrow> B"
  16.930 +    and 3: "\<turnstile> P & Enabled(<M>_g) \<longrightarrow> Enabled(<A>_f)"
  16.931 +    and 4: "\<turnstile> \<box>(N & [~B]_f) & WF(A)_f & \<box>F & \<diamond>\<box>Enabled(<M>_g) \<longrightarrow> \<diamond>\<box>P"
  16.932 +  shows "\<turnstile> \<box>N & WF(A)_f & \<box>F \<longrightarrow> WF(M)_g"
  16.933    apply (clarsimp dest!: BoxWFI [temp_use] BoxDmdBox [temp_use, THEN iffD2]
  16.934      simp: WF_def [where A = M])
  16.935    apply (erule_tac F = F in dup_boxE)
  16.936 @@ -970,7 +970,7 @@
  16.937     apply assumption
  16.938    apply (clarsimp intro!: BoxDmd_simple [temp_use, THEN 1 [THEN DmdImpl, temp_use]])
  16.939    apply (rule classical)
  16.940 -  apply (subgoal_tac "sigmaa |= \<diamond> (($P & P` & N) & <A>_f)")
  16.941 +  apply (subgoal_tac "sigmaa \<Turnstile> \<diamond> (($P & P` & N) & <A>_f)")
  16.942     apply (force simp: angle_def intro!: 2 [temp_use] elim!: DmdImplE [temp_use])
  16.943    apply (rule BoxDmd_simple [THEN DmdImpl, unfolded DmdDmd [temp_rewrite], temp_use])
  16.944    apply (simp add: NotDmd [temp_use] not_angle [try_rewrite])
  16.945 @@ -979,8 +979,8 @@
  16.946       apply assumption+
  16.947    apply (drule STL6 [temp_use])
  16.948     apply assumption
  16.949 -  apply (erule_tac V = "sigmaa |= \<diamond>\<box>P" in thin_rl)
  16.950 -  apply (erule_tac V = "sigmaa |= \<box>F" in thin_rl)
  16.951 +  apply (erule_tac V = "sigmaa \<Turnstile> \<diamond>\<box>P" in thin_rl)
  16.952 +  apply (erule_tac V = "sigmaa \<Turnstile> \<box>F" in thin_rl)
  16.953    apply (drule BoxWFI [temp_use])
  16.954    apply (erule_tac F = "ACT N & [~B]_f" in dup_boxE)
  16.955    apply merge_temp_box
  16.956 @@ -995,11 +995,11 @@
  16.957    done
  16.958  
  16.959  lemma SF2:
  16.960 -  assumes 1: "|- N & <B>_f --> <M>_g"
  16.961 -    and 2: "|- $P & P` & <N & A>_f --> B"
  16.962 -    and 3: "|- P & Enabled(<M>_g) --> Enabled(<A>_f)"
  16.963 -    and 4: "|- \<box>(N & [~B]_f) & SF(A)_f & \<box>F & \<box>\<diamond>Enabled(<M>_g) --> \<diamond>\<box>P"
  16.964 -  shows "|- \<box>N & SF(A)_f & \<box>F --> SF(M)_g"
  16.965 +  assumes 1: "\<turnstile> N & <B>_f \<longrightarrow> <M>_g"
  16.966 +    and 2: "\<turnstile> $P & P` & <N & A>_f \<longrightarrow> B"
  16.967 +    and 3: "\<turnstile> P & Enabled(<M>_g) \<longrightarrow> Enabled(<A>_f)"
  16.968 +    and 4: "\<turnstile> \<box>(N & [~B]_f) & SF(A)_f & \<box>F & \<box>\<diamond>Enabled(<M>_g) \<longrightarrow> \<diamond>\<box>P"
  16.969 +  shows "\<turnstile> \<box>N & SF(A)_f & \<box>F \<longrightarrow> SF(M)_g"
  16.970    apply (clarsimp dest!: BoxSFI [temp_use] simp: 2 [try_rewrite] SF_def [where A = M])
  16.971    apply (erule_tac F = F in dup_boxE)
