diff -r f39f67982854 -r 91713a1915ee src/HOL/UNITY/SubstAx.thy
--- a/src/HOL/UNITY/SubstAx.thy	Sat Feb 08 14:46:22 2003 +0100
+++ b/src/HOL/UNITY/SubstAx.thy	Sat Feb 08 16:05:33 2003 +0100
@@ -21,7 +21,7 @@
   "op LeadsTo" :: "['a set, 'a set] => 'a program set" (infixl " \<longmapsto>w " 60)
 
 
-(*Resembles the previous definition of LeadsTo*)
+text{*Resembles the previous definition of LeadsTo*}
 lemma LeadsTo_eq_leadsTo: 
      "A LeadsTo B = {F. F \<in> (reachable F \<inter> A) leadsTo (reachable F \<inter> B)}"
 apply (unfold LeadsTo_def)
@@ -76,7 +76,7 @@
 lemma LeadsTo_UNIV [simp]: "F \<in> A LeadsTo UNIV"
 by (simp add: LeadsTo_def)
 
-(*Useful with cancellation, disjunction*)
+text{*Useful with cancellation, disjunction*}
 lemma LeadsTo_Un_duplicate:
      "F \<in> A LeadsTo (A' \<union> A') ==> F \<in> A LeadsTo A'"
 by (simp add: Un_ac)
@@ -91,14 +91,14 @@
 apply (blast intro: LeadsTo_Union)
 done
 
-(*Binary union introduction rule*)
+text{*Binary union introduction rule*}
 lemma LeadsTo_Un:
      "[| F \<in> A LeadsTo C; F \<in> B LeadsTo C |] ==> F \<in> (A \<union> B) LeadsTo C"
 apply (subst Un_eq_Union)
 apply (blast intro: LeadsTo_Union)
 done
 
-(*Lets us look at the starting state*)
+text{*Lets us look at the starting state*}
 lemma single_LeadsTo_I:
      "(!!s. s \<in> A ==> F \<in> {s} LeadsTo B) ==> F \<in> A LeadsTo B"
 by (subst UN_singleton [symmetric], rule LeadsTo_UN, blast)
@@ -182,8 +182,8 @@
 apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen)
 done
 
-(*Set difference: maybe combine with leadsTo_weaken_L??
-  This is the most useful form of the "disjunction" rule*)
+text{*Set difference: maybe combine with leadsTo_weaken_L??
+  This is the most useful form of the "disjunction" rule*}
 lemma LeadsTo_Diff:
      "[| F \<in> (A-B) LeadsTo C;  F \<in> (A \<inter> B) LeadsTo C |]  
       ==> F \<in> A LeadsTo C"
@@ -198,18 +198,18 @@
 done
 
 
-(*Version with no index set*)
+text{*Version with no index set*}
 lemma LeadsTo_UN_UN_noindex: 
      "(!!i. F \<in> (A i) LeadsTo (A' i)) ==> F \<in> (\<Union>i. A i) LeadsTo (\<Union>i. A' i)"
 by (blast intro: LeadsTo_UN_UN)
 
-(*Version with no index set*)
+text{*Version with no index set*}
 lemma all_LeadsTo_UN_UN:
      "\<forall>i. F \<in> (A i) LeadsTo (A' i)  
       ==> F \<in> (\<Union>i. A i) LeadsTo (\<Union>i. A' i)"
 by (blast intro: LeadsTo_UN_UN)
 
-(*Binary union version*)
+text{*Binary union version*}
 lemma LeadsTo_Un_Un:
      "[| F \<in> A LeadsTo A'; F \<in> B LeadsTo B' |]  
             ==> F \<in> (A \<union> B) LeadsTo (A' \<union> B')"
@@ -247,18 +247,18 @@
 done
 
 
-(** The impossibility law **)
+text{*The impossibility law*}
 
-(*The set "A" may be non-empty, but it contains no reachable states*)
-lemma LeadsTo_empty: "F \<in> A LeadsTo {} ==> F \<in> Always (-A)"
+text{*The set "A" may be non-empty, but it contains no reachable states*}
+lemma LeadsTo_empty: "[|F \<in> A LeadsTo {}; all_total F|] ==> F \<in> Always (-A)"
 apply (simp add: LeadsTo_def Always_eq_includes_reachable)
 apply (drule leadsTo_empty, auto)
 done
 
 
-(** PSP: Progress-Safety-Progress **)
+subsection{*PSP: Progress-Safety-Progress*}
 
-(*Special case of PSP: Misra's "stable conjunction"*)
+text{*Special case of PSP: Misra's "stable conjunction"*}
 lemma PSP_Stable:
      "[| F \<in> A LeadsTo A';  F \<in> Stable B |]  
       ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B)"
@@ -336,7 +336,7 @@
       ==> F \<in> A LeadsTo B"
 by (rule wf_less_than [THEN LeadsTo_wf_induct], auto)
 
-(*Integer version.  Could generalize from 0 to any lower bound*)
+text{*Integer version.  Could generalize from 0 to any lower bound*}
 lemma integ_0_le_induct:
      "[| F \<in> Always {s. (0::int) \<le> f s};   
          !! z. F \<in> (A \<inter> {s. f s = z}) LeadsTo