Generalized Zorn and added well-ordering theorem
authornipkow
Sun Mar 02 15:02:06 2008 +0100 (2008-03-02)
changeset 26191ae537f315b34
parent 26190 cf51a23c0cd0
child 26192 52617dca8386
Generalized Zorn and added well-ordering theorem
src/HOL/Library/Zorn.thy
     1.1 --- a/src/HOL/Library/Zorn.thy	Sat Mar 01 15:01:03 2008 +0100
     1.2 +++ b/src/HOL/Library/Zorn.thy	Sun Mar 02 15:02:06 2008 +0100
     1.3 @@ -1,7 +1,8 @@
     1.4  (*  Title       : HOL/Library/Zorn.thy
     1.5      ID          : $Id$
     1.6 -    Author      : Jacques D. Fleuriot
     1.7 -    Description : Zorn's Lemma -- see Larry Paulson's Zorn.thy in ZF
     1.8 +    Author      : Jacques D. Fleuriot, Tobias Nipkow
     1.9 +    Description : Zorn's Lemma (ported from Larry Paulson's Zorn.thy in ZF)
    1.10 +                  The well-ordering theorem
    1.11  *)
    1.12  
    1.13  header {* Zorn's Lemma *}
    1.14 @@ -152,7 +153,7 @@
    1.15  lemma maxchain_subset_chain: "maxchain S \<subseteq> chain S"
    1.16    by (unfold maxchain_def) blast
    1.17  
    1.18 -lemma mem_super_Ex: "c \<in> chain S - maxchain S ==> ? d. d \<in> super S c"
    1.19 +lemma mem_super_Ex: "c \<in> chain S - maxchain S ==> EX d. d \<in> super S c"
    1.20    by (unfold super_def maxchain_def) auto
    1.21  
    1.22  lemma select_super:
    1.23 @@ -261,4 +262,353 @@
    1.24  lemma chainD2: "!!(c :: 'a set set). c \<in> chain S ==> c \<subseteq> S"
    1.25    by (unfold chain_def) blast
    1.26  
    1.27 +
    1.28 +(* FIXME into Relation.thy *)
    1.29 +
    1.30 +lemma mono_Field: "r \<subseteq> s \<Longrightarrow> Field r \<subseteq> Field s"
    1.31 +by(auto simp:Field_def Domain_def Range_def)
    1.32 +
    1.33 +lemma Field_empty[simp]: "Field {} = {}"
    1.34 +by(auto simp:Field_def)
    1.35 +
    1.36 +lemma Field_insert[simp]: "Field (insert (a,b) r) = {a,b} \<union> Field r"
    1.37 +by(auto simp:Field_def)
    1.38 +
    1.39 +lemma Field_Un[simp]: "Field (r \<union> s) = Field r \<union> Field s"
    1.40 +by(auto simp:Field_def)
    1.41 +
    1.42 +lemma Field_Union[simp]: "Field (\<Union>R) = \<Union>(Field ` R)"
    1.43 +by(auto simp:Field_def)
    1.44 +
    1.45 +lemma Domain_converse[simp]: "Domain(r^-1) = Range r"
    1.46 +by blast
    1.47 +
    1.48 +lemma Range_converse[simp]: "Range(r^-1) = Domain r"
    1.49 +by blast
    1.50 +
    1.51 +lemma Field_converse[simp]: "Field(r^-1) = Field r"
    1.52 +by(auto simp:Field_def)
    1.53 +
    1.54 +lemma reflexive_reflcl[simp]: "reflexive(r^=)"
    1.55 +by(simp add:refl_def)
    1.56 +
    1.57 +lemma antisym_reflcl[simp]: "antisym(r^=) = antisym r"
    1.58 +by(simp add:antisym_def)
    1.59 +
    1.60 +lemma trans_reflclI[simp]: "trans r \<Longrightarrow> trans(r^=)"
    1.61 +unfolding trans_def by blast
    1.62 +
    1.63 +(*********************************************************)
    1.64 +
    1.65 +(* Define globally? In Set.thy?
