NEWS

with_modes []: non-critical;

Isabelle NEWS -- history user-relevant changes
==============================================

New in this Isabelle version
----------------------------

*** General ***

* More uniform information about legacy features, notably a
warning/error of "Legacy feature: ...", depending on the state of the
tolerate_legacy_features flag (default true). FUTURE INCOMPATIBILITY:
legacy features will disappear eventually.

* Theory syntax: the header format ``theory A = B + C:'' has been
discontinued in favour of ``theory A imports B C begin''.  Use isatool
fixheaders to convert existing theory files.  INCOMPATIBILITY.

* Theory syntax: the old non-Isar theory file format has been
discontinued altogether.  Note that ML proof scripts may still be used
with Isar theories; migration is usually quite simple with the ML
function use_legacy_bindings.  INCOMPATIBILITY.

* Theory syntax: some popular names (e.g. 'class', 'declaration',
'fun', 'help', 'if') are now keywords.  INCOMPATIBILITY, use double
quotes.

* Theory loader: be more serious about observing the static theory
header specifications (including optional directories), but not the
accidental file locations of previously successful loads.  The strict
update policy of former update_thy is now already performed by
use_thy, so the former has been removed; use_thys updates several
theories simultaneously, just as 'imports' within a theory header
specification, but without merging the results.  Potential
INCOMPATIBILITY: may need to refine theory headers and commands
ROOT.ML which depend on load order.

* Theory loader: optional support for content-based file
identification, instead of the traditional scheme of full physical
path plus date stamp; configured by the ISABELLE_FILE_IDENT setting
(cf. the system manual).  The new scheme allows to work with
non-finished theories in persistent session images, such that source
files may be moved later on without requiring reloads.

* Theory loader: old-style ML proof scripts being *attached* to a thy
file (with the same base name as the theory) are considered a legacy
feature, which will disappear eventually. Even now, the theory loader no
longer maintains dependencies on such files.

* Syntax: the scope for resolving ambiguities via type-inference is now
limited to individual terms, instead of whole simultaneous
specifications as before. This greatly reduces the complexity of the
syntax module and improves flexibility by separating parsing and
type-checking. INCOMPATIBILITY: additional type-constraints (explicit
'fixes' etc.) are required in rare situations.

* Legacy goal package: reduced interface to the bare minimum required
to keep existing proof scripts running.  Most other user-level
functions are now part of the OldGoals structure, which is *not* open
by default (consider isatool expandshort before open OldGoals).
Removed top_sg, prin, printyp, pprint_term/typ altogether, because
these tend to cause confusion about the actual goal (!) context being
used here, which is not necessarily the same as the_context().

* Command 'find_theorems': supports "*" wild-card in "name:"
criterion; "with_dups" option.  Certain ProofGeneral versions might
support a specific search form (see ProofGeneral/CHANGES).

* The ``prems limit'' option (cf. ProofContext.prems_limit) is now -1
by default, which means that "prems" (and also "fixed variables") are
suppressed from proof state output.  Note that the ProofGeneral
settings mechanism allows to change and save options persistently, but
older versions of Isabelle will fail to start up if a negative prems
limit is imposed.

* Local theory targets may be specified by non-nested blocks of
``context/locale/class ... begin'' followed by ``end''.  The body may
contain definitions, theorems etc., including any derived mechanism
that has been implemented on top of these primitives.  This concept
generalizes the existing ``theorem (in ...)'' towards more versatility
and scalability.

* Proof General interface: proper undo of final 'end' command;
discontinued Isabelle/classic mode (ML proof scripts).


*** Document preparation ***

* Added antiquotation @{theory name} which prints the given name,
after checking that it refers to a valid ancestor theory in the
current context.

* Added antiquotations @{ML_type text} and @{ML_struct text} which
check the given source text as ML type/structure, printing verbatim.

* Added antiquotation @{abbrev "c args"} which prints the abbreviation
"c args == rhs" given in the current context.  (Any number of
arguments may be given on the LHS.)



*** Pure ***

* code generator: consts in 'consts_code' Isar commands are now referred
  to by usual term syntax (including optional type annotations).

* code generator: 
  - Isar 'definition's, 'constdef's and primitive instance definitions are added
    explicitly to the table of defining equations
  - primitive definitions are not used as defining equations by default any longer
  - defining equations are now definitly restricted to meta "==" and object
        equality "="
  - HOL theories have been adopted accordingly

* class_package.ML offers a combination of axclasses and locales to
achieve Haskell-like type classes in Isabelle.  See
HOL/ex/Classpackage.thy for examples.

* Yet another code generator framework allows to generate executable
code for ML and Haskell (including "class"es).  A short usage sketch:

    internal compilation:
        code_gen <list of constants (term syntax)> in SML
    writing SML code to a file:
        code_gen <list of constants (term syntax)> in SML <filename>
    writing OCaml code to a file:
        code_gen <list of constants (term syntax)> in OCaml <filename>
    writing Haskell code to a bunch of files:
        code_gen <list of constants (term syntax)> in Haskell <filename>

Reasonable default setup of framework in HOL/Main.

Theorem attributs for selecting and transforming function equations theorems:

    [code fun]:        select a theorem as function equation for a specific constant
    [code fun del]:    deselect a theorem as function equation for a specific constant
    [code inline]:     select an equation theorem for unfolding (inlining) in place
    [code inline del]: deselect an equation theorem for unfolding (inlining) in place

User-defined serializations (target in {SML, OCaml, Haskell}):

    code_const <and-list of constants (term syntax)>
      {(target) <and-list of const target syntax>}+

    code_type <and-list of type constructors>
      {(target) <and-list of type target syntax>}+

    code_instance <and-list of instances>
      {(target)}+
        where instance ::= <type constructor> :: <class>

    code_class <and_list of classes>
      {(target) <and-list of class target syntax>}+
        where class target syntax ::= <class name> {where {<classop> == <target syntax>}+}?

code_instance and code_class only apply to target Haskell.

See HOL theories and HOL/ex/Codegenerator*.thy for usage examples.
Doc/Isar/Advanced/Codegen/ provides a tutorial.

* Command 'no_translations' removes translation rules from theory
syntax.

* Overloaded definitions are now actually checked for acyclic
dependencies.  The overloading scheme is slightly more general than
that of Haskell98, although Isabelle does not demand an exact
correspondence to type class and instance declarations.
INCOMPATIBILITY, use ``defs (unchecked overloaded)'' to admit more
exotic versions of overloading -- at the discretion of the user!

Polymorphic constants are represented via type arguments, i.e. the
instantiation that matches an instance against the most general
declaration given in the signature.  For example, with the declaration
c :: 'a => 'a => 'a, an instance c :: nat => nat => nat is represented
as c(nat).  Overloading is essentially simultaneous structural
recursion over such type arguments.  Incomplete specification patterns
impose global constraints on all occurrences, e.g. c('a * 'a) on the
LHS means that more general c('a * 'b) will be disallowed on any RHS.
Command 'print_theory' outputs the normalized system of recursive
equations, see section "definitions".

* Configuration options are maintained within the theory or proof
context (with name and type bool/int/string), providing a very simple
interface to a poor-man's version of general context data.  Tools may
declare options in ML (e.g. using Attrib.config_int) and then refer to
these values using Config.get etc.  Users may change options via an
associated attribute of the same name.  This form of context
declaration works particularly well with commands 'declare' or
'using', for example ``declare [[foo = 42]]''.  Thus it has become
very easy to avoid global references, which would not observe Isar
toplevel undo/redo and fail to work with multithreading.

Various global ML references of Pure and HOL have been turned into
configuration options:

  Unify.search_bound		unify_search_bound
  Unify.trace_bound		unify_trace_bound
  Unify.trace_simp		unify_trace_simp
  Unify.trace_types		unify_trace_types
  Simplifier.simp_depth_limit	simp_depth_limit
  Blast.depth_limit		blast_depth_limit
  DatatypeProp.dtK		datatype_distinctness_limit
  fast_arith_neq_limit  	fast_arith_neq_limit
  fast_arith_split_limit	fast_arith_split_limit

* Named collections of theorems may be easily installed as context
data using the functor NamedThmsFun (see
src/Pure/Tools/named_thms.ML).  The user may add or delete facts via
attributes; there is also a toplevel print command.  This facility is
just a common case of general context data, which is the preferred way
for anything more complex than just a list of facts in canonical
order.

* Isar: command 'declaration' augments a local theory by generic
declaration functions written in ML.  This enables arbitrary content
being added to the context, depending on a morphism that tells the
difference of the original declaration context wrt. the application
context encountered later on.

* Isar: proper interfaces for simplification procedures.  Command
'simproc_setup' declares named simprocs (with match patterns, and body
text in ML).  Attribute "simproc" adds/deletes simprocs in the current
context.  ML antiquotation @{simproc name} retrieves named simprocs.

* Isar: an extra pair of brackets around attribute declarations
abbreviates a theorem reference involving an internal dummy fact,
which will be ignored later --- only the effect of the attribute on
the background context will persist.  This form of in-place
declarations is particularly useful with commands like 'declare' and
'using', for example ``have A using [[simproc a]] by simp''.

* Isar: method "assumption" (and implicit closing of subproofs) now
takes simple non-atomic goal assumptions into account: after applying
an assumption as a rule the resulting subgoals are solved by atomic
assumption steps.  This is particularly useful to finish 'obtain'
goals, such as "!!x. (!!x. P x ==> thesis) ==> P x ==> thesis",
without referring to the original premise "!!x. P x ==> thesis" in the
Isar proof context.  POTENTIAL INCOMPATIBILITY: method "assumption" is
more permissive.

* Isar: implicit use of prems from the Isar proof context is
considered a legacy feature.  Common applications like ``have A .''
may be replaced by ``have A by fact'' or ``note `A`''.  In general,
referencing facts explicitly here improves readability and
maintainability of proof texts.

* Isar: improper proof element 'guess' is like 'obtain', but derives
the obtained context from the course of reasoning!  For example:

  assume "EX x y. A x & B y"   -- "any previous fact"
  then guess x and y by clarify

This technique is potentially adventurous, depending on the facts and
proof tools being involved here.

* Isar: known facts from the proof context may be specified as literal
propositions, using ASCII back-quote syntax.  This works wherever
named facts used to be allowed so far, in proof commands, proof
methods, attributes etc.  Literal facts are retrieved from the context
according to unification of type and term parameters.  For example,
provided that "A" and "A ==> B" and "!!x. P x ==> Q x" are known
theorems in the current context, then these are valid literal facts:
`A` and `A ==> B` and `!!x. P x ==> Q x" as well as `P a ==> Q a` etc.

There is also a proof method "fact" which does the same composition
for explicit goal states, e.g. the following proof texts coincide with
certain special cases of literal facts:

  have "A" by fact                 ==  note `A`
  have "A ==> B" by fact           ==  note `A ==> B`
  have "!!x. P x ==> Q x" by fact  ==  note `!!x. P x ==> Q x`
  have "P a ==> Q a" by fact       ==  note `P a ==> Q a`

* Isar: ":" (colon) is no longer a symbolic identifier character in
outer syntax.  Thus symbolic identifiers may be used without
additional white space in declarations like this: ``assume *: A''.

* Isar: 'print_facts' prints all local facts of the current context,
both named and unnamed ones.

* Isar: 'def' now admits simultaneous definitions, e.g.:

  def x == "t" and y == "u"

* Isar: added command 'unfolding', which is structurally similar to
'using', but affects both the goal state and facts by unfolding given
rewrite rules.  Thus many occurrences of the 'unfold' method or
'unfolded' attribute may be replaced by first-class proof text.

* Isar: methods 'unfold' / 'fold', attributes 'unfolded' / 'folded',
and command 'unfolding' now all support object-level equalities
(potentially conditional).  The underlying notion of rewrite rule is
analogous to the 'rule_format' attribute, but *not* that of the
Simplifier (which is usually more generous).

* Isar: the new attribute [rotated n] (default n = 1) rotates the
premises of a theorem by n. Useful in conjunction with drule.

* Isar: the goal restriction operator [N] (default N = 1) evaluates a
method expression within a sandbox consisting of the first N
sub-goals, which need to exist.  For example, ``simp_all [3]''
simplifies the first three sub-goals, while (rule foo, simp_all)[]
simplifies all new goals that emerge from applying rule foo to the
originally first one.

* Isar: schematic goals are no longer restricted to higher-order
patterns; e.g. ``lemma "?P(?x)" by (rule TrueI)'' now works as
expected.

* Isar: the conclusion of a long theorem statement is now either
'shows' (a simultaneous conjunction, as before), or 'obtains'
(essentially a disjunction of cases with local parameters and
assumptions).  The latter allows to express general elimination rules
adequately; in this notation common elimination rules look like this:

  lemma exE:    -- "EX x. P x ==> (!!x. P x ==> thesis) ==> thesis"
    assumes "EX x. P x"
    obtains x where "P x"

  lemma conjE:  -- "A & B ==> (A ==> B ==> thesis) ==> thesis"
    assumes "A & B"
    obtains A and B

  lemma disjE:  -- "A | B ==> (A ==> thesis) ==> (B ==> thesis) ==> thesis"
    assumes "A | B"
    obtains
      A
    | B

The subsequent classical rules even refer to the formal "thesis"
explicitly:

  lemma classical:     -- "(~ thesis ==> thesis) ==> thesis"
    obtains "~ thesis"

  lemma Peirce's_Law:  -- "((thesis ==> something) ==> thesis) ==> thesis"
    obtains "thesis ==> something"

The actual proof of an 'obtains' statement is analogous to that of the
Isar proof element 'obtain', only that there may be several cases.
Optional case names may be specified in parentheses; these will be
available both in the present proof and as annotations in the
resulting rule, for later use with the 'cases' method (cf. attribute
case_names).

* Isar: the assumptions of a long theorem statement are available as
"assms" fact in the proof context.  This is more appropriate than the
(historical) "prems", which refers to all assumptions of the current
context, including those from the target locale, proof body etc.

* Isar: 'print_statement' prints theorems from the current theory or
proof context in long statement form, according to the syntax of a
top-level lemma.

* Isar: 'obtain' takes an optional case name for the local context
introduction rule (default "that").

* Isar: removed obsolete 'concl is' patterns.  INCOMPATIBILITY, use
explicit (is "_ ==> ?foo") in the rare cases where this still happens
to occur.

* Pure: syntax "CONST name" produces a fully internalized constant
according to the current context.  This is particularly useful for
syntax translations that should refer to internal constant
representations independently of name spaces.

* Pure: syntax constant for foo (binder "FOO ") is called "foo_binder"
instead of "FOO ". This allows multiple binder declarations to coexist
in the same context.  INCOMPATIBILITY.

* Isar/locales: 'notation' provides a robust interface to the 'syntax'
primitive that also works in a locale context (both for constants and
fixed variables).  Type declaration and internal syntactic
representation of given constants retrieved from the context.

* Isar/locales: new derived specification elements 'axiomatization',
'definition', 'abbreviation', which support type-inference, admit
object-level specifications (equality, equivalence).  See also the
isar-ref manual.  Examples:

  axiomatization
    eq  (infix "===" 50) where
    eq_refl: "x === x" and eq_subst: "x === y ==> P x ==> P y"

  definition "f x y = x + y + 1"
  definition g where "g x = f x x"

  abbreviation
    neq  (infix "=!=" 50) where
    "x =!= y == ~ (x === y)"

These specifications may be also used in a locale context.  Then the
constants being introduced depend on certain fixed parameters, and the
constant name is qualified by the locale base name.  An internal
abbreviation takes care for convenient input and output, making the
parameters implicit and using the original short name.  See also
HOL/ex/Abstract_NAT.thy for an example of deriving polymorphic
entities from a monomorphic theory.

Presently, abbreviations are only available 'in' a target locale, but
not inherited by general import expressions.  Also note that
'abbreviation' may be used as a type-safe replacement for 'syntax' +
'translations' in common applications.

Concrete syntax is attached to specified constants in internal form,
independently of name spaces.  The parse tree representation is
slightly different -- use 'notation' instead of raw 'syntax', and
'translations' with explicit "CONST" markup to accommodate this.

* Pure: command 'print_abbrevs' prints all constant abbreviations of
the current context.  Print mode "no_abbrevs" prevents inversion of
abbreviations on output.

* Isar/locales: improved parameter handling:
- use of locales "var" and "struct" no longer necessary;
- parameter renamings are no longer required to be injective.
  This enables, for example, to define a locale for endomorphisms thus:
  locale endom = homom mult mult h.

* Isar/locales: changed the way locales with predicates are defined.
Instead of accumulating the specification, the imported expression is
now an interpretation.  INCOMPATIBILITY: different normal form of
locale expressions.  In particular, in interpretations of locales with
predicates, goals repesenting already interpreted fragments are not
removed automatically.  Use methods `intro_locales' and
`unfold_locales'; see below.

* Isar/locales: new methods `intro_locales' and `unfold_locales'
provide backward reasoning on locales predicates.  The methods are
aware of interpretations and discharge corresponding goals.
`intro_locales' is less aggressive then `unfold_locales' and does not
unfold predicates to assumptions.

* Isar/locales: the order in which locale fragments are accumulated
has changed.  This enables to override declarations from fragments due
to interpretations -- for example, unwanted simp rules.

* Isar/locales: interpretation in theories and proof contexts has been
extended.  One may now specify (and prove) equations, which are
unfolded in interpreted theorems.  This is useful for replacing
defined concepts (constants depending on locale parameters) by
concepts already existing in the target context.  Example:

  interpretation partial_order ["op <= :: [int, int] => bool"]
    where "partial_order.less (op <=) (x::int) y = (x < y)"

Typically, the constant `partial_order.less' is created by a definition
specification element in the context of locale partial_order.

* Provers/induct: improved internal context management to support
local fixes and defines on-the-fly.  Thus explicit meta-level
connectives !! and ==> are rarely required anymore in inductive goals
(using object-logic connectives for this purpose has been long
obsolete anyway).  The subsequent proof patterns illustrate advanced
techniques of natural induction; general datatypes and inductive sets
work analogously (see also src/HOL/Lambda for realistic examples).

(1) This is how to ``strengthen'' an inductive goal wrt. certain
parameters:

  lemma
    fixes n :: nat and x :: 'a
    assumes a: "A n x"
    shows "P n x"
    using a                     -- {* make induct insert fact a *}
  proof (induct n arbitrary: x) -- {* generalize goal to "!!x. A n x ==> P n x" *}
    case 0
    show ?case sorry
  next
    case (Suc n)
    note `!!x. A n x ==> P n x` -- {* induction hypothesis, according to induction rule *}
    note `A (Suc n) x`          -- {* induction premise, stemming from fact a *}
    show ?case sorry
  qed

(2) This is how to perform induction over ``expressions of a certain
form'', using a locally defined inductive parameter n == "a x"
together with strengthening (the latter is usually required to get
sufficiently flexible induction hypotheses):

  lemma
    fixes a :: "'a => nat"
    assumes a: "A (a x)"
    shows "P (a x)"
    using a
  proof (induct n == "a x" arbitrary: x)
    ...

See also HOL/Isar_examples/Puzzle.thy for an application of the this
particular technique.

(3) This is how to perform existential reasoning ('obtains' or
'obtain') by induction, while avoiding explicit object-logic
encodings:

  lemma
    fixes n :: nat
    obtains x :: 'a where "P n x" and "Q n x"
  proof (induct n arbitrary: thesis)
    case 0
    obtain x where "P 0 x" and "Q 0 x" sorry
    then show thesis by (rule 0)
  next
    case (Suc n)
    obtain x where "P n x" and "Q n x" by (rule Suc.hyps)
    obtain x where "P (Suc n) x" and "Q (Suc n) x" sorry
    then show thesis by (rule Suc.prems)
  qed

Here the 'arbitrary: thesis' specification essentially modifies the
scope of the formal thesis parameter, in order to the get the whole
existence statement through the induction as expected.

* Provers/induct: mutual induction rules are now specified as a list
of rule sharing the same induction cases.  HOL packages usually
provide foo_bar.inducts for mutually defined items foo and bar
(e.g. inductive sets or datatypes).  INCOMPATIBILITY, users need to
specify mutual induction rules differently, i.e. like this:

  (induct rule: foo_bar.inducts)
  (induct set: foo bar)
  (induct type: foo bar)

The ML function ProjectRule.projections turns old-style rules into the
new format.

* Provers/induct: improved handling of simultaneous goals.  Instead of
introducing object-level conjunction, the statement is now split into
several conclusions, while the corresponding symbolic cases are
nested accordingly.  INCOMPATIBILITY, proofs need to be structured
explicitly.  For example:

  lemma
    fixes n :: nat
    shows "P n" and "Q n"
  proof (induct n)
    case 0 case 1
    show "P 0" sorry
  next
    case 0 case 2
    show "Q 0" sorry
  next
    case (Suc n) case 1
    note `P n` and `Q n`
    show "P (Suc n)" sorry
  next
    case (Suc n) case 2
    note `P n` and `Q n`
    show "Q (Suc n)" sorry
  qed

The split into subcases may be deferred as follows -- this is
particularly relevant for goal statements with local premises.

  lemma
    fixes n :: nat
    shows "A n ==> P n" and "B n ==> Q n"
  proof (induct n)
    case 0
    {
      case 1
      note `A 0`
      show "P 0" sorry
    next
      case 2
      note `B 0`
      show "Q 0" sorry
    }
  next
    case (Suc n)
    note `A n ==> P n` and `B n ==> Q n`
    {
      case 1
      note `A (Suc n)`
      show "P (Suc n)" sorry
    next
      case 2
      note `B (Suc n)`
      show "Q (Suc n)" sorry
    }
  qed

If simultaneous goals are to be used with mutual rules, the statement
needs to be structured carefully as a two-level conjunction, using
lists of propositions separated by 'and':

  lemma
    shows "a : A ==> P1 a"
          "a : A ==> P2 a"
      and "b : B ==> Q1 b"
          "b : B ==> Q2 b"
          "b : B ==> Q3 b"
  proof (induct set: A B)

* Provers/induct: support coinduction as well.  See
src/HOL/Library/Coinductive_List.thy for various examples.

* Attribute "symmetric" produces result with standardized schematic
variables (index 0).  Potential INCOMPATIBILITY.

* Simplifier: by default the simplifier trace only shows top level
rewrites now. That is, trace_simp_depth_limit is set to 1 by
default. Thus there is less danger of being flooded by the trace. The
trace indicates where parts have been suppressed.
  
* Provers/classical: removed obsolete classical version of elim_format
attribute; classical elim/dest rules are now treated uniformly when
manipulating the claset.

* Provers/classical: stricter checks to ensure that supplied intro,
dest and elim rules are well-formed; dest and elim rules must have at
least one premise.

* Provers/classical: attributes dest/elim/intro take an optional
weight argument for the rule (just as the Pure versions).  Weights are
ignored by automated tools, but determine the search order of single
rule steps.

* Syntax: input syntax now supports dummy variable binding "%_. b",
where the body does not mention the bound variable.  Note that dummy
patterns implicitly depend on their context of bounds, which makes
"{_. _}" match any set comprehension as expected.  Potential
INCOMPATIBILITY -- parse translations need to cope with syntactic
constant "_idtdummy" in the binding position.

* Syntax: removed obsolete syntactic constant "_K" and its associated
parse translation.  INCOMPATIBILITY -- use dummy abstraction instead,
for example "A -> B" => "Pi A (%_. B)".

* Pure: 'class_deps' command visualizes the subclass relation, using
the graph browser tool.

* Pure: 'print_theory' now suppresses entities with internal name
(trailing "_") by default; use '!' option for full details.


*** HOL ***

* theory Finite_Set: "name-space" locales Lattice, Distrib_lattice, Linorder etc.
have disappeared; operations defined in terms of fold_set now are named
Inf_fin, Sup_fin.  INCOMPATIBILITY.

* HOL-Word:
  New extensive library and type for generic, fixed size machine
  words, with arithemtic, bit-wise, shifting and rotating operations,
  reflection into int, nat, and bool lists, automation for linear
  arithmetic (by automatic reflection into nat or int), including
  lemmas on overflow and monotonicity. Instantiated to all appropriate
  arithmetic type classes, supporting automatic simplification of
  numerals on all operations. Jointly developed by NICTA, Galois, and
  PSU.

* Library/Boolean_Algebra: locales for abstract boolean algebras.

* Library/Numeral_Type: numbers as types, e.g. TYPE(32).