  16.972    apply (erule_tac F = "TEMP \<diamond>Enabled (<M>_g) " in dup_boxE)
  16.973 @@ -1008,14 +1008,14 @@
  16.974     apply assumption
  16.975    apply (clarsimp intro!: BoxDmd_simple [temp_use, THEN 1 [THEN DmdImpl, temp_use]])
  16.976    apply (rule classical)
  16.977 -  apply (subgoal_tac "sigmaa |= \<diamond> (($P & P` & N) & <A>_f)")
  16.978 +  apply (subgoal_tac "sigmaa \<Turnstile> \<diamond> (($P & P` & N) & <A>_f)")
  16.979     apply (force simp: angle_def intro!: 2 [temp_use] elim!: DmdImplE [temp_use])
  16.980    apply (rule BoxDmd_simple [THEN DmdImpl, unfolded DmdDmd [temp_rewrite], temp_use])
  16.981    apply (simp add: NotDmd [temp_use] not_angle [try_rewrite])
  16.982    apply merge_act_box
  16.983    apply (frule 4 [temp_use])
  16.984       apply assumption+
  16.985 -  apply (erule_tac V = "sigmaa |= \<box>F" in thin_rl)
  16.986 +  apply (erule_tac V = "sigmaa \<Turnstile> \<box>F" in thin_rl)
  16.987    apply (drule BoxSFI [temp_use])
  16.988    apply (erule_tac F = "TEMP \<diamond>Enabled (<M>_g)" in dup_boxE)
  16.989    apply (erule_tac F = "ACT N & [~B]_f" in dup_boxE)
  16.990 @@ -1037,8 +1037,8 @@
  16.991  
  16.992  lemma wf_leadsto:
  16.993    assumes 1: "wf r"
  16.994 -    and 2: "\<And>x. sigma |= F x \<leadsto> (G | (\<exists>y. #((y,x):r) & F y))    "
  16.995 -  shows "sigma |= F x \<leadsto> G"
  16.996 +    and 2: "\<And>x. sigma \<Turnstile> F x \<leadsto> (G | (\<exists>y. #((y,x):r) & F y))    "
  16.997 +  shows "sigma \<Turnstile> F x \<leadsto> G"
  16.998    apply (rule 1 [THEN wf_induct])
  16.999    apply (rule LatticeTriangle [temp_use])
 16.1000     apply (rule 2)
 16.1001 @@ -1049,10 +1049,10 @@
 16.1002    done
 16.1003  
 16.1004  (* If r is well-founded, state function v cannot decrease forever *)
 16.1005 -lemma wf_not_box_decrease: "\<And>r. wf r ==> |- \<box>[ (v`, $v) : #r ]_v --> \<diamond>\<box>[#False]_v"
 16.1006 +lemma wf_not_box_decrease: "\<And>r. wf r \<Longrightarrow> \<turnstile> \<box>[ (v`, $v) : #r ]_v \<longrightarrow> \<diamond>\<box>[#False]_v"
 16.1007    apply clarsimp
 16.1008    apply (rule ccontr)
 16.1009 -  apply (subgoal_tac "sigma |= (\<exists>x. v=#x) \<leadsto> #False")
 16.1010 +  apply (subgoal_tac "sigma \<Turnstile> (\<exists>x. v=#x) \<leadsto> #False")
 16.1011     apply (drule leadsto_false [temp_use, THEN iffD1, THEN STL2_gen [temp_use]])
 16.1012     apply (force simp: Init_defs)
 16.1013    apply (clarsimp simp: leadsto_exists [try_rewrite] not_square [try_rewrite] more_temp_simps)
 16.1014 @@ -1061,7 +1061,7 @@
 16.1015     apply (auto simp: square_def angle_def)
 16.1016    done
 16.1017  