    1.66 +   Use in def of chain at the beginning *)
    1.67 +definition "subset_chain C \<equiv> \<forall>A\<in>C.\<forall>B\<in>C. A \<subseteq> B \<or> B \<subseteq> A"
    1.68 +
    1.69 +(* Define globally? In Relation.thy? *)
    1.70 +definition Chain :: "('a*'a)set \<Rightarrow> 'a set set" where
    1.71 +"Chain r \<equiv> {A. \<forall>a\<in>A.\<forall>b\<in>A. (a,b) : r \<or> (b,a) \<in> r}"
    1.72 +
    1.73 +lemma mono_Chain: "r \<subseteq> s \<Longrightarrow> Chain r \<subseteq> Chain s"
    1.74 +unfolding Chain_def by blast
    1.75 +
    1.76 +(* Are the following definitions the "right" ones?
    1.77 +
    1.78 +Key point: should the set appear as an explicit argument,
    1.79 +(as currently in "refl A r") or should it remain implicitly the Field
    1.80 +(as in Refl below)? I use refl/Refl merely to illusrate the point.
    1.81 +
    1.82 +The notation "refl A r" is closer to the usual (A,<=) in the literature
    1.83 +whereas "Refl r" is shorter and avoids naming the set.
    1.84 +Note that "refl A r \<Longrightarrow> A = Field r & Refl r" and "Refl r \<Longrightarrow> refl (Field r) r"
    1.85 +This makes the A look redundant.
    1.86 +
    1.87 +A slight advantage of having the A around is that one can write "a:A"
    1.88 +rather than "a:Field r". A disavantage is the multiple occurrences of
    1.89 +"refl (Field r) r" (etc) in the proof of the well-ordering thm.
    1.90 +
    1.91 +I propose to move the definitions into Main, either as they are or
    1.92 +with an additional A argument.
    1.93 +
    1.94 +Naming: The capital letters were chosen to distinguish them from
    1.95 +versions on the whole type we have (eg reflexive) or may want to have
    1.96 +(eg preorder). In case of an additional A argument one could append
    1.97 +"_on" to distinguish the relativized versions.
    1.98 +*)
    1.99 +
   1.100 +definition "Refl r \<equiv> \<forall>x \<in> Field r. (x,x) \<in> r"
   1.101 +definition "Preorder r \<equiv> Refl r \<and> trans r"
   1.102 +definition "Partial_order r \<equiv> Preorder r \<and> antisym r"
   1.103 +definition "Total r \<equiv> \<forall>x\<in>Field r.\<forall>y\<in>Field r. x\<noteq>y \<longrightarrow> (x,y)\<in>r \<or> (y,x)\<in>r"
   1.104 +definition "Linear_order r \<equiv> Partial_order r \<and> Total r"
   1.105 +definition "Well_order r \<equiv> Linear_order r \<and> wf(r - Id)"
   1.106 +
   1.107 +lemmas Order_defs =
   1.108 +  Preorder_def Partial_order_def Linear_order_def Well_order_def
   1.109 +
   1.110 +lemma Refl_empty[simp]: "Refl {}"
   1.111 +by(simp add:Refl_def)
   1.112 +lemma Preorder_empty[simp]: "Preorder {}"
   1.113 +by(simp add:Preorder_def trans_def)
   1.114 +lemma Partial_order_empty[simp]: "Partial_order {}"
   1.115 +by(simp add:Partial_order_def)
   1.116 +lemma Total_empty[simp]: "Total {}"
   1.117 +by(simp add:Total_def)