* Code generator library theories:
  * Pretty_Int represents HOL integers by big integer literals in target
    languages.
  * Pretty_Char represents HOL characters by character literals in target
    languages.
  * Pretty_Char_chr like Pretty_Char, but also offers treatment of character
    codes; includes Pretty_Int.
  * Executable_Set allows to generate code for finite sets using lists.
  * Executable_Rat implements rational numbers as triples (sign, enumerator,
    denominator).
  * Executable_Real implements a subset of real numbers, namly those
    representable by rational numbers.
  * Efficient_Nat implements natural numbers by integers, which in general will
    result in higher efficency; pattern matching with 0/Suc is eliminated;
    includes Pretty_Int.
  * ML_String provides an additional datatype ml_string; in the HOL default
    setup, strings in HOL are mapped to lists of HOL characters in SML; values
    of type ml_string are mapped to strings in SML.
  * ML_Int provides an additional datatype ml_int which is mapped to to SML
    built-in integers.

* New package for inductive predicates

  An n-ary predicate p with m parameters z_1, ..., z_m can now be defined via

    inductive
      p :: "U_1 => ... => U_m => T_1 => ... => T_n => bool"
      for z_1 :: U_1 and ... and z_n :: U_m
    where
      rule_1: "... ==> p z_1 ... z_m t_1_1 ... t_1_n"
    | ...

  rather than

    consts s :: "U_1 => ... => U_m => (T_1 * ... * T_n) set"

    abbreviation p :: "U_1 => ... => U_m => T_1 => ... => T_n => bool"
    where "p z_1 ... z_m x_1 ... x_n == (x_1, ..., x_n) : s z_1 ... z_m"

    inductive "s z_1 ... z_m"
    intros
      rule_1: "... ==> (t_1_1, ..., t_1_n) : s z_1 ... z_m"
      ...

  For backward compatibility, there is a wrapper allowing inductive
  sets to be defined with the new package via

    inductive_set
      s :: "U_1 => ... => U_m => (T_1 * ... * T_n) set"
      for z_1 :: U_1 and ... and z_n :: U_m
    where
      rule_1: "... ==> (t_1_1, ..., t_1_n) : s z_1 ... z_m"
    | ...

  or

    inductive_set
      s :: "U_1 => ... => U_m => (T_1 * ... * T_n) set"
      and p :: "U_1 => ... => U_m => T_1 => ... => T_n => bool"
      for z_1 :: U_1 and ... and z_n :: U_m
    where
      "p z_1 ... z_m x_1 ... x_n == (x_1, ..., x_n) : s z_1 ... z_m"
    | rule_1: "... ==> p z_1 ... z_m t_1_1 ... t_1_n"
    | ...

  if the additional syntax "p ..." is required.

  Many examples can be found in the subdirectories Auth, Bali, Induct,
  or MicroJava.

  INCOMPATIBILITIES:

  - Since declaration and definition of inductive sets or predicates
    is no longer separated, abbreviations involving the newly introduced
    sets or predicates must be specified together with the introduction
    rules after the "where" keyword (see example above), rather than before
    the actual inductive definition.

  - The variables in induction and elimination rules are now quantified
    in the order of their occurrence in the introduction rules, rather than
    in alphabetical order. Since this may break some proofs, these proofs
    either have to be repaired, e.g. by reordering the variables
    a_i_1 ... a_i_{k_i} in Isar "case" statements of the form

      case (rule_i a_i_1 ... a_i_{k_i})

    or the old order of quantification has to be restored by explicitly adding
    meta-level quantifiers in the introduction rules, i.e.

      | rule_i: "!!a_i_1 ... a_i_{k_i}. ... ==> p z_1 ... z_m t_i_1 ... t_i_n"

  - The format of the elimination rules is now

      p z_1 ... z_m x_1 ... x_n ==>
        (!!a_1_1 ... a_1_{k_1}. x_1 = t_1_1 ==> ... ==> x_n = t_1_n ==> ... ==> P)
        ==> ... ==> P

    for predicates and

      (x_1, ..., x_n) : s z_1 ... z_m ==>
        (!!a_1_1 ... a_1_{k_1}. x_1 = t_1_1 ==> ... ==> x_n = t_1_n ==> ... ==> P)
        ==> ... ==> P

    for sets rather than

      x : s z_1 ... z_m ==>
        (!!a_1_1 ... a_1_{k_1}. x = (t_1_1, ..., t_1_n) ==> ... ==> P)
        ==> ... ==> P

    This may require terms in goals to be expanded to n-tuples (e.g. using case_tac
    or simplification with the split_paired_all rule) before the above elimination
    rule is applicable.

  - The elimination or case analysis rules for (mutually) inductive sets or
    predicates are now called "p_1.cases" ... "p_k.cases". The list of rules
    "p_1_..._p_k.elims" is no longer available.

* Method "metis" proves goals by applying the Metis general-purpose
resolution prover.  Examples are in the directory MetisExamples.  See
also http://gilith.com/software/metis/
  
* Command 'sledgehammer' invokes external automatic theorem provers as
background processes.  It generates calls to the "metis" method if
successful. These can be pasted into the proof.  Users do not have to
wait for the automatic provers to return.

* Case-expressions allow arbitrary constructor-patterns (including "_") and
  take their order into account, like in functional programming.
  Internally, this is translated into nested case-expressions; missing cases
  are added and mapped to the predefined constant "undefined". In complicated
  cases printing may no longer show the original input but the internal
  form. Lambda-abstractions allow the same form of pattern matching:
  "% pat1 => e1 | ..." is an abbreviation for
  "%x. case x of pat1 => e1 | ..." where x is a new variable.

* IntDef: The constant "int :: nat => int" has been removed; now "int"
  is an abbreviation for "of_nat :: nat => int". The simplification rules
  for "of_nat" have been changed to work like "int" did previously.
  (potential INCOMPATIBILITY)
  - "of_nat (Suc m)" simplifies to "1 + of_nat m" instead of "of_nat m + 1"
  - of_nat_diff and of_nat_mult are no longer default simp rules

* Method "algebra" solves polynomial equations over (semi)rings using
  Groebner bases. The (semi)ring structure is defined by locales and
  the tool setup depends on that generic context. Installing the
  method for a specific type involves instantiating the locale and
  possibly adding declarations for computation on the coefficients.
  The method is already instantiated for natural numbers and for the
  axiomatic class of idoms with numerals.  See also the paper by
  Chaieb and Wenzel at CALCULEMUS 2007 for the general principles
  underlying this architecture of context-aware proof-tools.

* constant "List.op @" now named "List.append".  Use ML antiquotations
@{const_name List.append} or @{term " ... @ ... "} to circumvent
possible incompatibilities when working on ML level.

* Constant renames due to introduction of canonical name prefixing for
  class package:

    HOL.abs ~> HOL.minus_class.abs
    HOL.divide ~> HOL.divide_class.divide
    Nat.power ~> Nat.power_class.power
    Nat.size ~> Nat.size_class.size
    Numeral.number_of ~> Numeral.number_class.number_of
    FixedPoint.Inf ~> FixedPoint.complete_lattice_class.Inf
    FixedPoint.Sup ~> FixedPoint.complete_lattice_class.Sup

* Rudimentary class target mechanism involves constant renames:

    Orderings.min ~> Orderings.ord_class.min
    Orderings.max ~> Orderings.ord_class.max

* primrec: missing cases mapped to "undefined" instead of "arbitrary"

* new constant "undefined" with axiom "undefined x = undefined"

* new class "default" with associated constant "default"

* new function listsum :: 'a list => 'a for arbitrary monoids.
  Special syntax: "SUM x <- xs. f x" (and latex variants)

* new (input only) syntax for Haskell-like list comprehension, eg
  [(x,y). x <- xs, y <- ys, x ~= y]
  For details see List.thy.

* The special syntax for function "filter" has changed from [x : xs. P] to
  [x <- xs. P] to avoid an ambiguity caused by list comprehension syntax,
  and for uniformity. INCOMPATIBILITY

* Lemma "set_take_whileD" renamed to "set_takeWhileD"

* New lemma collection field_simps (an extension of ring_simps)
  for manipulating (in)equations involving division. Multiplies
  with all denominators that can be proved to be non-zero (in equations)
  or positive/negative (in inequations).

* Lemma collections ring_eq_simps, group_eq_simps and ring_distrib
  have been improved and renamed to ring_simps, group_simps and ring_distribs.
  Removed lemmas field_xyz in Ring_and_Field
  because they were subsumed by lemmas xyz.
INCOMPATIBILITY.

* Library/Pretty_Int.thy: maps HOL numerals on target language integer literals
  when generating code.

* Library/Pretty_Char.thy: maps HOL characters on target language character literals
  when generating code.

* Library/Commutative_Ring.thy: switched from recdef to function package;
  constants add, mul, pow now curried.  Infix syntax for algebraic operations.

* Some steps towards more uniform lattice theory development in HOL.

    constants "meet" and "join" now named "inf" and "sup"
    constant "Meet" now named "Inf"

    classes "meet_semilorder" and "join_semilorder" now named
      "lower_semilattice" and "upper_semilattice"
    class "lorder" now named "lattice"
    class "comp_lat" now named "complete_lattice"

    Instantiation of lattice classes allows explicit definitions
    for "inf" and "sup" operations (or "Inf" and "Sup" for complete lattices).

  INCOMPATIBILITY.  Theorem renames:

    meet_left_le            ~> inf_le1
    meet_right_le           ~> inf_le2
    join_left_le            ~> sup_ge1
    join_right_le           ~> sup_ge2
    meet_join_le            ~> inf_sup_ord
    le_meetI                ~> le_infI
    join_leI                ~> le_supI
    le_meet                 ~> le_inf_iff
    le_join                 ~> ge_sup_conv
    meet_idempotent         ~> inf_idem
    join_idempotent         ~> sup_idem
    meet_comm               ~> inf_commute
    join_comm               ~> sup_commute
    meet_leI1               ~> le_infI1
    meet_leI2               ~> le_infI2
    le_joinI1               ~> le_supI1
    le_joinI2               ~> le_supI2
    meet_assoc              ~> inf_assoc
    join_assoc              ~> sup_assoc
    meet_left_comm          ~> inf_left_commute
    meet_left_idempotent    ~> inf_left_idem
    join_left_comm          ~> sup_left_commute
    join_left_idempotent    ~> sup_left_idem
    meet_aci                ~> inf_aci
    join_aci                ~> sup_aci
    le_def_meet             ~> le_iff_inf
    le_def_join             ~> le_iff_sup
    join_absorp2            ~> sup_absorb2
    join_absorp1            ~> sup_absorb1
    meet_absorp1            ~> inf_absorb1
    meet_absorp2            ~> inf_absorb2
    meet_join_absorp        ~> inf_sup_absorb
    join_meet_absorp        ~> sup_inf_absorb
    distrib_join_le         ~> distrib_sup_le
    distrib_meet_le         ~> distrib_inf_le

    add_meet_distrib_left   ~> add_inf_distrib_left
    add_join_distrib_left   ~> add_sup_distrib_left
    is_join_neg_meet        ~> is_join_neg_inf
    is_meet_neg_join        ~> is_meet_neg_sup
    add_meet_distrib_right  ~> add_inf_distrib_right
    add_join_distrib_right  ~> add_sup_distrib_right
    add_meet_join_distribs  ~> add_sup_inf_distribs
    join_eq_neg_meet        ~> sup_eq_neg_inf
    meet_eq_neg_join        ~> inf_eq_neg_sup
    add_eq_meet_join        ~> add_eq_inf_sup
    meet_0_imp_0            ~> inf_0_imp_0
    join_0_imp_0            ~> sup_0_imp_0
    meet_0_eq_0             ~> inf_0_eq_0
    join_0_eq_0             ~> sup_0_eq_0
    neg_meet_eq_join        ~> neg_inf_eq_sup
    neg_join_eq_meet        ~> neg_sup_eq_inf
    join_eq_if              ~> sup_eq_if

    mono_meet               ~> mono_inf
    mono_join               ~> mono_sup
    meet_bool_eq            ~> inf_bool_eq
    join_bool_eq            ~> sup_bool_eq
    meet_fun_eq             ~> inf_fun_eq
    join_fun_eq             ~> sup_fun_eq
    meet_set_eq             ~> inf_set_eq
    join_set_eq             ~> sup_set_eq
    meet1_iff               ~> inf1_iff
    meet2_iff               ~> inf2_iff
    meet1I                  ~> inf1I
    meet2I                  ~> inf2I
    meet1D1                 ~> inf1D1
    meet2D1                 ~> inf2D1
    meet1D2                 ~> inf1D2
    meet2D2                 ~> inf2D2
    meet1E                  ~> inf1E
    meet2E                  ~> inf2E
    join1_iff               ~> sup1_iff
    join2_iff               ~> sup2_iff
    join1I1                 ~> sup1I1
    join2I1                 ~> sup2I1
    join1I1                 ~> sup1I1
    join2I2                 ~> sup1I2
    join1CI                 ~> sup1CI
    join2CI                 ~> sup2CI
    join1E                  ~> sup1E
    join2E                  ~> sup2E

    is_meet_Meet            ~> is_meet_Inf
    Meet_bool_def           ~> Inf_bool_def
    Meet_fun_def            ~> Inf_fun_def
    Meet_greatest           ~> Inf_greatest
    Meet_lower              ~> Inf_lower
    Meet_set_def            ~> Inf_set_def

    Sup_def                 ~> Sup_Inf
    Sup_bool_eq             ~> Sup_bool_def
    Sup_fun_eq              ~> Sup_fun_def
    Sup_set_eq              ~> Sup_set_def

    listsp_meetI            ~> listsp_infI
    listsp_meet_eq          ~> listsp_inf_eq

    meet_min                ~> inf_min
    join_max                ~> sup_max

* Classes "order" and "linorder": facts "refl", "trans" and
"cases" renamed ro "order_refl", "order_trans" and "linorder_cases", to
avoid clashes with HOL "refl" and "trans". INCOMPATIBILITY.

* Classes "order" and "linorder": 
potential INCOMPATIBILITY: order of proof goals in order/linorder instance
proofs changed.

* Dropped lemma duplicate def_imp_eq in favor of meta_eq_to_obj_eq.
INCOMPATIBILITY.

* Dropped lemma duplicate if_def2 in favor of if_bool_eq_conj.
INCOMPATIBILITY.

* Added syntactic class "size"; overloaded constant "size" now has
type "'a::size ==> bool"

* Renamed constants "Divides.op div", "Divides.op mod" and "Divides.op
dvd" to "Divides.div_class.div", "Divides.div_class.mod" and "Divides.dvd". INCOMPATIBILITY.

* Added method "lexicographic_order" automatically synthesizes
termination relations as lexicographic combinations of size measures
-- 'function' package.

* HOL/records: generalised field-update to take a function on the
field rather than the new value: r(|A := x|) is translated to A_update
(K x) r The K-combinator that is internally used is called K_record.
INCOMPATIBILITY: Usage of the plain update functions has to be
adapted.
 
* axclass "semiring_0" now contains annihilation axioms x * 0 = 0 and
0 * x = 0, which are required for a semiring.  Richer structures do
not inherit from semiring_0 anymore, because this property is a
theorem there, not an axiom.  INCOMPATIBILITY: In instances of
semiring_0, there is more to prove, but this is mostly trivial.

* axclass "recpower" was generalized to arbitrary monoids, not just
commutative semirings.  INCOMPATIBILITY: If you use recpower and need
commutativity or a semiring property, add the corresponding classes.

* Unified locale partial_order with class definition (cf. theory
Orderings), added parameter ``less''.  INCOMPATIBILITY.

* Constant "List.list_all2" in List.thy now uses authentic syntax.
INCOMPATIBILITY: translations containing list_all2 may go wrong.  On
Isar level, use abbreviations instead.

* Renamed constant "List.op mem" to "List.memberl" INCOMPATIBILITY:
rarely occuring name references (e.g. ``List.op mem.simps'') require
renaming (e.g. ``List.memberl.simps'').

* Renamed constants "0" to "HOL.zero_class.zero" and "1" to "HOL.one_class.one".
INCOMPATIBILITY.

* Added class "HOL.eq", allowing for code generation with polymorphic equality.

* Numeral syntax: type 'bin' which was a mere type copy of 'int' has
been abandoned in favour of plain 'int'. INCOMPATIBILITY --
significant changes for setting up numeral syntax for types:

  - new constants Numeral.pred and Numeral.succ instead
      of former Numeral.bin_pred and Numeral.bin_succ.
  - Use integer operations instead of bin_add, bin_mult and so on.
  - Numeral simplification theorems named Numeral.numeral_simps instead of Bin_simps.
  - ML structure Bin_Simprocs now named Int_Numeral_Base_Simprocs.

See HOL/Integ/IntArith.thy for an example setup.

* New top level command 'normal_form' computes the normal form of a
term that may contain free variables. For example ``normal_form
"rev[a,b,c]"'' produces ``[b,c,a]'' (without proof).  This command is
suitable for heavy-duty computations because the functions are
compiled to ML first.

* Alternative iff syntax "A <-> B" for equality on bool (with priority
25 like -->); output depends on the "iff" print_mode, the default is
"A = B" (with priority 50).

* Renamed constants in HOL.thy and Orderings.thy:
    op +   ~> HOL.plus_class.plus
    op -   ~> HOL.minus_class.minus
    uminus ~> HOL.minus_class.uminus
    abs    ~> HOL.abs_class.abs
    op *   ~> HOL.times_class.times
    op <   ~> HOL.ord_class.less
    op <=  ~> HOL.ord_class.less_eq

Adaptions may be required in the following cases:

a) User-defined constants using any of the names "plus", "minus", "times",
"less" or "less_eq". The standard syntax translations for "+", "-" and "*"
may go wrong.
INCOMPATIBILITY: use more specific names.

b) Variables named "plus", "minus", "times", "less", "less_eq"
INCOMPATIBILITY: use more specific names.

c) Permutative equations (e.g. "a + b = b + a")
Since the change of names also changes the order of terms, permutative
rewrite rules may get applied in a different order. Experience shows that
this is rarely the case (only two adaptions in the whole Isabelle
distribution).
INCOMPATIBILITY: rewrite proofs

d) ML code directly refering to constant names
This in general only affects hand-written proof tactics, simprocs and so on.
INCOMPATIBILITY: grep your sourcecode and replace names.  Consider use
of const_name ML antiquotations.

* Relations less (<) and less_eq (<=) are also available on type bool.
Modified syntax to disallow nesting without explicit parentheses,
e.g. "(x < y) < z" or "x < (y < z)", but NOT "x < y < z".

* "LEAST x:A. P" expands to "LEAST x. x:A & P" (input only).

* Relation composition operator "op O" now has precedence 75 and binds
stronger than union and intersection. INCOMPATIBILITY.

* The old set interval syntax "{m..n(}" (and relatives) has been
removed.  Use "{m..<n}" (and relatives) instead.

* In the context of the assumption "~(s = t)" the Simplifier rewrites
"t = s" to False (by simproc "neq_simproc").  For backward
compatibility this can be disabled by ML "reset use_neq_simproc".

* "m dvd n" where m and n are numbers is evaluated to True/False by
simp.

* Theorem Cons_eq_map_conv no longer declared as ``simp''.

* Theorem setsum_mult renamed to setsum_right_distrib.

* Prefer ex1I over ex_ex1I in single-step reasoning, e.g. by the
``rule'' method.

* Reimplemented methods ``sat'' and ``satx'', with several
improvements: goals no longer need to be stated as "<prems> ==>
False", equivalences (i.e. "=" on type bool) are handled, variable
names of the form "lit_<n>" are no longer reserved, significant
speedup.

* Methods ``sat'' and ``satx'' can now replay MiniSat proof traces.
zChaff is still supported as well.

* 'inductive' and 'datatype': provide projections of mutual rules,
bundled as foo_bar.inducts;

* Library: moved theories Parity, GCD, Binomial, Infinite_Set to
Library.

* Library: moved theory Accessible_Part to main HOL.

* Library: added theory Coinductive_List of potentially infinite lists
as greatest fixed-point.

* Library: added theory AssocList which implements (finite) maps as
association lists.

* Added proof method ``evaluation'' for efficiently solving a goal
(i.e. a boolean expression) by compiling it to ML. The goal is
"proved" (via an oracle) if it evaluates to True.

* Linear arithmetic now splits certain operators (e.g. min, max, abs)
also when invoked by the simplifier.  This results in the simplifier
being more powerful on arithmetic goals.  INCOMPATIBILITY.  Set
fast_arith_split_limit to 0 to obtain the old behavior.

* Support for hex (0x20) and binary (0b1001) numerals.

* New method: reify eqs (t), where eqs are equations for an
interpretation I :: 'a list => 'b => 'c and t::'c is an optional
parameter, computes a term s::'b and a list xs::'a list and proves the
theorem I xs s = t. This is also known as reification or quoting. The
resulting theorem is applied to the subgoal to substitute t with I xs
s.  If t is omitted, the subgoal itself is reified.

* New method: reflection corr_thm eqs (t). The parameters eqs and (t)
are as explained above. corr_thm is a theorem for I vs (f t) = I vs t,
where f is supposed to be a computable function (in the sense of code
generattion). The method uses reify to compute s and xs as above then
applies corr_thm and uses normalization by evaluation to "prove" f s =
r and finally gets the theorem t = r, which is again applied to the
subgoal. An Example is available in HOL/ex/ReflectionEx.thy.

* Reflection: Automatic reification now handels binding, an example
is available in HOL/ex/ReflectionEx.thy


*** HOL-Algebra ***

* Formalisation of ideals and the quotient construction over rings.

* Order and lattice theory no longer based on records.
INCOMPATIBILITY.

* Renamed lemmas least_carrier -> least_closed and greatest_carrier ->
greatest_closed.  INCOMPATIBILITY.

* Method algebra is now set up via an attribute.  For examples see
Ring.thy.  INCOMPATIBILITY: the method is now weaker on combinations
of algebraic structures.

* Renamed theory CRing to Ring.


*** HOL-Complex ***

* Theory Real: new method ferrack implements quantifier elimination
for linear arithmetic over the reals. The quantifier elimination
feature is used only for decision, for compatibility with arith. This
means a goal is either solved or left unchanged, no simplification.

* Hyperreal: Functions root and sqrt are now defined on negative real
inputs so that root n (- x) = - root n x and sqrt (- x) = - sqrt x.
Nonnegativity side conditions have been removed from many lemmas, so
that more subgoals may now be solved by simplification; potential
INCOMPATIBILITY.

* Real: New axiomatic classes formalize real normed vector spaces and
algebras, using new overloaded constants scaleR :: real => 'a => 'a
and norm :: 'a => real.

* Real: New constant of_real :: real => 'a::real_algebra_1 injects
from reals into other types. The overloaded constant Reals :: 'a set
is now defined as range of_real; potential INCOMPATIBILITY.

* Real: ML code generation is supported now and hence also quickcheck.
Reals are implemented as arbitrary precision rationals.

* Hyperreal: Several constants that previously worked only for the
reals have been generalized, so they now work over arbitrary vector
spaces. Type annotations may need to be added in some cases; potential
INCOMPATIBILITY.

  Infinitesimal  :: ('a::real_normed_vector) star set
  HFinite        :: ('a::real_normed_vector) star set
  HInfinite      :: ('a::real_normed_vector) star set
  approx         :: ('a::real_normed_vector) star => 'a star => bool
  monad          :: ('a::real_normed_vector) star => 'a star set
  galaxy         :: ('a::real_normed_vector) star => 'a star set
  (NS)LIMSEQ     :: [nat => 'a::real_normed_vector, 'a] => bool
  (NS)convergent :: (nat => 'a::real_normed_vector) => bool
  (NS)Bseq       :: (nat => 'a::real_normed_vector) => bool
  (NS)Cauchy     :: (nat => 'a::real_normed_vector) => bool
  (NS)LIM        :: ['a::real_normed_vector => 'b::real_normed_vector, 'a, 'b] => bool
  is(NS)Cont     :: ['a::real_normed_vector => 'b::real_normed_vector, 'a] => bool
  deriv          :: ['a::real_normed_field => 'a, 'a, 'a] => bool
  sgn            :: 'a::real_normed_vector => 'a
  exp            :: 'a::{recpower,real_normed_field,banach} => 'a

* Complex: Some complex-specific constants are now abbreviations for
overloaded ones: complex_of_real = of_real, cmod = norm, hcmod =
hnorm.  Other constants have been entirely removed in favor of the
polymorphic versions (INCOMPATIBILITY):

  approx        <-- capprox
  HFinite       <-- CFinite
  HInfinite     <-- CInfinite
  Infinitesimal <-- CInfinitesimal
  monad         <-- cmonad
  galaxy        <-- cgalaxy
  (NS)LIM       <-- (NS)CLIM, (NS)CRLIM
  is(NS)Cont    <-- is(NS)Contc, is(NS)contCR
  (ns)deriv     <-- (ns)cderiv


*** ML ***

* Generic arithmetic modules: Tools/integer.ML, Tools/rat.ML, Tools/float.ML

* Context data interfaces (Theory/Proof/GenericDataFun): removed
name/print, uninitialized data defaults to ad-hoc copy of empty value,
init only required for impure data.  INCOMPATIBILITY: empty really
need to be empty (no dependencies on theory content!)