 16.1018 -(* "wf r  ==>  |- \<diamond>\<box>[ (v`, $v) : #r ]_v --> \<diamond>\<box>[#False]_v" *)
 16.1019 +(* "wf r  \<Longrightarrow>  \<turnstile> \<diamond>\<box>[ (v`, $v) : #r ]_v \<longrightarrow> \<diamond>\<box>[#False]_v" *)
 16.1020  lemmas wf_not_dmd_box_decrease =
 16.1021    wf_not_box_decrease [THEN DmdImpl, unfolded more_temp_simps]
 16.1022  
 16.1023 @@ -1070,14 +1070,14 @@
 16.1024  *)
 16.1025  lemma wf_box_dmd_decrease:
 16.1026    assumes 1: "wf r"
 16.1027 -  shows "|- \<box>\<diamond>((v`, $v) : #r) --> \<box>\<diamond><(v`, $v) \<notin> #r>_v"
 16.1028 +  shows "\<turnstile> \<box>\<diamond>((v`, $v) : #r) \<longrightarrow> \<box>\<diamond><(v`, $v) \<notin> #r>_v"
 16.1029    apply clarsimp
 16.1030    apply (rule ccontr)
 16.1031    apply (simp add: not_angle [try_rewrite] more_temp_simps)
 16.1032    apply (drule 1 [THEN wf_not_dmd_box_decrease [temp_use]])
 16.1033    apply (drule BoxDmdDmdBox [temp_use])
 16.1034     apply assumption
 16.1035 -  apply (subgoal_tac "sigma |= \<box>\<diamond> ((#False) ::action)")
 16.1036 +  apply (subgoal_tac "sigma \<Turnstile> \<box>\<diamond> ((#False) ::action)")
 16.1037     apply force
 16.1038    apply (erule STL4E)
 16.1039    apply (rule DmdImpl)
 16.1040 @@ -1087,9 +1087,9 @@
 16.1041  (* In particular, for natural numbers, if n decreases infinitely often
 16.1042     then it has to increase infinitely often.
 16.1043  *)
 16.1044 -lemma nat_box_dmd_decrease: "\<And>n::nat stfun. |- \<box>\<diamond>(n` < $n) --> \<box>\<diamond>($n < n`)"
 16.1045 +lemma nat_box_dmd_decrease: "\<And>n::nat stfun. \<turnstile> \<box>\<diamond>(n` < $n) \<longrightarrow> \<box>\<diamond>($n < n`)"
 16.1046    apply clarsimp
 16.1047 -  apply (subgoal_tac "sigma |= \<box>\<diamond><~ ((n`,$n) : #less_than) >_n")
 16.1048 +  apply (subgoal_tac "sigma \<Turnstile> \<box>\<diamond><~ ((n`,$n) : #less_than) >_n")
 16.1049     apply (erule thin_rl)
 16.1050     apply (erule STL4E)
 16.1051     apply (rule DmdImpl)
 16.1052 @@ -1106,11 +1106,11 @@
 16.1053  
 16.1054  lemma aallI:
 16.1055    assumes 1: "basevars vs"
 16.1056 -    and 2: "(\<And>x. basevars (x,vs) ==> sigma |= F x)"
 16.1057 -  shows "sigma |= (\<forall>\<forall>x. F x)"
 16.1058 +    and 2: "(\<And>x. basevars (x,vs) \<Longrightarrow> sigma \<Turnstile> F x)"
 16.1059 +  shows "sigma \<Turnstile> (\<forall>\<forall>x. F x)"
 16.1060    by (auto simp: aall_def elim!: eexE [temp_use] intro!: 1 dest!: 2 [temp_use])
 16.1061  
 16.1062 -lemma aallE: "|- (\<forall>\<forall>x. F x) --> F x"
 16.1063 +lemma aallE: "\<turnstile> (\<forall>\<forall>x. F x) \<longrightarrow> F x"
 16.1064    apply (unfold aall_def)
 16.1065    apply clarsimp
 16.1066    apply (erule contrapos_np)
 16.1067 @@ -1119,18 +1119,18 @@