   1.118 +lemma Linear_order_empty[simp]: "Linear_order {}"
   1.119 +by(simp add:Linear_order_def)
   1.120 +lemma Well_order_empty[simp]: "Well_order {}"
   1.121 +by(simp add:Well_order_def)
   1.122 +
   1.123 +lemma Refl_converse[simp]: "Refl(r^-1) = Refl r"
   1.124 +by(simp add:Refl_def)
   1.125 +
   1.126 +lemma Preorder_converse[simp]: "Preorder (r^-1) = Preorder r"
   1.127 +by (simp add:Preorder_def)
   1.128 +
   1.129 +lemma Partial_order_converse[simp]:
   1.130 +  "Partial_order (r^-1) = Partial_order r"
   1.131 +by (simp add: Partial_order_def)
   1.132 +
   1.133 +lemma subset_Image_Image_iff:
   1.134 +  "\<lbrakk> Preorder r; A \<subseteq> Field r; B \<subseteq> Field r\<rbrakk> \<Longrightarrow>
   1.135 +   r `` A \<subseteq> r `` B \<longleftrightarrow> (\<forall>a\<in>A.\<exists>b\<in>B. (b,a):r)"
   1.136 +apply(auto simp add:subset_def Preorder_def Refl_def Image_def)
   1.137 +apply metis
   1.138 +by(metis trans_def)
   1.139 +
   1.140 +lemma subset_Image1_Image1_iff:
   1.141 +  "\<lbrakk> Preorder r; a : Field r; b : Field r\<rbrakk> \<Longrightarrow> r `` {a} \<subseteq> r `` {b} \<longleftrightarrow> (b,a):r"
   1.142 +by(simp add:subset_Image_Image_iff)
   1.143 +
   1.144 +lemma Refl_antisym_eq_Image1_Image1_iff:
   1.145 +  "\<lbrakk>Refl r; antisym r; a:Field r; b:Field r\<rbrakk> \<Longrightarrow> r `` {a} = r `` {b} \<longleftrightarrow> a=b"
   1.146 +by(simp add:Preorder_def expand_set_eq Partial_order_def antisym_def Refl_def)
   1.147 +  metis
   1.148 +
   1.149 +lemma Partial_order_eq_Image1_Image1_iff:
   1.150 +  "\<lbrakk>Partial_order r; a:Field r; b:Field r\<rbrakk> \<Longrightarrow> r `` {a} = r `` {b} \<longleftrightarrow> a=b"
   1.151 +by(auto simp:Preorder_def Partial_order_def Refl_antisym_eq_Image1_Image1_iff)
   1.152 +
   1.153 +text{* Zorn's lemma for partial orders: *}
   1.154 +
   1.155 +lemma Zorns_po_lemma:
   1.156 +assumes po: "Partial_order r" and u: "\<forall>C\<in>Chain r. \<exists>u\<in>Field r. \<forall>a\<in>C. (a,u):r"
   1.157 +shows "\<exists>m\<in>Field r. \<forall>a\<in>Field r. (m,a):r \<longrightarrow> a=m"
   1.158 +proof-
   1.159 +  have "Preorder r" using po by(simp add:Partial_order_def)
   1.160 +--{* Mirror r in the set of subsets below (wrt r) elements of A*}
   1.161 +  let ?B = "%x. r^-1 `` {x}" let ?S = "?B ` Field r"
   1.162 +  have "\<forall>C \<in> chain ?S. EX U:?S. ALL A:C. A\<subseteq>U"
   1.163 +  proof (auto simp:chain_def)
   1.164 +    fix C assume 1: "C \<subseteq> ?S" and 2: "\<forall>A\<in>C.\<forall>B\<in>C. A\<subseteq>B | B\<subseteq>A"
   1.165 +    let ?A = "{x\<in>Field r. \<exists>M\<in>C. M = ?B x}"
   1.166 +    have "C = ?B ` ?A" using 1 by(auto simp: image_def)
   1.167 +    have "?A\<in>Chain r"
   1.168 +    proof (simp add:Chain_def, intro allI impI, elim conjE)
   1.169 +      fix a b
   1.170 +      assume "a \<in> Field r" "?B a \<in> C" "b \<in> Field r" "?B b \<in> C"