* ML within Isar: antiquotations allow to embed statically-checked
formal entities in the source, referring to the context available at
compile-time.  For example:

ML {* @{typ "'a => 'b"} *}
ML {* @{term "%x. x"} *}
ML {* @{prop "x == y"} *}
ML {* @{ctyp "'a => 'b"} *}
ML {* @{cterm "%x. x"} *}
ML {* @{cprop "x == y"} *}
ML {* @{thm asm_rl} *}
ML {* @{thms asm_rl} *}
ML {* @{const_name c} *}
ML {* @{const_syntax c} *}
ML {* @{context} *}
ML {* @{theory} *}
ML {* @{theory Pure} *}
ML {* @{simpset} *}
ML {* @{claset} *}
ML {* @{clasimpset} *}

The same works for sources being ``used'' within an Isar context.

* ML in Isar: improved error reporting; extra verbosity with
Toplevel.debug enabled.

* Pure/library:

  val burrow: ('a list -> 'b list) -> 'a list list -> 'b list list
  val fold_burrow: ('a list -> 'c -> 'b list * 'd) -> 'a list list -> 'c -> 'b list list * 'd

The semantics of "burrow" is: "take a function with *simulatanously*
transforms a list of value, and apply it *simulatanously* to a list of
list of values of the appropriate type". Compare this with "map" which
would *not* apply its argument function simulatanously but in
sequence; "fold_burrow" has an additional context.

* Pure/library: functions map2 and fold2 with curried syntax for
simultanous mapping and folding:

    val map2: ('a -> 'b -> 'c) -> 'a list -> 'b list -> 'c list
    val fold2: ('a -> 'b -> 'c -> 'c) -> 'a list -> 'b list -> 'c -> 'c

* Pure/library: indexed lists - some functions in the Isabelle library
treating lists over 'a as finite mappings from [0...n] to 'a have been
given more convenient names and signatures reminiscent of similar
functions for alists, tables, etc:

  val nth: 'a list -> int -> 'a 
  val nth_map: int -> ('a -> 'a) -> 'a list -> 'a list
  val fold_index: (int * 'a -> 'b -> 'b) -> 'a list -> 'b -> 'b

Note that fold_index starts counting at index 0, not 1 like foldln
used to.

* Pure/library: added general ``divide_and_conquer'' combinator on
lists.

* Pure/General/table.ML: the join operations now works via exceptions
DUP/SAME instead of type option.  This is simpler in simple cases, and
admits slightly more efficient complex applications.

* Pure: datatype Context.generic joins theory/Proof.context and
provides some facilities for code that works in either kind of
context, notably GenericDataFun for uniform theory and proof data.

* Pure: 'advanced' translation functions (parse_translation etc.) now
use Context.generic instead of just theory.

* Pure: simplified internal attribute type, which is now always
Context.generic * thm -> Context.generic * thm.  Global (theory)
vs. local (Proof.context) attributes have been discontinued, while
minimizing code duplication.  Thm.rule_attribute and
Thm.declaration_attribute build canonical attributes; see also
structure Context for further operations on Context.generic, notably
GenericDataFun.  INCOMPATIBILITY, need to adapt attribute type
declarations and definitions.

* Pure/kernel: consts certification ignores sort constraints given in
signature declarations.  (This information is not relevant to the
logic, but only for type inference.)  IMPORTANT INTERNAL CHANGE,
potential INCOMPATIBILITY.

* Pure: axiomatic type classes are now purely definitional, with
explicit proofs of class axioms and super class relations performed
internally.  See Pure/axclass.ML for the main internal interfaces --
notably AxClass.define_class supercedes AxClass.add_axclass, and
AxClass.axiomatize_class/classrel/arity supercede
Sign.add_classes/classrel/arities.

* Pure/Isar: Args/Attrib parsers operate on Context.generic --
global/local versions on theory vs. Proof.context have been
discontinued; Attrib.syntax and Method.syntax have been adapted
accordingly.  INCOMPATIBILITY, need to adapt parser expressions for
attributes, methods, etc.

* Pure: several functions of signature "... -> theory -> theory * ..."
have been reoriented to "... -> theory -> ... * theory" in order to
allow natural usage in combination with the ||>, ||>>, |-> and
fold_map combinators.

* Pure: official theorem names (closed derivations) and additional
comments (tags) are now strictly separate.  Name hints -- which are
maintained as tags -- may be attached any time without affecting the
derivation.

* Pure: primitive rule lift_rule now takes goal cterm instead of an
actual goal state (thm).  Use Thm.lift_rule (Thm.cprem_of st i) to
achieve the old behaviour.

* Pure: the "Goal" constant is now called "prop", supporting a
slightly more general idea of ``protecting'' meta-level rule
statements.

* Pure: Logic.(un)varify only works in a global context, which is now
enforced instead of silently assumed.  INCOMPATIBILITY, may use
Logic.legacy_(un)varify as temporary workaround.

* Pure: structure Name provides scalable operations for generating
internal variable names, notably Name.variants etc.  This replaces
some popular functions from term.ML:

  Term.variant		->  Name.variant
  Term.variantlist	->  Name.variant_list  (*canonical argument order*)
  Term.invent_names	->  Name.invent_list

Note that low-level renaming rarely occurs in new code -- operations
from structure Variable are used instead (see below).

* Pure: structure Variable provides fundamental operations for proper
treatment of fixed/schematic variables in a context.  For example,
Variable.import introduces fixes for schematics of given facts and
Variable.export reverses the effect (up to renaming) -- this replaces
various freeze_thaw operations.

* Pure: structure Goal provides simple interfaces for
init/conclude/finish and tactical prove operations (replacing former
Tactic.prove).  Goal.prove is the canonical way to prove results
within a given context; Goal.prove_global is a degraded version for
theory level goals, including a global Drule.standard.  Note that
OldGoals.prove_goalw_cterm has long been obsolete, since it is
ill-behaved in a local proof context (e.g. with local fixes/assumes or
in a locale context).

* Isar: simplified treatment of user-level errors, using exception
ERROR of string uniformly.  Function error now merely raises ERROR,
without any side effect on output channels.  The Isar toplevel takes
care of proper display of ERROR exceptions.  ML code may use plain
handle/can/try; cat_error may be used to concatenate errors like this:

  ... handle ERROR msg => cat_error msg "..."

Toplevel ML code (run directly or through the Isar toplevel) may be
embedded into the Isar toplevel with exception display/debug like
this:

  Isar.toplevel (fn () => ...)

INCOMPATIBILITY, removed special transform_error facilities, removed
obsolete variants of user-level exceptions (ERROR_MESSAGE,
Context.PROOF, ProofContext.CONTEXT, Proof.STATE, ProofHistory.FAIL)
-- use plain ERROR instead.

* Isar: theory setup now has type (theory -> theory), instead of a
list.  INCOMPATIBILITY, may use #> to compose setup functions.

* Isar: installed ML toplevel pretty printer for type Proof.context,
subject to ProofContext.debug/verbose flags.

* Isar: Toplevel.theory_to_proof admits transactions that modify the
theory before entering a proof state.  Transactions now always see a
quasi-functional intermediate checkpoint, both in interactive and
batch mode.

* Simplifier: the simpset of a running simplification process now
contains a proof context (cf. Simplifier.the_context), which is the
very context that the initial simpset has been retrieved from (by
simpset_of/local_simpset_of).  Consequently, all plug-in components
(solver, looper etc.) may depend on arbitrary proof data.

* Simplifier.inherit_context inherits the proof context (plus the
local bounds) of the current simplification process; any simproc
etc. that calls the Simplifier recursively should do this!  Removed
former Simplifier.inherit_bounds, which is already included here --
INCOMPATIBILITY.  Tools based on low-level rewriting may even have to
specify an explicit context using Simplifier.context/theory_context.

* Simplifier/Classical Reasoner: more abstract interfaces
change_simpset/claset for modifying the simpset/claset reference of a
theory; raw versions simpset/claset_ref etc. have been discontinued --
INCOMPATIBILITY.

* Provers: more generic wrt. syntax of object-logics, avoid hardwired
"Trueprop" etc.


*** System ***

* settings: ML_IDENTIFIER -- which is appended to user specific heap
locations -- now includes the Isabelle version identifier as well.
This simplifies use of multiple Isabelle installations.

* isabelle-process: option -S (secure mode) disables some critical
operations, notably runtime compilation and evaluation of ML source
code.

* Experimental support for multithreading, using Poly/ML 5.1 (internal
version from CVS). The theory loader exploits parallelism when
processing independent theories, following the header specifications.
The maximum number of worker threads is specified via usedir option -M
or the "max-threads" setting in Proof General.  User-code needs to
observe certain guidelines for thread-safe programming, see appendix A
in the Isar Implementation manual.


New in Isabelle2005 (October 2005)
----------------------------------

*** General ***

* Theory headers: the new header syntax for Isar theories is

  theory <name>
  imports <theory1> ... <theoryN>
  uses <file1> ... <fileM>
  begin

where the 'uses' part is optional.  The previous syntax

  theory <name> = <theory1> + ... + <theoryN>:

will disappear in the next release.  Use isatool fixheaders to convert
existing theory files.  Note that there is no change in ancient
non-Isar theories now, but these will disappear soon.

* Theory loader: parent theories can now also be referred to via
relative and absolute paths.

* Command 'find_theorems' searches for a list of criteria instead of a
list of constants. Known criteria are: intro, elim, dest, name:string,
simp:term, and any term. Criteria can be preceded by '-' to select
theorems that do not match. Intro, elim, dest select theorems that
match the current goal, name:s selects theorems whose fully qualified
name contain s, and simp:term selects all simplification rules whose
lhs match term.  Any other term is interpreted as pattern and selects
all theorems matching the pattern. Available in ProofGeneral under
'ProofGeneral -> Find Theorems' or C-c C-f.  Example:

  C-c C-f (100) "(_::nat) + _ + _" intro -name: "HOL."

prints the last 100 theorems matching the pattern "(_::nat) + _ + _",
matching the current goal as introduction rule and not having "HOL."
in their name (i.e. not being defined in theory HOL).

* Command 'thms_containing' has been discontinued in favour of
'find_theorems'; INCOMPATIBILITY.

* Communication with Proof General is now 8bit clean, which means that
Unicode text in UTF-8 encoding may be used within theory texts (both
formal and informal parts).  Cf. option -U of the Isabelle Proof
General interface.  Here are some simple examples (cf. src/HOL/ex):

  http://isabelle.in.tum.de/library/HOL/ex/Hebrew.html
  http://isabelle.in.tum.de/library/HOL/ex/Chinese.html

* Improved efficiency of the Simplifier and, to a lesser degree, the
Classical Reasoner.  Typical big applications run around 2 times
faster.


*** Document preparation ***

* Commands 'display_drafts' and 'print_drafts' perform simple output
of raw sources.  Only those symbols that do not require additional
LaTeX packages (depending on comments in isabellesym.sty) are
displayed properly, everything else is left verbatim.  isatool display
and isatool print are used as front ends (these are subject to the
DVI/PDF_VIEWER and PRINT_COMMAND settings, respectively).

* Command tags control specific markup of certain regions of text,
notably folding and hiding.  Predefined tags include "theory" (for
theory begin and end), "proof" for proof commands, and "ML" for
commands involving ML code; the additional tags "visible" and
"invisible" are unused by default.  Users may give explicit tag
specifications in the text, e.g. ''by %invisible (auto)''.  The
interpretation of tags is determined by the LaTeX job during document
preparation: see option -V of isatool usedir, or options -n and -t of
isatool document, or even the LaTeX macros \isakeeptag, \isafoldtag,
\isadroptag.

Several document versions may be produced at the same time via isatool
usedir (the generated index.html will link all of them).  Typical
specifications include ''-V document=theory,proof,ML'' to present
theory/proof/ML parts faithfully, ''-V outline=/proof,/ML'' to fold
proof and ML commands, and ''-V mutilated=-theory,-proof,-ML'' to omit
these parts without any formal replacement text.  The Isabelle site
default settings produce ''document'' and ''outline'' versions as
specified above.

* Several new antiquotations:

  @{term_type term} prints a term with its type annotated;

  @{typeof term} prints the type of a term;

  @{const const} is the same as @{term const}, but checks that the
  argument is a known logical constant;

  @{term_style style term} and @{thm_style style thm} print a term or
  theorem applying a "style" to it

  @{ML text}

Predefined styles are 'lhs' and 'rhs' printing the lhs/rhs of
definitions, equations, inequations etc., 'concl' printing only the
conclusion of a meta-logical statement theorem, and 'prem1' .. 'prem19'
to print the specified premise.  TermStyle.add_style provides an ML
interface for introducing further styles.  See also the "LaTeX Sugar"
document practical applications.  The ML antiquotation prints
type-checked ML expressions verbatim.

* Markup commands 'chapter', 'section', 'subsection', 'subsubsection',
and 'text' support optional locale specification '(in loc)', which
specifies the default context for interpreting antiquotations.  For
example: 'text (in lattice) {* @{thm inf_assoc}*}'.

* Option 'locale=NAME' of antiquotations specifies an alternative
context interpreting the subsequent argument.  For example: @{thm
[locale=lattice] inf_assoc}.

* Proper output of proof terms (@{prf ...} and @{full_prf ...}) within
a proof context.

* Proper output of antiquotations for theory commands involving a
proof context (such as 'locale' or 'theorem (in loc) ...').

* Delimiters of outer tokens (string etc.) now produce separate LaTeX
macros (\isachardoublequoteopen, isachardoublequoteclose etc.).

* isatool usedir: new option -C (default true) controls whether option
-D should include a copy of the original document directory; -C false
prevents unwanted effects such as copying of administrative CVS data.


*** Pure ***

* Considerably improved version of 'constdefs' command.  Now performs
automatic type-inference of declared constants; additional support for
local structure declarations (cf. locales and HOL records), see also
isar-ref manual.  Potential INCOMPATIBILITY: need to observe strictly
sequential dependencies of definitions within a single 'constdefs'
section; moreover, the declared name needs to be an identifier.  If
all fails, consider to fall back on 'consts' and 'defs' separately.

* Improved indexed syntax and implicit structures.  First of all,
indexed syntax provides a notational device for subscripted
application, using the new syntax \<^bsub>term\<^esub> for arbitrary
expressions.  Secondly, in a local context with structure
declarations, number indexes \<^sub>n or the empty index (default
number 1) refer to a certain fixed variable implicitly; option
show_structs controls printing of implicit structures.  Typical
applications of these concepts involve record types and locales.

* New command 'no_syntax' removes grammar declarations (and
translations) resulting from the given syntax specification, which is
interpreted in the same manner as for the 'syntax' command.

* 'Advanced' translation functions (parse_translation etc.) may depend
on the signature of the theory context being presently used for
parsing/printing, see also isar-ref manual.

* Improved 'oracle' command provides a type-safe interface to turn an
ML expression of type theory -> T -> term into a primitive rule of
type theory -> T -> thm (i.e. the functionality of Thm.invoke_oracle
is already included here); see also FOL/ex/IffExample.thy;
INCOMPATIBILITY.

* axclass: name space prefix for class "c" is now "c_class" (was "c"
before); "cI" is no longer bound, use "c.intro" instead.
INCOMPATIBILITY.  This change avoids clashes of fact bindings for
axclasses vs. locales.

* Improved internal renaming of symbolic identifiers -- attach primes
instead of base 26 numbers.

* New flag show_question_marks controls printing of leading question
marks in schematic variable names.

* In schematic variable names, *any* symbol following \<^isub> or
\<^isup> is now treated as part of the base name.  For example, the
following works without printing of awkward ".0" indexes:

  lemma "x\<^isub>1 = x\<^isub>2 ==> x\<^isub>2 = x\<^isub>1"
    by simp

* Inner syntax includes (*(*nested*) comments*).

* Pretty printer now supports unbreakable blocks, specified in mixfix
annotations as "(00...)".

* Clear separation of logical types and nonterminals, where the latter
may only occur in 'syntax' specifications or type abbreviations.
Before that distinction was only partially implemented via type class
"logic" vs. "{}".  Potential INCOMPATIBILITY in rare cases of improper
use of 'types'/'consts' instead of 'nonterminals'/'syntax'.  Some very
exotic syntax specifications may require further adaption
(e.g. Cube/Cube.thy).

* Removed obsolete type class "logic", use the top sort {} instead.
Note that non-logical types should be declared as 'nonterminals'
rather than 'types'.  INCOMPATIBILITY for new object-logic
specifications.

* Attributes 'induct' and 'cases': type or set names may now be
locally fixed variables as well.

* Simplifier: can now control the depth to which conditional rewriting
is traced via the PG menu Isabelle -> Settings -> Trace Simp Depth
Limit.

* Simplifier: simplification procedures may now take the current
simpset into account (cf. Simplifier.simproc(_i) / mk_simproc
interface), which is very useful for calling the Simplifier
recursively.  Minor INCOMPATIBILITY: the 'prems' argument of simprocs
is gone -- use prems_of_ss on the simpset instead.  Moreover, the
low-level mk_simproc no longer applies Logic.varify internally, to
allow for use in a context of fixed variables.

* thin_tac now works even if the assumption being deleted contains !!
or ==>.  More generally, erule now works even if the major premise of
the elimination rule contains !! or ==>.

* Method 'rules' has been renamed to 'iprover'. INCOMPATIBILITY.

* Reorganized bootstrapping of the Pure theories; CPure is now derived
from Pure, which contains all common declarations already.  Both
theories are defined via plain Isabelle/Isar .thy files.
INCOMPATIBILITY: elements of CPure (such as the CPure.intro /
CPure.elim / CPure.dest attributes) now appear in the Pure name space;
use isatool fixcpure to adapt your theory and ML sources.

* New syntax 'name(i-j, i-, i, ...)' for referring to specific
selections of theorems in named facts via index ranges.

* 'print_theorems': in theory mode, really print the difference
wrt. the last state (works for interactive theory development only),
in proof mode print all local facts (cf. 'print_facts');

* 'hide': option '(open)' hides only base names.

* More efficient treatment of intermediate checkpoints in interactive
theory development.

* Code generator is now invoked via code_module (incremental code
generation) and code_library (modular code generation, ML structures
for each theory).  INCOMPATIBILITY: new keywords 'file' and 'contains'
must be quoted when used as identifiers.

* New 'value' command for reading, evaluating and printing terms using
the code generator.  INCOMPATIBILITY: command keyword 'value' must be
quoted when used as identifier.


*** Locales ***

* New commands for the interpretation of locale expressions in
theories (1), locales (2) and proof contexts (3).  These generate
proof obligations from the expression specification.  After the
obligations have been discharged, theorems of the expression are added
to the theory, target locale or proof context.  The synopsis of the
commands is a follows:

  (1) interpretation expr inst
  (2) interpretation target < expr
  (3) interpret expr inst

Interpretation in theories and proof contexts require a parameter
instantiation of terms from the current context.  This is applied to
specifications and theorems of the interpreted expression.
Interpretation in locales only permits parameter renaming through the
locale expression.  Interpretation is smart in that interpretations
that are active already do not occur in proof obligations, neither are
instantiated theorems stored in duplicate.  Use 'print_interps' to
inspect active interpretations of a particular locale.  For details,
see the Isar Reference manual.  Examples can be found in
HOL/Finite_Set.thy and HOL/Algebra/UnivPoly.thy.

INCOMPATIBILITY: former 'instantiate' has been withdrawn, use
'interpret' instead.

* New context element 'constrains' for adding type constraints to
parameters.

* Context expressions: renaming of parameters with syntax
redeclaration.

* Locale declaration: 'includes' disallowed.

* Proper static binding of attribute syntax -- i.e. types / terms /
facts mentioned as arguments are always those of the locale definition
context, independently of the context of later invocations.  Moreover,
locale operations (renaming and type / term instantiation) are applied
to attribute arguments as expected.

INCOMPATIBILITY of the ML interface: always pass Attrib.src instead of
actual attributes; rare situations may require Attrib.attribute to
embed those attributes into Attrib.src that lack concrete syntax.
Attribute implementations need to cooperate properly with the static
binding mechanism.  Basic parsers Args.XXX_typ/term/prop and
Attrib.XXX_thm etc. already do the right thing without further
intervention.  Only unusual applications -- such as "where" or "of"
(cf. src/Pure/Isar/attrib.ML), which process arguments depending both
on the context and the facts involved -- may have to assign parsed
values to argument tokens explicitly.

* Changed parameter management in theorem generation for long goal
statements with 'includes'.  INCOMPATIBILITY: produces a different
theorem statement in rare situations.

* Locale inspection command 'print_locale' omits notes elements.  Use
'print_locale!' to have them included in the output.


*** Provers ***

* Provers/hypsubst.ML: improved version of the subst method, for
single-step rewriting: it now works in bound variable contexts. New is
'subst (asm)', for rewriting an assumption.  INCOMPATIBILITY: may
rewrite a different subterm than the original subst method, which is
still available as 'simplesubst'.

* Provers/quasi.ML: new transitivity reasoners for transitivity only
and quasi orders.

* Provers/trancl.ML: new transitivity reasoner for transitive and
reflexive-transitive closure of relations.

* Provers/blast.ML: new reference depth_limit to make blast's depth
limit (previously hard-coded with a value of 20) user-definable.

* Provers/simplifier.ML has been moved to Pure, where Simplifier.setup
is peformed already.  Object-logics merely need to finish their
initial simpset configuration as before.  INCOMPATIBILITY.


*** HOL ***

* Symbolic syntax of Hilbert Choice Operator is now as follows:

  syntax (epsilon)
    "_Eps" :: "[pttrn, bool] => 'a"    ("(3\<some>_./ _)" [0, 10] 10)

The symbol \<some> is displayed as the alternative epsilon of LaTeX
and x-symbol; use option '-m epsilon' to get it actually printed.
Moreover, the mathematically important symbolic identifier \<epsilon>
becomes available as variable, constant etc.  INCOMPATIBILITY,

* "x > y" abbreviates "y < x" and "x >= y" abbreviates "y <= x".
Similarly for all quantifiers: "ALL x > y" etc.  The x-symbol for >=
is \<ge>. New transitivity rules have been added to HOL/Orderings.thy to
support corresponding Isar calculations.

* "{x:A. P}" abbreviates "{x. x:A & P}", and similarly for "\<in>"
instead of ":".

* theory SetInterval: changed the syntax for open intervals:

  Old       New
  {..n(}    {..<n}
  {)n..}    {n<..}
  {m..n(}   {m..<n}
  {)m..n}   {m<..n}
  {)m..n(}  {m<..<n}

The old syntax is still supported but will disappear in the next
release.  For conversion use the following Emacs search and replace
patterns (these are not perfect but work quite well):

  {)\([^\.]*\)\.\.  ->  {\1<\.\.}
  \.\.\([^(}]*\)(}  ->  \.\.<\1}

* Theory Commutative_Ring (in Library): method comm_ring for proving
equalities in commutative rings; method 'algebra' provides a generic
interface.

* Theory Finite_Set: changed the syntax for 'setsum', summation over
finite sets: "setsum (%x. e) A", which used to be "\<Sum>x:A. e", is
now either "SUM x:A. e" or "\<Sum>x \<in> A. e". The bound variable can
be a tuple pattern.

Some new syntax forms are available:

  "\<Sum>x | P. e"      for     "setsum (%x. e) {x. P}"
  "\<Sum>x = a..b. e"   for     "setsum (%x. e) {a..b}"
  "\<Sum>x = a..<b. e"  for     "setsum (%x. e) {a..<b}"
  "\<Sum>x < k. e"      for     "setsum (%x. e) {..<k}"

The latter form "\<Sum>x < k. e" used to be based on a separate
function "Summation", which has been discontinued.

* theory Finite_Set: in structured induction proofs, the insert case
is now 'case (insert x F)' instead of the old counterintuitive 'case
(insert F x)'.