 16.1068  
 16.1069  (* monotonicity of quantification *)
 16.1070  lemma eex_mono:
 16.1071 -  assumes 1: "sigma |= \<exists>\<exists>x. F x"
 16.1072 -    and 2: "\<And>x. sigma |= F x --> G x"
 16.1073 -  shows "sigma |= \<exists>\<exists>x. G x"
 16.1074 +  assumes 1: "sigma \<Turnstile> \<exists>\<exists>x. F x"
 16.1075 +    and 2: "\<And>x. sigma \<Turnstile> F x \<longrightarrow> G x"
 16.1076 +  shows "sigma \<Turnstile> \<exists>\<exists>x. G x"
 16.1077    apply (rule unit_base [THEN 1 [THEN eexE]])
 16.1078    apply (rule eexI [temp_use])
 16.1079    apply (erule 2 [unfolded intensional_rews, THEN mp])
 16.1080    done
 16.1081  
 16.1082  lemma aall_mono:
 16.1083 -  assumes 1: "sigma |= \<forall>\<forall>x. F(x)"
 16.1084 -    and 2: "\<And>x. sigma |= F(x) --> G(x)"
 16.1085 -  shows "sigma |= \<forall>\<forall>x. G(x)"
 16.1086 +  assumes 1: "sigma \<Turnstile> \<forall>\<forall>x. F(x)"
 16.1087 +    and 2: "\<And>x. sigma \<Turnstile> F(x) \<longrightarrow> G(x)"
 16.1088 +  shows "sigma \<Turnstile> \<forall>\<forall>x. G(x)"
 16.1089    apply (rule unit_base [THEN aallI])
 16.1090    apply (rule 2 [unfolded intensional_rews, THEN mp])
 16.1091    apply (rule 1 [THEN aallE [temp_use]])
 16.1092 @@ -1138,12 +1138,12 @@
 16.1093  
 16.1094  (* Derived history introduction rule *)
 16.1095  lemma historyI:
 16.1096 -  assumes 1: "sigma |= Init I"
 16.1097 -    and 2: "sigma |= \<box>N"
 16.1098 +  assumes 1: "sigma \<Turnstile> Init I"
 16.1099 +    and 2: "sigma \<Turnstile> \<box>N"
 16.1100      and 3: "basevars vs"
 16.1101 -    and 4: "\<And>h. basevars(h,vs) ==> |- I & h = ha --> HI h"
 16.1102 -    and 5: "\<And>h s t. [| basevars(h,vs); N (s,t); h t = hb (h s) (s,t) |] ==> HN h (s,t)"
 16.1103 -  shows "sigma |= \<exists>\<exists>h. Init (HI h) & \<box>(HN h)"
 16.1104 +    and 4: "\<And>h. basevars(h,vs) \<Longrightarrow> \<turnstile> I & h = ha \<longrightarrow> HI h"
 16.1105 +    and 5: "\<And>h s t. \<lbrakk> basevars(h,vs); N (s,t); h t = hb (h s) (s,t) \<rbrakk> \<Longrightarrow> HN h (s,t)"
 16.1106 +  shows "sigma \<Turnstile> \<exists>\<exists>h. Init (HI h) & \<box>(HN h)"
 16.1107    apply (rule history [temp_use, THEN eexE])
 16.1108    apply (rule 3)
 16.1109    apply (rule eexI [temp_use])
 16.1110 @@ -1161,7 +1161,7 @@
 16.1111     example of a history variable: existence of a clock
 16.1112  *)
 16.1113  
 16.1114 -lemma "|- \<exists>\<exists>h. Init(h = #True) & \<box>(h` = (~$h))"
 16.1115 +lemma "\<turnstile> \<exists>\<exists>h. Init(h = #True) & \<box>(h` = (~$h))"
 16.1116    apply (rule tempI)
 16.1117    apply (rule historyI)
 16.1118    apply (force simp: Init_defs intro!: unit_base [temp_use] necT [temp_use])+