   1.171 +      hence "?B a \<subseteq> ?B b \<or> ?B b \<subseteq> ?B a" using 2 by auto
   1.172 +      thus "(a, b) \<in> r \<or> (b, a) \<in> r" using `Preorder r` `a:Field r` `b:Field r`
   1.173 +	by(simp add:subset_Image1_Image1_iff)
   1.174 +    qed
   1.175 +    then obtain u where uA: "u:Field r" "\<forall>a\<in>?A. (a,u) : r" using u by auto
   1.176 +    have "\<forall>A\<in>C. A \<subseteq> r^-1 `` {u}" (is "?P u")
   1.177 +    proof auto
   1.178 +      fix a B assume aB: "B:C" "a:B"
   1.179 +      with 1 obtain x where "x:Field r" "B = r^-1 `` {x}" by auto
   1.180 +      thus "(a,u) : r" using uA aB `Preorder r`
   1.181 +	by (auto simp add: Preorder_def Refl_def) (metis transD)
   1.182 +    qed
   1.183 +    thus "EX u:Field r. ?P u" using `u:Field r` by blast
   1.184 +  qed
   1.185 +  from Zorn_Lemma2[OF this]
   1.186 +  obtain m B where "m:Field r" "B = r^-1 `` {m}"
   1.187 +    "\<forall>x\<in>Field r. B \<subseteq> r^-1 `` {x} \<longrightarrow> B = r^-1 `` {x}"
   1.188 +    by(auto simp:image_def) blast
   1.189 +  hence "\<forall>a\<in>Field r. (m, a) \<in> r \<longrightarrow> a = m" using po `Preorder r` `m:Field r`
   1.190 +    by(auto simp:subset_Image1_Image1_iff Partial_order_eq_Image1_Image1_iff)
   1.191 +  thus ?thesis using `m:Field r` by blast
   1.192 +qed
   1.193 +
   1.194 +(* The initial segment of a relation appears generally useful.
   1.195 +   Move to Relation.thy?
   1.196 +   Definition correct/most general?
   1.197 +   Naming?
   1.198 +*)
   1.199 +definition init_seg_of :: "(('a*'a)set * ('a*'a)set)set" where
   1.200 +"init_seg_of == {(r,s). r \<subseteq> s \<and> (\<forall>a b c. (a,b):s \<and> (b,c):r \<longrightarrow> (a,b):r)}"
   1.201 +
   1.202 +abbreviation initialSegmentOf :: "('a*'a)set \<Rightarrow> ('a*'a)set \<Rightarrow> bool"
   1.203 +             (infix "initial'_segment'_of" 55) where
   1.204 +"r initial_segment_of s == (r,s):init_seg_of"
   1.205 +
   1.206 +lemma refl_init_seg_of[simp]: "r initial_segment_of r"
   1.207 +by(simp add:init_seg_of_def)
   1.208 +
   1.209 +lemma trans_init_seg_of:
   1.210 +  "r initial_segment_of s \<Longrightarrow> s initial_segment_of t \<Longrightarrow> r initial_segment_of t"
   1.211 +by(simp (no_asm_use) add: init_seg_of_def)
   1.212 +  (metis Domain_iff UnCI Un_absorb2 subset_trans)
   1.213 +
   1.214 +lemma antisym_init_seg_of:
   1.215 +  "r initial_segment_of s \<Longrightarrow> s initial_segment_of r \<Longrightarrow> r=s"
   1.216 +by(auto simp:init_seg_of_def)
   1.217 +
   1.218 +lemma Chain_init_seg_of_Union:
   1.219 +  "R \<in> Chain init_seg_of \<Longrightarrow> r\<in>R \<Longrightarrow> r initial_segment_of \<Union>R"
   1.220 +by(auto simp add:init_seg_of_def Chain_def Ball_def) blast
   1.221 +
   1.222 +lemma subset_chain_trans_Union:
   1.223 +  "subset_chain R \<Longrightarrow> \<forall>r\<in>R. trans r \<Longrightarrow> trans(\<Union>R)"