* The 'refute' command has been extended to support a much larger
fragment of HOL, including axiomatic type classes, constdefs and
typedefs, inductive datatypes and recursion.

* New tactics 'sat' and 'satx' to prove propositional tautologies.
Requires zChaff with proof generation to be installed.  See
HOL/ex/SAT_Examples.thy for examples.

* Datatype induction via method 'induct' now preserves the name of the
induction variable. For example, when proving P(xs::'a list) by
induction on xs, the induction step is now P(xs) ==> P(a#xs) rather
than P(list) ==> P(a#list) as previously.  Potential INCOMPATIBILITY
in unstructured proof scripts.

* Reworked implementation of records.  Improved scalability for
records with many fields, avoiding performance problems for type
inference. Records are no longer composed of nested field types, but
of nested extension types. Therefore the record type only grows linear
in the number of extensions and not in the number of fields.  The
top-level (users) view on records is preserved.  Potential
INCOMPATIBILITY only in strange cases, where the theory depends on the
old record representation. The type generated for a record is called
<record_name>_ext_type.

Flag record_quick_and_dirty_sensitive can be enabled to skip the
proofs triggered by a record definition or a simproc (if
quick_and_dirty is enabled).  Definitions of large records can take
quite long.

New simproc record_upd_simproc for simplification of multiple record
updates enabled by default.  Moreover, trivial updates are also
removed: r(|x := x r|) = r.  INCOMPATIBILITY: old proofs break
occasionally, since simplification is more powerful by default.

* typedef: proper support for polymorphic sets, which contain extra
type-variables in the term.

* Simplifier: automatically reasons about transitivity chains
involving "trancl" (r^+) and "rtrancl" (r^*) by setting up tactics
provided by Provers/trancl.ML as additional solvers.  INCOMPATIBILITY:
old proofs break occasionally as simplification may now solve more
goals than previously.

* Simplifier: converts x <= y into x = y if assumption y <= x is
present.  Works for all partial orders (class "order"), in particular
numbers and sets.  For linear orders (e.g. numbers) it treats ~ x < y
just like y <= x.

* Simplifier: new simproc for "let x = a in f x".  If a is a free or
bound variable or a constant then the let is unfolded.  Otherwise
first a is simplified to b, and then f b is simplified to g. If
possible we abstract b from g arriving at "let x = b in h x",
otherwise we unfold the let and arrive at g.  The simproc can be
enabled/disabled by the reference use_let_simproc.  Potential
INCOMPATIBILITY since simplification is more powerful by default.

* Classical reasoning: the meson method now accepts theorems as arguments.

* Prover support: pre-release of the Isabelle-ATP linkup, which runs background
jobs to provide advice on the provability of subgoals.

* Theory OrderedGroup and Ring_and_Field: various additions and
improvements to faciliate calculations involving equalities and
inequalities.

The following theorems have been eliminated or modified
(INCOMPATIBILITY):

  abs_eq             now named abs_of_nonneg
  abs_of_ge_0        now named abs_of_nonneg
  abs_minus_eq       now named abs_of_nonpos
  imp_abs_id         now named abs_of_nonneg
  imp_abs_neg_id     now named abs_of_nonpos
  mult_pos           now named mult_pos_pos
  mult_pos_le        now named mult_nonneg_nonneg
  mult_pos_neg_le    now named mult_nonneg_nonpos
  mult_pos_neg2_le   now named mult_nonneg_nonpos2
  mult_neg           now named mult_neg_neg
  mult_neg_le        now named mult_nonpos_nonpos

* The following lemmas in Ring_and_Field have been added to the simplifier:
     
     zero_le_square
     not_square_less_zero 

  The following lemmas have been deleted from Real/RealPow:
  
     realpow_zero_zero
     realpow_two
     realpow_less
     zero_le_power
     realpow_two_le
     abs_realpow_two
     realpow_two_abs     

* Theory Parity: added rules for simplifying exponents.

* Theory List:

The following theorems have been eliminated or modified
(INCOMPATIBILITY):

  list_all_Nil       now named list_all.simps(1)
  list_all_Cons      now named list_all.simps(2)
  list_all_conv      now named list_all_iff
  set_mem_eq         now named mem_iff

* Theories SetsAndFunctions and BigO (see HOL/Library) support
asymptotic "big O" calculations.  See the notes in BigO.thy.


*** HOL-Complex ***

* Theory RealDef: better support for embedding natural numbers and
integers in the reals.

The following theorems have been eliminated or modified
(INCOMPATIBILITY):

  exp_ge_add_one_self  now requires no hypotheses
  real_of_int_add      reversed direction of equality (use [symmetric])
  real_of_int_minus    reversed direction of equality (use [symmetric])
  real_of_int_diff     reversed direction of equality (use [symmetric])
  real_of_int_mult     reversed direction of equality (use [symmetric])

* Theory RComplete: expanded support for floor and ceiling functions.

* Theory Ln is new, with properties of the natural logarithm

* Hyperreal: There is a new type constructor "star" for making
nonstandard types.  The old type names are now type synonyms:

  hypreal = real star
  hypnat = nat star
  hcomplex = complex star

* Hyperreal: Many groups of similarly-defined constants have been
replaced by polymorphic versions (INCOMPATIBILITY):

  star_of <-- hypreal_of_real, hypnat_of_nat, hcomplex_of_complex

  starset      <-- starsetNat, starsetC
  *s*          <-- *sNat*, *sc*
  starset_n    <-- starsetNat_n, starsetC_n
  *sn*         <-- *sNatn*, *scn*
  InternalSets <-- InternalNatSets, InternalCSets

  starfun      <-- starfun{Nat,Nat2,C,RC,CR}
  *f*          <-- *fNat*, *fNat2*, *fc*, *fRc*, *fcR*
  starfun_n    <-- starfun{Nat,Nat2,C,RC,CR}_n
  *fn*         <-- *fNatn*, *fNat2n*, *fcn*, *fRcn*, *fcRn*
  InternalFuns <-- InternalNatFuns, InternalNatFuns2, Internal{C,RC,CR}Funs

* Hyperreal: Many type-specific theorems have been removed in favor of
theorems specific to various axiomatic type classes (INCOMPATIBILITY):

  add_commute <-- {hypreal,hypnat,hcomplex}_add_commute
  add_assoc   <-- {hypreal,hypnat,hcomplex}_add_assocs
  OrderedGroup.add_0 <-- {hypreal,hypnat,hcomplex}_add_zero_left
  OrderedGroup.add_0_right <-- {hypreal,hcomplex}_add_zero_right
  right_minus <-- hypreal_add_minus
  left_minus <-- {hypreal,hcomplex}_add_minus_left
  mult_commute <-- {hypreal,hypnat,hcomplex}_mult_commute
  mult_assoc <-- {hypreal,hypnat,hcomplex}_mult_assoc
  mult_1_left <-- {hypreal,hypnat}_mult_1, hcomplex_mult_one_left
  mult_1_right <-- hcomplex_mult_one_right
  mult_zero_left <-- hcomplex_mult_zero_left
  left_distrib <-- {hypreal,hypnat,hcomplex}_add_mult_distrib
  right_distrib <-- hypnat_add_mult_distrib2
  zero_neq_one <-- {hypreal,hypnat,hcomplex}_zero_not_eq_one
  right_inverse <-- hypreal_mult_inverse
  left_inverse <-- hypreal_mult_inverse_left, hcomplex_mult_inv_left
  order_refl <-- {hypreal,hypnat}_le_refl
  order_trans <-- {hypreal,hypnat}_le_trans
  order_antisym <-- {hypreal,hypnat}_le_anti_sym
  order_less_le <-- {hypreal,hypnat}_less_le
  linorder_linear <-- {hypreal,hypnat}_le_linear
  add_left_mono <-- {hypreal,hypnat}_add_left_mono
  mult_strict_left_mono <-- {hypreal,hypnat}_mult_less_mono2
  add_nonneg_nonneg <-- hypreal_le_add_order

* Hyperreal: Separate theorems having to do with type-specific
versions of constants have been merged into theorems that apply to the
new polymorphic constants (INCOMPATIBILITY):

  STAR_UNIV_set <-- {STAR_real,NatStar_real,STARC_complex}_set
  STAR_empty_set <-- {STAR,NatStar,STARC}_empty_set
  STAR_Un <-- {STAR,NatStar,STARC}_Un
  STAR_Int <-- {STAR,NatStar,STARC}_Int
  STAR_Compl <-- {STAR,NatStar,STARC}_Compl
  STAR_subset <-- {STAR,NatStar,STARC}_subset
  STAR_mem <-- {STAR,NatStar,STARC}_mem
  STAR_mem_Compl <-- {STAR,STARC}_mem_Compl
  STAR_diff <-- {STAR,STARC}_diff
  STAR_star_of_image_subset <-- {STAR_hypreal_of_real, NatStar_hypreal_of_real,
    STARC_hcomplex_of_complex}_image_subset
  starset_n_Un <-- starset{Nat,C}_n_Un
  starset_n_Int <-- starset{Nat,C}_n_Int
  starset_n_Compl <-- starset{Nat,C}_n_Compl
  starset_n_diff <-- starset{Nat,C}_n_diff
  InternalSets_Un <-- Internal{Nat,C}Sets_Un
  InternalSets_Int <-- Internal{Nat,C}Sets_Int
  InternalSets_Compl <-- Internal{Nat,C}Sets_Compl
  InternalSets_diff <-- Internal{Nat,C}Sets_diff
  InternalSets_UNIV_diff <-- Internal{Nat,C}Sets_UNIV_diff
  InternalSets_starset_n <-- Internal{Nat,C}Sets_starset{Nat,C}_n
  starset_starset_n_eq <-- starset{Nat,C}_starset{Nat,C}_n_eq
  starset_n_starset <-- starset{Nat,C}_n_starset{Nat,C}
  starfun_n_starfun <-- starfun{Nat,Nat2,C,RC,CR}_n_starfun{Nat,Nat2,C,RC,CR}
  starfun <-- starfun{Nat,Nat2,C,RC,CR}
  starfun_mult <-- starfun{Nat,Nat2,C,RC,CR}_mult
  starfun_add <-- starfun{Nat,Nat2,C,RC,CR}_add
  starfun_minus <-- starfun{Nat,Nat2,C,RC,CR}_minus
  starfun_diff <-- starfun{C,RC,CR}_diff
  starfun_o <-- starfun{NatNat2,Nat2,_stafunNat,C,C_starfunRC,_starfunCR}_o
  starfun_o2 <-- starfun{NatNat2,_stafunNat,C,C_starfunRC,_starfunCR}_o2
  starfun_const_fun <-- starfun{Nat,Nat2,C,RC,CR}_const_fun
  starfun_inverse <-- starfun{Nat,C,RC,CR}_inverse
  starfun_eq <-- starfun{Nat,Nat2,C,RC,CR}_eq
  starfun_eq_iff <-- starfun{C,RC,CR}_eq_iff
  starfun_Id <-- starfunC_Id
  starfun_approx <-- starfun{Nat,CR}_approx
  starfun_capprox <-- starfun{C,RC}_capprox
  starfun_abs <-- starfunNat_rabs
  starfun_lambda_cancel <-- starfun{C,CR,RC}_lambda_cancel
  starfun_lambda_cancel2 <-- starfun{C,CR,RC}_lambda_cancel2
  starfun_mult_HFinite_approx <-- starfunCR_mult_HFinite_capprox
  starfun_mult_CFinite_capprox <-- starfun{C,RC}_mult_CFinite_capprox
  starfun_add_capprox <-- starfun{C,RC}_add_capprox
  starfun_add_approx <-- starfunCR_add_approx
  starfun_inverse_inverse <-- starfunC_inverse_inverse
  starfun_divide <-- starfun{C,CR,RC}_divide
  starfun_n <-- starfun{Nat,C}_n
  starfun_n_mult <-- starfun{Nat,C}_n_mult
  starfun_n_add <-- starfun{Nat,C}_n_add
  starfun_n_add_minus <-- starfunNat_n_add_minus
  starfun_n_const_fun <-- starfun{Nat,C}_n_const_fun
  starfun_n_minus <-- starfun{Nat,C}_n_minus
  starfun_n_eq <-- starfun{Nat,C}_n_eq

  star_n_add <-- {hypreal,hypnat,hcomplex}_add
  star_n_minus <-- {hypreal,hcomplex}_minus
  star_n_diff <-- {hypreal,hcomplex}_diff
  star_n_mult <-- {hypreal,hcomplex}_mult
  star_n_inverse <-- {hypreal,hcomplex}_inverse
  star_n_le <-- {hypreal,hypnat}_le
  star_n_less <-- {hypreal,hypnat}_less
  star_n_zero_num <-- {hypreal,hypnat,hcomplex}_zero_num
  star_n_one_num <-- {hypreal,hypnat,hcomplex}_one_num
  star_n_abs <-- hypreal_hrabs
  star_n_divide <-- hcomplex_divide

  star_of_add <-- {hypreal_of_real,hypnat_of_nat,hcomplex_of_complex}_add
  star_of_minus <-- {hypreal_of_real,hcomplex_of_complex}_minus
  star_of_diff <-- hypreal_of_real_diff
  star_of_mult <-- {hypreal_of_real,hypnat_of_nat,hcomplex_of_complex}_mult
  star_of_one <-- {hypreal_of_real,hcomplex_of_complex}_one
  star_of_zero <-- {hypreal_of_real,hypnat_of_nat,hcomplex_of_complex}_zero
  star_of_le <-- {hypreal_of_real,hypnat_of_nat}_le_iff
  star_of_less <-- {hypreal_of_real,hypnat_of_nat}_less_iff
  star_of_eq <-- {hypreal_of_real,hypnat_of_nat,hcomplex_of_complex}_eq_iff
  star_of_inverse <-- {hypreal_of_real,hcomplex_of_complex}_inverse
  star_of_divide <-- {hypreal_of_real,hcomplex_of_complex}_divide
  star_of_of_nat <-- {hypreal_of_real,hcomplex_of_complex}_of_nat
  star_of_of_int <-- {hypreal_of_real,hcomplex_of_complex}_of_int
  star_of_number_of <-- {hypreal,hcomplex}_number_of
  star_of_number_less <-- number_of_less_hypreal_of_real_iff
  star_of_number_le <-- number_of_le_hypreal_of_real_iff
  star_of_eq_number <-- hypreal_of_real_eq_number_of_iff
  star_of_less_number <-- hypreal_of_real_less_number_of_iff
  star_of_le_number <-- hypreal_of_real_le_number_of_iff
  star_of_power <-- hypreal_of_real_power
  star_of_eq_0 <-- hcomplex_of_complex_zero_iff

* Hyperreal: new method "transfer" that implements the transfer
principle of nonstandard analysis. With a subgoal that mentions
nonstandard types like "'a star", the command "apply transfer"
replaces it with an equivalent one that mentions only standard types.
To be successful, all free variables must have standard types; non-
standard variables must have explicit universal quantifiers.

* Hyperreal: A theory of Taylor series.


*** HOLCF ***

* Discontinued special version of 'constdefs' (which used to support
continuous functions) in favor of the general Pure one with full
type-inference.

* New simplification procedure for solving continuity conditions; it
is much faster on terms with many nested lambda abstractions (cubic
instead of exponential time).

* New syntax for domain package: selector names are now optional.
Parentheses should be omitted unless argument is lazy, for example:

  domain 'a stream = cons "'a" (lazy "'a stream")

* New command 'fixrec' for defining recursive functions with pattern
matching; defining multiple functions with mutual recursion is also
supported.  Patterns may include the constants cpair, spair, up, sinl,
sinr, or any data constructor defined by the domain package. The given
equations are proven as rewrite rules. See HOLCF/ex/Fixrec_ex.thy for
syntax and examples.

* New commands 'cpodef' and 'pcpodef' for defining predicate subtypes
of cpo and pcpo types. Syntax is exactly like the 'typedef' command,
but the proof obligation additionally includes an admissibility
requirement. The packages generate instances of class cpo or pcpo,
with continuity and strictness theorems for Rep and Abs.

* HOLCF: Many theorems have been renamed according to a more standard naming
scheme (INCOMPATIBILITY):

  foo_inject:  "foo$x = foo$y ==> x = y"
  foo_eq:      "(foo$x = foo$y) = (x = y)"
  foo_less:    "(foo$x << foo$y) = (x << y)"
  foo_strict:  "foo$UU = UU"
  foo_defined: "... ==> foo$x ~= UU"
  foo_defined_iff: "(foo$x = UU) = (x = UU)"


*** ZF ***

* ZF/ex: theories Group and Ring provide examples in abstract algebra,
including the First Isomorphism Theorem (on quotienting by the kernel
of a homomorphism).

* ZF/Simplifier: install second copy of type solver that actually
makes use of TC rules declared to Isar proof contexts (or locales);
the old version is still required for ML proof scripts.


*** Cube ***

* Converted to Isar theory format; use locales instead of axiomatic
theories.


*** ML ***

* Pure/library.ML: added ##>, ##>>, #>> -- higher-order counterparts
for ||>, ||>>, |>>,

* Pure/library.ML no longer defines its own option datatype, but uses
that of the SML basis, which has constructors NONE and SOME instead of
None and Some, as well as exception Option.Option instead of OPTION.
The functions the, if_none, is_some, is_none have been adapted
accordingly, while Option.map replaces apsome.

* Pure/library.ML: the exception LIST has been given up in favour of
the standard exceptions Empty and Subscript, as well as
Library.UnequalLengths.  Function like Library.hd and Library.tl are
superceded by the standard hd and tl functions etc.

A number of basic list functions are no longer exported to the ML
toplevel, as they are variants of predefined functions.  The following
suggests how one can translate existing code:

    rev_append xs ys = List.revAppend (xs, ys)
    nth_elem (i, xs) = List.nth (xs, i)
    last_elem xs = List.last xs
    flat xss = List.concat xss
    seq fs = List.app fs
    partition P xs = List.partition P xs
    mapfilter f xs = List.mapPartial f xs

* Pure/library.ML: several combinators for linear functional
transformations, notably reverse application and composition:

  x |> f                f #> g
  (x, y) |-> f          f #-> g

* Pure/library.ML: introduced/changed precedence of infix operators:

  infix 1 |> |-> ||> ||>> |>> |>>> #> #->;
  infix 2 ?;
  infix 3 o oo ooo oooo;
  infix 4 ~~ upto downto;

Maybe INCOMPATIBILITY when any of those is used in conjunction with other
infix operators.

* Pure/library.ML: natural list combinators fold, fold_rev, and
fold_map support linear functional transformations and nesting.  For
example:

  fold f [x1, ..., xN] y =
    y |> f x1 |> ... |> f xN

  (fold o fold) f [xs1, ..., xsN] y =
    y |> fold f xs1 |> ... |> fold f xsN

  fold f [x1, ..., xN] =
    f x1 #> ... #> f xN

  (fold o fold) f [xs1, ..., xsN] =
    fold f xs1 #> ... #> fold f xsN

* Pure/library.ML: the following selectors on type 'a option are
available:

  the:               'a option -> 'a  (*partial*)
  these:             'a option -> 'a  where 'a = 'b list
  the_default: 'a -> 'a option -> 'a
  the_list:          'a option -> 'a list

* Pure/General: structure AList (cf. Pure/General/alist.ML) provides
basic operations for association lists, following natural argument
order; moreover the explicit equality predicate passed here avoids
potentially expensive polymorphic runtime equality checks.
The old functions may be expressed as follows:

  assoc = uncurry (AList.lookup (op =))
  assocs = these oo AList.lookup (op =)
  overwrite = uncurry (AList.update (op =)) o swap

* Pure/General: structure AList (cf. Pure/General/alist.ML) provides

  val make: ('a -> 'b) -> 'a list -> ('a * 'b) list
  val find: ('a * 'b -> bool) -> ('c * 'b) list -> 'a -> 'c list

replacing make_keylist and keyfilter (occassionally used)
Naive rewrites:

  make_keylist = AList.make
  keyfilter = AList.find (op =)

* eq_fst and eq_snd now take explicit equality parameter, thus
  avoiding eqtypes. Naive rewrites:

    eq_fst = eq_fst (op =)
    eq_snd = eq_snd (op =)

* Removed deprecated apl and apr (rarely used).
  Naive rewrites:

    apl (n, op) =>>= curry op n
    apr (op, m) =>>= fn n => op (n, m)

* Pure/General: structure OrdList (cf. Pure/General/ord_list.ML)
provides a reasonably efficient light-weight implementation of sets as
lists.

* Pure/General: generic tables (cf. Pure/General/table.ML) provide a
few new operations; existing lookup and update are now curried to
follow natural argument order (for use with fold etc.);
INCOMPATIBILITY, use (uncurry Symtab.lookup) etc. as last resort.

* Pure/General: output via the Isabelle channels of
writeln/warning/error etc. is now passed through Output.output, with a
hook for arbitrary transformations depending on the print_mode
(cf. Output.add_mode -- the first active mode that provides a output
function wins).  Already formatted output may be embedded into further
text via Output.raw; the result of Pretty.string_of/str_of and derived
functions (string_of_term/cterm/thm etc.) is already marked raw to
accommodate easy composition of diagnostic messages etc.  Programmers
rarely need to care about Output.output or Output.raw at all, with
some notable exceptions: Output.output is required when bypassing the
standard channels (writeln etc.), or in token translations to produce
properly formatted results; Output.raw is required when capturing
already output material that will eventually be presented to the user
a second time.  For the default print mode, both Output.output and
Output.raw have no effect.

* Pure/General: Output.time_accumulator NAME creates an operator ('a
-> 'b) -> 'a -> 'b to measure runtime and count invocations; the
cumulative results are displayed at the end of a batch session.

* Pure/General: File.sysify_path and File.quote_sysify path have been
replaced by File.platform_path and File.shell_path (with appropriate
hooks).  This provides a clean interface for unusual systems where the
internal and external process view of file names are different.

* Pure: more efficient orders for basic syntactic entities: added
fast_string_ord, fast_indexname_ord, fast_term_ord; changed sort_ord
and typ_ord to use fast_string_ord and fast_indexname_ord (term_ord is
NOT affected); structures Symtab, Vartab, Typtab, Termtab use the fast
orders now -- potential INCOMPATIBILITY for code that depends on a
particular order for Symtab.keys, Symtab.dest, etc. (consider using
Library.sort_strings on result).

* Pure/term.ML: combinators fold_atyps, fold_aterms, fold_term_types,
fold_types traverse types/terms from left to right, observing natural
argument order.  Supercedes previous foldl_XXX versions, add_frees,
add_vars etc. have been adapted as well: INCOMPATIBILITY.

* Pure: name spaces have been refined, with significant changes of the
internal interfaces -- INCOMPATIBILITY.  Renamed cond_extern(_table)
to extern(_table).  The plain name entry path is superceded by a
general 'naming' context, which also includes the 'policy' to produce
a fully qualified name and external accesses of a fully qualified
name; NameSpace.extend is superceded by context dependent
Sign.declare_name.  Several theory and proof context operations modify
the naming context.  Especially note Theory.restore_naming and
ProofContext.restore_naming to get back to a sane state; note that
Theory.add_path is no longer sufficient to recover from
Theory.absolute_path in particular.

* Pure: new flags short_names (default false) and unique_names
(default true) for controlling output of qualified names.  If
short_names is set, names are printed unqualified.  If unique_names is
reset, the name prefix is reduced to the minimum required to achieve
the original result when interning again, even if there is an overlap
with earlier declarations.

* Pure/TheoryDataFun: change of the argument structure; 'prep_ext' is
now 'extend', and 'merge' gets an additional Pretty.pp argument
(useful for printing error messages).  INCOMPATIBILITY.

* Pure: major reorganization of the theory context.  Type Sign.sg and
Theory.theory are now identified, referring to the universal
Context.theory (see Pure/context.ML).  Actual signature and theory
content is managed as theory data.  The old code and interfaces were
spread over many files and structures; the new arrangement introduces
considerable INCOMPATIBILITY to gain more clarity:

  Context -- theory management operations (name, identity, inclusion,
    parents, ancestors, merge, etc.), plus generic theory data;

  Sign -- logical signature and syntax operations (declaring consts,
    types, etc.), plus certify/read for common entities;

  Theory -- logical theory operations (stating axioms, definitions,
    oracles), plus a copy of logical signature operations (consts,
    types, etc.); also a few basic management operations (Theory.copy,
    Theory.merge, etc.)

The most basic sign_of operations (Theory.sign_of, Thm.sign_of_thm
etc.) as well as the sign field in Thm.rep_thm etc. have been retained
for convenience -- they merely return the theory.