   1.224 +apply(auto simp add:subset_chain_def)
   1.225 +apply(simp (no_asm_use) add:trans_def)
   1.226 +apply (metis subsetD)
   1.227 +done
   1.228 +
   1.229 +lemma subset_chain_antisym_Union:
   1.230 +  "subset_chain R \<Longrightarrow> \<forall>r\<in>R. antisym r \<Longrightarrow> antisym(\<Union>R)"
   1.231 +apply(auto simp add:subset_chain_def antisym_def)
   1.232 +apply (metis subsetD)
   1.233 +done
   1.234 +
   1.235 +lemma subset_chain_Total_Union:
   1.236 +assumes "subset_chain R" "\<forall>r\<in>R. Total r"
   1.237 +shows "Total (\<Union>R)"
   1.238 +proof (simp add: Total_def Ball_def, auto del:disjCI)
   1.239 +  fix r s a b assume A: "r:R" "s:R" "a:Field r" "b:Field s" "a\<noteq>b"
   1.240 +  from `subset_chain R` `r:R` `s:R` have "r\<subseteq>s \<or> s\<subseteq>r"
   1.241 +    by(simp add:subset_chain_def)
   1.242 +  thus "(\<exists>r\<in>R. (a,b) \<in> r) \<or> (\<exists>r\<in>R. (b,a) \<in> r)"
   1.243 +  proof
   1.244 +    assume "r\<subseteq>s" hence "(a,b):s \<or> (b,a):s" using assms(2) A
   1.245 +      by(simp add:Total_def)(metis mono_Field subsetD)
   1.246 +    thus ?thesis using `s:R` by blast
   1.247 +  next
   1.248 +    assume "s\<subseteq>r" hence "(a,b):r \<or> (b,a):r" using assms(2) A
   1.249 +      by(simp add:Total_def)(metis mono_Field subsetD)
   1.250 +    thus ?thesis using `r:R` by blast
   1.251 +  qed
   1.252 +qed
   1.253 +
   1.254 +lemma wf_Union_wf_init_segs:
   1.255 +assumes "R \<in> Chain init_seg_of" and "\<forall>r\<in>R. wf r" shows "wf(\<Union>R)"
   1.256 +proof(simp add:wf_iff_no_infinite_down_chain, rule ccontr, auto)
   1.257 +  fix f assume 1: "\<forall>i. \<exists>r\<in>R. (f(Suc i), f i) \<in> r"
   1.258 +  then obtain r where "r:R" and "(f(Suc 0), f 0) : r" by auto
   1.259 +  { fix i have "(f(Suc i), f i) \<in> r"
   1.260 +    proof(induct i)
   1.261 +      case 0 show ?case by fact
   1.262 +    next
   1.263 +      case (Suc i)
   1.264 +      moreover obtain s where "s\<in>R" and "(f(Suc(Suc i)), f(Suc i)) \<in> s"
   1.265 +	using 1 by auto
   1.266 +      moreover hence "s initial_segment_of r \<or> r initial_segment_of s"
   1.267 +	using assms(1) `r:R` by(simp add: Chain_def)
   1.268 +      ultimately show ?case by(simp add:init_seg_of_def) blast
   1.269 +    qed
   1.270 +  }
   1.271 +  thus False using assms(2) `r:R`
   1.272 +    by(simp add:wf_iff_no_infinite_down_chain) blast
   1.273 +qed
   1.274 +
   1.275 +lemma Chain_inits_DiffI:
   1.276 +  "R \<in> Chain init_seg_of \<Longrightarrow> {r - s |r. r \<in> R} \<in> Chain init_seg_of"
   1.277 +apply(auto simp:Chain_def init_seg_of_def)
   1.278 +apply (metis subsetD)
   1.279 +apply (metis subsetD)
   1.280 +done
   1.281 +
   1.282 +theorem well_ordering: "\<exists>r::('a*'a)set. Well_order r"
   1.283 +proof-
   1.284 +-- {*The initial segment relation on well-orders: *}
   1.285 +  let ?WO = "{r::('a*'a)set. Well_order r}"
   1.286 +  def I \<equiv> "init_seg_of \<inter> ?WO \<times> ?WO"
   1.287 +  have I_init: "I \<subseteq> init_seg_of" by(auto simp:I_def)
   1.288 +  hence subch: "!!R. R : Chain I \<Longrightarrow> subset_chain R"
   1.289 +    by(auto simp:init_seg_of_def subset_chain_def Chain_def)
   1.290 +  have Chain_wo: "!!R r. R \<in> Chain I \<Longrightarrow> r \<in> R \<Longrightarrow> Well_order r"
   1.291 +    by(simp add:Chain_def I_def) blast
   1.292 +  have FI: "Field I = ?WO" by(auto simp add:I_def init_seg_of_def Field_def)
   1.293 +  hence 0: "Partial_order I"
   1.294 +    by(auto simp add: Partial_order_def Preorder_def antisym_def antisym_init_seg_of Refl_def trans_def I_def)(metis trans_init_seg_of)
   1.295 +-- {*I-chains have upper bounds in ?WO wrt I: their Union*}
   1.296 +  { fix R assume "R \<in> Chain I"
   1.297 +    hence Ris: "R \<in> Chain init_seg_of" using mono_Chain[OF I_init] by blast
   1.298 +    have subch: "subset_chain R" using `R : Chain I` I_init
   1.299 +      by(auto simp:init_seg_of_def subset_chain_def Chain_def)
   1.300 +    have "\<forall>r\<in>R. Refl r" "\<forall>r\<in>R. trans r" "\<forall>r\<in>R. antisym r" "\<forall>r\<in>R. Total r"
   1.301 +         "\<forall>r\<in>R. wf(r-Id)"
   1.302 +      using Chain_wo[OF `R \<in> Chain I`] by(simp_all add:Order_defs)
   1.303 +    have "Refl (\<Union>R)" using `\<forall>r\<in>R. Refl r` by(auto simp:Refl_def)
   1.304 +    moreover have "trans (\<Union>R)"
   1.305 +      by(rule subset_chain_trans_Union[OF subch `\<forall>r\<in>R. trans r`])
   1.306 +    moreover have "antisym(\<Union>R)"
   1.307 +      by(rule subset_chain_antisym_Union[OF subch `\<forall>r\<in>R. antisym r`])
   1.308 +    moreover have "Total (\<Union>R)"
   1.309 +      by(rule subset_chain_Total_Union[OF subch `\<forall>r\<in>R. Total r`])
   1.310 +    moreover have "wf((\<Union>R)-Id)"
   1.311 +    proof-
   1.312 +      have "(\<Union>R)-Id = \<Union>{r-Id|r. r \<in> R}" by blast
   1.313 +      with `\<forall>r\<in>R. wf(r-Id)` wf_Union_wf_init_segs[OF Chain_inits_DiffI[OF Ris]]
   1.314 +      show ?thesis by (simp (no_asm_simp)) blast
   1.315 +    qed
   1.316 +    ultimately have "Well_order (\<Union>R)" by(simp add:Order_defs)
   1.317 +    moreover have "\<forall>r \<in> R. r initial_segment_of \<Union>R" using Ris
   1.318 +      by(simp add: Chain_init_seg_of_Union)
   1.319 +    ultimately have "\<Union>R : ?WO \<and> (\<forall>r\<in>R. (r,\<Union>R) : I)"
   1.320 +      using mono_Chain[OF I_init] `R \<in> Chain I`
   1.321 +      by(simp (no_asm) add:I_def del:Field_Union)(metis Chain_wo subsetD)
   1.322 +  }
   1.323 +  hence 1: "\<forall>R \<in> Chain I. \<exists>u\<in>Field I. \<forall>r\<in>R. (r,u) : I" by (subst FI) blast
   1.324 +--{*Zorn's Lemma yields a maximal well-order m:*}