* Pure: type Type.tsig is superceded by theory in most interfaces.

* Pure: the Isar proof context type is already defined early in Pure
as Context.proof (note that ProofContext.context and Proof.context are
aliases, where the latter is the preferred name).  This enables other
Isabelle components to refer to that type even before Isar is present.

* Pure/sign/theory: discontinued named name spaces (i.e. classK,
typeK, constK, axiomK, oracleK), but provide explicit operations for
any of these kinds.  For example, Sign.intern typeK is now
Sign.intern_type, Theory.hide_space Sign.typeK is now
Theory.hide_types.  Also note that former
Theory.hide_classes/types/consts are now
Theory.hide_classes_i/types_i/consts_i, while the non '_i' versions
internalize their arguments!  INCOMPATIBILITY.

* Pure: get_thm interface (of PureThy and ProofContext) expects
datatype thmref (with constructors Name and NameSelection) instead of
plain string -- INCOMPATIBILITY;

* Pure: cases produced by proof methods specify options, where NONE
means to remove case bindings -- INCOMPATIBILITY in
(RAW_)METHOD_CASES.

* Pure: the following operations retrieve axioms or theorems from a
theory node or theory hierarchy, respectively:

  Theory.axioms_of: theory -> (string * term) list
  Theory.all_axioms_of: theory -> (string * term) list
  PureThy.thms_of: theory -> (string * thm) list
  PureThy.all_thms_of: theory -> (string * thm) list

* Pure: print_tac now outputs the goal through the trace channel.

* Isar toplevel: improved diagnostics, mostly for Poly/ML only.
Reference Toplevel.debug (default false) controls detailed printing
and tracing of low-level exceptions; Toplevel.profiling (default 0)
controls execution profiling -- set to 1 for time and 2 for space
(both increase the runtime).

* Isar session: The initial use of ROOT.ML is now always timed,
i.e. the log will show the actual process times, in contrast to the
elapsed wall-clock time that the outer shell wrapper produces.

* Simplifier: improved handling of bound variables (nameless
representation, avoid allocating new strings).  Simprocs that invoke
the Simplifier recursively should use Simplifier.inherit_bounds to
avoid local name clashes.  Failure to do so produces warnings
"Simplifier: renamed bound variable ..."; set Simplifier.debug_bounds
for further details.

* ML functions legacy_bindings and use_legacy_bindings produce ML fact
bindings for all theorems stored within a given theory; this may help
in porting non-Isar theories to Isar ones, while keeping ML proof
scripts for the time being.

* ML operator HTML.with_charset specifies the charset begin used for
generated HTML files.  For example:

  HTML.with_charset "utf-8" use_thy "Hebrew";
  HTML.with_charset "utf-8" use_thy "Chinese";


*** System ***

* Allow symlinks to all proper Isabelle executables (Isabelle,
isabelle, isatool etc.).

* ISABELLE_DOC_FORMAT setting specifies preferred document format (for
isatool doc, isatool mkdir, display_drafts etc.).

* isatool usedir: option -f allows specification of the ML file to be
used by Isabelle; default is ROOT.ML.

* New isatool version outputs the version identifier of the Isabelle
distribution being used.

* HOL: new isatool dimacs2hol converts files in DIMACS CNF format
(containing Boolean satisfiability problems) into Isabelle/HOL
theories.



New in Isabelle2004 (April 2004)
--------------------------------

*** General ***

* Provers/order.ML:  new efficient reasoner for partial and linear orders.
  Replaces linorder.ML.

* Pure: Greek letters (except small lambda, \<lambda>), as well as Gothic
  (\<aa>...\<zz>\<AA>...\<ZZ>), calligraphic (\<A>...\<Z>), and Euler
  (\<a>...\<z>), are now considered normal letters, and can therefore
  be used anywhere where an ASCII letter (a...zA...Z) has until
  now. COMPATIBILITY: This obviously changes the parsing of some
  terms, especially where a symbol has been used as a binder, say
  '\<Pi>x. ...', which is now a type error since \<Pi>x will be parsed
  as an identifier.  Fix it by inserting a space around former
  symbols.  Call 'isatool fixgreek' to try to fix parsing errors in
  existing theory and ML files.

* Pure: Macintosh and Windows line-breaks are now allowed in theory files.

* Pure: single letter sub/superscripts (\<^isub> and \<^isup>) are now
  allowed in identifiers. Similar to Greek letters \<^isub> is now considered
  a normal (but invisible) letter. For multiple letter subscripts repeat
  \<^isub> like this: x\<^isub>1\<^isub>2.

* Pure: There are now sub-/superscripts that can span more than one
  character. Text between \<^bsub> and \<^esub> is set in subscript in
  ProofGeneral and LaTeX, text between \<^bsup> and \<^esup> in
  superscript. The new control characters are not identifier parts.

* Pure: Control-symbols of the form \<^raw:...> will literally print the
  content of "..." to the latex file instead of \isacntrl... . The "..."
  may consist of any printable characters excluding the end bracket >.

* Pure: Using new Isar command "finalconsts" (or the ML functions
  Theory.add_finals or Theory.add_finals_i) it is now possible to
  declare constants "final", which prevents their being given a definition
  later.  It is useful for constants whose behaviour is fixed axiomatically
  rather than definitionally, such as the meta-logic connectives.

* Pure: 'instance' now handles general arities with general sorts
  (i.e. intersections of classes),

* Presentation: generated HTML now uses a CSS style sheet to make layout
  (somewhat) independent of content. It is copied from lib/html/isabelle.css.
  It can be changed to alter the colors/layout of generated pages.


*** Isar ***

* Tactic emulation methods rule_tac, erule_tac, drule_tac, frule_tac,
  cut_tac, subgoal_tac and thin_tac:
  - Now understand static (Isar) contexts.  As a consequence, users of Isar
    locales are no longer forced to write Isar proof scripts.
    For details see Isar Reference Manual, paragraph 4.3.2: Further tactic
    emulations.
  - INCOMPATIBILITY: names of variables to be instantiated may no
    longer be enclosed in quotes.  Instead, precede variable name with `?'.
    This is consistent with the instantiation attribute "where".

* Attributes "where" and "of":
  - Now take type variables of instantiated theorem into account when reading
    the instantiation string.  This fixes a bug that caused instantiated
    theorems to have too special types in some circumstances.
  - "where" permits explicit instantiations of type variables.

* Calculation commands "moreover" and "also" no longer interfere with
  current facts ("this"), admitting arbitrary combinations with "then"
  and derived forms.

* Locales:
  - Goal statements involving the context element "includes" no longer
    generate theorems with internal delta predicates (those ending on
    "_axioms") in the premise.
    Resolve particular premise with <locale>.intro to obtain old form.
  - Fixed bug in type inference ("unify_frozen") that prevented mix of target
    specification and "includes" elements in goal statement.
  - Rule sets <locale>.intro and <locale>.axioms no longer declared as
    [intro?] and [elim?] (respectively) by default.
  - Experimental command for instantiation of locales in proof contexts:
        instantiate <label>[<attrs>]: <loc>
    Instantiates locale <loc> and adds all its theorems to the current context
    taking into account their attributes.  Label and attrs are optional
    modifiers, like in theorem declarations.  If present, names of
    instantiated theorems are qualified with <label>, and the attributes
    <attrs> are applied after any attributes these theorems might have already.
      If the locale has assumptions, a chained fact of the form
    "<loc> t1 ... tn" is expected from which instantiations of the parameters
    are derived.  The command does not support old-style locales declared
    with "locale (open)".
      A few (very simple) examples can be found in FOL/ex/LocaleInst.thy.

* HOL: Tactic emulation methods induct_tac and case_tac understand static
  (Isar) contexts.


*** HOL ***

* Proof import: new image HOL4 contains the imported library from
  the HOL4 system with about 2500 theorems. It is imported by
  replaying proof terms produced by HOL4 in Isabelle. The HOL4 image
  can be used like any other Isabelle image.  See
  HOL/Import/HOL/README for more information.

* Simplifier:
  - Much improved handling of linear and partial orders.
    Reasoners for linear and partial orders are set up for type classes
    "linorder" and "order" respectively, and are added to the default simpset
    as solvers.  This means that the simplifier can build transitivity chains
    to solve goals from the assumptions.
  - INCOMPATIBILITY: old proofs break occasionally.  Typically, applications
    of blast or auto after simplification become unnecessary because the goal
    is solved by simplification already.

* Numerics: new theory Ring_and_Field contains over 250 basic numerical laws,
    all proved in axiomatic type classes for semirings, rings and fields.

* Numerics:
  - Numeric types (nat, int, and in HOL-Complex rat, real, complex, etc.) are
    now formalized using the Ring_and_Field theory mentioned above.
  - INCOMPATIBILITY: simplification and arithmetic behaves somewhat differently
    than before, because now they are set up once in a generic manner.
  - INCOMPATIBILITY: many type-specific arithmetic laws have gone.
    Look for the general versions in Ring_and_Field (and Power if they concern
    exponentiation).

* Type "rat" of the rational numbers is now available in HOL-Complex.

* Records:
  - Record types are now by default printed with their type abbreviation
    instead of the list of all field types. This can be configured via
    the reference "print_record_type_abbr".
  - Simproc "record_upd_simproc" for simplification of multiple updates added
    (not enabled by default).
  - Simproc "record_ex_sel_eq_simproc" to simplify EX x. sel r = x resp.
    EX x. x = sel r to True (not enabled by default).
  - Tactic "record_split_simp_tac" to split and simplify records added.

* 'specification' command added, allowing for definition by
  specification.  There is also an 'ax_specification' command that
  introduces the new constants axiomatically.

* arith(_tac) is now able to generate counterexamples for reals as well.

* HOL-Algebra: new locale "ring" for non-commutative rings.

* HOL-ex: InductiveInvariant_examples illustrates advanced recursive function
  definitions, thanks to Sava Krsti\'{c} and John Matthews.

* HOL-Matrix: a first theory for matrices in HOL with an application of
  matrix theory to linear programming.

* Unions and Intersections:
  The latex output syntax of UN and INT has been changed
  from "\Union x \in A. B" to "\Union_{x \in A} B"
  i.e. the index formulae has become a subscript.
  Similarly for "\Union x. B", and for \Inter instead of \Union.

* Unions and Intersections over Intervals:
  There is new short syntax "UN i<=n. A" for "UN i:{0..n}. A". There is
  also an x-symbol version with subscripts "\<Union>\<^bsub>i <= n\<^esub>. A"
  like in normal math, and corresponding versions for < and for intersection.

* HOL/List: Ordering "lexico" is renamed "lenlex" and the standard
  lexicographic dictonary ordering has been added as "lexord".

* ML: the legacy theory structures Int and List have been removed. They had
  conflicted with ML Basis Library structures having the same names.

* 'refute' command added to search for (finite) countermodels.  Only works
  for a fragment of HOL.  The installation of an external SAT solver is
  highly recommended.  See "HOL/Refute.thy" for details.

* 'quickcheck' command: Allows to find counterexamples by evaluating
  formulae under an assignment of free variables to random values.
  In contrast to 'refute', it can deal with inductive datatypes,
  but cannot handle quantifiers. See "HOL/ex/Quickcheck_Examples.thy"
  for examples.


*** HOLCF ***

* Streams now come with concatenation and are part of the HOLCF image



New in Isabelle2003 (May 2003)
------------------------------

*** General ***

* Provers/simplifier:

  - Completely reimplemented method simp (ML: Asm_full_simp_tac):
    Assumptions are now subject to complete mutual simplification,
    not just from left to right. The simplifier now preserves
    the order of assumptions.

    Potential INCOMPATIBILITY:

    -- simp sometimes diverges where the old version did
       not, e.g. invoking simp on the goal

        [| P (f x); y = x; f x = f y |] ==> Q

       now gives rise to the infinite reduction sequence

        P(f x) --(f x = f y)--> P(f y) --(y = x)--> P(f x) --(f x = f y)--> ...

       Using "simp (asm_lr)" (ML: Asm_lr_simp_tac) instead often solves this
       kind of problem.

    -- Tactics combining classical reasoner and simplification (such as auto)
       are also affected by this change, because many of them rely on
       simp. They may sometimes diverge as well or yield a different numbers
       of subgoals. Try to use e.g. force, fastsimp, or safe instead of auto
       in case of problems. Sometimes subsequent calls to the classical
       reasoner will fail because a preceeding call to the simplifier too
       eagerly simplified the goal, e.g. deleted redundant premises.

  - The simplifier trace now shows the names of the applied rewrite rules

  - You can limit the number of recursive invocations of the simplifier
    during conditional rewriting (where the simplifie tries to solve the
    conditions before applying the rewrite rule):
    ML "simp_depth_limit := n"
    where n is an integer. Thus you can force termination where previously
    the simplifier would diverge.

  - Accepts free variables as head terms in congruence rules.  Useful in Isar.

  - No longer aborts on failed congruence proof.  Instead, the
    congruence is ignored.

* Pure: New generic framework for extracting programs from constructive
  proofs. See HOL/Extraction.thy for an example instantiation, as well
  as HOL/Extraction for some case studies.

* Pure: The main goal of the proof state is no longer shown by default, only
the subgoals. This behaviour is controlled by a new flag.
   PG menu: Isabelle/Isar -> Settings -> Show Main Goal
(ML: Proof.show_main_goal).

* Pure: You can find all matching introduction rules for subgoal 1, i.e. all
rules whose conclusion matches subgoal 1:
      PG menu: Isabelle/Isar -> Show me -> matching rules
The rules are ordered by how closely they match the subgoal.
In particular, rules that solve a subgoal outright are displayed first
(or rather last, the way they are printed).
(ML: ProofGeneral.print_intros())

* Pure: New flag trace_unify_fail causes unification to print
diagnostic information (PG: in trace buffer) when it fails. This is
useful for figuring out why single step proofs like rule, erule or
assumption failed.

* Pure: Locale specifications now produce predicate definitions
according to the body of text (covering assumptions modulo local
definitions); predicate "loc_axioms" covers newly introduced text,
while "loc" is cumulative wrt. all included locale expressions; the
latter view is presented only on export into the global theory
context; potential INCOMPATIBILITY, use "(open)" option to fall back
on the old view without predicates;

* Pure: predefined locales "var" and "struct" are useful for sharing
parameters (as in CASL, for example); just specify something like
``var x + var y + struct M'' as import;

* Pure: improved thms_containing: proper indexing of facts instead of
raw theorems; check validity of results wrt. current name space;
include local facts of proof configuration (also covers active
locales), cover fixed variables in index; may use "_" in term
specification; an optional limit for the number of printed facts may
be given (the default is 40);

* Pure: disallow duplicate fact bindings within new-style theory files
(batch-mode only);

* Provers: improved induct method: assumptions introduced by case
"foo" are split into "foo.hyps" (from the rule) and "foo.prems" (from
the goal statement); "foo" still refers to all facts collectively;

* Provers: the function blast.overloaded has been removed: all constants
are regarded as potentially overloaded, which improves robustness in exchange
for slight decrease in efficiency;

* Provers/linorder: New generic prover for transitivity reasoning over
linear orders.  Note: this prover is not efficient!

* Isar: preview of problems to finish 'show' now produce an error
rather than just a warning (in interactive mode);


*** HOL ***

* arith(_tac)

 - Produces a counter example if it cannot prove a goal.
   Note that the counter example may be spurious if the goal is not a formula
   of quantifier-free linear arithmetic.
   In ProofGeneral the counter example appears in the trace buffer.

 - Knows about div k and mod k where k is a numeral of type nat or int.

 - Calls full Presburger arithmetic (by Amine Chaieb) if quantifier-free
   linear arithmetic fails. This takes account of quantifiers and divisibility.
   Presburger arithmetic can also be called explicitly via presburger(_tac).

* simp's arithmetic capabilities have been enhanced a bit: it now
takes ~= in premises into account (by performing a case split);

* simp reduces "m*(n div m) + n mod m" to n, even if the two summands
are distributed over a sum of terms;

* New tactic "trans_tac" and method "trans" instantiate
Provers/linorder.ML for axclasses "order" and "linorder" (predicates
"<=", "<" and "=").

* function INCOMPATIBILITIES: Pi-sets have been redefined and moved from main
HOL to Library/FuncSet; constant "Fun.op o" is now called "Fun.comp";

* 'typedef' command has new option "open" to suppress the set
definition;

* functions Min and Max on finite sets have been introduced (theory
Finite_Set);

* attribute [symmetric] now works for relations as well; it turns
(x,y) : R^-1 into (y,x) : R, and vice versa;

* induct over a !!-quantified statement (say !!x1..xn):
  each "case" automatically performs "fix x1 .. xn" with exactly those names.

* Map: `empty' is no longer a constant but a syntactic abbreviation for
%x. None. Warning: empty_def now refers to the previously hidden definition
of the empty set.

* Algebra: formalization of classical algebra.  Intended as base for
any algebraic development in Isabelle.  Currently covers group theory
(up to Sylow's theorem) and ring theory (Universal Property of
Univariate Polynomials).  Contributions welcome;

* GroupTheory: deleted, since its material has been moved to Algebra;

* Complex: new directory of the complex numbers with numeric constants,
nonstandard complex numbers, and some complex analysis, standard and
nonstandard (Jacques Fleuriot);

* HOL-Complex: new image for analysis, replacing HOL-Real and HOL-Hyperreal;

* Hyperreal: introduced Gauge integration and hyperreal logarithms (Jacques
Fleuriot);

* Real/HahnBanach: updated and adapted to locales;

* NumberTheory: added Gauss's law of quadratic reciprocity (by Avigad,
Gray and Kramer);

* UNITY: added the Meier-Sanders theory of progress sets;

* MicroJava: bytecode verifier and lightweight bytecode verifier
as abstract algorithms, instantiated to the JVM;

* Bali: Java source language formalization. Type system, operational
semantics, axiomatic semantics. Supported language features:
classes, interfaces, objects,virtual methods, static methods,
static/instance fields, arrays, access modifiers, definite
assignment, exceptions.


*** ZF ***

* ZF/Constructible: consistency proof for AC (Gdel's constructible
universe, etc.);

* Main ZF: virtually all theories converted to new-style format;


*** ML ***

* Pure: Tactic.prove provides sane interface for internal proofs;
omits the infamous "standard" operation, so this is more appropriate
than prove_goalw_cterm in many situations (e.g. in simprocs);

* Pure: improved error reporting of simprocs;

* Provers: Simplifier.simproc(_i) provides sane interface for setting
up simprocs;


*** Document preparation ***

* uses \par instead of \\ for line breaks in theory text. This may
shift some page breaks in large documents. To get the old behaviour
use \renewcommand{\isanewline}{\mbox{}\\\mbox{}} in root.tex.

* minimized dependencies of isabelle.sty and isabellesym.sty on
other packages

* \<euro> now needs package babel/greek instead of marvosym (which
broke \Rightarrow)

* normal size for \<zero>...\<nine> (uses \mathbf instead of
textcomp package)



New in Isabelle2002 (March 2002)
--------------------------------

*** Document preparation ***

* greatly simplified document preparation setup, including more
graceful interpretation of isatool usedir -i/-d/-D options, and more
instructive isatool mkdir; users should basically be able to get
started with "isatool mkdir HOL Test && isatool make"; alternatively,
users may run a separate document processing stage manually like this:
"isatool usedir -D output HOL Test && isatool document Test/output";

* theory dependency graph may now be incorporated into documents;
isatool usedir -g true will produce session_graph.eps/.pdf for use
with \includegraphics of LaTeX;

* proper spacing of consecutive markup elements, especially text
blocks after section headings;

* support bold style (for single symbols only), input syntax is like
this: "\<^bold>\<alpha>" or "\<^bold>A";

* \<bullet> is now output as bold \cdot by default, which looks much
better in printed text;

* added default LaTeX bindings for \<tturnstile> and \<TTurnstile>;
note that these symbols are currently unavailable in Proof General /
X-Symbol; new symbols \<zero>, \<one>, ..., \<nine>, and \<euro>;

* isatool latex no longer depends on changed TEXINPUTS, instead
isatool document copies the Isabelle style files to the target
location;


*** Isar ***

* Pure/Provers: improved proof by cases and induction;
  - 'case' command admits impromptu naming of parameters (such as
    "case (Suc n)");
  - 'induct' method divinates rule instantiation from the inductive
    claim; no longer requires excessive ?P bindings for proper
    instantiation of cases;
  - 'induct' method properly enumerates all possibilities of set/type
    rules; as a consequence facts may be also passed through *type*
    rules without further ado;
  - 'induct' method now derives symbolic cases from the *rulified*
    rule (before it used to rulify cases stemming from the internal
    atomized version); this means that the context of a non-atomic
    statement becomes is included in the hypothesis, avoiding the
    slightly cumbersome show "PROP ?case" form;
  - 'induct' may now use elim-style induction rules without chaining
    facts, using ``missing'' premises from the goal state; this allows
    rules stemming from inductive sets to be applied in unstructured
    scripts, while still benefitting from proper handling of non-atomic
    statements; NB: major inductive premises need to be put first, all
    the rest of the goal is passed through the induction;
  - 'induct' proper support for mutual induction involving non-atomic
    rule statements (uses the new concept of simultaneous goals, see
    below);
  - append all possible rule selections, but only use the first
    success (no backtracking);
  - removed obsolete "(simplified)" and "(stripped)" options of methods;
  - undeclared rule case names default to numbers 1, 2, 3, ...;
  - added 'print_induct_rules' (covered by help item in recent Proof
    General versions);
  - moved induct/cases attributes to Pure, methods to Provers;
  - generic method setup instantiated for FOL and HOL;

* Pure: support multiple simultaneous goal statements, for example
"have a: A and b: B" (same for 'theorem' etc.); being a pure
meta-level mechanism, this acts as if several individual goals had
been stated separately; in particular common proof methods need to be
repeated in order to cover all claims; note that a single elimination
step is *not* sufficient to establish the two conjunctions, so this
fails:

  assume "A & B" then have A and B ..   (*".." fails*)

better use "obtain" in situations as above; alternative refer to
multi-step methods like 'auto', 'simp_all', 'blast+' etc.;

* Pure: proper integration with ``locales''; unlike the original
version by Florian Kammller, Isar locales package high-level proof
contexts rather than raw logical ones (e.g. we admit to include
attributes everywhere); operations on locales include merge and
rename; support for implicit arguments (``structures''); simultaneous
type-inference over imports and text; see also HOL/ex/Locales.thy for
some examples;

* Pure: the following commands have been ``localized'', supporting a
target locale specification "(in name)": 'lemma', 'theorem',
'corollary', 'lemmas', 'theorems', 'declare'; the results will be
stored both within the locale and at the theory level (exported and
qualified by the locale name);

* Pure: theory goals may now be specified in ``long'' form, with
ad-hoc contexts consisting of arbitrary locale elements. for example
``lemma foo: fixes x assumes "A x" shows "B x"'' (local syntax and
definitions may be given, too); the result is a meta-level rule with
the context elements being discharged in the obvious way;

* Pure: new proof command 'using' allows to augment currently used
facts after a goal statement ('using' is syntactically analogous to
'apply', but acts on the goal's facts only); this allows chained facts
to be separated into parts given before and after a claim, as in
``from a and b have C using d and e <proof>'';

* Pure: renamed "antecedent" case to "rule_context";

* Pure: new 'judgment' command records explicit information about the
object-logic embedding (used by several tools internally); no longer
use hard-wired "Trueprop";

* Pure: added 'corollary' command;

* Pure: fixed 'token_translation' command;

* Pure: removed obsolete 'exported' attribute;

* Pure: dummy pattern "_" in is/let is now automatically lifted over
bound variables: "ALL x. P x --> Q x" (is "ALL x. _ --> ?C x")
supersedes more cumbersome ... (is "ALL x. _ x --> ?C x");

* Pure: method 'atomize' presents local goal premises as object-level
statements (atomic meta-level propositions); setup controlled via
rewrite rules declarations of 'atomize' attribute; example
application: 'induct' method with proper rule statements in improper
proof *scripts*;

* Pure: emulation of instantiation tactics (rule_tac, cut_tac, etc.)
now consider the syntactic context of assumptions, giving a better
chance to get type-inference of the arguments right (this is
especially important for locales);

* Pure: "sorry" no longer requires quick_and_dirty in interactive
mode;

* Pure/obtain: the formal conclusion "thesis", being marked as
``internal'', may no longer be reference directly in the text;
potential INCOMPATIBILITY, may need to use "?thesis" in rare
situations;

* Pure: generic 'sym' attribute which declares a rule both as pure
'elim?' and for the 'symmetric' operation;

* Pure: marginal comments ``--'' may now occur just anywhere in the
text; the fixed correlation with particular command syntax has been
discontinued;

* Pure: new method 'rules' is particularly well-suited for proof
search in intuitionistic logic; a bit slower than 'blast' or 'fast',
but often produces more compact proof terms with less detours;

* Pure/Provers/classical: simplified integration with pure rule
attributes and methods; the classical "intro?/elim?/dest?"
declarations coincide with the pure ones; the "rule" method no longer
includes classically swapped intros; "intro" and "elim" methods no
longer pick rules from the context; also got rid of ML declarations
AddXIs/AddXEs/AddXDs; all of this has some potential for
INCOMPATIBILITY;

* Provers/classical: attribute 'swapped' produces classical inversions
of introduction rules;

* Provers/simplifier: 'simplified' attribute may refer to explicit
rules instead of full simplifier context; 'iff' attribute handles
conditional rules;

* HOL: 'typedef' now allows alternative names for Rep/Abs morphisms;

* HOL: 'recdef' now fails on unfinished automated proofs, use
"(permissive)" option to recover old behavior;

* HOL: 'inductive' no longer features separate (collective) attributes
for 'intros' (was found too confusing);

* HOL: properly declared induction rules less_induct and
wf_induct_rule;


*** HOL ***

* HOL: moved over to sane numeral syntax; the new policy is as
follows:

  - 0 and 1 are polymorphic constants, which are defined on any
  numeric type (nat, int, real etc.);

  - 2, 3, 4, ... and -1, -2, -3, ... are polymorphic numerals, based
  binary representation internally;

  - type nat has special constructor Suc, and generally prefers Suc 0
  over 1::nat and Suc (Suc 0) over 2::nat;

This change may cause significant problems of INCOMPATIBILITY; here
are some hints on converting existing sources:

  - due to the new "num" token, "-0" and "-1" etc. are now atomic
  entities, so expressions involving "-" (unary or binary minus) need
  to be spaced properly;

  - existing occurrences of "1" may need to be constraint "1::nat" or
  even replaced by Suc 0; similar for old "2";

  - replace "#nnn" by "nnn", and "#-nnn" by "-nnn";

  - remove all special provisions on numerals in proofs;

* HOL: simp rules nat_number expand numerals on nat to Suc/0
representation (depends on bin_arith_simps in the default context);

* HOL: symbolic syntax for x^2 (numeral 2);

* HOL: the class of all HOL types is now called "type" rather than
"term"; INCOMPATIBILITY, need to adapt references to this type class
in axclass/classes, instance/arities, and (usually rare) occurrences
in typings (of consts etc.); internally the class is called
"HOL.type", ML programs should refer to HOLogic.typeS;

* HOL/record package improvements:
  - new derived operations "fields" to build a partial record section,
    "extend" to promote a fixed record to a record scheme, and
    "truncate" for the reverse; cf. theorems "xxx.defs", which are *not*
    declared as simp by default;
  - shared operations ("more", "fields", etc.) now need to be always
    qualified) --- potential INCOMPATIBILITY;
  - removed "make_scheme" operations (use "make" with "extend") --
    INCOMPATIBILITY;
  - removed "more" class (simply use "term") -- INCOMPATIBILITY;
  - provides cases/induct rules for use with corresponding Isar
    methods (for concrete records, record schemes, concrete more
    parts, and schematic more parts -- in that order);
  - internal definitions directly based on a light-weight abstract
    theory of product types over typedef rather than datatype;

* HOL: generic code generator for generating executable ML code from
specifications; specific support for HOL constructs such as inductive
datatypes and sets, as well as recursive functions; can be invoked
via 'generate_code' theory section;

* HOL: canonical cases/induct rules for n-tuples (n = 3..7);

* HOL: consolidated and renamed several theories.  In particular:
        Ord.thy has been absorbed into HOL.thy
        String.thy has been absorbed into List.thy

* HOL: concrete setsum syntax "\<Sum>i:A. b" == "setsum (%i. b) A"
(beware of argument permutation!);

* HOL: linorder_less_split superseded by linorder_cases;

* HOL/List: "nodups" renamed to "distinct";

* HOL: added "The" definite description operator; move Hilbert's "Eps"
to peripheral theory "Hilbert_Choice"; some INCOMPATIBILITIES:
  - Ex_def has changed, now need to use some_eq_ex

* HOL: made split_all_tac safe; EXISTING PROOFS MAY FAIL OR LOOP, so
in this (rare) case use:

  delSWrapper "split_all_tac"
  addSbefore ("unsafe_split_all_tac", unsafe_split_all_tac)

* HOL: added safe wrapper "split_conv_tac" to claset; EXISTING PROOFS
MAY FAIL;

* HOL: introduced f^n = f o ... o f; warning: due to the limits of
Isabelle's type classes, ^ on functions and relations has too general
a domain, namely ('a * 'b) set and 'a => 'b; this means that it may be
necessary to attach explicit type constraints;

* HOL/Relation: the prefix name of the infix "O" has been changed from
"comp" to "rel_comp"; INCOMPATIBILITY: a few theorems have been
renamed accordingly (eg "compI" -> "rel_compI").

* HOL: syntax translations now work properly with numerals and records
expressions;

* HOL: bounded abstraction now uses syntax "%" / "\<lambda>" instead
of "lam" -- INCOMPATIBILITY;

* HOL: got rid of some global declarations (potential INCOMPATIBILITY
for ML tools): const "()" renamed "Product_Type.Unity", type "unit"
renamed "Product_Type.unit";

* HOL: renamed rtrancl_into_rtrancl2 to converse_rtrancl_into_rtrancl

* HOL: removed obsolete theorem "optionE" (use "option.exhaust", or
the "cases" method);

* HOL/GroupTheory: group theory examples including Sylow's theorem (by
Florian Kammller);

* HOL/IMP: updated and converted to new-style theory format; several
parts turned into readable document, with proper Isar proof texts and
some explanations (by Gerwin Klein);

* HOL-Real: added Complex_Numbers (by Gertrud Bauer);

* HOL-Hyperreal is now a logic image;


*** HOLCF ***

* Isar: consts/constdefs supports mixfix syntax for continuous
operations;

* Isar: domain package adapted to new-style theory format, e.g. see
HOLCF/ex/Dnat.thy;

* theory Lift: proper use of rep_datatype lift instead of ML hacks --
potential INCOMPATIBILITY; now use plain induct_tac instead of former
lift.induct_tac, always use UU instead of Undef;

* HOLCF/IMP: updated and converted to new-style theory;


*** ZF ***

* Isar: proper integration of logic-specific tools and packages,
including theory commands '(co)inductive', '(co)datatype',
'rep_datatype', 'inductive_cases', as well as methods 'ind_cases',
'induct_tac', 'case_tac', and 'typecheck' (with attribute 'TC');

* theory Main no longer includes AC; for the Axiom of Choice, base
your theory on Main_ZFC;

* the integer library now covers quotients and remainders, with many
laws relating division to addition, multiplication, etc.;

* ZF/UNITY: Chandy and Misra's UNITY is now available in ZF, giving a
typeless version of the formalism;

* ZF/AC, Coind, IMP, Resid: updated and converted to new-style theory
format;

* ZF/Induct: new directory for examples of inductive definitions,
including theory Multiset for multiset orderings; converted to
new-style theory format;

* ZF: many new theorems about lists, ordinals, etc.;


*** General ***

* Pure/kernel: meta-level proof terms (by Stefan Berghofer); reference
variable proof controls level of detail: 0 = no proofs (only oracle
dependencies), 1 = lemma dependencies, 2 = compact proof terms; see
also ref manual for further ML interfaces;

* Pure/axclass: removed obsolete ML interface
goal_subclass/goal_arity;

* Pure/syntax: new token syntax "num" for plain numerals (without "#"
of "xnum"); potential INCOMPATIBILITY, since -0, -1 etc. are now
separate tokens, so expressions involving minus need to be spaced
properly;

* Pure/syntax: support non-oriented infixes, using keyword "infix"
rather than "infixl" or "infixr";

* Pure/syntax: concrete syntax for dummy type variables admits genuine
sort constraint specifications in type inference; e.g. "x::_::foo"
ensures that the type of "x" is of sort "foo" (but not necessarily a
type variable);

* Pure/syntax: print modes "type_brackets" and "no_type_brackets"
control output of nested => (types); the default behavior is
"type_brackets";

* Pure/syntax: builtin parse translation for "_constify" turns valued
tokens into AST constants;

* Pure/syntax: prefer later declarations of translations and print
translation functions; potential INCOMPATIBILITY: need to reverse
multiple declarations for same syntax element constant;

* Pure/show_hyps reset by default (in accordance to existing Isar
practice);

* Provers/classical: renamed addaltern to addafter, addSaltern to
addSafter;

* Provers/clasimp: ``iff'' declarations now handle conditional rules
as well;

* system: tested support for MacOS X; should be able to get Isabelle +
Proof General to work in a plain Terminal after installing Poly/ML
(e.g. from the Isabelle distribution area) and GNU bash alone
(e.g. from http://www.apple.com); full X11, XEmacs and X-Symbol
support requires further installations, e.g. from
http://fink.sourceforge.net/);

* system: support Poly/ML 4.1.1 (able to manage larger heaps);

* system: reduced base memory usage by Poly/ML (approx. 20 MB instead
of 40 MB), cf. ML_OPTIONS;

* system: Proof General keywords specification is now part of the
Isabelle distribution (see etc/isar-keywords.el);

* system: support for persistent Proof General sessions (refrain from
outdating all loaded theories on startup); user may create writable
logic images like this: ``isabelle -q HOL Test'';

* system: smart selection of Isabelle process versus Isabelle
interface, accommodates case-insensitive file systems (e.g. HFS+); may
run both "isabelle" and "Isabelle" even if file names are badly
damaged (executable inspects the case of the first letter of its own
name); added separate "isabelle-process" and "isabelle-interface";

* system: refrain from any attempt at filtering input streams; no
longer support ``8bit'' encoding of old isabelle font, instead proper
iso-latin characters may now be used; the related isatools
"symbolinput" and "nonascii" have disappeared as well;

* system: removed old "xterm" interface (the print modes "xterm" and
"xterm_color" are still available for direct use in a suitable
terminal);



New in Isabelle99-2 (February 2001)
-----------------------------------

*** Overview of INCOMPATIBILITIES ***

* HOL: please note that theories in the Library and elsewhere often use the
new-style (Isar) format; to refer to their theorems in an ML script you must
bind them to ML identifers by e.g.      val thm_name = thm "thm_name";

* HOL: inductive package no longer splits induction rule aggressively,
but only as far as specified by the introductions given; the old
format may be recovered via ML function complete_split_rule or attribute
'split_rule (complete)';

* HOL: induct renamed to lfp_induct, lfp_Tarski to lfp_unfold,
gfp_Tarski to gfp_unfold;

* HOL: contrapos, contrapos2 renamed to contrapos_nn, contrapos_pp;

* HOL: infix "dvd" now has priority 50 rather than 70 (because it is a
relation); infix "^^" has been renamed "``"; infix "``" has been
renamed "`"; "univalent" has been renamed "single_valued";

* HOL/Real: "rinv" and "hrinv" replaced by overloaded "inverse"
operation;

* HOLCF: infix "`" has been renamed "$"; the symbol syntax is \<cdot>;

* Isar: 'obtain' no longer declares "that" fact as simp/intro;

* Isar/HOL: method 'induct' now handles non-atomic goals; as a
consequence, it is no longer monotonic wrt. the local goal context
(which is now passed through the inductive cases);

* Document preparation: renamed standard symbols \<ll> to \<lless> and
\<gg> to \<ggreater>;


*** Document preparation ***

* \isabellestyle{NAME} selects version of Isabelle output (currently
available: are "it" for near math-mode best-style output, "sl" for
slanted text style, and "tt" for plain type-writer; if no
\isabellestyle command is given, output is according to slanted
type-writer);

* support sub/super scripts (for single symbols only), input syntax is
like this: "A\<^sup>*" or "A\<^sup>\<star>";

* some more standard symbols; see Appendix A of the system manual for
the complete list of symbols defined in isabellesym.sty;

* improved isabelle style files; more abstract symbol implementation
(should now use \isamath{...} and \isatext{...} in custom symbol
definitions);

* antiquotation @{goals} and @{subgoals} for output of *dynamic* goals
state; Note that presentation of goal states does not conform to
actual human-readable proof documents.  Please do not include goal
states into document output unless you really know what you are doing!

* proper indentation of antiquoted output with proportional LaTeX
fonts;

* no_document ML operator temporarily disables LaTeX document
generation;

* isatool unsymbolize tunes sources for plain ASCII communication;


*** Isar ***

* Pure: Isar now suffers initial goal statements to contain unbound
schematic variables (this does not conform to actual readable proof
documents, due to unpredictable outcome and non-compositional proof
checking); users who know what they are doing may use schematic goals
for Prolog-style synthesis of proven results;

* Pure: assumption method (an implicit finishing) now handles actual
rules as well;

* Pure: improved 'obtain' --- moved to Pure, insert "that" into
initial goal, declare "that" only as Pure intro (only for single
steps); the "that" rule assumption may now be involved in implicit
finishing, thus ".." becomes a feasible for trivial obtains;

* Pure: default proof step now includes 'intro_classes'; thus trivial
instance proofs may be performed by "..";

* Pure: ?thesis / ?this / "..." now work for pure meta-level
statements as well;

* Pure: more robust selection of calculational rules;

* Pure: the builtin notion of 'finished' goal now includes the ==-refl
rule (as well as the assumption rule);

* Pure: 'thm_deps' command visualizes dependencies of theorems and
lemmas, using the graph browser tool;

* Pure: predict failure of "show" in interactive mode;

* Pure: 'thms_containing' now takes actual terms as arguments;

* HOL: improved method 'induct' --- now handles non-atomic goals
(potential INCOMPATIBILITY); tuned error handling;

* HOL: cases and induct rules now provide explicit hints about the
number of facts to be consumed (0 for "type" and 1 for "set" rules);
any remaining facts are inserted into the goal verbatim;

* HOL: local contexts (aka cases) may now contain term bindings as
well; the 'cases' and 'induct' methods new provide a ?case binding for
the result to be shown in each case;

* HOL: added 'recdef_tc' command;

* isatool convert assists in eliminating legacy ML scripts;


*** HOL ***

* HOL/Library: a collection of generic theories to be used together
with main HOL; the theory loader path already includes this directory
by default; the following existing theories have been moved here:
HOL/Induct/Multiset, HOL/Induct/Acc (as Accessible_Part), HOL/While
(as While_Combinator), HOL/Lex/Prefix (as List_Prefix);

* HOL/Unix: "Some aspects of Unix file-system security", a typical
modelling and verification task performed in Isabelle/HOL +
Isabelle/Isar + Isabelle document preparation (by Markus Wenzel).

* HOL/Algebra: special summation operator SUM no longer exists, it has
been replaced by setsum; infix 'assoc' now has priority 50 (like
'dvd'); axiom 'one_not_zero' has been moved from axclass 'ring' to
'domain', this makes the theory consistent with mathematical
literature;

* HOL basics: added overloaded operations "inverse" and "divide"
(infix "/"), syntax for generic "abs" operation, generic summation
operator \<Sum>;

* HOL/typedef: simplified package, provide more useful rules (see also
HOL/subset.thy);

* HOL/datatype: induction rule for arbitrarily branching datatypes is
now expressed as a proper nested rule (old-style tactic scripts may
require atomize_strip_tac to cope with non-atomic premises);

* HOL: renamed theory "Prod" to "Product_Type", renamed "split" rule
to "split_conv" (old name still available for compatibility);

* HOL: improved concrete syntax for strings (e.g. allows translation
rules with string literals);

* HOL-Real-Hyperreal: this extends HOL-Real with the hyperreals
 and Fleuriot's mechanization of analysis, including the transcendental
 functions for the reals;

* HOL/Real, HOL/Hyperreal: improved arithmetic simplification;


*** CTT ***

* CTT: x-symbol support for Pi, Sigma, -->, : (membership); note that
"lam" is displayed as TWO lambda-symbols

* CTT: theory Main now available, containing everything (that is, Bool
and Arith);


*** General ***

* Pure: the Simplifier has been implemented properly as a derived rule
outside of the actual kernel (at last!); the overall performance
penalty in practical applications is about 50%, while reliability of
the Isabelle inference kernel has been greatly improved;

* print modes "brackets" and "no_brackets" control output of nested =>
(types) and ==> (props); the default behaviour is "brackets";

* Provers: fast_tac (and friends) now handle actual object-logic rules
as assumptions as well;

* system: support Poly/ML 4.0;

* system: isatool install handles KDE version 1 or 2;



New in Isabelle99-1 (October 2000)
----------------------------------

*** Overview of INCOMPATIBILITIES ***

* HOL: simplification of natural numbers is much changed; to partly
recover the old behaviour (e.g. to prevent n+n rewriting to #2*n)
issue the following ML commands:

  Delsimprocs Nat_Numeral_Simprocs.cancel_numerals;
  Delsimprocs [Nat_Numeral_Simprocs.combine_numerals];

* HOL: simplification no longer dives into case-expressions; this is
controlled by "t.weak_case_cong" for each datatype t;

* HOL: nat_less_induct renamed to less_induct;

* HOL: systematic renaming of the SOME (Eps) rules, may use isatool
fixsome to patch .thy and .ML sources automatically;

  select_equality  -> some_equality
  select_eq_Ex     -> some_eq_ex
  selectI2EX       -> someI2_ex
  selectI2         -> someI2
  selectI          -> someI
  select1_equality -> some1_equality
  Eps_sym_eq       -> some_sym_eq_trivial
  Eps_eq           -> some_eq_trivial

* HOL: exhaust_tac on datatypes superceded by new generic case_tac;

* HOL: removed obsolete theorem binding expand_if (refer to split_if
instead);

* HOL: the recursion equations generated by 'recdef' are now called
f.simps instead of f.rules;

* HOL: qed_spec_mp now also handles bounded ALL as well;

* HOL: 0 is now overloaded, so the type constraint ":: nat" may
sometimes be needed;

* HOL: the constant for "f``x" is now "image" rather than "op ``";

* HOL: the constant for "f-``x" is now "vimage" rather than "op -``";

* HOL: the disjoint sum is now "<+>" instead of "Plus"; the cartesian
product is now "<*>" instead of "Times"; the lexicographic product is
now "<*lex*>" instead of "**";

* HOL: theory Sexp is now in HOL/Induct examples (it used to be part
of main HOL, but was unused); better use HOL's datatype package;

* HOL: removed "symbols" syntax for constant "override" of theory Map;
the old syntax may be recovered as follows:

  syntax (symbols)
    override  :: "('a ~=> 'b) => ('a ~=> 'b) => ('a ~=> 'b)"
      (infixl "\\<oplus>" 100)

* HOL/Real: "rabs" replaced by overloaded "abs" function;

* HOL/ML: even fewer consts are declared as global (see theories Ord,
Lfp, Gfp, WF); this only affects ML packages that refer to const names
internally;

* HOL and ZF: syntax for quotienting wrt an equivalence relation
changed from A/r to A//r;

* ZF: new treatment of arithmetic (nat & int) may break some old
proofs;

* Isar: renamed some attributes (RS -> THEN, simplify -> simplified,
rulify -> rule_format, elimify -> elim_format, ...);

* Isar/Provers: intro/elim/dest attributes changed; renamed
intro/intro!/intro!! flags to intro!/intro/intro? (in most cases, one
should have to change intro!! to intro? only); replaced "delrule" by
"rule del";

* Isar/HOL: renamed "intrs" to "intros" in inductive definitions;

* Provers: strengthened force_tac by using new first_best_tac;

* LaTeX document preparation: several changes of isabelle.sty (see
lib/texinputs);


*** Document preparation ***

* formal comments (text blocks etc.) in new-style theories may now
contain antiquotations of thm/prop/term/typ/text to be presented
according to latex print mode; concrete syntax is like this:
@{term[show_types] "f(x) = a + x"};

* isatool mkdir provides easy setup of Isabelle session directories,
including proper document sources;

* generated LaTeX sources are now deleted after successful run
(isatool document -c); may retain a copy somewhere else via -D option
of isatool usedir;

* isatool usedir -D now lets isatool latex -o sty update the Isabelle
style files, achieving self-contained LaTeX sources and simplifying
LaTeX debugging;

* old-style theories now produce (crude) LaTeX output as well;

* browser info session directories are now self-contained (may be put
on WWW server seperately); improved graphs of nested sessions; removed
graph for 'all sessions';

* several improvements in isabelle style files; \isabellestyle{it}
produces fake math mode output; \isamarkupheader is now \section by
default; see lib/texinputs/isabelle.sty etc.;


*** Isar ***

* Isar/Pure: local results and corresponding term bindings are now
subject to Hindley-Milner polymorphism (similar to ML); this
accommodates incremental type-inference very nicely;

* Isar/Pure: new derived language element 'obtain' supports
generalized existence reasoning;

* Isar/Pure: new calculational elements 'moreover' and 'ultimately'
support accumulation of results, without applying any rules yet;
useful to collect intermediate results without explicit name
references, and for use with transitivity rules with more than 2
premises;

* Isar/Pure: scalable support for case-analysis type proofs: new
'case' language element refers to local contexts symbolically, as
produced by certain proof methods; internally, case names are attached
to theorems as "tags";

* Isar/Pure: theory command 'hide' removes declarations from
class/type/const name spaces;

* Isar/Pure: theory command 'defs' supports option "(overloaded)" to
indicate potential overloading;

* Isar/Pure: changed syntax of local blocks from {{ }} to { };

* Isar/Pure: syntax of sorts made 'inner', i.e. have to write
"{a,b,c}" instead of {a,b,c};

* Isar/Pure now provides its own version of intro/elim/dest
attributes; useful for building new logics, but beware of confusion
with the version in Provers/classical;

* Isar/Pure: the local context of (non-atomic) goals is provided via
case name 'antecedent';

* Isar/Pure: removed obsolete 'transfer' attribute (transfer of thms
to the current context is now done automatically);

* Isar/Pure: theory command 'method_setup' provides a simple interface
for definining proof methods in ML;

* Isar/Provers: intro/elim/dest attributes changed; renamed
intro/intro!/intro!! flags to intro!/intro/intro? (INCOMPATIBILITY, in
most cases, one should have to change intro!! to intro? only);
replaced "delrule" by "rule del";

* Isar/Provers: new 'hypsubst' method, plain 'subst' method and
'symmetric' attribute (the latter supercedes [RS sym]);

* Isar/Provers: splitter support (via 'split' attribute and 'simp'
method modifier); 'simp' method: 'only:' modifier removes loopers as
well (including splits);

* Isar/Provers: Simplifier and Classical methods now support all kind
of modifiers used in the past, including 'cong', 'iff', etc.