   1.325 +  then obtain m::"('a*'a)set" where "Well_order m" and
   1.326 +    max: "\<forall>r. Well_order r \<and> (m,r):I \<longrightarrow> r=m"
   1.327 +    using Zorns_po_lemma[OF 0 1] by (auto simp:FI)
   1.328 +--{*Now show by contradiction that m covers the whole type:*}
   1.329 +  { fix x::'a assume "x \<notin> Field m"
   1.330 +--{*We assume that x is not covered and extend m at the top with x*}
   1.331 +    have "m \<noteq> {}"
   1.332 +    proof
   1.333 +      assume "m={}"
   1.334 +      moreover have "Well_order {(x,x)}"
   1.335 +	by(simp add:Order_defs Refl_def trans_def antisym_def Total_def Field_def Domain_def Range_def)
   1.336 +      ultimately show False using max
   1.337 +	by (auto simp:I_def init_seg_of_def simp del:Field_insert)
   1.338 +    qed
   1.339 +    hence "Field m \<noteq> {}" by(auto simp:Field_def)
   1.340 +    moreover have "wf(m-Id)" using `Well_order m` by(simp add:Well_order_def)
   1.341 +--{*The extension of m by x:*}
   1.342 +    let ?s = "{(a,x)|a. a : Field m}" let ?m = "insert (x,x) m Un ?s"
   1.343 +    have Fm: "Field ?m = insert x (Field m)"
   1.344 +      apply(simp add:Field_insert Field_Un)
   1.345 +      unfolding Field_def by auto
   1.346 +    have "Refl m" "trans m" "antisym m" "Total m" "wf(m-Id)"
   1.347 +      using `Well_order m` by(simp_all add:Order_defs)
   1.348 +--{*We show that the extension is a well-order*}
   1.349 +    have "Refl ?m" using `Refl m` Fm by(auto simp:Refl_def)
   1.350 +    moreover have "trans ?m" using `trans m` `x \<notin> Field m`
   1.351 +      unfolding trans_def Field_def Domain_def Range_def by blast
   1.352 +    moreover have "antisym ?m" using `antisym m` `x \<notin> Field m`
   1.353 +      unfolding antisym_def Field_def Domain_def Range_def by blast
   1.354 +    moreover have "Total ?m" using `Total m` Fm by(auto simp: Total_def)
   1.355 +    moreover have "wf(?m-Id)"
   1.356 +    proof-
   1.357 +      have "wf ?s" using `x \<notin> Field m`
   1.358 +	by(auto simp add:wf_eq_minimal Field_def Domain_def Range_def) metis
   1.359 +      thus ?thesis using `wf(m-Id)` `x \<notin> Field m`
   1.360 +	wf_subset[OF `wf ?s` Diff_subset]
   1.361 +	by (fastsimp intro!: wf_Un simp add: Un_Diff Field_def)
   1.362 +    qed
   1.363 +    ultimately have "Well_order ?m" by(simp add:Order_defs)
   1.364 +--{*We show that the extension is above m*}
   1.365 +    moreover hence "(m,?m) : I" using `Well_order m` `x \<notin> Field m`
   1.366 +      by(fastsimp simp:I_def init_seg_of_def Field_def Domain_def Range_def)
   1.367 +    ultimately
   1.368 +--{*This contradicts maximality of m:*}
   1.369 +    have False using max `x \<notin> Field m` unfolding Field_def by blast
   1.370 +  }
   1.371 +  hence "Field m = UNIV" by auto
   1.372 +  with `Well_order m` have "Well_order m" by simp
   1.373 +  thus ?thesis ..
   1.374 +qed
   1.375 +
   1.376  end