* Isar/Provers: added 'fastsimp' and 'clarsimp' methods (combination
of Simplifier and Classical reasoner);

* Isar/HOL: new proof method 'cases' and improved version of 'induct'
now support named cases; major packages (inductive, datatype, primrec,
recdef) support case names and properly name parameters;

* Isar/HOL: new transitivity rules for substitution in inequalities --
monotonicity conditions are extracted to be proven at end of
calculations;

* Isar/HOL: removed 'case_split' thm binding, should use 'cases' proof
method anyway;

* Isar/HOL: removed old expand_if = split_if; theorems if_splits =
split_if split_if_asm; datatype package provides theorems foo.splits =
foo.split foo.split_asm for each datatype;

* Isar/HOL: tuned inductive package, rename "intrs" to "intros"
(potential INCOMPATIBILITY), emulation of mk_cases feature for proof
scripts: new 'inductive_cases' command and 'ind_cases' method; (Note:
use "(cases (simplified))" method in proper proof texts);

* Isar/HOL: added global 'arith_split' attribute for 'arith' method;

* Isar: names of theorems etc. may be natural numbers as well;

* Isar: 'pr' command: optional arguments for goals_limit and
ProofContext.prems_limit; no longer prints theory contexts, but only
proof states;

* Isar: diagnostic commands 'pr', 'thm', 'prop', 'term', 'typ' admit
additional print modes to be specified; e.g. "pr(latex)" will print
proof state according to the Isabelle LaTeX style;

* Isar: improved support for emulating tactic scripts, including proof
methods 'rule_tac' etc., 'cut_tac', 'thin_tac', 'subgoal_tac',
'rename_tac', 'rotate_tac', 'tactic', and 'case_tac' / 'induct_tac'
(for HOL datatypes);

* Isar: simplified (more robust) goal selection of proof methods: 1st
goal, all goals, or explicit goal specifier (tactic emulation); thus
'proof method scripts' have to be in depth-first order;

* Isar: tuned 'let' syntax: replaced 'as' keyword by 'and';

* Isar: removed 'help' command, which hasn't been too helpful anyway;
should instead use individual commands for printing items
(print_commands, print_methods etc.);

* Isar: added 'nothing' --- the empty list of theorems;


*** HOL ***

* HOL/MicroJava: formalization of a fragment of Java, together with a
corresponding virtual machine and a specification of its bytecode
verifier and a lightweight bytecode verifier, including proofs of
type-safety; by Gerwin Klein, Tobias Nipkow, David von Oheimb, and
Cornelia Pusch (see also the homepage of project Bali at
http://isabelle.in.tum.de/Bali/);

* HOL/Algebra: new theory of rings and univariate polynomials, by
Clemens Ballarin;

* HOL/NumberTheory: fundamental Theorem of Arithmetic, Chinese
Remainder Theorem, Fermat/Euler Theorem, Wilson's Theorem, by Thomas M
Rasmussen;

* HOL/Lattice: fundamental concepts of lattice theory and order
structures, including duals, properties of bounds versus algebraic
laws, lattice operations versus set-theoretic ones, the Knaster-Tarski
Theorem for complete lattices etc.; may also serve as a demonstration
for abstract algebraic reasoning using axiomatic type classes, and
mathematics-style proof in Isabelle/Isar; by Markus Wenzel;

* HOL/Prolog: a (bare-bones) implementation of Lambda-Prolog, by David
von Oheimb;

* HOL/IMPP: extension of IMP with local variables and mutually
recursive procedures, by David von Oheimb;

* HOL/Lambda: converted into new-style theory and document;

* HOL/ex/Multiquote: example of multiple nested quotations and
anti-quotations -- basically a generalized version of de-Bruijn
representation; very useful in avoiding lifting of operations;

* HOL/record: added general record equality rule to simpset; fixed
select-update simplification procedure to handle extended records as
well; admit "r" as field name;

* HOL: 0 is now overloaded over the new sort "zero", allowing its use with
other numeric types and also as the identity of groups, rings, etc.;

* HOL: new axclass plus_ac0 for addition with the AC-laws and 0 as identity.
Types nat and int belong to this axclass;

* HOL: greatly improved simplification involving numerals of type nat, int, real:
   (i + #8 + j) = Suc k simplifies to  #7 + (i + j) = k
   i*j + k + j*#3*i     simplifies to  #4*(i*j) + k
  two terms #m*u and #n*u are replaced by #(m+n)*u
    (where #m, #n and u can implicitly be 1; this is simproc combine_numerals)
  and the term/formula #m*u+x ~~ #n*u+y simplifies simplifies to #(m-n)+x ~~ y
    or x ~~ #(n-m)+y, where ~~ is one of = < <= or - (simproc cancel_numerals);

* HOL: meson_tac is available (previously in ex/meson.ML); it is a
powerful prover for predicate logic but knows nothing of clasets; see
ex/mesontest.ML and ex/mesontest2.ML for example applications;

* HOL: new version of "case_tac" subsumes both boolean case split and
"exhaust_tac" on datatypes; INCOMPATIBILITY: exhaust_tac no longer
exists, may define val exhaust_tac = case_tac for ad-hoc portability;

* HOL: simplification no longer dives into case-expressions: only the
selector expression is simplified, but not the remaining arms; to
enable full simplification of case-expressions for datatype t, you may
remove t.weak_case_cong from the simpset, either globally (Delcongs
[thm"t.weak_case_cong"];) or locally (delcongs [...]).

* HOL/recdef: the recursion equations generated by 'recdef' for
function 'f' are now called f.simps instead of f.rules; if all
termination conditions are proved automatically, these simplification
rules are added to the simpset, as in primrec; rules may be named
individually as well, resulting in a separate list of theorems for
each equation;

* HOL/While is a new theory that provides a while-combinator. It
permits the definition of tail-recursive functions without the
provision of a termination measure. The latter is necessary once the
invariant proof rule for while is applied.

* HOL: new (overloaded) notation for the set of elements below/above
some element: {..u}, {..u(}, {l..}, {)l..}. See theory SetInterval.

* HOL: theorems impI, allI, ballI bound as "strip";

* HOL: new tactic induct_thm_tac: thm -> string -> int -> tactic
induct_tac th "x1 ... xn" expects th to have a conclusion of the form
P v1 ... vn and abbreviates res_inst_tac [("v1","x1"),...,("vn","xn")] th;

* HOL/Real: "rabs" replaced by overloaded "abs" function;

* HOL: theory Sexp now in HOL/Induct examples (it used to be part of
main HOL, but was unused);

* HOL: fewer consts declared as global (e.g. have to refer to
"Lfp.lfp" instead of "lfp" internally; affects ML packages only);

* HOL: tuned AST representation of nested pairs, avoiding bogus output
in case of overlap with user translations (e.g. judgements over
tuples); (note that the underlying logical represenation is still
bogus);


*** ZF ***

* ZF: simplification automatically cancels common terms in arithmetic
expressions over nat and int;

* ZF: new treatment of nat to minimize type-checking: all operators
coerce their operands to a natural number using the function natify,
making the algebraic laws unconditional;

* ZF: as above, for int: operators coerce their operands to an integer
using the function intify;

* ZF: the integer library now contains many of the usual laws for the
orderings, including $<=, and monotonicity laws for $+ and $*;

* ZF: new example ZF/ex/NatSum to demonstrate integer arithmetic
simplification;

* FOL and ZF: AddIffs now available, giving theorems of the form P<->Q
to the simplifier and classical reasoner simultaneously;


*** General ***

* Provers: blast_tac now handles actual object-logic rules as
assumptions; note that auto_tac uses blast_tac internally as well;

* Provers: new functions rulify/rulify_no_asm: thm -> thm for turning
outer -->/All/Ball into ==>/!!; qed_spec_mp now uses rulify_no_asm;

* Provers: delrules now handles destruct rules as well (no longer need
explicit make_elim);

* Provers: Blast_tac now warns of and ignores "weak elimination rules" e.g.
  [| inj ?f;          ?f ?x = ?f ?y; ?x = ?y ==> ?W |] ==> ?W
use instead the strong form,
  [| inj ?f; ~ ?W ==> ?f ?x = ?f ?y; ?x = ?y ==> ?W |] ==> ?W
in HOL, FOL and ZF the function cla_make_elim will create such rules
from destruct-rules;

* Provers: Simplifier.easy_setup provides a fast path to basic
Simplifier setup for new object-logics;

* Pure: AST translation rules no longer require constant head on LHS;

* Pure: improved name spaces: ambiguous output is qualified; support
for hiding of names;

* system: smart setup of canonical ML_HOME, ISABELLE_INTERFACE, and
XSYMBOL_HOME; no longer need to do manual configuration in most
situations;

* system: compression of ML heaps images may now be controlled via -c
option of isabelle and isatool usedir (currently only observed by
Poly/ML);

* system: isatool installfonts may handle X-Symbol fonts as well (very
useful for remote X11);

* system: provide TAGS file for Isabelle sources;

* ML: infix 'OF' is a version of 'MRS' with more appropriate argument
order;

* ML: renamed flags Syntax.trace_norm_ast to Syntax.trace_ast; global
timing flag supersedes proof_timing and Toplevel.trace;

* ML: new combinators |>> and |>>> for incremental transformations
with secondary results (e.g. certain theory extensions):

* ML: PureThy.add_defs gets additional argument to indicate potential
overloading (usually false);

* ML: PureThy.add_thms/add_axioms/add_defs now return theorems as
results;



New in Isabelle99 (October 1999)
--------------------------------

*** Overview of INCOMPATIBILITIES (see below for more details) ***

* HOL: The THEN and ELSE parts of conditional expressions (if P then x else y)
are no longer simplified.  (This allows the simplifier to unfold recursive
functional programs.)  To restore the old behaviour, declare

    Delcongs [if_weak_cong];

* HOL: Removed the obsolete syntax "Compl A"; use -A for set
complement;

* HOL: the predicate "inj" is now defined by translation to "inj_on";

* HOL/datatype: mutual_induct_tac no longer exists --
  use induct_tac "x_1 ... x_n" instead of mutual_induct_tac ["x_1", ..., "x_n"]

* HOL/typedef: fixed type inference for representing set; type
arguments now have to occur explicitly on the rhs as type constraints;

* ZF: The con_defs part of an inductive definition may no longer refer
to constants declared in the same theory;

* HOL, ZF: the function mk_cases, generated by the inductive
definition package, has lost an argument.  To simplify its result, it
uses the default simpset instead of a supplied list of theorems.

* HOL/List: the constructors of type list are now Nil and Cons;

* Simplifier: the type of the infix ML functions
        setSSolver addSSolver setSolver addSolver
is now  simpset * solver -> simpset  where `solver' is a new abstract type
for packaging solvers. A solver is created via
        mk_solver: string -> (thm list -> int -> tactic) -> solver
where the string argument is only a comment.


*** Proof tools ***

* Provers/Arith/fast_lin_arith.ML contains a functor for creating a
decision procedure for linear arithmetic. Currently it is used for
types `nat', `int', and `real' in HOL (see below); it can, should and
will be instantiated for other types and logics as well.

* The simplifier now accepts rewrite rules with flexible heads, eg
     hom ?f ==> ?f(?x+?y) = ?f ?x + ?f ?y
  They are applied like any rule with a non-pattern lhs, i.e. by first-order
  matching.


*** General ***

* New Isabelle/Isar subsystem provides an alternative to traditional
tactical theorem proving; together with the ProofGeneral/isar user
interface it offers an interactive environment for developing human
readable proof documents (Isar == Intelligible semi-automated
reasoning); for further information see isatool doc isar-ref,
src/HOL/Isar_examples and http://isabelle.in.tum.de/Isar/

* improved and simplified presentation of theories: better HTML markup
(including colors), graph views in several sizes; isatool usedir now
provides a proper interface for user theories (via -P option); actual
document preparation based on (PDF)LaTeX is available as well (for
new-style theories only); see isatool doc system for more information;

* native support for Proof General, both for classic Isabelle and
Isabelle/Isar;

* ML function thm_deps visualizes dependencies of theorems and lemmas,
using the graph browser tool;

* Isabelle manuals now also available as PDF;

* theory loader rewritten from scratch (may not be fully
bug-compatible); old loadpath variable has been replaced by show_path,
add_path, del_path, reset_path functions; new operations such as
update_thy, touch_thy, remove_thy, use/update_thy_only (see also
isatool doc ref);

* improved isatool install: option -k creates KDE application icon,
option -p DIR installs standalone binaries;

* added ML_PLATFORM setting (useful for cross-platform installations);
more robust handling of platform specific ML images for SML/NJ;

* the settings environment is now statically scoped, i.e. it is never
created again in sub-processes invoked from isabelle, isatool, or
Isabelle;

* path element specification '~~' refers to '$ISABELLE_HOME';

* in locales, the "assumes" and "defines" parts may be omitted if
empty;

* new print_mode "xsymbols" for extended symbol support (e.g. genuine
long arrows);

* new print_mode "HTML";

* new flag show_tags controls display of tags of theorems (which are
basically just comments that may be attached by some tools);

* Isamode 2.6 requires patch to accomodate change of Isabelle font
mode and goal output format:

diff -r Isamode-2.6/elisp/isa-load.el Isamode/elisp/isa-load.el
244c244
<       (list (isa-getenv "ISABELLE") "-msymbols" logic-name)
---
>       (list (isa-getenv "ISABELLE") "-misabelle_font" "-msymbols" logic-name)
diff -r Isabelle-2.6/elisp/isa-proofstate.el Isamode/elisp/isa-proofstate.el
181c181
< (defconst proofstate-proofstart-regexp "^Level [0-9]+$"
---
> (defconst proofstate-proofstart-regexp "^Level [0-9]+"

* function bind_thms stores lists of theorems (cf. bind_thm);

* new shorthand tactics ftac, eatac, datac, fatac;

* qed (and friends) now accept "" as result name; in that case the
theorem is not stored, but proper checks and presentation of the
result still apply;

* theorem database now also indexes constants "Trueprop", "all",
"==>", "=="; thus thms_containing, findI etc. may retrieve more rules;


*** HOL ***

** HOL arithmetic **

* There are now decision procedures for linear arithmetic over nat and
int:

1. arith_tac copes with arbitrary formulae involving `=', `<', `<=',
`+', `-', `Suc', `min', `max' and numerical constants; other subterms
are treated as atomic; subformulae not involving type `nat' or `int'
are ignored; quantified subformulae are ignored unless they are
positive universal or negative existential. The tactic has to be
invoked by hand and can be a little bit slow. In particular, the
running time is exponential in the number of occurrences of `min' and
`max', and `-' on `nat'.

2. fast_arith_tac is a cut-down version of arith_tac: it only takes
(negated) (in)equalities among the premises and the conclusion into
account (i.e. no compound formulae) and does not know about `min' and
`max', and `-' on `nat'. It is fast and is used automatically by the
simplifier.

NB: At the moment, these decision procedures do not cope with mixed
nat/int formulae where the two parts interact, such as `m < n ==>
int(m) < int(n)'.

* HOL/Numeral provides a generic theory of numerals (encoded
efficiently as bit strings); setup for types nat/int/real is in place;
INCOMPATIBILITY: since numeral syntax is now polymorphic, rather than
int, existing theories and proof scripts may require a few additional
type constraints;

* integer division and remainder can now be performed on constant
arguments;

* many properties of integer multiplication, division and remainder
are now available;

* An interface to the Stanford Validity Checker (SVC) is available through the
tactic svc_tac.  Propositional tautologies and theorems of linear arithmetic
are proved automatically.  SVC must be installed separately, and its results
must be TAKEN ON TRUST (Isabelle does not check the proofs, but tags any
invocation of the underlying oracle).  For SVC see
  http://verify.stanford.edu/SVC

* IsaMakefile: the HOL-Real target now builds an actual image;


** HOL misc **

* HOL/Real/HahnBanach: the Hahn-Banach theorem for real vector spaces
(in Isabelle/Isar) -- by Gertrud Bauer;

* HOL/BCV: generic model of bytecode verification, i.e. data-flow
analysis for assembly languages with subtypes;

* HOL/TLA (Lamport's Temporal Logic of Actions): major reorganization
-- avoids syntactic ambiguities and treats state, transition, and
temporal levels more uniformly; introduces INCOMPATIBILITIES due to
changed syntax and (many) tactics;

* HOL/inductive: Now also handles more general introduction rules such
  as "ALL y. (y, x) : r --> y : acc r ==> x : acc r"; monotonicity
  theorems are now maintained within the theory (maintained via the
  "mono" attribute);

* HOL/datatype: Now also handles arbitrarily branching datatypes
  (using function types) such as

  datatype 'a tree = Atom 'a | Branch "nat => 'a tree"

* HOL/record: record_simproc (part of the default simpset) takes care
of selectors applied to updated records; record_split_tac is no longer
part of the default claset; update_defs may now be removed from the
simpset in many cases; COMPATIBILITY: old behavior achieved by

  claset_ref () := claset() addSWrapper record_split_wrapper;
  Delsimprocs [record_simproc]

* HOL/typedef: fixed type inference for representing set; type
arguments now have to occur explicitly on the rhs as type constraints;

* HOL/recdef (TFL): 'congs' syntax now expects comma separated list of theorem
names rather than an ML expression;

* HOL/defer_recdef (TFL): like recdef but the well-founded relation can be
supplied later.  Program schemes can be defined, such as
    "While B C s = (if B s then While B C (C s) else s)"
where the well-founded relation can be chosen after B and C have been given.

* HOL/List: the constructors of type list are now Nil and Cons;
INCOMPATIBILITY: while [] and infix # syntax is still there, of
course, ML tools referring to List.list.op # etc. have to be adapted;

* HOL_quantifiers flag superseded by "HOL" print mode, which is
disabled by default; run isabelle with option -m HOL to get back to
the original Gordon/HOL-style output;

* HOL/Ord.thy: new bounded quantifier syntax (input only): ALL x<y. P,
ALL x<=y. P, EX x<y. P, EX x<=y. P;

* HOL basic syntax simplified (more orthogonal): all variants of
All/Ex now support plain / symbolic / HOL notation; plain syntax for
Eps operator is provided as well: "SOME x. P[x]";

* HOL/Sum.thy: sum_case has been moved to HOL/Datatype;

* HOL/Univ.thy: infix syntax <*>, <+>, <**>, <+> eliminated and made
thus available for user theories;

* HOLCF/IOA/Sequents: renamed 'Cons' to 'Consq' to avoid clash with
HOL/List; hardly an INCOMPATIBILITY since '>>' syntax is used all the
time;

* HOL: new tactic smp_tac: int -> int -> tactic, which applies spec
several times and then mp;


*** LK ***

* the notation <<...>> is now available as a notation for sequences of
formulas;

* the simplifier is now installed

* the axiom system has been generalized (thanks to Soren Heilmann)

* the classical reasoner now has a default rule database


*** ZF ***

* new primrec section allows primitive recursive functions to be given
directly (as in HOL) over datatypes and the natural numbers;

* new tactics induct_tac and exhaust_tac for induction (or case
analysis) over datatypes and the natural numbers;

* the datatype declaration of type T now defines the recursor T_rec;

* simplification automatically does freeness reasoning for datatype
constructors;

* automatic type-inference, with AddTCs command to insert new
type-checking rules;

* datatype introduction rules are now added as Safe Introduction rules
to the claset;

* the syntax "if P then x else y" is now available in addition to
if(P,x,y);


*** Internal programming interfaces ***

* tuned simplifier trace output; new flag debug_simp;

* structures Vartab / Termtab (instances of TableFun) offer efficient
tables indexed by indexname_ord / term_ord (compatible with aconv);

* AxClass.axclass_tac lost the theory argument;

* tuned current_goals_markers semantics: begin / end goal avoids
printing empty lines;

* removed prs and prs_fn hook, which was broken because it did not
include \n in its semantics, forcing writeln to add one
uncoditionally; replaced prs_fn by writeln_fn; consider std_output:
string -> unit if you really want to output text without newline;

* Symbol.output subject to print mode; INCOMPATIBILITY: defaults to
plain output, interface builders may have to enable 'isabelle_font'
mode to get Isabelle font glyphs as before;

* refined token_translation interface; INCOMPATIBILITY: output length
now of type real instead of int;

* theory loader actions may be traced via new ThyInfo.add_hook
interface (see src/Pure/Thy/thy_info.ML); example application: keep
your own database of information attached to *whole* theories -- as
opposed to intra-theory data slots offered via TheoryDataFun;

* proper handling of dangling sort hypotheses (at last!);
Thm.strip_shyps and Drule.strip_shyps_warning take care of removing
extra sort hypotheses that can be witnessed from the type signature;
the force_strip_shyps flag is gone, any remaining shyps are simply
left in the theorem (with a warning issued by strip_shyps_warning);



New in Isabelle98-1 (October 1998)
----------------------------------

*** Overview of INCOMPATIBILITIES (see below for more details) ***

* several changes of automated proof tools;

* HOL: major changes to the inductive and datatype packages, including
some minor incompatibilities of theory syntax;

* HOL: renamed r^-1 to 'converse' from 'inverse'; 'inj_onto' is now
called `inj_on';

* HOL: removed duplicate thms in Arith:
  less_imp_add_less  should be replaced by  trans_less_add1
  le_imp_add_le      should be replaced by  trans_le_add1

* HOL: unary minus is now overloaded (new type constraints may be
required);

* HOL and ZF: unary minus for integers is now #- instead of #~.  In
ZF, expressions such as n#-1 must be changed to n#- 1, since #-1 is
now taken as an integer constant.

* Pure: ML function 'theory_of' renamed to 'theory';


*** Proof tools ***

* Simplifier:
  1. Asm_full_simp_tac is now more aggressive.
     1. It will sometimes reorient premises if that increases their power to
        simplify.
     2. It does no longer proceed strictly from left to right but may also
        rotate premises to achieve further simplification.
     For compatibility reasons there is now Asm_lr_simp_tac which is like the
     old Asm_full_simp_tac in that it does not rotate premises.
  2. The simplifier now knows a little bit about nat-arithmetic.

* Classical reasoner: wrapper mechanism for the classical reasoner now
allows for selected deletion of wrappers, by introduction of names for
wrapper functionals.  This implies that addbefore, addSbefore,
addaltern, and addSaltern now take a pair (name, tactic) as argument,
and that adding two tactics with the same name overwrites the first
one (emitting a warning).
  type wrapper = (int -> tactic) -> (int -> tactic)
  setWrapper, setSWrapper, compWrapper and compSWrapper are replaced by
  addWrapper, addSWrapper: claset * (string * wrapper) -> claset
  delWrapper, delSWrapper: claset *  string            -> claset
  getWrapper is renamed to appWrappers, getSWrapper to appSWrappers;

* Classical reasoner: addbefore/addSbefore now have APPEND/ORELSE
semantics; addbefore now affects only the unsafe part of step_tac
etc.; this affects addss/auto_tac/force_tac, so EXISTING PROOFS MAY
FAIL, but proofs should be fixable easily, e.g. by replacing Auto_tac
by Force_tac;

* Classical reasoner: setwrapper to setWrapper and compwrapper to
compWrapper; added safe wrapper (and access functions for it);

* HOL/split_all_tac is now much faster and fails if there is nothing
to split.  Some EXISTING PROOFS MAY REQUIRE ADAPTION because the order
and the names of the automatically generated variables have changed.
split_all_tac has moved within claset() from unsafe wrappers to safe
wrappers, which means that !!-bound variables are split much more
aggressively, and safe_tac and clarify_tac now split such variables.
If this splitting is not appropriate, use delSWrapper "split_all_tac".
Note: the same holds for record_split_tac, which does the job of
split_all_tac for record fields.

* HOL/Simplifier: Rewrite rules for case distinctions can now be added
permanently to the default simpset using Addsplits just like
Addsimps. They can be removed via Delsplits just like
Delsimps. Lower-case versions are also available.

* HOL/Simplifier: The rule split_if is now part of the default
simpset. This means that the simplifier will eliminate all occurrences
of if-then-else in the conclusion of a goal. To prevent this, you can
either remove split_if completely from the default simpset by
`Delsplits [split_if]' or remove it in a specific call of the
simplifier using `... delsplits [split_if]'.  You can also add/delete
other case splitting rules to/from the default simpset: every datatype
generates suitable rules `split_t_case' and `split_t_case_asm' (where
t is the name of the datatype).

* Classical reasoner / Simplifier combination: new force_tac (and
derivatives Force_tac, force) combines rewriting and classical
reasoning (and whatever other tools) similarly to auto_tac, but is
aimed to solve the given subgoal completely.


*** General ***

* new top-level commands `Goal' and `Goalw' that improve upon `goal'
and `goalw': the theory is no longer needed as an explicit argument -
the current theory context is used; assumptions are no longer returned
at the ML-level unless one of them starts with ==> or !!; it is
recommended to convert to these new commands using isatool fixgoal
(backup your sources first!);

* new top-level commands 'thm' and 'thms' for retrieving theorems from
the current theory context, and 'theory' to lookup stored theories;

* new theory section 'locale' for declaring constants, assumptions and
definitions that have local scope;

* new theory section 'nonterminals' for purely syntactic types;

* new theory section 'setup' for generic ML setup functions
(e.g. package initialization);

* the distribution now includes Isabelle icons: see
lib/logo/isabelle-{small,tiny}.xpm;

* isatool install - install binaries with absolute references to
ISABELLE_HOME/bin;

* isatool logo -- create instances of the Isabelle logo (as EPS);

* print mode 'emacs' reserved for Isamode;

* support multiple print (ast) translations per constant name;

* theorems involving oracles are now printed with a suffixed [!];


*** HOL ***

* there is now a tutorial on Isabelle/HOL (do 'isatool doc tutorial');

* HOL/inductive package reorganized and improved: now supports mutual
definitions such as

  inductive EVEN ODD
    intrs
      null "0 : EVEN"
      oddI "n : EVEN ==> Suc n : ODD"
      evenI "n : ODD ==> Suc n : EVEN"

new theorem list "elims" contains an elimination rule for each of the
recursive sets; inductive definitions now handle disjunctive premises
correctly (also ZF);

INCOMPATIBILITIES: requires Inductive as an ancestor; component
"mutual_induct" no longer exists - the induction rule is always
contained in "induct";


* HOL/datatype package re-implemented and greatly improved: now
supports mutually recursive datatypes such as

  datatype
    'a aexp = IF_THEN_ELSE ('a bexp) ('a aexp) ('a aexp)
            | SUM ('a aexp) ('a aexp)
            | DIFF ('a aexp) ('a aexp)
            | NUM 'a
  and
    'a bexp = LESS ('a aexp) ('a aexp)
            | AND ('a bexp) ('a bexp)
            | OR ('a bexp) ('a bexp)

as well as indirectly recursive datatypes such as

  datatype
    ('a, 'b) term = Var 'a
                  | App 'b ((('a, 'b) term) list)

The new tactic  mutual_induct_tac [<var_1>, ..., <var_n>] i  performs
induction on mutually / indirectly recursive datatypes.

Primrec equations are now stored in theory and can be accessed via
<function_name>.simps.

INCOMPATIBILITIES:

  - Theories using datatypes must now have theory Datatype as an
    ancestor.
  - The specific <typename>.induct_tac no longer exists - use the
    generic induct_tac instead.
  - natE has been renamed to nat.exhaust - use exhaust_tac
    instead of res_inst_tac ... natE. Note that the variable
    names in nat.exhaust differ from the names in natE, this
    may cause some "fragile" proofs to fail.
  - The theorems split_<typename>_case and split_<typename>_case_asm
    have been renamed to <typename>.split and <typename>.split_asm.
  - Since default sorts of type variables are now handled correctly,
    some datatype definitions may have to be annotated with explicit
    sort constraints.
  - Primrec definitions no longer require function name and type
    of recursive argument.

Consider using isatool fixdatatype to adapt your theories and proof
scripts to the new package (backup your sources first!).


* HOL/record package: considerably improved implementation; now
includes concrete syntax for record types, terms, updates; theorems
for surjective pairing and splitting !!-bound record variables; proof
support is as follows:

  1) standard conversions (selectors or updates applied to record
constructor terms) are part of the standard simpset;

  2) inject equations of the form ((x, y) = (x', y')) == x=x' & y=y' are
made part of standard simpset and claset via addIffs;

  3) a tactic for record field splitting (record_split_tac) is part of
the standard claset (addSWrapper);

To get a better idea about these rules you may retrieve them via
something like 'thms "foo.simps"' or 'thms "foo.iffs"', where "foo" is
the name of your record type.

The split tactic 3) conceptually simplifies by the following rule:

  "(!!x. PROP ?P x) == (!!a b. PROP ?P (a, b))"

Thus any record variable that is bound by meta-all will automatically
blow up into some record constructor term, consequently the
simplifications of 1), 2) apply.  Thus force_tac, auto_tac etc. shall
solve record problems automatically.


* reorganized the main HOL image: HOL/Integ and String loaded by
default; theory Main includes everything;

* automatic simplification of integer sums and comparisons, using cancellation;

* added option_map_eq_Some and not_Some_eq to the default simpset and claset;

* added disj_not1 = "(~P | Q) = (P --> Q)" to the default simpset;

* many new identities for unions, intersections, set difference, etc.;

* expand_if, expand_split, expand_sum_case and expand_nat_case are now
called split_if, split_split, split_sum_case and split_nat_case (to go
with add/delsplits);

* HOL/Prod introduces simplification procedure unit_eq_proc rewriting
(?x::unit) = (); this is made part of the default simpset, which COULD
MAKE EXISTING PROOFS FAIL under rare circumstances (consider
'Delsimprocs [unit_eq_proc];' as last resort); also note that
unit_abs_eta_conv is added in order to counter the effect of
unit_eq_proc on (%u::unit. f u), replacing it by f rather than by
%u.f();

* HOL/Fun INCOMPATIBILITY: `inj_onto' is now called `inj_on' (which
makes more sense);

* HOL/Set INCOMPATIBILITY: rule `equals0D' is now a well-formed destruct rule;
  It and 'sym RS equals0D' are now in the default  claset, giving automatic
  disjointness reasoning but breaking a few old proofs.

* HOL/Relation INCOMPATIBILITY: renamed the relational operator r^-1
to 'converse' from 'inverse' (for compatibility with ZF and some
literature);

* HOL/recdef can now declare non-recursive functions, with {} supplied as
the well-founded relation;

* HOL/Set INCOMPATIBILITY: the complement of set A is now written -A instead of
    Compl A.  The "Compl" syntax remains available as input syntax for this
    release ONLY.

* HOL/Update: new theory of function updates:
    f(a:=b) == %x. if x=a then b else f x
may also be iterated as in f(a:=b,c:=d,...);

* HOL/Vimage: new theory for inverse image of a function, syntax f-``B;

* HOL/List:
  - new function list_update written xs[i:=v] that updates the i-th
    list position. May also be iterated as in xs[i:=a,j:=b,...].
  - new function `upt' written [i..j(] which generates the list
    [i,i+1,...,j-1], i.e. the upper bound is excluded. To include the upper
    bound write [i..j], which is a shorthand for [i..j+1(].
  - new lexicographic orderings and corresponding wellfoundedness theorems.

* HOL/Arith:
  - removed 'pred' (predecessor) function;
  - generalized some theorems about n-1;
  - many new laws about "div" and "mod";
  - new laws about greatest common divisors (see theory ex/Primes);

* HOL/Relation: renamed the relational operator r^-1 "converse"
instead of "inverse";

* HOL/Induct/Multiset: a theory of multisets, including the wellfoundedness
  of the multiset ordering;

* directory HOL/Real: a construction of the reals using Dedekind cuts
  (not included by default);

* directory HOL/UNITY: Chandy and Misra's UNITY formalism;

* directory HOL/Hoare: a new version of Hoare logic which permits many-sorted
  programs, i.e. different program variables may have different types.

* calling (stac rew i) now fails if "rew" has no effect on the goal
  [previously, this check worked only if the rewrite rule was unconditional]
  Now rew can involve either definitions or equalities (either == or =).


*** ZF ***

* theory Main includes everything; INCOMPATIBILITY: theory ZF.thy contains
  only the theorems proved on ZF.ML;

* ZF INCOMPATIBILITY: rule `equals0D' is now a well-formed destruct rule;
  It and 'sym RS equals0D' are now in the default  claset, giving automatic
  disjointness reasoning but breaking a few old proofs.

* ZF/Update: new theory of function updates
    with default rewrite rule  f(x:=y) ` z = if(z=x, y, f`z)
  may also be iterated as in f(a:=b,c:=d,...);

* in  let x=t in u(x), neither t nor u(x) has to be an FOL term.

* calling (stac rew i) now fails if "rew" has no effect on the goal
  [previously, this check worked only if the rewrite rule was unconditional]
  Now rew can involve either definitions or equalities (either == or =).

* case_tac provided for compatibility with HOL
    (like the old excluded_middle_tac, but with subgoals swapped)


*** Internal programming interfaces ***

* Pure: several new basic modules made available for general use, see
also src/Pure/README;

* improved the theory data mechanism to support encapsulation (data
kind name replaced by private Object.kind, acting as authorization
key); new type-safe user interface via functor TheoryDataFun; generic
print_data function becomes basically useless;

* removed global_names compatibility flag -- all theory declarations
are qualified by default;

* module Pure/Syntax now offers quote / antiquote translation
functions (useful for Hoare logic etc. with implicit dependencies);
see HOL/ex/Antiquote for an example use;

* Simplifier now offers conversions (asm_)(full_)rewrite: simpset ->
cterm -> thm;

* new tactical CHANGED_GOAL for checking that a tactic modifies a
subgoal;

* Display.print_goals function moved to Locale.print_goals;

* standard print function for goals supports current_goals_markers
variable for marking begin of proof, end of proof, start of goal; the
default is ("", "", ""); setting current_goals_markers := ("<proof>",
"</proof>", "<goal>") causes SGML like tagged proof state printing,
for example;



New in Isabelle98 (January 1998)
--------------------------------

*** Overview of INCOMPATIBILITIES (see below for more details) ***

* changed lexical syntax of terms / types: dots made part of long
identifiers, e.g. "%x.x" no longer possible, should be "%x. x";

* simpset (and claset) reference variable replaced by functions
simpset / simpset_ref;

* no longer supports theory aliases (via merge) and non-trivial
implicit merge of thms' signatures;

* most internal names of constants changed due to qualified names;

* changed Pure/Sequence interface (see Pure/seq.ML);


*** General Changes ***

* hierachically structured name spaces (for consts, types, axms, thms
etc.); new lexical class 'longid' (e.g. Foo.bar.x) may render much of
old input syntactically incorrect (e.g. "%x.x"); COMPATIBILITY:
isatool fixdots ensures space after dots (e.g. "%x. x"); set
long_names for fully qualified output names; NOTE: ML programs
(special tactics, packages etc.) referring to internal names may have
to be adapted to cope with fully qualified names; in case of severe
backward campatibility problems try setting 'global_names' at compile
time to have enrything declared within a flat name space; one may also
fine tune name declarations in theories via the 'global' and 'local'
section;

* reimplemented the implicit simpset and claset using the new anytype
data filed in signatures; references simpset:simpset ref etc. are
replaced by functions simpset:unit->simpset and
simpset_ref:unit->simpset ref; COMPATIBILITY: use isatool fixclasimp
to patch your ML files accordingly;

* HTML output now includes theory graph data for display with Java
applet or isatool browser; data generated automatically via isatool
usedir (see -i option, ISABELLE_USEDIR_OPTIONS);

* defs may now be conditional; improved rewrite_goals_tac to handle
conditional equations;

* defs now admits additional type arguments, using TYPE('a) syntax;

* theory aliases via merge (e.g. M=A+B+C) no longer supported, always
creates a new theory node; implicit merge of thms' signatures is
restricted to 'trivial' ones; COMPATIBILITY: one may have to use
transfer:theory->thm->thm in (rare) cases;

* improved handling of draft signatures / theories; draft thms (and
ctyps, cterms) are automatically promoted to real ones;

* slightly changed interfaces for oracles: admit many per theory, named
(e.g. oracle foo = mlfun), additional name argument for invoke_oracle;

* print_goals: optional output of const types (set show_consts and
show_types);

* improved output of warnings (###) and errors (***);

* subgoal_tac displays a warning if the new subgoal has type variables;

* removed old README and Makefiles;

* replaced print_goals_ref hook by print_current_goals_fn and result_error_fn;

* removed obsolete init_pps and init_database;

* deleted the obsolete tactical STATE, which was declared by
    fun STATE tacfun st = tacfun st st;

* cd and use now support path variables, e.g. $ISABELLE_HOME, or ~
(which abbreviates $HOME);

* changed Pure/Sequence interface (see Pure/seq.ML); COMPATIBILITY:
use isatool fixseq to adapt your ML programs (this works for fully
qualified references to the Sequence structure only!);

* use_thy no longer requires writable current directory; it always
reloads .ML *and* .thy file, if either one is out of date;


*** Classical Reasoner ***

* Clarify_tac, clarify_tac, clarify_step_tac, Clarify_step_tac: new
tactics that use classical reasoning to simplify a subgoal without
splitting it into several subgoals;

* Safe_tac: like safe_tac but uses the default claset;


*** Simplifier ***

* added simplification meta rules:
    (asm_)(full_)simplify: simpset -> thm -> thm;

* simplifier.ML no longer part of Pure -- has to be loaded by object
logics (again);

* added prems argument to simplification procedures;

* HOL, FOL, ZF: added infix function `addsplits':
  instead of `<simpset> setloop (split_tac <thms>)'
  you can simply write `<simpset> addsplits <thms>'


*** Syntax ***

* TYPE('a) syntax for type reflection terms;

* no longer handles consts with name "" -- declare as 'syntax' instead;

* pretty printer: changed order of mixfix annotation preference (again!);

* Pure: fixed idt/idts vs. pttrn/pttrns syntactic categories;


*** HOL ***

* HOL: there is a new splitter `split_asm_tac' that can be used e.g.
  with `addloop' of the simplifier to faciliate case splitting in premises.

* HOL/TLA: Stephan Merz's formalization of Lamport's Temporal Logic of Actions;

* HOL/Auth: new protocol proofs including some for the Internet
  protocol TLS;

* HOL/Map: new theory of `maps' a la VDM;

* HOL/simplifier: simplification procedures nat_cancel_sums for
cancelling out common nat summands from =, <, <= (in)equalities, or
differences; simplification procedures nat_cancel_factor for
cancelling common factor from =, <, <= (in)equalities over natural
sums; nat_cancel contains both kinds of procedures, it is installed by
default in Arith.thy -- this COULD MAKE EXISTING PROOFS FAIL;

* HOL/simplifier: terms of the form
  `? x. P1(x) & ... & Pn(x) & x=t & Q1(x) & ... Qn(x)'  (or t=x)
  are rewritten to
  `P1(t) & ... & Pn(t) & Q1(t) & ... Qn(t)',
  and those of the form
  `! x. P1(x) & ... & Pn(x) & x=t & Q1(x) & ... Qn(x) --> R(x)'  (or t=x)
  are rewritten to
  `P1(t) & ... & Pn(t) & Q1(t) & ... Qn(t) --> R(t)',

* HOL/datatype
  Each datatype `t' now comes with a theorem `split_t_case' of the form

  P(t_case f1 ... fn x) =
     ( (!y1 ... ym1. x = C1 y1 ... ym1 --> P(f1 y1 ... ym1)) &
        ...
       (!y1 ... ymn. x = Cn y1 ... ymn --> P(f1 y1 ... ymn))
     )

  and a theorem `split_t_case_asm' of the form

  P(t_case f1 ... fn x) =
    ~( (? y1 ... ym1. x = C1 y1 ... ym1 & ~P(f1 y1 ... ym1)) |
        ...
       (? y1 ... ymn. x = Cn y1 ... ymn & ~P(f1 y1 ... ymn))
     )
  which can be added to a simpset via `addsplits'. The existing theorems
  expand_list_case and expand_option_case have been renamed to
  split_list_case and split_option_case.

* HOL/Arithmetic:
  - `pred n' is automatically converted to `n-1'.
    Users are strongly encouraged not to use `pred' any longer,
    because it will disappear altogether at some point.
  - Users are strongly encouraged to write "0 < n" rather than
    "n ~= 0". Theorems and proof tools have been modified towards this
    `standard'.

* HOL/Lists:
  the function "set_of_list" has been renamed "set" (and its theorems too);
  the function "nth" now takes its arguments in the reverse order and
  has acquired the infix notation "!" as in "xs!n".

* HOL/Set: UNIV is now a constant and is no longer translated to Compl{};

* HOL/Set: The operator (UN x.B x) now abbreviates (UN x:UNIV. B x) and its
  specialist theorems (like UN1_I) are gone.  Similarly for (INT x.B x);

* HOL/record: extensible records with schematic structural subtyping
(single inheritance); EXPERIMENTAL version demonstrating the encoding,
still lacks various theorems and concrete record syntax;


*** HOLCF ***

* removed "axioms" and "generated by" sections;

* replaced "ops" section by extended "consts" section, which is capable of
  handling the continuous function space "->" directly;

* domain package:
  . proves theorems immediately and stores them in the theory,
  . creates hierachical name space,
  . now uses normal mixfix annotations (instead of cinfix...),
  . minor changes to some names and values (for consistency),
  . e.g. cases -> casedist, dists_eq -> dist_eqs, [take_lemma] -> take_lemmas,
  . separator between mutual domain defs: changed "," to "and",
  . improved handling of sort constraints;  now they have to
    appear on the left-hand side of the equations only;

* fixed LAM <x,y,zs>.b syntax;

* added extended adm_tac to simplifier in HOLCF -- can now discharge
adm (%x. P (t x)), where P is chainfinite and t continuous;


*** FOL and ZF ***

* FOL: there is a new splitter `split_asm_tac' that can be used e.g.
  with `addloop' of the simplifier to faciliate case splitting in premises.

* qed_spec_mp, qed_goal_spec_mp, qed_goalw_spec_mp are available, as
in HOL, they strip ALL and --> from proved theorems;



New in Isabelle94-8 (May 1997)
------------------------------

*** General Changes ***

* new utilities to build / run / maintain Isabelle etc. (in parts
still somewhat experimental); old Makefiles etc. still functional;

* new 'Isabelle System Manual';

* INSTALL text, together with ./configure and ./build scripts;

* reimplemented type inference for greater efficiency, better error
messages and clean internal interface;

* prlim command for dealing with lots of subgoals (an easier way of
setting goals_limit);


*** Syntax ***

* supports alternative (named) syntax tables (parser and pretty
printer); internal interface is provided by add_modesyntax(_i);

* Pure, FOL, ZF, HOL, HOLCF now support symbolic input and output; to
be used in conjunction with the Isabelle symbol font; uses the
"symbols" syntax table;

* added token_translation interface (may translate name tokens in
arbitrary ways, dependent on their type (free, bound, tfree, ...) and
the current print_mode); IMPORTANT: user print translation functions
are responsible for marking newly introduced bounds
(Syntax.mark_boundT);

* token translations for modes "xterm" and "xterm_color" that display
names in bold, underline etc. or colors (which requires a color
version of xterm);

* infixes may now be declared with names independent of their syntax;

* added typed_print_translation (like print_translation, but may
access type of constant);


*** Classical Reasoner ***

Blast_tac: a new tactic!  It is often more powerful than fast_tac, but has
some limitations.  Blast_tac...
  + ignores addss, addbefore, addafter; this restriction is intrinsic
  + ignores elimination rules that don't have the correct format
        (the conclusion MUST be a formula variable)
  + ignores types, which can make HOL proofs fail
  + rules must not require higher-order unification, e.g. apply_type in ZF
    [message "Function Var's argument not a bound variable" relates to this]
  + its proof strategy is more general but can actually be slower

* substitution with equality assumptions no longer permutes other
assumptions;

* minor changes in semantics of addafter (now called addaltern); renamed
setwrapper to setWrapper and compwrapper to compWrapper; added safe wrapper
(and access functions for it);

* improved combination of classical reasoner and simplifier:
  + functions for handling clasimpsets
  + improvement of addss: now the simplifier is called _after_ the
    safe steps.
  + safe variant of addss called addSss: uses safe simplifications
    _during_ the safe steps. It is more complete as it allows multiple
    instantiations of unknowns (e.g. with slow_tac).

*** Simplifier ***

* added interface for simplification procedures (functions that
produce *proven* rewrite rules on the fly, depending on current
redex);

* ordering on terms as parameter (used for ordered rewriting);

* new functions delcongs, deleqcongs, and Delcongs. richer rep_ss;

* the solver is now split into a safe and an unsafe part.
This should be invisible for the normal user, except that the
functions setsolver and addsolver have been renamed to setSolver and
addSolver; added safe_asm_full_simp_tac;


*** HOL ***

* a generic induction tactic `induct_tac' which works for all datatypes and
also for type `nat';

* a generic case distinction tactic `exhaust_tac' which works for all
datatypes and also for type `nat';

* each datatype comes with a function `size';

* patterns in case expressions allow tuple patterns as arguments to
constructors, for example `case x of [] => ... | (x,y,z)#ps => ...';

* primrec now also works with type nat;

* recdef: a new declaration form, allows general recursive functions to be
defined in theory files.  See HOL/ex/Fib, HOL/ex/Primes, HOL/Subst/Unify.

* the constant for negation has been renamed from "not" to "Not" to
harmonize with FOL, ZF, LK, etc.;

* HOL/ex/LFilter theory of a corecursive "filter" functional for
infinite lists;

* HOL/Modelcheck demonstrates invocation of model checker oracle;

* HOL/ex/Ring.thy declares cring_simp, which solves equational
problems in commutative rings, using axiomatic type classes for + and *;

* more examples in HOL/MiniML and HOL/Auth;

* more default rewrite rules for quantifiers, union/intersection;

* a new constant `arbitrary == @x.False';

* HOLCF/IOA replaces old HOL/IOA;

* HOLCF changes: derived all rules and arities
  + axiomatic type classes instead of classes
  + typedef instead of faking type definitions
  + eliminated the internal constants less_fun, less_cfun, UU_fun, UU_cfun etc.
  + new axclasses cpo, chfin, flat with flat < chfin < pcpo < cpo < po
  + eliminated the types void, one, tr
  + use unit lift and bool lift (with translations) instead of one and tr
  + eliminated blift from Lift3.thy (use Def instead of blift)
  all eliminated rules are derived as theorems --> no visible changes ;


*** ZF ***

* ZF now has Fast_tac, Simp_tac and Auto_tac.  Union_iff is a now a default
rewrite rule; this may affect some proofs.  eq_cs is gone but can be put back
as ZF_cs addSIs [equalityI];



New in Isabelle94-7 (November 96)
---------------------------------

* allowing negative levels (as offsets) in prlev and choplev;

* super-linear speedup for large simplifications;

* FOL, ZF and HOL now use miniscoping: rewriting pushes
quantifications in as far as possible (COULD MAKE EXISTING PROOFS
FAIL); can suppress it using the command Delsimps (ex_simps @
all_simps); De Morgan laws are also now included, by default;

* improved printing of ==>  :  ~:

* new object-logic "Sequents" adds linear logic, while replacing LK
and Modal (thanks to Sara Kalvala);

* HOL/Auth: correctness proofs for authentication protocols;

* HOL: new auto_tac combines rewriting and classical reasoning (many
examples on HOL/Auth);

* HOL: new command AddIffs for declaring theorems of the form P=Q to
the rewriter and classical reasoner simultaneously;

* function uresult no longer returns theorems in "standard" format;
regain previous version by: val uresult = standard o uresult;



New in Isabelle94-6
-------------------

* oracles -- these establish an interface between Isabelle and trusted
external reasoners, which may deliver results as theorems;

* proof objects (in particular record all uses of oracles);

* Simp_tac, Fast_tac, etc. that refer to implicit simpset / claset;

* "constdefs" section in theory files;

* "primrec" section (HOL) no longer requires names;

* internal type "tactic" now simply "thm -> thm Sequence.seq";



New in Isabelle94-5
-------------------

* reduced space requirements;

* automatic HTML generation from theories;

* theory files no longer require "..." (quotes) around most types;

* new examples, including two proofs of the Church-Rosser theorem;

* non-curried (1994) version of HOL is no longer distributed;



New in Isabelle94-4
-------------------

* greatly reduced space requirements;

* theory files (.thy) no longer require \...\ escapes at line breaks;

* searchable theorem database (see the section "Retrieving theorems" on
page 8 of the Reference Manual);

* new examples, including Grabczewski's monumental case study of the
Axiom of Choice;

* The previous version of HOL renamed to Old_HOL;

* The new version of HOL (previously called CHOL) uses a curried syntax
for functions.  Application looks like f a b instead of f(a,b);

* Mutually recursive inductive definitions finally work in HOL;

* In ZF, pattern-matching on tuples is now available in all abstractions and
translates to the operator "split";



New in Isabelle94-3
-------------------

* new infix operator, addss, allowing the classical reasoner to
perform simplification at each step of its search.  Example:
        fast_tac (cs addss ss)

* a new logic, CHOL, the same as HOL, but with a curried syntax
for functions.  Application looks like f a b instead of f(a,b).  Also pairs
look like (a,b) instead of <a,b>;

* PLEASE NOTE: CHOL will eventually replace HOL!

* In CHOL, pattern-matching on tuples is now available in all abstractions.
It translates to the operator "split".  A new theory of integers is available;

* In ZF, integer numerals now denote two's-complement binary integers.
Arithmetic operations can be performed by rewriting.  See ZF/ex/Bin.ML;

* Many new examples: I/O automata, Church-Rosser theorem, equivalents
of the Axiom of Choice;



New in Isabelle94-2
-------------------

* Significantly faster resolution;

* the different sections in a .thy file can now be mixed and repeated
freely;

* Database of theorems for FOL, HOL and ZF.  New
commands including qed, qed_goal and bind_thm store theorems in the database.

* Simple database queries: return a named theorem (get_thm) or all theorems of
a given theory (thms_of), or find out what theory a theorem was proved in
(theory_of_thm);

* Bugs fixed in the inductive definition and datatype packages;

* The classical reasoner provides deepen_tac and depth_tac, making FOL_dup_cs
and HOL_dup_cs obsolete;

* Syntactic ambiguities caused by the new treatment of syntax in Isabelle94-1
have been removed;

* Simpler definition of function space in ZF;

* new results about cardinal and ordinal arithmetic in ZF;

* 'subtype' facility in HOL for introducing new types as subsets of existing
types;

:mode=text:wrap=hard:maxLineLen=72:
$Id$